Secure and backward-compatible processor and secure software execution thereon
Country / Type: United States (US) Patent, Registered
International Patent Classification (IPC 7th edition): G06F-021/02, G06F-021/00, G06F-013/20, H04L-009/00
Application number: US-0048515 (2005-01-31)
Registration number: US-7380275 (2008-05-27)
Inventors / Address: Srinivasan, Pramila; Princen, John; Berndt, Frank; Blythe, David; Saperstein, William; Yen, Wei
Applicant / Address: BroadOn Communications Corp.
Agent / Address: Perkins Coie LLP
Citation information: Cited by: 37; Cited patents: 81
Abstract
A secure processor, assuring that application software is executed securely and that only authorized software is executed, has a monitored mode and a secure mode of operation. The former executes application software transparently to that software. The latter verifies that execution of the application software is authorized, performs any extraordinary services required by the application software, and verifies that the processor has obtained rights to execute the content. The secure processor (1) appears hardware-identical to an ordinary processor, with the effect that application software written for ordinary processors can be executed on the secure processor without substantial change, and (2) needs only a minimal degree of additional hardware over and above those portions appearing hardware-identical to an ordinary processor. The secure processor operates without substantial reduction in speed or other resources available to the application software. Functions operating in secure mode might reside in an on-chip non-volatile memory, or might be loaded from external storage with authentication.
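As an added illustration (not the patent's or BroadOn's code; the class, the instruction encoding and the access-rule format are assumptions), the following toy model shows the split the abstract describes: a secure timer configured in secure mode raises an NMI that re-enters secure mode, where the access rules the application could not modify are checked before control returns to the unchanged application code.

```python
"""Toy model of the monitored/secure mode split, the secure timer NMI and
access-rule monitoring. Constructed illustration; not the patent's or
BroadOn's implementation. All names are assumptions."""
from dataclasses import dataclass, field

SECURE, MONITORED = "secure", "monitored"


class SecurityViolation(Exception):
    """Raised when monitored-mode code touches a secure function or breaks a rule."""


@dataclass
class SecureProcessor:
    # Reset enters secure mode; the secure kernel configures everything before
    # handing the CPU to application software in monitored mode.
    mode: str = SECURE
    entry_reason: str = "reset"
    timer_interval: int = 0            # instructions between timer NMIs
    timer_remaining: int = 0
    access_rules: dict = field(default_factory=dict)   # device -> accesses allowed per interval
    access_counts: dict = field(default_factory=dict)  # device -> accesses seen this interval
    secure_entries: list = field(default_factory=list)

    def _require_secure(self, what: str) -> None:
        # Secure functions are refused while the security signal says "monitored".
        if self.mode != SECURE:
            raise SecurityViolation(f"{what} refused in monitored mode")

    def configure_timer(self, interval: int) -> None:
        self._require_secure("timer configuration")
        self.timer_interval = self.timer_remaining = interval

    def set_access_rule(self, device: str, limit: int) -> None:
        # Access rights are set up in secure mode and unmodifiable in monitored mode.
        self._require_secure("access rule update")
        self.access_rules[device] = limit

    def exit_secure(self) -> None:
        self._require_secure("exit from secure mode")
        self.mode = MONITORED

    def enter_secure(self, reason: str) -> None:
        # Secure mode records by which technique it was entered.
        self.mode = SECURE
        self.entry_reason = reason
        self.secure_entries.append(reason)

    def timer_nmi_handler(self) -> None:
        """Secure-mode check of what the application did during the last interval.
        On a violation the processor stays in secure mode (the raise skips exit)."""
        for device, count in self.access_counts.items():
            limit = self.access_rules.get(device)
            if limit is None or count > limit:
                raise SecurityViolation(f"{device}: {count} accesses, allowed {limit}")
        self.access_counts.clear()
        self.timer_remaining = self.timer_interval

    def run_application(self, program: list) -> int:
        """Execute monitored-mode instructions; returns the number of timer NMIs taken.

        Items are "nop" or ("access", device). The application runs unchanged and
        sees the secure mode only as a lost time slice."""
        if self.mode != MONITORED:
            raise SecurityViolation("application code only runs in monitored mode")
        nmis = 0
        for instr in program:
            if isinstance(instr, tuple) and instr[0] == "access":
                self.access_counts[instr[1]] = self.access_counts.get(instr[1], 0) + 1
            self.timer_remaining -= 1
            if self.timer_remaining == 0:
                self.enter_secure("timer")
                self.timer_nmi_handler()   # raises on a rule violation
                self.exit_secure()
                nmis += 1
        return nmis


def boot(interval: int = 4, disk_limit: int = 2) -> SecureProcessor:
    """Constructed secure-kernel setup: configure timer and rules, then leave secure mode."""
    cpu = SecureProcessor()
    cpu.configure_timer(interval)
    cpu.set_access_rule("disk", disk_limit)
    cpu.exit_secure()
    return cpu


if __name__ == "__main__":
    cpu = boot()
    print("timer NMIs taken:", cpu.run_application(["nop", ("access", "disk")] * 4))
```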
Claims
What is claimed is:
1. A method comprising: distinguishing operations on a single processor between a monitored mode and a secure mode; generating a timer interrupt signal using parameters set by a secure mode switch circuit; entering secure mode in response to the timer interrupt signal; when the processor is operating in the secure mode: executing on the processor, software loaded using a bootstrap loader that cryptographically authenticates the software; and exiting the secure mode; when the processor is operating in the monitored mode: performing application software on the processor, without substantial change in original code for that application software, wherein the application software sees a processor environment that is not substantially different from an ordinary processor.
2. The method of claim 1, further comprising, when the processor is operating in the secure mode, verifying authorization to perform the application software.
3. The method of claim 1, further comprising, when the processor is operating in the secure mode, checking a cryptographic signature from a trusted source; and verifying that said application software is preserved in integrity and authenticity using the cryptographic signature.
4. The method of claim 1, further comprising performing instructions for the processor substantially identical to those performable by a semiconductor die for an ordinary processor otherwise not responsive to said secure mode.
5. The method of claim 1, further comprising, when the processor is operating in the secure mode, performing security services requested by, and authorized for, the application software.
6. The method of claim 1, further comprising: when the processor is operating in the monitored mode, entering the secure mode in response to a technique selected from the group consisting of: an interrupt, a reset signal, a power on signal, and a timer signal; and when the processor is operating in the secure mode, determining by which technique the secure mode was entered.
7. The method of claim 1, further comprising: when the processor is operating in the monitored mode: generating an interrupt in response to a request for services associated with the application software; and entering the secure mode; when the processor is operating in the secure mode: delivering the services in response to the application software on the processor; and exiting the secure mode.
8. The method of claim 1, further comprising, in response to power-on, when the processor is operating in the secure mode: loading additional code from one or more trusted sources; verifying authenticity of the trusted sources; and verifying content integrity of the additional code.
9. The method of claim 1, wherein said application software includes at least one instruction for execution in the secure mode, further comprising: performing said at least one instruction on behalf of a set of secure kernel code; and authenticating additional secure kernel code.
10. The method of claim 1, further comprising: performing a set of secure software; determining whether additional secure software is authentic; executing the additional secure software if the secure software is authentic; determining authorization to perform the additional secure software; and performing the additional secure software if authorization exists.
11. The method of claim 10, further comprising: loading the additional secure software; and validating the additional secure software using a cryptographic technique, wherein said validating establishes integrity or origin from a trusted source.
12. The method of claim 10, further comprising: loading additional application software; and determining authorization to perform the additional application software.
13. A method comprising: when a security signal indicates that a processor is operating in a monitored mode: refusing access to a secure function in response to the security signal; generating a non-maskable interrupt (NMI) signal based on a programmable timer-based interrupt; entering secure mode in response to the NMI signal; when the security signal indicates that the processor is operating in the secure mode: accessing the secure function in response to the security signal; accessing at least one secure circuit, wherein said secure function includes instructions for launching software content from an external source, measuring trustworthiness of the external source, and facilitating verification of the software content using said processor.
14. The method of claim 13, further comprising performing a set of application code in a manner that is substantially identical to performing the set of application code on a substantially identical non-secure processing unit that is not responsive to said security signal.
15. The method of claim 13, further comprising, when the security signal indicates that the processor is operating in the monitored mode, performing a set of application code.
16. The method of claim 13, further comprising: receiving external instructions from the external source; and verifying the external instructions as authentic, or originating from a trusted source.
17. The method of claim 13, further comprising: monitoring access to an external device; and performing at least one secure function in response to an attempt to access the external device in violation of the security signal and a set of access rules.
18. The method of claim 17, wherein said monitoring access to an external device is responsive to at least one of: a number of accesses requested; a number of instructions performed; a parameter set when the processor is operating in the secure mode; and an interval of operation.
19. The method of claim 17, further comprising maintaining a set of secure information for read-only access.
20. The method of claim 19, further comprising reading the set of secure information from a non-volatile memory.
21. The method of claim 19, further comprising: reading the set of secure information from a non-volatile memory; and disabling writing to the non-volatile memory after packaging.
22. The method of claim 13, further comprising: receiving external data from the external source; constructing data responsive to the external data; comparing the data responsive to the external data with at least some of said secure information.
23. The method of claim 22, further comprising: determining a computed cryptographic value as a function of the external data; and using a public key cryptographic method to verify the computed cryptographic value using a recorded signature value from a trust verifiable source.
24. The method of claim 13, further comprising: requesting additional secure code from the external source; sending data responsive to the secure information to the external source, wherein the external source is capable of verifying authorization to perform the additional secure code; and receiving the additional secure code from the external source, wherein the additional secure code includes information that can be used by a secure device to determine that it has permission to execute or use some software.
25. The method of claim 13, further comprising: requesting application software from the external source; sending data responsive to the secure information to the external source, wherein the external source is capable of verifying authorization to perform the application software; and receiving the application software from the external source, wherein the application software includes information that can be used by a secure device to determine that it has permission to execute or use some software.
26. A method of reading secure information from non-volatile memory associated with a single secure processor capable of operating in a secure mode and a non-secure mode, comprising: entering secure mode in response to a reset signal; disabling writing to non-volatile memory when a processor with which the non-volatile memory is associated is packaged; maintaining secure information within the non-volatile memory; switching to non-secure mode; generating a non-maskable interrupt (NMI) signal in response to a timeout from a secure timer; switching to secure mode in response to the NMI signal.
27. The method of claim 26, wherein said disabling includes making substantially inaccessible a non-bonded pin.
28. The method of claim 27, wherein the secure information is unique to the processor.
29. The method of claim 27, wherein the secure information is secret.
30. A single-processor processor chip apparatus comprising: a secure switch for switching between a monitored mode and a secure mode on a single processor; a secure timer circuit capable of generating a timer interrupt in response to programmable parameters; memory, coupled to the secure switch, including: security information; a bootstrap loader, wherein, using the security information, the bootstrap loader cryptographically authenticates software loaded in response to execution of the bootstrap loader; the processor coupled to the secure switch, the secure timer circuit, and the memory, wherein, in operation: the processor executes the bootstrap loader, when the processor is operating in the secure mode, the processor executes the software loaded in response to execution of the bootstrap loader and exits the secure mode, when the processor is operating in the monitored mode, the processor performs application software transparently to the application software, and the processor enters secure mode in response to receipt of the timer interrupt.
31. The apparatus of claim 30, wherein, when the processor is operating in the secure mode, the processor verifies authorization to perform the application software.
32. The apparatus of claim 30, wherein, when the processor is operating in the secure mode, the processor checks a cryptographic signature from a trusted source; and verifies that said application software is preserved in integrity and authenticity using the cryptographic signature.
33. The apparatus of claim 30, wherein, when the processor is operating in the secure mode, the processor performs security services requested by, and authorized for, the application software.
34. The apparatus of claim 30, wherein, when the processor is operating in the monitored mode, the secure switch switches to the secure mode in response to a technique selected from the group consisting of: an interrupt, a reset signal, a power on signal, and a timer signal; and when the processor is operating in the secure mode, the processor determines by which technique the secure mode was entered.
35. The apparatus of claim 30, wherein: when the processor is operating in the monitored mode: the processor responds to an interrupt generated when a request for services associated with the application software is recorded; and the secure switch switches to the secure mode; when the processor is operating in the secure mode: the processor delivers the services in response to the application software; and the secure switch switches to the monitored mode.
36. The apparatus of claim 30, wherein, in response to a power-on state, when the processor is operating in the secure mode: the processor loads additional code from one or more trusted sources; the processor verifies authenticity of the trusted sources; and the processor verifies content integrity of the additional code.
37. The apparatus of claim 30, wherein said application software includes at least one instruction for execution in the secure mode, wherein: the processor performs said at least one instruction on behalf of a set of secure kernel code; and the processor authenticates additional secure kernel code.
38. The apparatus of claim 30, wherein the processor: performs a set of secure software; determines whether additional secure software is authentic; executes the additional secure software if the secure software is authentic; determines authorization to perform the additional secure software; and performs the additional secure software if authorization exists.
39. The apparatus of claim 38, wherein the processor: loads the additional secure software; and validates the additional secure software using a cryptographic technique, wherein said validating establishes integrity or origin from a trusted source.
40. The apparatus of claim 38, wherein the processor: loads additional application software; and determines authorization to perform the additional application software.
41. The apparatus of claim 38, wherein access rights to internal resources are issued from a trust verifiable authority, wherein when the processor is operating in the secure mode, the processor validates trust and verifies access rights as authentic using a public key cryptographic verification technique, and wherein the processor sets up access rights in secure mode and the access rights are unmodifiable in the monitored mode.
42. The apparatus of claim 41, wherein the processor applies the access rights to resources, wherein the resources may be designated as "enabled", "disabled", or "restricted".
43. The apparatus of claim 42, wherein the resources include software resources and hardware resources.
44. The apparatus of claim 42, wherein the designation is application-specific.
45. The apparatus of claim 42, wherein the designation is user-specific.
46. The apparatus of claim 42, wherein the designation is device-specific.
47. The apparatus of claim 42, wherein the designation is associated with one or more of the group consisting of bandwidth, time-of-use, dates, memory use, a limitation on internal resources, conditional on internal secure data, access rights from a server, rights dependent on secure state, and consumption data.
48. The apparatus of claim 30, wherein said security information includes information maintained in a non-volatile memory, said non-volatile memory having a circuit capable of enabling writing of said non-volatile memory, said circuit being disabled when said secure processor is packaged.
49. The apparatus of claim 30, wherein said security information includes information maintained in a non-volatile memory, said non-volatile memory having a circuit capable of enabling writing of said non-volatile memory, said circuit including a pin which is substantially inaccessible when said secure processor is packaged.
50. The apparatus of claim 30, wherein said security information includes an identity value substantially unique to the apparatus, or a set of private key information substantially unique to the processor; wherein a selected set of content or software is assured to be executed when authorization to consume said content or execute said software exists.
51. The apparatus of claim 30, including means for combining said key information and a substantially unique identity value, with the effect of implementing a digital rights management scheme for enforcing intellectual property rights.
52. The apparatus of claim 30, wherein at least a portion of said secure information is digitally signed using either a public key/secret private key system or a symmetric encryption/decryption key.
53. The apparatus of claim 30, wherein at least a portion of said secure information is encrypted using either a public key/secret private key system or a symmetric encryption/decryption key.
54. The apparatus of claim 30, wherein, in operation, the processor verifies authenticity of a purchase receipt or license or other digital rights management data, wherein the purchase receipt or license or other digital rights management data facilitates verification of a selected set of content or software as authentic and authorized.
55. The apparatus of claim 54, wherein, in an operational configuration, the processor is permitted to consume the content or execute the software in response to an attempt to verify authenticity of a purchase receipt or license or other digital rights management data.
56. The apparatus of claim 54, wherein said receipt includes information sufficient to substantially identify the processor and information sufficient to substantially identify an identity value substantially unique to said content or software.
57. The apparatus of claim 54, wherein, in an operational configuration, the processor is permitted to consume the content or execute the software in response to verifying said digital signature.
58. The apparatus of claim 54, wherein, in an operational configuration, the processor is permitted to consume the content or execute the software in response to an attempt to decrypt a portion of the secure information.
59. A method comprising: including a security code verification module in a bootstrap loader; implementing the bootstrap loader in firmware; initializing non-volatile memory with a first security code verification value associated with the security code module, wherein security code includes instructions to enable access rights to hardware and software resources when in a secure mode, wherein the access rights to resources are issued from a trust verifiable source, and wherein access rights data is verifiable as authentic from a source using a public key cryptographic verification method, using a single microprocessor; providing security logic wherein, in operation, the security logic generates a non-maskable interrupt (NMI) signal in response to a timeout from the secure timer, and wherein the single microprocessor enters secure mode in response to the NMI signal.
60. The method of claim 59, further comprising configuring the first security code verification value.
61. The method of claim 59, further comprising: locating security code using the security code verification module; computing a second security code verification value associated with the security code; and executing the security code if the first security code verification value verifies correctly with respect to the second security code verification value.
62. The method of claim 59, further comprising: loading security code associated with the security code verification module into volatile memory; computing a second security code verification value associated with the security code; and executing the security code if the first security code verification value verifies correctly with respect to the second security code verification value.
63. The method of claim 59, further comprising: loading a first module of security code associated with the security code verification module into volatile memory; computing a second security code verification value associated with the security code; and executing the first module of the security code if the first security code verification value verifies correctly with respect to the second security code verification value.
64. The method of claim 63, wherein said first module of security code has been loaded into volatile memory, further comprising: authenticating a second module of the security code using data in the first module of the security code; and loading the second module of the security code into volatile memory when authenticated.
65. The method of claim 59, further comprising implementing a non-maskable interrupt that is triggered at specified times.
66. The method of claim 65, further comprising executing security code associated with the security code verification module when the non-maskable interrupt is triggered.
67. The method of claim 65, wherein said specified times include on reset.
68. The method of claim 65, further comprising using a timer to trigger the non-maskable interrupt at intervals defined by security code associated with the security code verification module, wherein triggering at intervals facilitates monitoring running applications.
69. The method of claim 65, further comprising switching to a secure mode, different in security level from a backward-compatible monitored mode.
70. The method of claim 65, further comprising embedding chip identities and keys to facilitate a procedure selected from the group consisting of: tracking the chip, implementation of licensing schemes, and authenticated software loading.
71. The method of claim 59, further comprising using the NV memory to maintain secure versioning or sequencing of state.
72. The method of claim 71, wherein said using the NV memory to maintain secure versioning or sequencing of state further comprises maintaining a version or sequence number in the NV memory, wherein access to the version or sequence number is allowed in a security mode and restricted in an application mode.
73. The method of claim 71, further comprising refusing to update a version or sequence number maintained in the NV memory to a previous state.
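As an added illustration of claims 59 through 64 and 71 through 73 (not the patent's or BroadOn's code; the module layout, the use of SHA-256 as the verification value, the HMAC key carried in the first module and all names are assumptions), the following toy bootstrap loader compares a computed verification value against the one initialized in NV memory, authenticates the second module with data from the first, and refuses to move the NV version number backwards.

```python
"""Toy model of the bootstrap-loader verification chain and the NV-memory
version check. Constructed illustration, not the patent's or BroadOn's code;
module format, hash choice and names are assumptions."""
import hashlib
import hmac
import struct

KEY_LEN = 32


class BootError(Exception):
    """Secure boot stops here; nothing from the failed module is executed."""


class NVMemory:
    """Security information initialized before packaging, then write-disabled
    except for the version field, which only secure mode may advance."""

    def __init__(self, first_verification_value: bytes, version: int) -> None:
        self.first_verification_value = first_verification_value  # SHA-256 of module 1
        self.version = version
        self.write_enabled = True   # stands in for the write-enable pin

    def package(self) -> None:
        # Packaging makes the write-enable pin inaccessible.
        self.write_enabled = False

    def advance_version(self, new_version: int, secure_mode: bool) -> None:
        if not secure_mode:
            raise PermissionError("version field is accessible only in secure mode")
        if new_version < self.version:
            raise BootError(f"rollback to version {new_version} refused (have {self.version})")
        self.version = new_version


def pack_module(version: int, next_module_key: bytes, code: bytes) -> bytes:
    """Constructed module layout: 4-byte version, key used to authenticate the
    next module, then the code itself."""
    assert len(next_module_key) == KEY_LEN
    return struct.pack(">I", version) + next_module_key + code


def parse_module(blob: bytes):
    (version,) = struct.unpack(">I", blob[:4])
    return version, blob[4:4 + KEY_LEN], blob[4 + KEY_LEN:]


def bootstrap(nv: NVMemory, module1: bytes, module2: bytes, tag2: bytes) -> list:
    """Bootstrap loader in firmware, running in secure mode right after reset.
    Returns the code blobs that passed verification, in execution order."""
    secure_mode = True
    loaded = []
    # First module: the computed (second) verification value must match the
    # first verification value recorded in NV memory.
    if not hmac.compare_digest(hashlib.sha256(module1).digest(), nv.first_verification_value):
        raise BootError("first security code module failed verification")
    version1, key_for_2, code1 = parse_module(module1)
    nv.advance_version(version1, secure_mode)   # refuses an older module
    loaded.append(code1)
    # Second module: authenticated with data carried in the first module.
    expected = hmac.new(key_for_2, module2, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag2):
        raise BootError("second security code module failed authentication")
    version2, _, code2 = parse_module(module2)
    nv.advance_version(version2, secure_mode)
    loaded.append(code2)
    return loaded


def provision() -> tuple:
    """Constructed factory flow: build the modules, record the first verification
    value in NV memory, then package the chip (write-disable)."""
    key_for_2 = hashlib.sha256(b"constructed key material").digest()
    module1 = pack_module(7, key_for_2, b"secure kernel stage 1")
    module2 = pack_module(7, bytes(KEY_LEN), b"secure kernel stage 2")
    tag2 = hmac.new(key_for_2, module2, hashlib.sha256).digest()
    nv = NVMemory(hashlib.sha256(module1).digest(), version=7)
    nv.package()
    return nv, module1, module2, tag2


if __name__ == "__main__":
    nv, m1, m2, t2 = provision()
    print([code.decode() for code in bootstrap(nv, m1, m2, t2)])
```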
Patents cited by this patent (81)
Hogan, Kenneth; Polucha, Micheal; Pham, Trieu; Vollum, Steve; Johnston, Jessee, Airborne e-mail data transfer protocol.
Peterson, Leonard J.; Freedman, Steven J.; Partovi, Hadi; Endres, Raymond E.; D'Souza, David J.; Ellerman, Erik Castedo; Jiggins, Julian P., Client-side system for scheduling delivery of web content and locally managing the web content.
Karolak Dale W. (Ft. Wayne IN) Shirey Carl L. (Ft. Wayne IN) Steiner Wesley D. (Ft. Wayne IN) Rue Robert T. (Ft. Wayne IN), Communications management system architecture.
Acharya, Swarup; Korth, Henry F.; Poosala, Viswanath, Computer implemented method and apparatus for fulfilling a request for information content with a user-selectable version of a file containing that information content.
Hatakeyama, Takahisa; Yoshioka, Makoto; Miyazawa, Yuji, Content usage control system, content usage apparatus, computer readable recording medium with program recorded for computer to execute usage method.
Ikuta Masanao,JPX ; Kambe Tomoaki,JPX ; Takida Satoshi,JPX, Data caching apparatus, data caching method and medium recorded with data caching program in client/server distributed system.
Blatter Harold ; Horlander Thomas Edward ; Bridgewater Kevin Elliott ; Deiss Michael Scott, Decoding system and data format for processing and storing encrypted broadcast, cable or satellite video data.
Downs Edgar ; Gruse George Gregory ; Hurtado Marco M. ; Lehman Christopher T. ; Milsted Kenneth Louis ; Lotspiech Jeffrey B., Electronic content delivery system.
Shaw David E. ; Ardai Charles E. ; Marsh Brian D. ; Moraes Mark A. ; Rudolph Dana B. ; Mc Auliffe Jon D., Electronic mail system for displaying advertisement at local computer received from remote system while the local compu.
Traversat Bernard A. ; Saulpaugh Tom ; Schmidt Jeffrey A. ; Slaughter Gregory L. ; Tracey William J. ; Woodward Steve, Generic schema for storing configuration information on a server computer.
Christopher H. Stewart ; Svilen B. Pronev ; Darrell J. Starnes, Method and apparatus for efficient storage and retrieval of objects in and from an object storage device.
Lambert Mark L. ; van der Rijn Daniel J. G. ; Kemper David J. ; Verkler Jay L., Method and apparatus for storing and delivering documents on the internet.
Sanjay Agraharam ; Robert Edward Markowitz ; Kenneth H. Rosen ; David Hilton Shur ; Joel A. Winthrop, Method and apparatus to enhance a multicast information stream in a communication network.
Arnold Thomas Andrew ; Pettitt John Philip ; Rendleman ; Jr. Jesse Noel ; Lewis ; Jr. Robert Lincoln, Method and system for delivering digital products electronically.
Fields, Duane Kimbell; Gregg, Thomas Preston; Hassinger, Sebastian Daniel; Hurley, II, William Walter; Kolb, Mark Andrew; Vu, Stacy Braden, Method and system for distributing image-based content on the internet.
Uesaka Yasushi,JPX ; Yamauchi Kazuhiko,JPX ; Kozuka Masayuki,JPX ; Higaki Nobuo,JPX ; Horiuchi Koichi,JPX ; Haruna Syusuke,JPX, Microprocessor suitable for reproducing AV data while protecting the AV data from illegal copy and image information processing system using the microprocessor.
Webber Neil F. (Hudson MA) Israel Robert K. (Westford MA) Kenley Gregory (Northborough MA) Taylor Tracy M. (Upton MA) Foster Antony W. (Framingham MA), Network file migration system.
Lin Mengjou, Process scheduling for streaming data through scheduling of disk jobs and network jobs and the relationship of the scheduling between these types of jobs.
Theriault Roger ; Lockhart Thomas Wayne,CAX ; Battin Robert D., Proxy host computer and method for accessing and retrieving information between a browser and a proxy.
Tso Michael Man-Hak ; Jing Jin ; Knauerhase Robert Conrad ; Romrell David Alfred ; Gillespie Daniel Joshua ; Bakshi Bikram Singh ; Sathyanarayan Seshardi, Scaling proxy server sending to the client a graphical user interface for establishing object encoding preferences after receiving the client's request for the object.
Vaitzblit Lev (Concord MA) Ramakrishnan Kadangode K. (Maynard MA) Tzelnic Percy (Concord MA), Scheduling and admission control policy for a continuous media server.
Doherty, Robert J.; Tierney, Peter L.; Arnaoutoglou-Andreou, Marios, System and embedded license control mechanism for the creation and distribution of digital content files and enforcement of licensed use of the digital content files.
Duane Kimbell Fields ; Thomas Preston Gregg ; Sebastian Daniel Hassinger ; William Walter Hurley, System and method for cooperative client/server customization of web pages.
Pasquali Sandro, System and method for providing a dynamic advertising content window within a window based content manifestation environment provided in a browser.
Ford, Daniel A.; Kraft, Reiner; Tewari, Gaurav, System and technique for dynamic information gathering and targeted advertising in a web based model using a live information selection and analysis tool.
Stefik Mark J. (Woodside CA) Bobrow Daniel G. (Palo Alto CA) Pirolli Peter L. T. (El Cerrito CA), System for controlling the distribution and use of composite digital works.
Ginter Karl L. ; Shear Victor H. ; Sibert W. Olin ; Spahn Francis J. ; Van Wie David M., Systems and methods for secure transaction management and electronic rights protection.
Nakamura Hiroki,JPX ; Kusumi Yuki,JPX ; Oashi Masahiro,JPX ; Shimoji Tatsuya,JPX, Video on demand system with a transmission schedule table in the video server including entries for client identifiers,.
Belknap William R. (San Jose CA) Henley Martha R. (Morgan Hill CA) Falcon ; Jr. Lorenzo (San Jose CA) Frayne Thomas E. (San Jose CA) Luo Mei-Lan (San Jose CA) Saxena Ashok R. (San Jose CA), Video optimized media streamer with cache management.
O'Brien, Terence W.; Schmalbach, Richard; Blessing, John; Murray, Jeffrey, Computer architecture for an electronic device providing SLS access to MLS file system with trusted loading and protection of program execution memory.
Yen, Wei; Princen, John; Lo, Raymond; Srinivasan, Pramila, Delivery of license information using a short messaging system protocol in a closed content distribution system.
Holtzman, Michael; Jogand-Coulomb, Fabrice, Method and apparatus for upgrading a memory card that has security mechanisms for preventing copying of secure content and applications.
Nicolson, Kenneth Alexander; Matsushima, Hideki; Takayama, Hisashi; Ito, Takayuki; Haga, Tomoyuki; Maeda, Manabu, Secure boot method for executing a software component including updating a current integrity measurement based on whether the software component is enabled.