Secure processing environment

US 20060090084A1
Filed: 01/26/2005
Published: 04/27/2006
Est. Priority Date: 10/22/2004
Status: Active Grant

First Claim

Patent Images

1. A method of modifying an embedded processing system to incorporate security functionality, comprising:

providing an embedded processing system to be modified;

incorporating at least one security peripheral into the embedded processing system;

defining at least one secure operating mode and at least one open operating mode for the embedded processing system; and

providing open operating mode access restrictions for at least a portion of the security peripherals.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure operations and components may be integrated into a conventional processing system executing a standard operating system. A secure processing environment where trusted secure application code is executed may be provided for performing secure operations. In this environment, the applications and components may access all of the components in the system including secure components. An open processing environment is provided for performing conventional operations. Conventional application code may be executed in the open environment. In the open environment, access may only be provided to open components. That is, open applications and components may not be allowed to access the secure components in the system. In this way, a secure processing environment may be provided that allows secure and non-secure applications to be simultaneously executed while protecting sensitive data and operations. For example, encrypted and authenticated secure application code may be securely executed on a general purpose processor along with other, non-secure application code. In addition, access to components that use or store sensitive information may be restricted to selected secure components such as those that execute secure code.

Citations

45 Claims

1. A method of modifying an embedded processing system to incorporate security functionality, comprising:
- providing an embedded processing system to be modified;
  
  incorporating at least one security peripheral into the embedded processing system;
  
  defining at least one secure operating mode and at least one open operating mode for the embedded processing system; and
  
  providing open operating mode access restrictions for at least a portion of the security peripherals.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 comprising providing at least one secure mode controller configured to enforce the at least one secure operating mode and the at least one open operating mode.
  - 3. The method of claim 1 comprising providing at least one cryptographic processor configured to process data for the secure operating mode.
  - 4. The method of claim 3 comprising wherein the at least one cryptographic processor comprises a public key engine configured to generate asymmetric keys for the secure operation mode.
  - 5. The method of claim 1 comprising providing a secure memory access unit configured to authenticate code for the secure operating mode.
  - 6. The method of claim 1 comprising providing a secure memory access unit configured to decrypt code for the secure operating mode.
  - 7. The method of claim 1 comprising providing at least one non-volatile memory configured to store cryptographic material for the secure operating mode.
  - 8. The method of claim 1 comprising providing a random number generator configured to generate key material for the secure operating mode.
  - 9. The method of claim 1 comprising providing secure protect logic configured to protect the secure operating mode.
  - 10. The method of claim 1 comprising adapting a bus arbiter to generate at least one signal indicative of the secure operating mode.
  - 11. The method of claim 10 comprising adapting an address decoder to enable access to at least one secure peripheral in accordance with the at least one signal indicative of the secure operating mode.
  - 12. The method of claim 1 comprising adapting an address decoder to enable access to at least one secure peripheral in accordance with the secure operating mode.
  - 13. The method of claim 1 comprising adapting boot ROM to initiate the secure operating mode.
  - 14. The method of claim 1 wherein the at least one security peripheral performs at least one of containing, using or providing cryptographically sensitive material.
  - 15. The method of claim 1 wherein at least processor executes code in the at least one secure operating mode and the at least one open operating mode.
  - 16. The method of claim 1 wherein the embedded processing system comprises a system on a chip.

17. A secure data processing method comprising:
- defining a secure mode of operation and an open mode of operation;
  
  verifying code to be executed during the secure mode of operation; and
  
  restricting access to at least one secure peripheral in the open mode of operation.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 18. The method of claim 17 wherein verifying code comprises authenticating code.
  - 19. The method of claim 17 wherein verifying code comprises authenticating code on a per-block basis.
  - 20. The method of claim 17 comprising preventing unauthenticated code from being executed during the secure mode of operation.
  - 21. The method of claim 17 wherein verifying code comprises decrypting code.
  - 22. The method of claim 17 comprising caching the verified code.
  - 23. The method of claim 17 wherein the at least one secure peripheral performs at least one of containing, using or providing cryptographically sensitive material.
  - 24. The method of claim 23 wherein the cryptographically sensitive material comprises at least one key.
  - 25. The method of claim 17 comprising storing key material for the secure mode of operation in a one-time-programmable memory.
  - 26. The method of claim 17 comprising using the key material to initiate the secure mode of operation.
  - 27. The method of claim 17 comprising booting in a secure mode of operation.
  - 28. The method of claim 17 comprising enforcing transitions between the secure and open modes of operation.
  - 29. The method of claim 17 comprising monitoring a co-processor bus to enforce transitions between the secure and open modes of operation.
  - 30. The method of claim 17 wherein restricting access comprises generating at least one signal indicative of the open or secure mode of operation.
  - 31. The method of claim 17 wherein restricting access comprises controlling generation of at least one component select.
  - 32. The method of claim 17 wherein defining a secure mode of operation and an open mode of operation comprises generating at least one memory map.
  - 33. The method of claim 17 wherein defining a secure mode of operation and an open mode of operation comprises defining at least one secure bus master and at least one open bus master.
  - 34. The method of claim 17 wherein defining a secure mode of operation and an open mode of operation comprises defining the at least one secure peripheral and at least one open peripheral.
  - 35. The method of claim 17 wherein the at least one open peripheral restricts access to a portion of the at least one open peripheral in accordance with the open mode of operation.

36. A system on a chip comprising:
- at least one secure mode controller configured to enforce a secure mode of operation and an open mode of operation;
  
  at least one processor configured to execute code for the secure mode of operation and the open mode of operation;
  
  at least one non-volative memory configured to store cryptographic material for the secure mode of operation;
  
  at least one cryptographic processor configured to process data for the secure mode of operation.
- View Dependent Claims (37, 38, 39, 40, 41, 43, 44, 45)
- - 37. The system on a chip of claim 36 comprising a random number generator configured to generate key material for the secure mode of operation.
  - 38. The system on a chip of claim 36 wherein the at least one cryptographic processor comprises a public key engine configured to generate asymmetric keys for the secure mode of operation.
  - 39. The system on a chip of claim 36 comprising a secure memory access unit configured to authenticate code for the secure mode of operation.
  - 40. The system on a chip of claim 36 comprising a secure memory access unit configured to decrypt code for the secure mode of operation.
  - 41. The system on a chip of claim 36 comprising a bus arbiter configured to generate at least one signal indicative of the secure mode of operation.
  - 43. The system on a chip of claim 36 comprising an address decoder configured to enable access to at least one secure peripheral in accordance with the secure mode of operation.
  - 44. The system on a chip of claim 36 comprising boot ROM configured to initiate the secure mode of operation.
  - 45. The system on a chip of claim 36 comprising secure protect logic configured to protect the secure mode of operation.

42. The system on a chip of claim 42 comprising an address decoder configured to enable access to at least one secure peripheral in accordance with the at least one signal indicative of the secure mode of operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Buer, Mark

Granted Patent

US 8,332,653 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 21/575 Secure boot

Secure processing environment

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Secure processing environment

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links