Implementing access control by system-on-chip
Abstract
Systems and methods for implementing access control by systems-on-chip (SoCs). An example SoC may comprise: an access control unit comprising a secure memory for storing access control data, the access control unit to: receive a message comprising an access control data item; store the access control data item in the secure memory; perform at least one of: authenticating the message using a message digest function, or validating contents of the secure memory by comparing a stored reference value with a calculated value of a message digest function of the contents of the secure memory; and control, in view of the access control data item, access by an initiator device to a target device.
19 Claims
1. A system-on-chip (SoC), comprising a hardware access control unit, the hardware access control unit comprising a secure memory for storing access control data, the hardware access control unit to:
- receive, from a programming agent, a message comprising an access control data item;
- store the access control data item in the secure memory;
- update a state variable reflecting a state of communications between the hardware access control unit and the programming agent, by applying a non-linear function to a current value of the state variable, a cryptographic key shared between the programming agent and the hardware access control unit, and a hash of contents of the secure memory;
- calculate a message digest by applying a first cryptographic hash function to contents of the message, a cryptographic key and the state variable;
- authenticate the message using the message digest;
- repeatedly validate the access control data item for detecting unauthorized modification of the access control data item stored in the secure memory, wherein validating the access control data item comprises comparing a value of a second cryptographic hash function of the access control data item to a stored reference value; and
- control, in view of the access control data item, access by an initiator device to a target device.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A system-on-chip (SoC), comprising a hardware access control unit, the hardware access control unit comprising a first secure memory and a second secure memory for storing access control data, the hardware access control unit to:
- receive, from a programming agent, a first message comprising a first access control data item;
- store the first access control data item in the first secure memory;
- update a state variable reflecting a state of communications between the hardware access control unit and the programming agent, by applying a non-linear function to a current value of the state variable, a cryptographic key shared between the programming agent and the hardware access control unit, and a hash of contents of the first secure memory;
- calculate a first message digest by applying a first cryptographic hash function to contents of the first message, the cryptographic key and the state variable;
- authenticate the first message using the first message digest;
- receive a second message comprising a second access control data item;
- store the second access control data item in the second secure memory;
- responsive to detecting a triggering event, validating the first access control data item for detecting unauthorized modification of the first access control data item stored in the first secure memory, wherein validating the first access control data item comprises comparing a value of a second cryptographic hash function of the first access control data item to a stored reference value;
- validate the second access control data item for detecting unauthorized modification of the second access control data item stored in the second secure memory;
- interpret the first access control data item as subordinate to the second access control data item; and
- control, in view of the second access control data item, access by an initiator device to a target device.

11. A method, comprising:
- receiving, by a hardware access control unit, from a programming agent, a message comprising an access control data item;
- storing the access control data item in a secure memory;
- updating a state variable reflecting a state of communications between the hardware access control unit and the programming agent, by applying a non-linear function to a current value of the state variable, a cryptographic key shared between the programming agent and the hardware access control unit, and a hash of contents of a secure memory;
- calculating a message digest by applying a first cryptographic hash function to contents of the message, the cryptographic key and the state variable;
- authenticating the message using the message digest;
- repeatedly, responsive to detecting a triggering event, validating the access control data item for detecting unauthorized modification of the access control data item stored in the secure memory, wherein validating the access control data item comprises comparing a value of a second cryptographic hash function of the access control data item to a stored reference value; and
- controlling, in view of the access control data item, access by an initiator device to a target device.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.

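The steps recited in claims 1 and 11 can be modeled in software to show how the rolling state variable rejects a replayed message and how the reference-hash check catches a modified entry. This is an added example, not code from the patent. It assumes HMAC-SHA-256 as the non-linear function and the first hash function, SHA-256 as the second, an `initiator->target` item format, no change on a rejected message, and fail-closed access decisions.

```python
import hashlib, hmac

def h(*parts):
    """SHA-256 over length-prefixed parts (assumed stand-in for the claimed hash functions)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def next_state(state, key, memory):
    """Assumed non-linear update over current state, shared key and hash of secure memory."""
    mem_hash = h(*[s + b"=" + r for s, r in sorted(memory.items())])
    return hmac.new(key, state + mem_hash, hashlib.sha256).digest()

def digest(key, state, slot, rule):
    """Message digest over message contents, shared key and state variable."""
    return hmac.new(key, h(state, slot, rule), hashlib.sha256).digest()

class ProgrammingAgent:
    def __init__(self, key):
        self.key, self.state, self.mirror = key, bytes(32), {}
    def build(self, slot, rule):
        self.mirror[slot] = rule  # agent tracks what the secure memory should hold
        self.state = next_state(self.state, self.key, self.mirror)
        return slot, rule, digest(self.key, self.state, slot, rule)

class AccessControlUnit:
    def __init__(self, key):
        self.key, self.state, self.memory, self.reference = key, bytes(32), {}, {}
    def program(self, slot, rule, tag):
        trial = {**self.memory, slot: rule}                 # store
        state = next_state(self.state, self.key, trial)     # update state variable
        if not hmac.compare_digest(tag, digest(self.key, state, slot, rule)):
            return False  # assumption: a rejected message changes nothing
        self.memory, self.state = trial, state
        self.reference[slot] = h(rule)                      # reference value for later checks
        return True
    def validate(self):
        """Return slots whose stored item no longer matches its reference hash."""
        return [s for s, r in sorted(self.memory.items()) if h(r) != self.reference.get(s)]
    def allowed(self, initiator, target):
        # assumption: fail closed if any stored item fails validation
        return not self.validate() and self.memory.get(initiator + b"->" + target) == b"allow"

def demo():
    key = b"constructed-shared-key"  # constructed sample value
    acu, agent = AccessControlUnit(key), ProgrammingAgent(key)
    msg = agent.build(b"dma0->sram", b"allow")
    out = {"first": acu.program(*msg), "replay": acu.program(*msg)}
    out["second"] = acu.program(*agent.build(b"cpu1->flash", b"deny"))
    out["before"] = (acu.validate(), acu.allowed(b"dma0", b"sram"))
    acu.memory[b"cpu1->flash"] = b"allow"  # simulated unauthorized modification
    out["after"] = (acu.validate(), acu.allowed(b"dma0", b"sram"))
    return out
```

The replayed message fails because the digest is bound to a state variable that has already advanced, and the simulated modification is reported by `validate()` before any access decision is made.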
Specification