Memory protection apparatus and method
By setting up memory protection devices on the system interconnect bus, the memory access behavior of all bus master devices in the SoC can be monitored, which solves the security blind spots and latency problems of existing MPUs, improves the security and performance of the system, and adapts to the needs of complex multi-tasking environments.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- STRANGE MOORE SHANGHAI INTEGRATED CIRCUIT DESIGN CO LTD
- Filing Date
- 2026-04-03
- Publication Date
- 2026-07-14
Smart Images

Figure CN122387883A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of computer security technology, and specifically relates to a memory protection device and method. Background Technology
[0002] The Memory Protection Unit (MPU) is a core hardware component that ensures the security of memory access in a computing system. In mainstream solutions, the MPU exists as a tightly coupled component of the processor core. This in-core integrated design has limitations in its application in System-on-Chip (SoC).
[0003] First, the protection scope of the MPU is limited to access by its own processor core, and it cannot monitor the memory access behavior of other bus master devices (such as DMA, GPU, NPU) in the SoC, resulting in a security blind spot. At the same time, it is difficult to flexibly adapt to the diverse interconnect protocols in the SoC, leading to high integration complexity.
[0004] Secondly, the MPU's serial checking logic is located in the processor's critical memory access path, which can easily increase access latency. Furthermore, the number and size of its protected regions are statically fixed, failing to meet dynamic software requirements. During task switching, the configuration reload overhead is significant, easily introducing nondeterministic latency and impacting real-time performance.
[0005] Furthermore, the MPU cannot dynamically adjust the granularity of its checks based on the access source, transaction type, or system scenario, and it lacks hardware anti-tampering mechanisms, posing a security risk. Additionally, as a component within the processor core, it is difficult to coordinate with other system security components to provide memory protection. Summary of the Invention
[0006] The purpose of this invention is to provide a memory protection device and method. By setting the memory protection device on the system interconnect bus and performing identifier matching, address matching and permission matching on memory access requests in sequence, the memory access behavior of each master device on the bus can be monitored, which can effectively improve security, reduce access latency, reduce performance overhead, and improve the real-time response capability of the system.
[0007] To address the aforementioned technical problems, the present invention provides a memory protection device, wherein the memory protection device is disposed on the system's interconnect bus, comprising:
[0008] The interface adaptation module is used to receive and parse memory access requests; The identifier matching module, cascaded with the interface adaptation module, is used to match the master device identifier information in the memory access request with the first configuration information. If the match is successful, the memory access request is passed to the address matching module; otherwise, the memory access request is blocked. The address matching module is cascaded with the identifier matching module and is used to match the target address in the memory access request with the second configuration information. If the match is successful, the memory access request and the corresponding permission control information are passed to the permission matching module; otherwise, the memory access request is blocked. The permission matching module is cascaded with the address matching module to match the access attributes and operation type of the memory access request with the permission control information, and to allow or block the memory access request based on the matching result.
[0009] In one embodiment of the present invention, a security event processing module is further included, which is used to generate a corresponding security event record when the memory access request is blocked.
[0010] In one embodiment of the present invention, the interface adaptation module includes one or more protocol processing engines for receiving and parsing the memory access request based on the bus protocol.
[0011] In one embodiment of the present invention, the bus protocol includes at least two of AMBA, AXI, AHB, and APB.
[0012] In one embodiment of the present invention, the second configuration information includes address region configuration information, which is stored in an address register.
[0013] In one embodiment of the present invention, a configuration management module is further included to manage the first configuration information, the second configuration information, and the permission control information; the configuration management module includes: A configuration register is used to store the first configuration information, the second configuration information, and the permission control information; The verification register is used to receive and store the written token value; A verification controller is used to verify the token value and, based on the verification result, allow or block write operations to the configuration register.
[0014] In one embodiment of the present invention, at least one of the identifier matching module, the address matching module, and the permission matching module is set to a bypass state.
[0015] This invention also provides a memory protection method applied to a system bus, the method comprising the following steps: Receive memory access requests from the bus; Based on the master device identifier information in the memory access request, it is matched with the first configuration information. If they do not match, the memory access request is blocked. If a match is found, the target address in the memory access request is matched with the second configuration information; if a match is not found, the memory access request is blocked. If a match is found, the access control information corresponding to the target address is obtained, and the access attributes and operation type of the memory access request are matched with the access control information. Based on the matching result, the memory access request is allowed or blocked.
[0016] The present invention also provides a memory protection device, including a memory and a processor; the memory stores code, and the processor is configured to execute the code, wherein when the code is executed, the device performs the memory protection method as described above.
[0017] The present invention also provides a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the memory protection method as described in any of the above descriptions.
[0018] By adopting the above technical solution, this invention, as an example, has the following advantages and positive effects: This invention places the memory protection device on the system interconnect bus and performs identifier matching, address matching, and permission matching on memory access requests sequentially. This not only monitors the CPU core but also the memory access behavior of other bus master devices in the SoC, avoiding security blind spots. Furthermore, the MPU's serial checking logic is not located on the processor's critical memory access path, which helps reduce access latency, improves system performance, and allows it to work collaboratively with other security components on the system to better provide memory protection services.
[0019] Furthermore, this invention enhances the system's dynamic adjustment flexibility, overcomes the shortcomings of statically fixed protected memory regions, and better adapts to complex multi-tasking environments, dynamic memory allocation requirements, and application needs for system state switching. In addition, the verification mechanism introduced in this invention provides tamper-proof protection for core configurations, improving system security and reliability, and providing a hardware foundation for building systems that meet high functional safety requirements.
[0020] In addition, this invention helps reduce the complexity of system-level security design, verification and authentication. It also effectively purifies the bus access flow by intercepting illegal and unauthorized access in real time, reducing the occupation and interference of invalid transactions on system resources, thereby improving the effective utilization rate of system interconnection bandwidth and transaction processing efficiency in the security mode as a whole. Attached Figure Description
[0021] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0022] Figure 1 A schematic diagram of the framework of a memory protection device provided in an embodiment of the present invention.
[0023] Figure 2 This is a hardware architecture block diagram of a memory protection device provided in an embodiment of the present invention.
[0024] Figure 3 A schematic diagram illustrating the steps of a memory protection method provided in an embodiment of the present invention. Detailed Implementation
[0025] The technical solutions disclosed in this invention will be described in detail below with reference to specific embodiments.
[0026] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0027] It should be noted that the illustrations provided in this embodiment are only schematic representations of the basic concept of the present invention. Therefore, the drawings only show the components related to the present invention and are not drawn according to the actual number, shape and size of the components in the actual implementation. In the actual implementation, the form, quantity and proportion of each component can be arbitrarily changed, and the layout of the components may also be more complex.
[0028] In this invention, it should be noted that the terms "center," "upper," "lower," "left," "right," "vertical," "horizontal," "inner," and "outer," etc., indicate the orientation or positional relationship based on the orientation or positional relationship shown in the accompanying drawings. They are used only for the convenience of describing this application and simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation, or be constructed and operated in a specific orientation. Therefore, they should not be construed as limitations on this application. Furthermore, the terms "first" and "second" are used only for descriptive and distinguishing purposes and should not be construed as indicating or implying relative importance.
[0029] like Figure 1 As shown, the present invention provides a memory protection device 100, which is disposed on the system interconnect bus.
[0030] In this invention, the interconnect bus of the system refers to the communication infrastructure responsible for transmitting data, addresses, and control signals between various functional units within a computer system. It serves as a shared transmission medium, connecting multiple bus master devices (such as CPU, GPU, DMA controller, etc.) with slave devices (such as memory, peripherals, etc.).
[0031] Specifically, the interconnect bus can take different forms depending on the system size, performance requirements, and protocol standards: For example, the interconnect bus inside the System-on-a-Chip (SoC) serves as the data exchange center of the SoC, connecting multiple CPU clusters, GPUs, Neural Processing Units (NPUs), Image Signal Processors (ISPs), and high-speed memory controllers. It supports various standard on-chip bus protocols, such as the AMBA series protocols, specifically AXI (e.g., AXI4, AXI5), CHI, AHB / APB, and other protocols.
[0032] Interconnect buses can also be board-level interconnects outside the chip, such as in a multiprocessor server system where multiple processors, accelerators, or I / O devices are interconnected via a PCI-E bus and access shared memory.
[0033] Interconnect buses can also be data plane buses for network processors, dedicated high-bandwidth buses for connecting multiple message processing engines, lookup engines, and memory interfaces. Alternatively, in the automotive field, they can be real-time or functional safety buses connecting microcontrollers, FPGAs, safety modules, and I / O controllers.
[0034] Therefore, the scope of protection of the present invention is not limited to setting the memory protection device 100 on a specific bus, but mainly includes setting the memory protection device on a system interconnection structure with shared communication path characteristics.
[0035] By placing the memory protection device 100 on the system bus, it has advantages including, but not limited to, the following: It can monitor not only the CPU core, but also the memory access behavior of other bus master devices in the SoC (such as DMA, GPU, NPU), avoiding security blind spots. In addition, the MPU's serial inspection logic is not located on the processor's critical memory access path, which helps reduce access latency, improve system performance, and can work in conjunction with other security components on the system to better provide memory protection services for the system, especially complex and heterogeneous systems-on-chips (SoCs).
[0036] like Figure 1 As shown, the memory protection device 100 includes an interface adapter module 101 and a permission matching module 104.
[0037] In some embodiments of the present invention, the interface adaptation module 101 includes one or more parallel protocol processing engines for receiving and parsing memory access requests, specifically including memory access requests based on the system bus transmission protocol.
[0038] For example, the interface adaptation module 101 integrates multiple AMBA series protocol processing engines in parallel to parse and process received memory access requests, extract the required fields, and encapsulate them into an internal format. Specifically, this includes, but is not limited to, parallel processing using one or more of the AXI4, AHB, APB4, and APB5 protocol processing engines.
[0039] By setting the interface adapter module 101, the system bus memory protection device 100 can flexibly adapt to different heterogeneous interconnect protocols in the SoC design without modifying the processor core or other main devices themselves, which helps to reduce integration complexity.
[0040] The identifier matching module 102 is cascaded with the interface adaptation module 101 to match the master device identifier information in the memory access request with the first configuration information.
[0041] Cascading refers to connecting the output of the interface adapter module 101 to the input of the identifier matching module 102, so that data (i.e., memory access requests and related signals) can be transmitted from the interface adapter module 101 to the identifier matching module 102. The connection method includes, but is not limited to, wireless connection and wired connection (such as connection through metal wires).
[0042] In this invention, the master device identifier refers to a signal or field used to uniquely distinguish different bus master devices in the transmission protocol of the system interconnect bus, including but not limited to bus transaction ID, network device hardware address, logical device ID, security domain identifier, etc. Each master device initiating a memory access request will have a unique master device identifier, enabling the memory protection device 100 to identify the source of each memory access request.
[0043] The identifier matching module 102 matches the master device identifier information with the first configuration information. In some embodiments, the first configuration information includes preset master device identifier information stored in a configuration register or lookup table. Its content can be loaded by the system software during the security initialization phase, defining a list of master device identifiers authorized to initiate memory access requests. The identifier matching module 102 uses the extracted master device identifier information as a keyword for search and matching.
[0044] If the matching fails, it means that the main device that initiated the memory access request is not authorized or is abnormally identified. The identification matching module 102 determines the memory access request as an illegal memory access request and blocks the memory access request.
[0045] If the match is successful, it means that the master device that initiated the memory access request has been trusted and registered by the system, and the identification matching module 102 will pass the memory access request to the address matching module 103 at the next level in the cascading sequence.
[0046] The identifier matching module 102 is cascaded with the address matching module 103. Specifically, the output of the identifier matching module 102 is connected to the input of the address matching module 103. The address matching module 103 extracts the target address from the received memory access request and matches the target address with the second configuration information.
[0047] In some embodiments of the present invention, the second configuration information includes address region configuration information, which defines a legally protected memory address window. The data structure includes, for example, a base address, a region size or mask, and an associated permission index or attribute. The base address represents the starting address of the memory region. The region size or mask represents the coverage area of the memory region. The associated permission index or attribute points to or contains the access permission rules corresponding to the memory region (i.e., the permission control information required by the subsequent permission matching module 104).
[0048] In some embodiments of the present invention, the second configuration information is stored in one or more sets of address registers, such as 4 sets, 8 sets or 16 sets.
[0049] Furthermore, each set of address registers is programmable, allowing system software (such as the operating system and security monitor) to dynamically write and modify them at runtime. This design enables the system to flexibly adjust the number of protected memory regions, as well as the base address, size, permissions, priority, and other parameters of each memory region, based on the currently running task, loaded application, or security status. This overcomes the shortcomings of statically fixed protected memory regions and better adapts to complex multi-tasking environments, dynamic memory allocation requirements, and application needs for system state switching. Specifically, for example, during task switching, the corresponding address registers (and their associated permission control information) for the memory regions required by the task can be updated, significantly reducing context overhead, reducing latency, and improving the system's real-time performance.
[0050] The address matching module 103 matches the target address in the memory access request with the second configuration information. If they do not match, it means that the target address in the memory access request does not belong to any legally defined memory region. The address matching module 103 determines the memory access request as an illegal memory access request and blocks the memory access request.
[0051] If the match is successful, it means that the target address in the memory access request belongs to a legally defined memory region. The address matching module 103 will pass the memory access request and the corresponding permission control information to the permission matching module 104 at the next level in the cascading order.
[0052] In some implementations, if the computer system is configured with overlapping address regions, a unique and valid matching result and corresponding access control information can be determined based on preset priority rules (such as region number, specific priority bits).
[0053] In some implementations, access control information is implemented as a multi-bit access control register, where each bit or field specifies under what conditions a certain operation is allowed. For example, the access control register may contain a read-allow bit, a write-allow bit, and an execute-allow bit.
[0054] The address matching module 103 is cascaded with the permission matching module 104. Specifically, the output of the address matching module 103 is connected to the input of the permission matching module 104.
[0055] It should be noted that the cascading relationship between the aforementioned modules refers to a logical sequential processing dependency, and does not limit their physical deployment to the same chip or device. In other embodiments of the present invention, the interface adaptation module 101, the identifier matching module 102, the address matching module 103, and the permission management module can be physically deployed on different hardware nodes. These nodes can be connected and transmit processing results through system internal buses, network interfaces, or even wireless communication links. As long as the above-mentioned logical cascading data transmission order is maintained, they all fall within the protection scope of the present invention.
[0056] The permission matching module 104 is used to match the access attributes and operation type of the memory access request with the permission control information.
[0057] Access attributes refer to a set of metadata or signals defined by the interconnect bus protocol that accompany a memory access request. These attributes describe the context or mode attributes of the current access, and are not limiting. They include, for example, security status (e.g., secure or insecure), access category (e.g., privileged mode or user mode), and permission level (e.g., instruction fetching or data access). In interconnect bus protocols such as AMBA and AXI, access attributes are typically encoded and carried by the AxPROT (AXI Protection) signal group. Operation type refers to the specific operation behavior of this memory access request, usually categorized into read, write, and execute.
[0058] The specific matching steps of the permission matching module 104 can be found as follows: Extract the access attributes and operation type of a memory access request. For example, a memory access request may have access attributes of non-secure, user mode, and data access, and its operation type may be write.
[0059] The permission matching module 104 compares the above information with the rules defined in the permission control information item by item. Specifically, for example, it checks whether the permission control information contains a write-allow bit, or if the permission control information requires "secure access only," it checks whether the "security status" of this access request is secure. In some implementations, the permission matching module 104 can use combined judgment. For example, if the permission control information requires "write in privileged mode is allowed, but write in user mode is prohibited," the permission matching module 104 needs to check whether the operation type of the memory access request is a write operation and whether the access attribute of the memory access request is privileged mode.
[0060] During the comparison process described above, if any condition is not met—for example, attempting to write data in user mode to a memory region that is only allowed to write in privileged mode—the match is deemed unsuccessful, and the memory access request is blocked. Conversely, if all comparison items meet the corresponding rules defined in the access control information, the access control module 104 determines that the match is successful and forwards the memory access request to the target slave device on the bus (such as the memory controller).
[0061] By adopting a fine-grained matching mechanism based on access attributes and operation types, this invention can improve the flexibility of protection strategies, making it easier to implement different security strategies based on different memory access requests, different scenarios, and different actual needs, thereby providing a guarantee for building a sound system security architecture.
[0062] Furthermore, the present invention also includes a security event processing module for generating a corresponding security event record when the memory access request is blocked.
[0063] When any of the aforementioned identifier matching module 102, address matching module 103, and permission matching module 104 determines that a match has failed and blocks the memory access request, the corresponding matching module generates a violation event signal and sends it along with key context information to the security event processing module. Based on the received key context information, the security event processing module generates a security event record and stores it in a protected dedicated register or a secure memory segment. In some embodiments, the security event record includes fields such as violation type, master device identifier, target address, access attribute, and operation type. Optionally, the configuration information of the relevant matching module when generating the violation event signal (such as the address range in effect at that time) can also be recorded for analysis of whether the configuration has been tampered with or whether there are logical errors.
[0064] In other implementations, in addition to generating corresponding security event records, the security event handling module can selectively perform interrupt generation and bus error feedback. For example, it can issue a high-priority security exception interrupt to one or more processor cores of the system, or generate a corresponding error response on the bus according to the adopted bus protocol specification to notify the master device that the access operation has failed for security reasons in a standard manner.
[0065] In some embodiments, the memory protection device 100 further includes a configuration management module for managing the first configuration information, the second configuration information, and the permission control information.
[0066] By way of example and not limitation, the configuration management module includes a configuration register, a verification register, and a verification controller. The configuration register stores the first configuration information, the second configuration information, and the access control information. The verification register receives and stores written token values. Specifically, when the software needs to modify the contents of the configuration register, it must first write a token value to the verification register. This verification register is typically set to automatically clear after being written to or to be valid only once, preventing the token from being reused.
[0067] When the verification controller detects a token value being written to the verification register, it captures the token value and compares it with an internally preset expected value. In some implementations, this expected value can be a constant fixed during chip design, or a dynamic value loaded securely by higher-privilege firmware at startup. When the token value and the expected value match, the verification controller generates a signal. Subsequent write operations to the configuration register will only be executed and updated during the period this signal is valid.
[0068] Conversely, if the token value does not match, the verification controller will discard the token value written to the verification register. At the same time, the security event handling module can record this illegal attempt as a security event and selectively trigger a system interrupt.
[0069] Optionally, the signal is time-sensitive. If no configuration write operation is performed within the time limit, the verification controller will automatically cancel the signal, and token verification will be required for the next modification.
[0070] By setting up the above verification mechanism, the problem of misconfiguration or malicious tampering of the configuration register can be effectively prevented, which helps to improve the security and reliability of the memory protection device 100 and meets the design requirements of a high-reliability and high-security system.
[0071] In one embodiment, at least one of the identifier matching module 102, the address matching module 103, and the permission matching module 104 is set to a bypass state. Specifically, each of the above matching modules has an independent bypass control bit, which is located in the device's configuration register and can be set or cleared by specific software (such as the operating system kernel or security monitor) through a write operation.
[0072] When the bypass control bit of a matching module is set, that matching module enters bypass mode. In this mode, the matching module will not perform any matching checks on memory access requests passing through it, but will directly pass the memory access request (along with necessary transmission information) to the next level matching module or allow it directly.
[0073] Specifically, if the identifier matching module 102 is set to bypass state, all master device identifier information will be considered valid, and the identifier matching module 102 will not need to perform matching. The memory access request will be passed to the address matching module 103. This is suitable for application scenarios such as when the system trusts all bus master devices or when it is in the debugging stage and needs to ignore master device identifier checks.
[0074] If the address matching module 103 is set to bypass mode, all target addresses will be considered valid, and the address matching module 103 will not perform matching, instead passing the memory access request and access control information to the access control module 104. This is suitable for applications such as implementing a unified access control policy across the entire address space, or for quickly establishing memory mappings during system initialization.
[0075] If the permission matching module 104 is set to bypass state, all access attributes and operation types will be considered to conform to the permission control information, and memory access requests will be allowed to the target memory. This is suitable for application scenarios such as disabling permission checks in a fully trusted environment to maximize performance.
[0076] Figure 2The diagram illustrates a hardware architecture block diagram of a specific embodiment of the memory protection device of the present invention, showing the data flow passing through the following four cascaded modules from left to right: The interface adapter module corresponds to the `input_adapter` in the block diagram. This module serves as the front-end interface between the device and external system interconnect buses (such as AXI and AHB). Internally, it contains one or more protocol processing engines (such as `AXI_INTF`) to handle memory access requests from different bus protocols (AXI and AHB in the example of the diagram) simultaneously or on demand. Following the bus protocol handshake sequence, the interface adapter module receives the original memory access request, parses it, extracts key information required for subsequent security checks, such as the master device identifier, target address, operation type, and access attributes, and encapsulates it into a unified internal transaction format for output, thus providing standardized data for subsequent matching.
[0077] The identifier matching module corresponds to ID_match in the block diagram. This identifier matching module is cascaded with the interface adaptation module, receives parsed memory access requests, and matches the master device identifier information (such as AWID / ARID in the AXI bus) extracted from the memory access request with the first configuration information (stored in the configuration management module).
[0078] The address matching module corresponds to ADDR_match in the block diagram. This module is cascaded with the identifier matching module and processes memory access requests that have passed identifier matching. It matches the target address in the request with the second configuration information to find the authorized region to which the target address belongs. If the address is not in any authorized region, the memory request is blocked; if a match is successful, it simultaneously obtains the permission control information bound to that authorized region and passes the memory access request and this permission control information to the permission matching module.
[0079] The permission matching module corresponds to PROT_match in the block diagram. This module is cascaded with the address matching module. It matches the access attributes (such as secure / insecure, privileged / user) and operation type (read / write / execute) of the memory access request itself with the permission control information (specifying which operations are allowed in the authorized region) received from the address matching module. If the match is successful, a permission signal is generated, allowing the memory access request; if the match fails, the memory access request is blocked.
[0080] In addition to the core pipeline mentioned above, the memory protection device also includes a configuration management module and a security event handling module. The configuration management module corresponds to cfg_mmr (Configuration Memory-MappedRegisters) in the block diagram. This module contains configuration registers that store first configuration information, second configuration information, and access control information.
[0081] In some implementations, the configuration management module integrates a hardware anti-tampering mechanism, specifically including a verification register and a verification controller. Any write operation to the configuration register must first be verified by writing the correct token value to the verification register; otherwise, the write operation will be discarded, reducing the risk of security policies being tampered with by malicious software.
[0082] The Security Event Handling module corresponds to the Security Event Handling module in the block diagram. This module is cascaded to the identifier matching module, address matching module, and permission matching module. When any illegal memory access request is blocked, this module is automatically triggered, responsible for generating and recording detailed security event logs, such as error logs and interrupt signals reported to the system software, for security auditing and fault diagnosis.
[0083] like Figure 3 As shown, this invention provides a memory protection method applied to a system bus, the method comprising the following steps: S1 receives memory access requests from the bus; S2 matches the master device identifier information in the memory access request with the first configuration information; if they do not match, the memory access request is blocked. S3 If a match is found, the target address in the memory access request is matched with the second configuration information; if a match is not found, the memory access request is blocked. If a match is found, the access control information corresponding to the target address is obtained, and the access attributes and operation type of the memory access request are matched with the access control information. Based on the matching result, the memory access request is allowed or blocked.
[0084] The present invention also provides a memory protection device, including a memory and a processor; the memory stores code, and the processor is configured to execute the code, wherein when the code is executed, the device performs the memory protection method described above.
[0085] The present invention also provides a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the memory protection method described above.
[0086] The present invention also provides a computer program product containing instructions that, when run on a computer, enable the computer to execute the memory protection method described above.
[0087] The present invention also provides a network device, including at least one processor and a memory, wherein the memory stores a computer program, and the processor is used to execute the memory protection method described above by invoking the aforementioned computer operation instructions. In one embodiment, the network device may specifically be a server.
[0088] In summary, by placing a memory protection device on the system interconnect bus and performing identifier matching, address matching, and permission matching on memory access requests in sequence, this invention enables unified monitoring and management of memory access behavior of all bus master devices in the system. This helps eliminate security blind spots, reduce nondeterministic latency, lower context overhead, and improve the real-time performance of the system.
[0089] Furthermore, this invention enhances the system's dynamic adjustment flexibility, overcomes the shortcomings of statically fixed protected memory regions, and better adapts to complex multi-tasking environments, dynamic memory allocation requirements, and application needs for system state switching. In addition, the verification mechanism introduced in this invention provides tamper-proof protection for core configurations, improving system security and reliability, and providing a hardware foundation for building systems that meet high functional safety requirements.
[0090] In addition, this invention helps reduce the complexity of system-level security design, verification and authentication. It also effectively purifies the bus access flow by intercepting illegal and unauthorized access in real time, reducing the occupation and interference of invalid transactions on system resources, thereby improving the effective utilization rate of system interconnection bandwidth and transaction processing efficiency in the security mode as a whole.
[0091] It will be apparent to those skilled in the art that the present invention is not limited to the details of the exemplary embodiments described above, and that the invention can be implemented in other specific forms without departing from its spirit or essential characteristics. Therefore, the embodiments should be considered in all respects as exemplary and non-limiting, and the scope of the invention is defined by the appended claims rather than the foregoing description. Thus, all variations falling within the meaning and scope of equivalents of the claims are intended to be included within the present invention. No reference numerals in the claims should be construed as limiting the scope of the claims.
[0092] Furthermore, it should be understood that although this specification describes embodiments, not every embodiment contains only one independent technical solution. This narrative style is merely for clarity. Those skilled in the art should consider the specification as a whole, and the technical solutions in each embodiment can also be appropriately combined to form other embodiments that can be understood by those skilled in the art.
Claims
1. A memory protection device, characterized in that, The memory protection device is located on the system's interconnect bus and includes: The interface adaptation module is used to receive and parse memory access requests; The identifier matching module, cascaded with the interface adaptation module, is used to match the master device identifier information in the memory access request with the first configuration information. If the match is successful, the memory access request is passed to the address matching module; otherwise, the memory access request is blocked. The address matching module is cascaded with the identifier matching module and is used to match the target address in the memory access request with the second configuration information. If the match is successful, the memory access request and the corresponding permission control information are passed to the permission matching module; otherwise, the memory access request is blocked. The permission matching module is cascaded with the address matching module to match the access attributes and operation type of the memory access request with the permission control information, and to allow or block the memory access request based on the matching result.
2. The memory protection device according to claim 1, characterized in that: It also includes a security event handling module, which generates a corresponding security event record when the memory access request is blocked.
3. The memory protection device according to claim 1, characterized in that: The interface adaptation module includes one or more protocol processing engines for receiving and parsing the memory access request based on the bus protocol.
4. The memory protection device according to claim 3, characterized in that: The bus protocol includes the AMBA protocol, which includes at least two of AXI, AHB, and APB.
5. The memory protection device according to claim 1, characterized in that: The second configuration information includes address region configuration information, which is stored in an address register.
6. The memory protection device according to claim 1, characterized in that: It also includes a configuration management module for managing the first configuration information, the second configuration information, and the permission control information; The configuration management module includes: A configuration register is used to store the first configuration information, the second configuration information, and the permission control information; The verification register is used to receive and store the written token value; A verification controller is used to verify the token value and, based on the verification result, allow or block write operations to the configuration register.
7. The memory protection device according to claim 1, characterized in that: At least one of the identifier matching module, the address matching module, and the permission matching module is set to bypass mode.
8. A memory protection method, characterized in that, The method, applied to the system bus, includes the following steps: Receive memory access requests from the bus; Based on the master device identifier information in the memory access request, it is matched with the first configuration information. If they do not match, the memory access request is blocked. If a match is found, the target address in the memory access request is matched with the second configuration information; if a match is not found, the memory access request is blocked. If a match is found, the access control information corresponding to the target address is obtained, and the access attributes and operation type of the memory access request are matched with the access control information. Based on the matching result, the memory access request is allowed or blocked.
9. A memory protection device, characterized in that: The device includes a memory and a processor; the memory stores code, and the processor is configured to execute the code, wherein when the code is executed, the device performs the method as described in claim 8.
10. A computer-readable storage medium, characterized in that: The computer-readable storage medium stores instructions that, when executed on a computer, cause the computer to perform the method as described in claim 8.