The invention relates to a method for operating a microprocessor unit, particularly in a mobile terminal, and also to an appropriate microprocessor unit and an appropriate mobile terminal.
The prior art discloses the implementation of what is known as a protected runtime environment in a microprocessor unit in order to execute security-critical applications in an isolated environment. In this case, a microprocessor unit is intended to be understood to mean all of the hardware used for executing the applications, particularly the actual microprocessor and appropriate memories that are used for storing data.
Conventional protected runtime environments usually use an operating system with low memory requirements, such as the MobiCore® operating system known from the prior art, which is used in combination with a protected runtime environment in the form of what is known as the ARM TrustZone®. In this case, the operating system used in the protected runtime environment is loaded into an internal RAM store within the protected runtime environment. Since the internal RAM store is of limited size, the operating system used in the protected runtime environment must be a small size, which means that the scope of functions provided by the microprocessor unit is small when the protected runtime environment is executed. This is not a problem so long as only security-critical tasks are transmitted to the protected runtime environment. In particular instances of application, however, it may be necessary for a protected runtime environment with a relatively large scope of functions, too, to be provided by the microprocessor unit. If the microprocessor unit is used in a cell phone, for example, protection against eavesdropping attacks preferably requires the provision of a protected runtime environment that can be used for the voice call functionality of the cell phone. This cannot be achieved by current operating systems that are used in protected runtime environments.
It is therefore an object of the invention to operate a microprocessor unit such that a protected runtime environment with a larger scope of functions than in the prior art is provided.
This object is achieved by the method according to patent claim 1 and the microprocessor unit according to patent claim 8 and the mobile terminal according to patent claim 10. Developments of the invention are defined in the dependent claims.
The method according to the invention is used for operating a microprocessor unit that comprises a microprocessor, on which a normal runtime environment having a first operating system and a protected runtime environment having a second, protected operating system are implemented. In this case, the microprocessor unit also contains a RAM store outside the protected runtime environment, into which RAM store the first operating system is loaded when the normal runtime environment is executed. The first operating system is particularly an inherently known operating system for a microprocessor unit, e.g. a cell phone operating system if the microprocessor unit is used for a cell phone. Examples of such cell phone operating systems are Android or Symbian, which are used for smartphones and provide a large scope of functions.
The method according to the invention is distinguished in that the second operating system is a protected version of the first operating system that, in the course of the execution of the protected runtime environment, is loaded into a section of the RAM store that is provided for the protected runtime environment. In this case, the protected version of the first operating system is particularly what is known as a hardened operating system. The term “hardening” is sufficiently well known from computer engineering and denotes increasing the security of a system, such as a program or an operating system, by using only particular software that is necessary for operating the system and for which there is the assurance that it runs correctly while taking account of security aspects.
According to the invention, therefore not only the original first operating system but also a second operating system, which meets higher security requirements, is used. Usually, the scope of functions over the protected or hardened operating system is reduced in comparison with the original operating system in this case, but is distinctly greater than that of a conventional operating system (such as MobiCore®) provided for a protected runtime environment, which means that more memory is also required. The invention takes account of this by virtue of the second protected operating system being loaded into a RAM store outside the protected runtime environment, since this memory may be of substantially larger design than an internal RAM store within the protected runtime environment.
In one particularly preferred embodiment of the method according to the invention, the second operating system is loaded into a RAM store in the form of an OnSoC RAM (SOC=System on a Chip). In this case, an OnSoC RAM is monolithically integrated in a chip together with the other constituent parts of the microprocessor unit. In one preferred embodiment, the OnSoC RAM is coupled to the microprocessor of the microprocessor unit by means of the inherently known AMBA bus (AMBA=Advanced Microcontroller Bus Architecture).
In a further, particularly preferred embodiment of the method according to the invention, the microprocessor unit is controlled by means of a switch that a user can use to change between the execution of the normal and protected runtime environments. In this way, the user can stipulate the mode in which he can operate the microprocessor unit. If the user uses the microprocessor unit in a security-critical environment, for example, he can switch from the first, unprotected operating system to the second, protected operating system. In this case, the second operating system provides a larger scope of functions than a conventional protected runtime environment, in which the operating system is loaded into an internal RAM store of the protected runtime environment.
In a further preferred embodiment, an indicator unit is used to indicate to a user when the protected runtime environment is being executed, as a result of which the user is always informed about the mode in which he is currently operating the microprocessor unit.
In a further, particularly preferred embodiment of the method according to the invention, the microprocessor unit is provided for a cell phone and contains a baseband processor for processing communication functionalities. In order to ensure that particular communication functionalities are provided even when the protected runtime environment is being executed, a portion of the communication functionalities of the baseband processor is implemented in the second operating system in this embodiment. Preferably, the voice call function or the SMS function or both functions is/are implemented as communication functionalities of the baseband processor in this case, as a result of which the user can use at least basic functionalities of the cell phone.
In a further, particularly preferred embodiment of the method according to the invention, the protected runtime environment is implemented on the basis of inherently known hardware in the form of what is known as an ARM TrustZone®. In contrast to conventional methods, a protected or hardened operating system that is derived from an operating system provided for the normal runtime environment is now used in the TrustZone instead of the MobiCore® operating system that is usually used.
Besides the method described above, the invention also relates to a microprocessor unit, particularly for a mobile terminal, comprising a microprocessor, on which a normal runtime environment having a first operating system and a protected runtime environment having a second operating system are implemented, and also a RAM store outside the protected runtime environment, into which RAM store the first operating system is loaded when the normal runtime environment is executed. The microprocessor unit is distinguished in that the second operating system is a protected or hardened version of the first operating system and a section of the RAM store is provided for the second operating system, into which section the second operating system is loaded in the course of the execution of the protected runtime environment.
Preferably, the microprocessor unit is designed such that one or more of the preferred variants of the method according to the invention that are described above can be implemented on the microprocessor unit.
Furthermore, the invention relates to a mobile terminal, particularly a cell phone, which comprises the microprocessor unit according to the invention or one or more preferred variants of the microprocessor unit according to the invention.
Exemplary embodiments of the invention are described below in detail with reference to the appended figures, in which:
The method according to the invention is described below on the basis of a microprocessor unit that is provided for a cell phone, the method also being able to be used for microprocessor units in other mobile appliances, however. In this case, the microprocessor unit is implemented in the form of what is known as SoC or signal-chip system (SoC=System on a Chip), i.e. essentially all the components of the microprocessor unit are integrated on a single IC chip.
Besides the protected runtime environment TZ, the microprocessor MP also contains a normal runtime environment, which is denoted by NZ in
During the execution of the normal runtime environment, the RAM store R is used in the microprocessor unit in
Besides the microprocessor MP, the microprocessor unit in
In order to operate the microprocessor in
On account of the small scope of functions of MobiCore®, only security-critical tasks can be delegated to the protected runtime environment. Hence, no further functionalities of the microprocessor unit can be used during the execution of the protected runtime environment. This is disadvantageous because in particular scenarios it is desirable for more functions of the conventional operating system, such as the voice call functionality, also to be controlled in the course of the execution of the protected runtime environment. In particular, operation on the basis of a protected runtime environment should be possible in the case of attack scenarios in the public sector environment, such as in the case of eavesdropping on telephones. MobiCore® cannot ensure protection for such attack scenarios, since the voice call functionality is not provided when the MobiCore® operating system is executed.
According to the embodiment in
Depending on the instance of application, the microprocessor unit shown in
The embodiment the invention described in the above has a series of advantages. In particular, a user of the microprocessor unit or of the relevant cell phone is then able to select or change between two modes of operation of the cell phone in an appliance. Firstly, he can use the cell phone in the unprotected mode on the basis of the operating system B1, in which case he has the opportunity to use the advantages of established richOS operating systems, such as downloading applications, using GPS for navigation and the like. If, by contrast, protected operation of the cell phone is necessary, the user can change to the secure mode, in which the cell phone is operated with the hardened operating system B2. In this case, the user no longer has all the functionalities of the cell phone available, but the cell phone is protected against attacks from third parties. Unlike when the MobiCore® operating system shown in
Number | Date | Country | Kind |
---|---|---|---|
102011-012226.5 | Feb 2011 | DE | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP12/00765 | 2/22/2012 | WO | 00 | 9/17/2013 |