Secure feature and key management in integrated circuits
First Claim
Patent Images
1. A method comprising:
- obtaining, by a delegate authority system, a base key, the delegate authority system being configured to lock, unlock, modify, or any combination thereof one or more configurable hardware features of an integrated circuit using a delegated signed block (DSB) comprising one or more commands and a payload;
deriving, by the delegate authority system, a mixed key using the base key;
deriving, by the delegate authority system, a transport key using the mixed key;
obtaining, by the delegate authority system, a payload key;
encrypting the payload key using the transport key to obtain an encrypted payload key;
deriving, by the delegate authority system, a validator using the encrypted payload key and the mixed key, wherein the validator enables a security manager core of the integrated circuit to verify that the encrypted payload key is valid and unmodified;
receiving, by the delegate authority system, delegate input parameters, the delegate input parameters comprises an address of where the security manager core is to deliver the payload;
signing, by the delegate authority system, the delegate input parameters, the encrypted payload key, and the validator using a delegate private key to create the DSB, wherein the delegate private key is associated with the delegate authority system; and
providing the DSB to the security manager core of the integrated circuit, wherein the security manager core is to extract the payload in the DSB, the payload specifying at least one of a restriction, a binding, or a value intended for the one or more configurable hardware features of the integrated circuit, in response to a signature of the DSB being verified by the security manager core.
1 Assignment
0 Petitions
Accused Products
Abstract
A mechanism for providing secure feature and key management in integrated circuits is described. An example method includes receiving, by a root authority system, data identifying a command that affects operation of an integrated circuit, singing, by the root authority system, the command using a root authority key to create a root signed block (RSB), and providing the RSB to a security manager of the integrated circuit.
45 Citations
20 Claims
-
1. A method comprising:
-
obtaining, by a delegate authority system, a base key, the delegate authority system being configured to lock, unlock, modify, or any combination thereof one or more configurable hardware features of an integrated circuit using a delegated signed block (DSB) comprising one or more commands and a payload; deriving, by the delegate authority system, a mixed key using the base key; deriving, by the delegate authority system, a transport key using the mixed key; obtaining, by the delegate authority system, a payload key; encrypting the payload key using the transport key to obtain an encrypted payload key; deriving, by the delegate authority system, a validator using the encrypted payload key and the mixed key, wherein the validator enables a security manager core of the integrated circuit to verify that the encrypted payload key is valid and unmodified; receiving, by the delegate authority system, delegate input parameters, the delegate input parameters comprises an address of where the security manager core is to deliver the payload; signing, by the delegate authority system, the delegate input parameters, the encrypted payload key, and the validator using a delegate private key to create the DSB, wherein the delegate private key is associated with the delegate authority system; and providing the DSB to the security manager core of the integrated circuit, wherein the security manager core is to extract the payload in the DSB, the payload specifying at least one of a restriction, a binding, or a value intended for the one or more configurable hardware features of the integrated circuit, in response to a signature of the DSB being verified by the security manager core. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. A method comprising:
-
obtaining, by a delegate authority system, a mixed key or a precursor to the mixed key, the delegate authority system being configured to lock, unlock, modify, or any combination thereof one or more configurable hardware features of an integrated circuit using a delegated signed block (DSB) comprising one or more commands and a payload; deriving, by the delegate authority system, a transport key using the mixed key; obtaining, by the delegate authority system, a payload key; encrypting the payload key using the transport key to obtain an encrypted payload key; receiving, by the delegate authority system, delegate input parameters, the delegate input parameters comprises an address of where a security manager core of the integrated circuit is to deliver the payload; signing, by the delegate authority system, the delegate input parameters and the encrypted payload key using a delegate private key to create the DSB, wherein the delegate private key is associated with the delegate authority system; and providing the DSB to the security manager core of the integrated circuit, wherein the security manager core to extract the payload in the DSB, the payload specifying at least one of a restriction, a binding, or a value intended for the one or more configurable hardware features of the integrated circuit, in response to a signature of the DSB being verified by the security manager core. - View Dependent Claims (15, 16, 17, 18)
-
-
19. A delegate authority system comprising:
-
a memory device; and a processing device operatively coupled to the memory device, the processing device to; obtain a mixed key or a precursor to the mixed key; derive a transport key using the mixed key; obtain a payload key; encrypt the payload key using the transport key to obtain an encrypted payload key; receive delegate input parameters, the delegate input parameters comprises an address of where a security manager core of an integrated circuit is to deliver a payload of a delegated signed block (DSB), wherein the delegate authority system is configured to lock, unlock, modify, or any combination thereof one or more configurable hardware features of the integrated circuit using the DSB; sign the delegate input parameters and the encrypted payload key using a delegate private key to create the DSB, wherein the delegate private key is associated with the delegate authority system; and provide the DSB to the security manager core of the integrated circuit, wherein the security manager core to extract the payload in the DSB, the payload specifying at least one of a restriction, a binding, or a value intended for the one or more configurable hardware features of the integrated circuit, in response to a signature of the DSB being verified by the security manager core. - View Dependent Claims (20)
-
Specification