The invention relates to a hardware-based confidentiality protection method for embedded systems, comprising the following steps: 1, generating the object code; 2, encrypting the object code and storing it in non-volatile storage; 3, power-on reset; 4, executing the program; if a cache miss or a data cache write-back occurs, executing step 5; otherwise, repeating step 4 until the program ends; 5, if the external memory is to be written, executing step 6; otherwise, executing step 8; 6, truncating and padding the physical address corresponding to the cache line, generating a pad with the hardware encryption logic, and producing the ciphertext by exclusive-ORing the pad with the cache line data; 7, writing the ciphertext into the external memory and returning to step 4; 8, truncating and padding the physical address corresponding to the cache line, generating the pad with the hardware encryption logic, and exclusive-ORing it with the ciphertext read from the external memory to obtain the instructions or data; 9, sending the instructions or data to the processor, writing the corresponding cache line, and returning to step 4. Through the above steps, the method provides confidentiality protection for the embedded system at low performance and implementation cost.
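The write-back (steps 5 to 7) and fill (steps 8 to 9) paths described above, modelled in software as an added example that is not part of the patent. The cache-line size, block width, and the use of a SHA-256 keyed PRF as a stand-in for the hardware encryption logic are assumptions; a real design would use a block cipher. The last function shows a property that follows directly from deriving the pad from the address alone: the pad is reused across write-backs to the same line, so designs needing freshness add a per-line counter, which the abstract does not describe.

```python
import hashlib

LINE_BYTES = 32    # assumed cache-line size
BLOCK_BYTES = 16   # assumed input width of the hardware encryption logic


def truncate_and_pad(phys_addr: int) -> bytes:
    """Steps 6/8: drop the in-line offset bits, zero-pad the line address to one block."""
    line_addr = phys_addr // LINE_BYTES
    return line_addr.to_bytes(BLOCK_BYTES, "big")


def hw_pad(key: bytes, addr_block: bytes) -> bytes:
    """Stand-in for the hardware encryption logic: keyed PRF expanded to one cache line."""
    pad = b""
    for counter in range(-(-LINE_BYTES // 32)):
        pad += hashlib.sha256(key + addr_block + bytes([counter])).digest()
    return pad[:LINE_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedMemory:
    """Models the external memory; only ciphertext ever leaves the chip boundary."""

    def __init__(self, key: bytes):
        self.key = key
        self.external = {}  # line address -> ciphertext

    def write_back(self, phys_addr: int, line: bytes) -> bytes:
        """Steps 5-7: pad from address, XOR with cache line, store ciphertext."""
        assert len(line) == LINE_BYTES
        ct = xor(hw_pad(self.key, truncate_and_pad(phys_addr)), line)
        self.external[phys_addr // LINE_BYTES] = ct
        return ct

    def fill(self, phys_addr: int) -> bytes:
        """Steps 8-9: regenerate the same pad, XOR with stored ciphertext."""
        ct = self.external[phys_addr // LINE_BYTES]
        return xor(hw_pad(self.key, truncate_and_pad(phys_addr)), ct)


def pad_is_reused(mem: EncryptedMemory, addr: int, line_a: bytes, line_b: bytes) -> bool:
    """True when two write-backs to one line share a pad: XOR of ciphertexts equals XOR of plaintexts."""
    ct_a = mem.write_back(addr, line_a)
    ct_b = mem.write_back(addr, line_b)
    return xor(ct_a, ct_b) == xor(line_a, line_b)
```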