Title of invention: Device, system, and method for processor-based data protection
Abstract: A device, system, and method for providing processor-based data protection on a mobile computing device includes accessing data stored in memory with a central processing unit of the mobile computing device and determining that the accessed data is encrypted data based on data included in one or more control registers of the central processing unit. If the data is determined to be encrypted data, the central processing unit is to decrypt the encrypted data using a cryptographic key stored in the central processing unit. The encrypted data may also be stored on a drive of the mobile computing device. The encryption state of the data stored on the drive is maintained in a drive encryption table, which is used to update memory page tables and the one or more control registers.
Publication number: US9569633(B2) Publication date: 2017.02.14
Application number: US201213538142 Filing date: 2012.06.29
Applicant: Intel Corporation Inventors: Prakash Gyan;Fung Jason M.;Rhodes Cris;Aissi Selim
Classification: G06F21/72;G06F21/78;G06F21/62 Main classification: G06F21/72
Agency: Barnes & Thornburg LLP Agent: Barnes & Thornburg LLP
Main claim: 1. A mobile computing device for processor-based data protection, the mobile computing device comprising: a memory device including data stored therein in an encrypted state, wherein the data is associated with an encryption property flag that is set; and a central processing unit including a cryptographic symmetric key stored therein and at least one control register, wherein the memory device is separate from the central processing unit, the central processing unit to: (i) receive a secure command from a security server; (ii) decrypt the secure command; (iii) determine whether the secure command is a command to enable decryption by the central processing unit, (iv) enable, in response to a determination that the secure command is a command to enable decryption, decryption by the central processing unit using the cryptographic symmetric key stored therein, (v) access the data stored in the memory device, (vi) determine that the data accessed in the memory device is encrypted based on a state of a control bit of the at least one control register of the central processing unit, (vii) decrypt the data accessed in the memory device using the cryptographic symmetric key in response to determining that the data accessed in the memory device is encrypted, and (viii) store the decrypted data in the memory device with the associated encryption property flag set.
Address: Santa Clara CA US