On-die cryptographic apparatus in a secure microprocessor
IPC classification information
Country / Type
United States (US) Patent
Registered
International Patent Classification (IPC 7th edition)
H04L-009/06
G06F-021/72
G06F-021/75
G06F-021/71
G06F-021/82
G06F-021/55
G06F-021/12
G06F-021/73
G06F-021/74
G06F-012/14
G06F-021/14
G06F-021/70
Application number
US-0263177 (2008-10-31)
Registration number
US-9002014 (2015-04-07)
Inventors / Address
Henry, G. Glenn
Parks, Terry
Applicant / Address
Via Technologies, Inc.
Agent / Address
Huffman, Richard K.
Citation information
Times cited: 0
Cited patents: 69
Abstract
An apparatus providing for a secure execution environment, including a secure non-volatile memory and a microprocessor. The secure non-volatile memory stores a secure application program. The secure application program is encrypted according to a cryptographic algorithm. The microprocessor is coupled to the secure non-volatile memory via a private bus and to a system memory via a system bus. The microprocessor executes non-secure application programs and the secure application program. The non-secure application programs are accessed from the system memory via the system bus. Transactions over the private bus are isolated from the system bus and corresponding system bus resources within the microprocessor. The microprocessor has a cryptographic unit, disposed within execution logic. The cryptographic unit is configured to encrypt the secure application program for storage in the secure non-volatile memory, and is configured to decrypt the secure application program for execution by the microprocessor.
Representative claims
1. An apparatus providing for a secure execution environment, comprising: a secure non-volatile memory, configured to store a secure application program, wherein said secure application program is encrypted according to a symmetric key algorithm; and a microprocessor, coupled to said secure non-volatile memory via a private bus and to a system memory via a system bus, configured to execute non-secure application programs and said secure application program, wherein said non-secure application programs are accessed from said system memory via said system bus, and wherein transactions over said private bus between said microprocessor and said secure non-volatile memory are isolated from said system bus and corresponding system bus resources within said microprocessor, said microprocessor comprising: a cryptographic unit, disposed within execution logic, configured to employ an authorized public key to decrypt an enable parameter according to an asymmetric key algorithm, said enable parameter having been encrypted according to said asymmetric key algorithm using a corresponding authorized private key, and configured to encrypt said secure application program for storage in said secure non-volatile memory, wherein said secure application program is encrypted in said system memory according to said asymmetric key algorithm, and wherein, upon enablement of a secure execution mode, said cryptographic unit is employed to decrypt said secure application program and to encrypt said secure application program according to said symmetric key algorithm and transfer said secure application program to said secure non-volatile memory over said private bus; and a processor key register, coupled to said cryptographic unit, configured to store a cryptographic key that is unique to said microprocessor, wherein said cryptographic key is programmed into said processor key register during fabrication of said microprocessor, and wherein said cryptographic key is employed to encrypt said secure application program for storage into said secure non-volatile memory, and wherein said processor key register can only be read by said cryptographic unit.

2. The apparatus as recited in claim 1, wherein said processor key register comprises a plurality of poly fuses that are distributed physically over a microprocessor die.

3. The apparatus as recited in claim 1, wherein said cryptographic key comprises a 128-bit cryptographic key, and wherein said cryptographic unit encrypts said secure application program according to the Advanced Encryption Standard (AES) algorithm.

4. The apparatus as recited in claim 1, wherein said cryptographic unit generates one or more hashes of said secure application program, and wherein said cryptographic unit encrypts said one or more hashes and stores said one or more hashes in said secure non-volatile memory.

5. The apparatus as recited in claim 4, wherein said cryptographic unit generates said one or more hashes according to the SHA-1 algorithm.

6. The apparatus as recited in claim 1, wherein said secure application program is initially encrypted according to an asymmetric key algorithm using a first one of two corresponding asymmetric keys, and wherein said microprocessor fetches said secure application program in asymmetrically encrypted form from said system memory over said system bus, and wherein said microprocessor employs said cryptographic unit to decrypt said secure application program according to said asymmetric key algorithm.

7. The apparatus as recited in claim 6, wherein said microprocessor further comprises: a public key register, coupled to said cryptographic unit, configured to store a second one of said two corresponding cryptographic keys, wherein said second one of said two corresponding cryptographic keys is employed by said cryptographic unit to decrypt said secure application program.

8. A microprocessor apparatus, for executing secure code within a secure execution environment, the microprocessor apparatus comprising: a secure non-volatile memory, configured to store a secure application program, wherein said secure application program is encrypted according to a symmetric key algorithm; and a microprocessor, coupled to said secure non-volatile memory via a private bus and to a system memory via a system bus, configured to execute non-secure application programs and said secure application program, said microprocessor comprising: a bus interface unit, configured to accomplish system bus transactions over said system bus to access said non-secure applications in system memory; a secure non-volatile memory interface unit, configured to couple said microprocessor to said secure non-volatile memory via a private bus, wherein private bus transactions over said private bus to access said secure non-volatile memory are hidden from observation by system bus resources within said microprocessor and to any device coupled to said system bus; a cryptographic unit, disposed within execution logic and coupled to said secure non-volatile memory interface unit, configured to employ an authorized public key to decrypt an enable parameter according to an asymmetric key algorithm, said enable parameter having been encrypted according to said asymmetric key algorithm using a corresponding authorized private key, and configured to encrypt said secure application program for storage in said secure non-volatile memory, wherein said secure application program is encrypted in said system memory according to an asymmetric key algorithm, and wherein, upon enablement of said secure execution mode, said cryptographic unit is employed to decrypt said secure application program and to encrypt said secure application program according to said symmetric key algorithm and transfer said secure application program to said secure non-volatile memory over said private bus; and a processor key register, coupled to said cryptographic unit, configured to store a cryptographic key that is unique to said microprocessor, wherein said cryptographic key is programmed into said processor key register during fabrication of said microprocessor, and wherein said cryptographic key is employed to encrypt said secure application program for storage into said secure non-volatile memory, and wherein said processor key register can only be read by said cryptographic unit.

9. The microprocessor apparatus as recited in claim 8, wherein said processor key register comprises a plurality of poly fuses that are distributed physically over a microprocessor die.

10. The microprocessor apparatus as recited in claim 8, wherein said cryptographic key comprises a 128-bit cryptographic key, and wherein said cryptographic unit encrypts said secure application program according to the Advanced Encryption Standard (AES) algorithm.

11. The microprocessor apparatus as recited in claim 8, wherein said cryptographic unit generates one or more hashes of said secure application program, and wherein said cryptographic unit encrypts said one or more hashes and stores said one or more hashes in said secure non-volatile memory.

12. The microprocessor apparatus as recited in claim 11, wherein said cryptographic unit generates said one or more hashes according to the SHA-1 algorithm.

13. The microprocessor apparatus as recited in claim 8, wherein said secure application program is initially encrypted according to an asymmetric key algorithm using a first one of two corresponding asymmetric keys, and wherein said microprocessor fetches said secure application program in asymmetrically encrypted form from said system memory over said system bus, and wherein said microprocessor employs said cryptographic unit to decrypt said secure application program according to said asymmetric key algorithm.

14. The microprocessor apparatus as recited in claim 13, wherein said microprocessor further comprises: a public key register, coupled to said cryptographic unit, configured to store a second one of said two corresponding cryptographic keys, wherein said second one of said two corresponding cryptographic keys is employed by said cryptographic unit to decrypt said secure application program.

15. A method for executing secure code within a secure execution environment, the method comprising: coupling a secure non-volatile memory to a microprocessor via a private bus for storage of the secure code, wherein the private bus is isolated from all system bus resources within the microprocessor and external to the microprocessor; via a cryptographic unit disposed within the microprocessor, employing an authorized public key to decrypt an enable parameter according to an asymmetric key algorithm, the enable parameter having been encrypted according to the asymmetric key algorithm using a corresponding authorized private key, and encrypting the secure application program, said encrypting comprising: enabling a secure execution mode; retrieving the secure code from system memory, wherein the secure code is encrypted according to the asymmetric key algorithm; decrypting the secure code; accessing a processor key register, coupled to said cryptographic unit, configured to store a cryptographic key that is unique to the microprocessor, wherein the processor key register can only be read by the cryptographic unit; and employing the cryptographic key to encrypt the secure code according to a symmetric key algorithm; and storing the secure code within the secure non-volatile memory via private transactions accomplished over the private bus, wherein the private bus is observable and accessible exclusively by secure execution logic within the microprocessor.

16. The method as recited in claim 15, wherein the processor key register comprises a plurality of poly fuses that are distributed physically over a microprocessor die.

17. The method as recited in claim 15, wherein the cryptographic key comprises a 128-bit cryptographic key, and wherein the cryptographic unit encrypts the secure application program according to the Advanced Encryption Standard (AES) algorithm.

18. The method as recited in claim 15, further comprising: via the cryptographic unit, generating one or more hashes of the secure application program, and encrypting the one or more hashes, and storing the one or more hashes in the secure non-volatile memory.

19. The method as recited in claim 18, wherein the cryptographic unit generates the one or more hashes according to the SHA-1 algorithm.

20. The method as recited in claim 15, wherein the secure application program is initially encrypted according to an asymmetric key algorithm using a first one of two corresponding asymmetric keys, and wherein the microprocessor fetches the secure application program in asymmetrically encrypted form from the system memory over the system bus, and wherein the microprocessor employs the cryptographic unit to decrypt the secure application program according to the asymmetric key algorithm.

21. The method as recited in claim 20, further comprising: accessing a public key register, coupled to the cryptographic unit, configured to store a second one of the two corresponding cryptographic keys, wherein the second one of the two corresponding cryptographic keys is employed by the cryptographic unit to decrypt the secure application program.
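The re-encryption flow of claims 3, 4, 5 and 15, modelled in Go as an added illustration; this is not code from the patent or from Via Technologies. It assumes AES-GCM as the symmetric mode (the claims name AES-128 but no mode), uses RSA-OAEP for the asymmetric stage so that the register on the microprocessor holds the private half of the pair (Go's crypto/rsa can only decrypt with that half; the claims call the register a public key register), and leaves the enable parameter and the private bus itself out of the model. The names Microprocessor, Provision and Load are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
)

// Microprocessor holds the on-die registers of claims 1 and 7. processorKey is unexported, so only
// the cryptographic unit's methods below can read it, which is what claim 1 requires of the register.
type Microprocessor struct {
	processorKey [16]byte        // stand-in for the 128-bit poly-fuse key burned in at fabrication (claims 2, 3)
	pairKey      *rsa.PrivateKey // the microprocessor's half of the asymmetric pair (claim 7)
}
// cryptoUnit is the symmetric stage of claim 3: AES-128 under the processor key (GCM mode is an assumption).
func (m *Microprocessor) cryptoUnit() cipher.AEAD {
	b, _ := aes.NewCipher(m.processorKey[:]) // the key length is fixed, so neither call can fail
	g, _ := cipher.NewGCM(b)
	return g
}
// Provision follows claim 15: decrypt the asymmetrically encrypted program fetched from system memory,
// append its SHA-1 hash (claims 4, 5) and re-encrypt both under the processor key; the result goes to the NVM.
func (m *Microprocessor) Provision(sysMemImage []byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, m.pairKey, sysMemImage, nil)
	if err != nil {
		return nil, err
	}
	g, h := m.cryptoUnit(), sha1.Sum(plain)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, append(plain, h[:]...), nil), nil
}
// Load is the execution-time path: decrypt the secure NVM image and verify the hash before any of it runs.
func (m *Microprocessor) Load(nvmImage []byte) ([]byte, error) {
	g := m.cryptoUnit()
	nonce := make([]byte, g.NonceSize())
	k := copy(nonce, nvmImage) // a truncated image simply fails to open below
	body, err := g.Open(nil, nonce, nvmImage[k:], nil)
	if err != nil || len(body) < sha1.Size { // another processor's fuse key, or a tampered image
		return nil, errors.New("secure NVM image is not bound to this processor")
	}
	prog, want := body[:len(body)-sha1.Size], body[len(body)-sha1.Size:]
	if h := sha1.Sum(prog); !bytes.Equal(want, h[:]) {
		return nil, errors.New("program hash mismatch")
	}
	return prog, nil
}
```

Because the image is sealed under the fuse key, a copy of the secure NVM moved to a second processor (even one holding the same asymmetric pair) fails in Load, which is the binding property the processor key register provides.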
Patents cited by this patent (69)
Watt,Simon Charles, Apparatus and method for controlling access to a memory unit.
Johnson, Richard C.; Morgan, Andrew; Anvin, H. Peter; Torvalds, Linus, Architecture, system, and method for operating on encrypted and/or hidden information.
Sibigtroth James M. (Round Rock TX) Rhoades Michael W. (Austin TX) Grimmer ; Jr. George G. (Austin TX) Longwell Susan W. (Austin TX), Integrated circuit microcontroller with on-chip memory and external bus interface and programmable mechanism for securin.
McDevitt,Hugh W.; Spanel,Carol; Walls,Andrew D., Method, apparatus and program storage device for providing clocks to multiple frequency domains using a single input clock of variable frequency.
Little Wendell L. ; Curry Stephen M. ; Grider Steven N. ; Thrower Mark L. ; Hass Steven N. ; Bolan Michael L. ; Fieseler Ricky D. ; Harrington Bradley M., Microcircuit with memory that is protected by both hardware and software.
Okada, Takayuki, Processor with a function to prevent illegal execution of a program, an instruction executed by a processor and a method of preventing illegal execution of a program.
Force Gordon (San Jose CA) Davis Timothy D. (Arlington TX) Duncan Richard L. (Bedford TX) Norcross Thomas M. (Arlington TX) Shay Michael J. (Arlington TX) Short Timothy A. (Duncanville TX), Programmable distributed personal security.
Hartmann Robert F. (San Jose CA) Chan Yiu-Fai (Saratoga CA) Frankovich Robert J. (Cupertino CA) Ou Jung-Hsing (Sunnyvale CA) So Hock C. (Milpitas CA) Wong Sau-Ching (Hillsborough CA), Programmable macrocell using eprom or eeprom transistors for architecture control in programmable logic circuits.
Guttag Karl M. (Houston TX) Nussrallah Steve (Richardson TX), Security bit for designating the security status of information stored in a nonvolatile memory.
Padgaonkar Ajay J. (9617 S. 43rd Pl. Phoenix AZ 85044) Mitra Sumit K. (8860 S. Drea La. Tempe AZ 85284), Security for digital signal processor program memory.
Burghardt Martin (Oberneuching NY DEX) Berman Eric (Hicksville NY) Padgaonkar Ajay (Sugarland TX) Allen Ray (Mesa AZ), System and method for protecting contents of microcontroller memory by providing scrambled data in response to an unauth.
Ginter Karl L. ; Shear Victor H. ; Sibert W. Olin ; Spahn Francis J. ; Van Wie David M., Systems and methods for secure transaction management and electronic rights protection.
Watt, Simon Charles; Dornan, Christopher Bentley; Orion, Luc; Chaussade, Nicolas; Belnet, Lionel; Brochier, Stephane Eric Sebastian; Mansell, David Hennah; Symes, Dominic Hugo, Task following between multiple operating systems.
Watt,Simon Charles; Dornan,Christopher Bentley; Orion,Luc; Chaussade,Nicolas; Belnet,Lionel; Brochier,Stephane Eric Sebastien; Mansell,David Hennah; Callan,Jonathan Sean, Vectored interrupt control within a system having a secure domain and a non-secure domain.
Doi Bryan C. (Fremont CA) Thomas Steven D. (Palm Dale CA) Coli Vincent J. (San Jose CA) Giglio Vito D. (Canoga Park CA), Verifiable security circuitry for preventing unauthorized access to programmed read only memory.