Abstract: A secure data transfer apparatus, where a processor in the apparatus is configured to execute a driver software to generate cryptography information, a cryptography device in the apparatus is configured to obtain a current cryptography parameter based on the cryptography information, and perform a cryptography operation using the current cryptography parameter, a Peripheral Component Interconnect Express (PCIe) interface in the apparatus configured to perform a ciphertext data exchange with a memory controller in a memory located external to the apparatus, where the ciphertext data exchange includes sending the ciphertext data from the cryptography device to the memory controller when the memory is to be written, and sending the ciphertext data from the memory controller to the cryptography device when the memory is to be read.

Abstract: A security assessment apparatus and method for a processor are disclosed, and relate to the field of electronic technologies, to improve security during running of the processor. The security assessment apparatus includes: a processor (101), configured to run instructions in a memory (105); an access controller (103), configured to control a processor tracker (102) to access a first storage area in the memory (105), where the processor (101) is prohibited from accessing the first storage area; the processor tracker (102), configured to obtain first address information of a first instruction in the instructions in the memory (105), and store the first address information in the first storage area; and a security protection system (104), configured to obtain the first address information from the first storage area, and assess security of the first instruction based on the first address information.

Abstract: An insecure software detection apparatus is provided, including: a dedicated processor (101), configured to: when a first analysis result indicates that to-be-detected software is not secure, analyze the to-be-detected software by using a first neural network model, to obtain a second analysis result, where the first analysis result is obtained by analyzing the to-be-detected software by using a second neural network model; and a general-purpose processor (102), configured to: obtain the second analysis result from the dedicated processor, and perform security processing on the to-be-detected software based on the second analysis result. The apparatus first analyzes the to-be-detected software by using the second neural network model with low power consumption. When an analysis result indicates that the to-be-detected software is not secure, the dedicated processor analyzes the to-be-detected software by using the first neural network model with a high computing capability.

Abstract: An electronic apparatus and a security protection method are disclosed. The electronic apparatus includes a security protection apparatus and a first processor. Security isolation exists between the security protection apparatus and the first processor. The first processor is configured to operate when driven by software, and the software includes an operating system and/or an application. The security protection apparatus is configured to: perform security detection on the software, and when detecting that the software is tampered with, perform a security protection operation on the electronic apparatus. In this way, the electronic apparatus may be monitored in real time during an operating process of the electronic apparatus, to avoid theft or modification of important data such as key data and improve security.

Abstract: The present application provides a secure element comprising a processor and a memory integrated into a semiconductor chip; the memory is configured to provide a storage space for the processor to load and run a secure program, the secure program includes an image of a secure operating system, and the image of the secure operating system includes a system image resident segment and a system image dynamic loading segment. The processor is configured to: divide the system image dynamic loading segment into a plurality of pages, where each of the plurality of pages includes some content of the system image dynamic loading segment; perform security processing on each of the plurality of pages; and migrate each security-processed page to an external storage of the secure element.

Abstract: A mobile payment apparatus includes a communication unit configured to exchange payment information with a communication peer end using a radio link, a memory configured to store mobile payment software, a SE, including a first storage module and a processor, and at least one CPU configured to execute general operating system software. The processor is configured to load the mobile payment software from the memory to the first storage module and exchange the payment information with the communication unit under action of the mobile payment software. The first storage module is configured to provide memory space for executing the mobile payment software for the processor. The SE and the at least one CPU are located in a first semiconductor chip.

Abstract: A key processing method includes receiving, in a trusted execution environment, an initial key from a file encryption system in a normal execution environment, decrypting, in the trusted execution environment, the initial key to obtain a file key, storing, in the trusted execution environment, the file key in a key register of a storage controller, where the file encryption system in the normal execution environment is forbidden to access the key register, obtaining, in the trusted execution environment, a key index of the file key in the key register, where the key index indicates a storage location of the file key in the key register, and sending, in the trusted execution environment, the key index to the file encryption system.

Abstract: This application provides an example storage controller. The storage controller includes a controller, a keystore, a key generator, a file cryptography device, and a data memory interface. The keystore is configured to store a classkey. The controller is configured to receive indication information of a to-be-processed file and indication information of a random number that are sent by a processor, obtain the to-be-processed file based on the indication information of the to-be-processed file, obtain the random number based on the indication information of the random number, and obtain a first classkey from a classkey stored in the keystore. The key generator is configured to calculate a file key based on the random number and the first classkey obtained by the controller. The file cryptography device is configured to process the to-be-processed file by using the file key calculated by the key generator.

Abstract: A secure data transfer apparatus, where a processor in the apparatus is configured to execute a driver software to generate cryptography information, a cryptography device in the apparatus is configured to obtain a current cryptography parameter based on the cryptography information, and perform a cryptography operation using the current cryptography parameter, a Peripheral Component Interconnect Express (PCIe) interface in the apparatus configured to perform a ciphertext data exchange with a memory controller in a memory located external to the apparatus, where the ciphertext data exchange includes sending the ciphertext data from the cryptography device to the memory controller when the memory is to be written, and sending the ciphertext data from the memory controller to the cryptography device when the memory is to be read.

Abstract: A key processing method includes receiving, in a trusted execution environment, an initial key from a file encryption system in a normal execution environment, decrypting, in the trusted execution environment, the initial key to obtain a file key, storing, in the trusted execution environment, the file key in a key register of a storage controller, where the file encryption system in the normal execution environment is forbidden to access the key register, obtaining, in the trusted execution environment, a key index of the file key in the key register, where the key index indicates a storage location of the file key in the key register, and sending, in the trusted execution environment, the key index to the file encryption system.

Abstract: A system on chip is integrated in a first semiconductor chip, and includes a secure element and at least one central processing unit that is coupled to the secure element. Security isolation exists between the secure element and the at least one central processing unit. The at least one central processing unit is configured to communicate with the secure element. The secure element includes a secure processor and a first memory that is coupled to the secure processor. The secure processor can suspend running first secure operating system software and further start second secure operating system software, to implement switching between multiple pieces of secure operating system software. Running data of running secure operating system software is stored in the first memory, and running data of secure operating system software that is not run is stored in a second memory outside the system on chip.

Abstract: An apparatus for controlling running of multiple security software applications, including: a secure element and at least one central processing unit coupled to the secure element, where the secure element includes a processor and a first random access memory; the processor is configured to: run secure operating system software and at least one security software application based on the secure operating system software; when it is required to run a second security software application, suspend running of a first security software application in the at least one security software application, control migrating first temporary data generated during running of the first security software application from the first random access memory to a storage device disposed outside the secure element, and based on the secure operating system software, run the second security software application.

Abstract: The present application provides a secure element comprising a processor and a memory integrated into a semiconductor chip; the memory is configured to provide a storage space for the processor to load and run a secure program, the secure program includes an image of a secure operating system, and the image of the secure operating system includes a system image resident segment and a system image dynamic loading segment. The processor is configured to: divide the system image dynamic loading segment into a plurality of pages, where each of the plurality of pages includes some content of the system image dynamic loading segment; perform security processing on each of the plurality of pages; and migrate each security-processed page to an external storage of the secure element.

Abstract: A system on chip is integrated in a first semiconductor chip, and includes a secure element and at least one central processing unit that is coupled to the secure element. Security isolation exists between the secure element and the at least one central processing unit. The at least one central processing unit is configured to communicate with the secure element. The secure element includes a secure processor and a first memory that is coupled to the secure processor. The secure processor can suspend running first secure operating system software and further start second secure operating system software, to implement switching between multiple pieces of secure operating system software. Running data of running secure operating system software is stored in the first memory, and running data of secure operating system software that is not run is stored in a second memory outside the system on chip.

Abstract: A system on chip SOC and a terminal are disclosed. The SOC includes a bus interface, a secure element SE, and a first element that are integrated in the SOC. The bus interface is configured to be connected to an I/O device. The SE is configured to: in a secure scenario, access the I/O device by using the bus interface, obtain first data input by the I/O device, and perform secure processing on the first data; and in a common scenario, control access of the first element to the I/O device, where the secure scenario indicates a scenario that requires secure input, and the common scenario indicates a scenario that does not require secure input. The first element is configured to: in the common scenario, under control of the SE, obtain second data input by the I/O device.

Abstract: An apparatus for controlling running of multiple security software applications, including: a secure element and at least one central processing unit coupled to the secure element, where the secure element includes a processor and a first random access memory; the processor is configured to: run secure operating system software and at least one security software application based on the secure operating system software; when it is required to run a second security software application, suspend running of a first security software application in the at least one security software application, control migrating first temporary data generated during running of the first security software application from the first random access memory to a storage device disposed outside the secure element, and based on the secure operating system software, run the second security software application.

Abstract: Embodiments of the present application disclose a near field communication method and a mobile terminal. After receiving an AID selection command that is used for initiating an NFC service and that is sent by an NFC controller, the AP parses the AID selection command to obtain a target AID. Then, the AP searches the AID routing table to obtain a first destination address corresponding to the target AID. If an object corresponding to the first destination address is an SE, the AP establishes a first link between the AP and the SE. The AP sends, to the SE, all subsequently received service data that belongs to the same NFC service as the AID selection command, until the AP receives a new AID selection command.

Abstract: The present invention discloses a low-power startup method and a user equipment. The method includes: running, by a user equipment UE, a first subprogram in a boot load program bootloader, so as to determine whether the UE is charged through a universal serial bus interface USB; if the UE is charged through the USB and battery power is lower than a starting threshold, initializing, by the UE, the USB; when the USB successfully enumerates the UE, running, by the UE, a second subprogram in the bootloader to initialize an off-chip random memory in the UE; running, by the UE, a third subprogram in the bootloader to read a system mirror from an off-chip flash memory in the UE and load the system mirror to the off-chip random memory; and running, by the UE, the system mirror to complete a startup.

Abstract: Embodiments of the present invention disclose a network switching method, a version upgrade method, and a terminal device, which relate to the field of communications technologies. A terminal receives a user instruction that instructs the terminal to access a network of a target operator. If an operator of a network currently accessed by the terminal is different from the target operator, a preset file is read to obtain image information corresponding to the target operator. A target image file corresponding to the target operator is obtained according to the image information and version switching is performed according to the target image file. The preset file includes image information that corresponds to all image files of operators stored in the terminal in one-to-one correspondence.

Abstract: A mobile payment apparatus includes a communication unit configured to exchange payment information with a communication peer end using a radio link, a memory configured to store mobile payment software, a SE, including a first storage module and a processor, and at least one CPU configured to execute general operating system software. The processor is configured to load the mobile payment software from the memory to the first storage module and exchange the payment information with the communication unit under action of the mobile payment software. The first storage module is configured to provide memory space for executing the mobile payment software for the processor. The SE and the at least one CPU are located in a first semiconductor chip.