Implementing access control by system-on-chip

US 10,482,275 B2
Filed: 01/27/2015
Issued: 11/19/2019
Est. Priority Date: 01/27/2014
Status: Active Grant

First Claim

Patent Images

1. A system-on-chip (SoC), comprising a hardware access control unit, the hardware access control unit comprising a secure memory for storing access control data, the hardware access control unit to:

receive, from a programming agent, a message comprising an access control data item;

store the access control data item in the secure memory;

update a state variable reflecting a state of communications between the hardware access control unit and the programming agent, by applying a non-linear function to a current value of the state variable, a cryptographic key shared between the programming agent and the hardware access control unit, and a hash of contents of the secure memory;

calculate a message digest by applying a first cryptographic hash function to contents of the message, a cryptographic key the state variable;

authenticate the message using the message digest;

repeatedly validate the access control data item for detecting unauthorized modification of the access control data item stored in the secure memory, wherein validating the access control data item comprises comparing a value of a second cryptographic hash function of the access control data item to a stored reference value; and

control, in view of the access control data item, access by an initiator device to a target device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for implementing access control by systems-on-chip (SoCs). An example SoC may comprise: an access control unit comprising a secure memory for storing access control data, the access control unit to: receive a message comprising an access control data item; store the access control data item in the secure memory; perform at least one of: authenticating the message using a message digest function, or validating contents of the secure memory by comparing a stored reference value with a calculated value of a message digest function of the contents of the secure memory; and control, in view of the access control data item, access by an initiator device to a target device.

Citations

19 Claims

1. A system-on-chip (SoC), comprising a hardware access control unit, the hardware access control unit comprising a secure memory for storing access control data, the hardware access control unit to:
- receive, from a programming agent, a message comprising an access control data item;
  
  store the access control data item in the secure memory;
  
  update a state variable reflecting a state of communications between the hardware access control unit and the programming agent, by applying a non-linear function to a current value of the state variable, a cryptographic key shared between the programming agent and the hardware access control unit, and a hash of contents of the secure memory;
  
  calculate a message digest by applying a first cryptographic hash function to contents of the message, a cryptographic key the state variable;
  
  authenticate the message using the message digest;
  
  repeatedly validate the access control data item for detecting unauthorized modification of the access control data item stored in the secure memory, wherein validating the access control data item comprises comparing a value of a second cryptographic hash function of the access control data item to a stored reference value; and
  
  control, in view of the access control data item, access by an initiator device to a target device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The SoC of claim 1, wherein the access control data item comprises an access control rule.
  - 3. The SoC of claim 2, wherein the access control rule comprises an identifier of the initiator device, an identifier of the target device, an address range, and an access permission.
  - 4. The SoC of claim 1, wherein the hardware access control unit is implemented by a network-on-chip (NoC) comprising a filtering firewall to enforce access control in view of the access control data item while transporting at least one of data frames or electric signals between the initiator device and the target device.
  - 5. The SoC of claim 1, wherein the hardware access control unit is implemented by a memory management unit (MMU) to enforce access control in view of the access control data item while translating a first address to a second address referencing a memory location on the target device.
  - 6. The SoC of claim 1, wherein the initiator device is provided by one of:
    - a central processing unit (CPU), a graphical processing unit (GPU), or a cryptographic core.
  - 7. The SoC of claim 1, wherein the target device is provided by one of:
    - a memory device, a storage device, or an input/output (I/O) device.
  - 8. The SoC of claim 1, further comprising a cryptographic key management system to generate the cryptographic key.
  - 9. The SoC of claim 1, wherein the access control data item comprises an address translation rule.

10. A system-on-chip (SoC), comprising a hardware access control unit, the hardware access control unit comprising a first secure memory and a second secure memory for storing access control data, the hardware access control unit to:
- receive, from a programming agent, a first message comprising a first access control data item;
  
  store the first access control data item in the first secure memory;
  
  update a state variable reflecting a state of communications between the hardware access control unit and the programming agent, by applying a non-linear function to a current value of the state variable, a cryptographic key shared between the programming agent and the hardware access control unit, and a hash of contents of the first secure memory;
  
  calculate a first message digest by applying a first cryptographic hash function to contents of the first message, the cryptographic key the state variable;
  
  authenticate the first message using the first message digest;
  
  receive a second message comprising a second access control data item;
  
  store the second access control data item in the second secure memory;
  
  responsive to detecting a triggering event, validating the first access control data item for detecting unauthorized modification of the first access control data item stored in the first secure memory, wherein validating the first access control data item comprises comparing a value of a second cryptographic hash function of the first access control data item to a stored reference value;
  
  validate the second access control data item for detecting unauthorized modification of the second access control data item stored in the second secure memory;
  
  interpret the first access control data item as subordinate to the second access control data item; and
  
  control, in view of the second access control data item, access by an initiator device to a target device.

11. A method, comprising:
- receiving, by a hardware access control unit, from a programming agent, a message comprising an access control data item;
  
  storing the access control data item in a secure memory;
  
  updating a state variable reflecting a state of communications between the hardware access control unit and the programming agent, by applying a non-linear function to a current value of the state variable, a cryptographic key shared between the programming agent and the hardware access control unit, and a hash of contents of a secure memory;
  
  calculating a message digest by applying a first cryptographic hash function to contents of the message, the cryptographic key and the state variable;
  
  authenticating the message using the message digest;
  
  repeatedly, responsive to detecting a triggering event, validating the access control data item for detecting unauthorized modification of the access control data item stored in the secure memory, wherein validating the access control data item comprises comparing a value of a second cryptographic hash function of the access control data item to a stored reference value; and
  
  controlling, in view of the access control data item, access by an initiator device to a target device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, wherein the access control data item comprises an access control rule.
  - 13. The method of claim 12, wherein the access control rule comprises at least one of:
    - an identifier of the initiator device, an identifier of the target device, an address range, an access permission, or an access authorization type.
  - 14. The method of claim 11, wherein the controlling further comprises filtering data frames traversing the hardware access control unit based on an access control rule set comprising a plurality of access control rules defined on non-overlapping address ranges.
  - 15. The method of claim 11, the controlling further comprises filtering data frames traversing the hardware access control unit based on an access control rule set comprising a plurality of access control rules defined on a plurality of overlapping address ranges.
  - 16. The method of claim 15, wherein a first access control rule defined on a first address range of the plurality of overlapping address ranges is interpreted as overriding a second access control rule defined on a second address range of the plurality of overlapping address ranges.
  - 17. The method of claim 11, wherein the controlling further comprises translating a virtual address to a physical address, the physical address referencing a memory location on the target device.
  - 18. The method of claim 11, wherein receiving the message comprising the access control data item is performed within a boot sequence of the SoC.
  - 19. The method of claim 11, wherein the access control data item comprises an address translation rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cryptography Research, Inc. (Rambus Inc.)
Original Assignee
Cryptography Research, Inc. (Rambus Inc.)
Inventors
Hampel, Craig E., Cioranesco, Jean-Michel, do Canto, Rodrigo Portella, de Almeida, Guilherme Ozari
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Le, Canh

Application Number

US15/111,972
Publication Number

US 20160350549A1
Time in Patent Office

1,757 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06F 21/755   with measures against power...

G06F 21/85   interconnection devices, e....

H04L 63/0227   Filtering policies mail mes...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/101   Access control lists [ACL]

H04L 63/123   received data contents, e.g...

Implementing access control by system-on-chip

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Implementing access control by system-on-chip

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links