Secure IoT device update

US 10,416,991 B2
Filed: 02/27/2017
Issued: 09/17/2019
Est. Priority Date: 12/14/2016
Status: Active Grant

First Claim

Patent Images

1. An apparatus for updating, comprising:

an IoT device including a first memory adapted to store run-time data for the device, and at least one processor that is adapted to execute processor-executable code that, in response to execution, enables at least two independent execution environments for an application processor including a first independent execution environment and a second execution environment, wherein the first independent execution environment has at least one capability that the second independent execution environment does not have, wherein the second independent execution environment is a normal world of the application processor that is configured to manage updates, wherein the first independent execution environment is a secure world of the application processor that is adapted to perform firewall configurations, to monitor the normal world of the application processor, to reset the normal world of the application processor, and to control access of the normal world of the application processor to a second memory, and further configured in response to execution to enable actions, including;

communicating a request for a requested update from the second independent execution environment to the first independent execution environment;

the first independent execution environment validating the requested update;

communicating instructions associated with the validated update from the first independent execution environment to the second independent execution environment;

for image binaries associated with the validated update, sending image requests from the second independent execution environment to a cloud service;

receiving, by the first independent execution environment, the requested image binaries from the cloud service;

using the first independent execution environment to write the received image binaries to the second memory;

the first independent execution environment validating the written image binaries; and

responsive to validating the written image binaries, the first independent execution environment enabling access by the second independent execution environment to the validated written image binaries.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed technology is generally directed to updating of applications, firmware and/or other software on IoT devices. In one example of the technology, a request that is associated with a requested update is communicated from a normal world of a first application processor to a secure world of the first application processor. The secure world validates the requested update. Instructions associated with the validated update are communicated from the secure world to the normal world. Image requests are sent from the normal world to a cloud service for image binaries associated with the validated update. The secure world receives the requested image binaries from the cloud service. The secure world writes the received image binaries to memory, and validates the written image binaries.

71 Citations

View as Search Results

20 Claims

1. An apparatus for updating, comprising:
- an IoT device including a first memory adapted to store run-time data for the device, and at least one processor that is adapted to execute processor-executable code that, in response to execution, enables at least two independent execution environments for an application processor including a first independent execution environment and a second execution environment, wherein the first independent execution environment has at least one capability that the second independent execution environment does not have, wherein the second independent execution environment is a normal world of the application processor that is configured to manage updates, wherein the first independent execution environment is a secure world of the application processor that is adapted to perform firewall configurations, to monitor the normal world of the application processor, to reset the normal world of the application processor, and to control access of the normal world of the application processor to a second memory, and further configured in response to execution to enable actions, including;
  
  communicating a request for a requested update from the second independent execution environment to the first independent execution environment;
  
  the first independent execution environment validating the requested update;
  
  communicating instructions associated with the validated update from the first independent execution environment to the second independent execution environment;
  
  for image binaries associated with the validated update, sending image requests from the second independent execution environment to a cloud service;
  
  receiving, by the first independent execution environment, the requested image binaries from the cloud service;
  
  using the first independent execution environment to write the received image binaries to the second memory;
  
  the first independent execution environment validating the written image binaries; and
  
  responsive to validating the written image binaries, the first independent execution environment enabling access by the second independent execution environment to the validated written image binaries.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein the application processor is further configured such that validating the requested update includes:
    - determining whether the requested update is properly signed; and
      
      comparing image binaries associated with the requested update with image binaries already installed.
  - 3. The apparatus of claim 1, wherein the application processor is further configured such that validating the written image binaries includes comparing signatures associated with the image binaries with corresponding signatures stored in metadata associated with the image binaries.
  - 4. The apparatus of claim 1, wherein the first memory and the application processor are part of a hybrid chip on the IoT that is configured cause the IoT device to operate as an IoT device, and wherein the hybrid chip further includes a microcontroller that is configured to control network connectivy between the IoT device and IoT services, such that the IoT device is configured to receive IoT devices via the network connectivity.
  - 5. The apparatus of claim 1, wherein the application processor is further configured such that communicating instructions associated with the validated update from the secure world to the normal world includes communicating, from the secure world to the normal world, an indication as to which image binaries should be installed as part of the validated update.
  - 6. The apparatus of claim 1, wherein the application processor is configured such that the secure world has a trust zone that creates a private independent execution environment that is hardware-protected from the rest of the IoT device.
  - 7. The apparatus of claim 6, wherein the second memory is a flash memory, and wherein the application processor is configured such that the secure world has write access to the flash memory and such that the normal world is prevented from writing to the flash memory.

8. A method for updating, comprising:
- communicating, in at least one processor that includes a first independent execution environment and a second independent execution environment, wherein the first independent execution environment has at least one capability that the second independent execution environment does not have, a request for a requested update from a second independent execution environment of a first application processor to a secure world of the first application processor, wherein the secure world is configured to monitor the second independent execution environment;
  
  the secure world validating the requested update;
  
  communicating instructions associated with the validated update from the secure world to the second independent execution environment;
  
  for image binaries associated with the validated update, sending image requests from the second independent execution environment to a cloud service;
  
  receiving, by the secure world, the requested image binaries from the cloud service;
  
  using the secure world to write the received image binaries to memory;
  
  the secure world validating the written image binaries; and
  
  responsive to validating the written image binaries, the secure world enabling access by the second independent execution environment to the validated written image binaries.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The method of claim 8, wherein validating the requested update includes:
    - determining whether the requested update is properly signed; and
      
      comparing image binaries associated with the requested update with image binaries already installed.
  - 10. The method of claim 8, wherein validating the written image binaries includes comparing signatures associated with the image binaries with corresponding signatures stored in metadata associated with the image binaries.
  - 11. The method of claim 8, wherein the second independent execution environment is a normal world.
  - 12. The method of claim 11, further comprising receiving, by the normal world, information associated with whether a new update is currently available.
  - 13. The method of claim 11, further comprising:
    - communicating from the secure world to at least one of the normal world or a security complex that the written image binaries have been validated.
  - 14. The method of claim 11, further comprising:
    - communicating from at least one of a security complex or the normal world to the secure world an indication to switch to the validated update.
  - 15. The method of claim 11, further comprising:
    - communicating from the secure world to at least one of the normal world or a security complex a location of the validated update.
  - 16. The method of claim 11, wherein communicating instructions associated with the validated update from the secure world to the normal world includes communicating, from the secure world to the normal world, an indication as to which image binaries should be installed as part of the validated update.
  - 17. The method of claim 16, wherein sending image requests from the normal world to the cloud service includes sending, for image binaries that the secure world indicated should be installed as part of the validated update, image requests associated with the image binaries to the cloud service.

18. A processor-readable storage medium, having stored thereon processor-executable code that is configured to, upon execution by at least one processor, enable at least two independent execution environments for the processor including a first independent execution environment and a second execution environment, wherein the first independent execution environment has at least one capability that the second independent execution environment does not have, and wherein the first independent execution environment is a secure world that is configured to monitor the second independent execution environment, and further configured in response to execution to enable actions, including:
- communicating a request that is associated with a requested update from the second independent execution environment to the secure world;
  
  the secure world validating the requested update;
  
  communicating instructions associated with the validated update from the secure world to the second independent execution environment;
  
  for image binaries associated with the validated update, sending image requests from the second independent execution environment to a cloud service;
  
  receiving, by the secure world, the requested image binaries from the cloud service;
  
  using the secure world to write the received image binaries to memory; and
  
  the secure world validating the written image binaries.
- View Dependent Claims (19, 20)
- - 19. The processor-readable storage medium of claim 18, wherein the processor-executable code is further configured such that validating the requested update includes:
    - determining whether the requested update is properly signed; and
      
      comparing image binaries associated with the requested update with image binaries already installed.
  - 20. The processor-readable storage medium of claim 18, wherein the processor-executable code is further configured such that validating the written image binaries includes comparing signatures associated with the image binaries with corresponding signatures stored in metadata associated with the image binaries.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Bonar, Adrian, Olinsky, Reuben R., Kim, Sang Eun, Nightingale, Edmund B., de Carvalho, Thales
Primary Examiner(s)
Lyons, Andrew M.

Application Number

US15/444,024
Publication Number

US 20180165088A1
Time in Patent Office

932 Days
Field of Search

717168-178
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/74   operating in dual or compar...

G06F 8/65   Updates security arrangemen...

G06F 8/658   Incremental updates; Differ...

H04L 67/12   specially adapted for propr...

H04L 67/34   involving the movement of s...

H04W 4/70   Services for machine-to-mac...

Secure IoT device update

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

71 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure IoT device update

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links