System and Method for Efficient Security Domain Translation and Data Transfer
Abstract
A mobile UE includes a CPU, a secure DMA module, a secure cryptographic module, secure memory, and non-secure memory. The secure cryptographic module and secure memory allow access only by secure processes, including the secure DMA module. The CPU manages cryptographic keys and initializes DMA transfers in secure mode. The CPU executes the DMA transfers in non-secure mode. A first DMA transfer moves data encrypted in a first security domain to the secure cryptographic module, and moves clear text data to the secure memory. A second DMA transfer moves the clear text data to the secure cryptographic module, and data encrypted in a second security domain out of the secure cryptographic module. The data encrypted in the second security domain are transmitted to an external device. The secure memory protects the clear text data from being copied; only encrypted data is accessible by non-secure processes.
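The flow in the abstract, modeled in software as an added example (not taken from the patent). `Soc`, `SecureMemory`, `toy_cipher` and the keys are hypothetical names, and the repeating-key XOR is a constructed stand-in for whatever algorithms the secure cryptographic module actually runs.

```python
class AccessError(Exception):
    """Raised when a non-secure bus master touches a secure resource."""

def toy_cipher(data: bytes, key: bytes) -> bytes:
    # Constructed stand-in (repeating-key XOR), NOT a real cipher; it only
    # makes the two security domains distinguishable in this model.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

class SecureMemory:
    """Memory that checks the secure attribute of every bus access."""
    def __init__(self):
        self._buf = b""
    def write(self, data: bytes, secure: bool) -> None:
        if not secure:
            raise AccessError("non-secure write to secure memory")
        self._buf = data
    def read(self, secure: bool) -> bytes:
        if not secure:
            raise AccessError("non-secure read of secure memory")
        return self._buf

class Soc:
    def __init__(self):
        self.cpu_secure = False          # CPU starts in non-secure mode
        self.secure_mem = SecureMemory()
        self._keys = None                # held inside the crypto module
        self._armed = False              # DMA transfers initialized?

    def secure_setup(self, k_dom1: bytes, k_dom2: bytes) -> None:
        self.cpu_secure = True           # one entry into secure mode
        self._keys = (k_dom1, k_dom2)    # key management for both domains
        self._armed = True               # both DMA transfers initialized
        self.cpu_secure = False          # return to non-secure mode

    def translate(self, ct_dom1: bytes) -> bytes:
        # Triggered from non-secure mode; the DMA engine is the secure master.
        if not self._armed:
            raise AccessError("DMA transfers not initialized in secure mode")
        k1, k2 = self._keys
        # Transfer 1: ciphertext -> crypto module -> clear text in secure memory
        self.secure_mem.write(toy_cipher(ct_dom1, k1), secure=True)
        # Transfer 2: secure memory -> crypto module -> domain-2 ciphertext out
        return toy_cipher(self.secure_mem.read(secure=True), k2)

    def cpu_peek_secure_mem(self) -> bytes:
        # A CPU access carries the CPU's current mode, unlike the DMA engine.
        return self.secure_mem.read(secure=self.cpu_secure)
```

The non-secure side only ever handles the two ciphertexts; a CPU read of the intermediate clear text fails unless the CPU is back in secure mode.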
21 Claims
1. A method of transferring encrypted data from an external source to an external destination, by a processor selectively operated in either a secure mode or a non-secure mode comprising:
- in a secure mode,
  - managing cryptographic keys for first and second security domains; and
  - initializing a first secure Direct Memory Access (DMA) transfer into secure memory and a second secure DMA transfer from secure memory; and
- in a non-secure mode,
  - receiving data encrypted in a first security domain from the external source;
  - executing the first secure DMA transfer to move the encrypted data to a secure cryptographic module and clear text data to the secure memory;
  - executing the second secure DMA transfer to move clear text data from the secure memory to the secure cryptographic module; and
  - transferring data encrypted in the second security domain to the external destination.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A method of efficiently translating encrypted data from a first security domain to a second security domain by a processor selectively operated in either a secure mode or a non-secure mode, while minimizing the required switching between modes, comprising:
- in a secure mode,
  - providing a decryption key operative in the first security domain;
  - providing an encryption key operative in the second security domain;
  - loading the first domain decryption key and second domain encryption key into a secure cryptographic module;
  - initializing a first secure Direct Memory Access (DMA) transfer from non-secure memory to the secure cryptographic module and from the secure cryptographic module to secure memory; and
  - initializing a second secure DMA transfer from secure memory to the secure cryptographic module and from the secure cryptographic module to non-secure memory; and
- in a non-secure mode,
  - receiving data encrypted in a first security domain and storing it in non-secure memory;
  - executing the first secure DMA transfer to decrypt the data from the first security domain;
  - executing the second secure DMA transfer to encrypt the data into the second security domain; and
  - transferring data in the second security domain.

Dependent claims: 11, 12
13. A mobile User Equipment (UE) operative to receive data encrypted in a first security domain, translate the data to a second security domain, and transmit the data encrypted in the second security domain, comprising:
- a data transfer bus;
- secure memory connected to the bus and accessible only by secure processes;
- a secure cryptographic module connected to the bus and accessible only by secure processes, the secure cryptographic module operative to at least decrypt data in the first security domain and encrypt data in the second security domain; and
- a secure DMA module connected to the bus and recognized by the secure memory and secure cryptographic module as a secure process, the DMA module operative to transfer data in at least a first DMA transfer operative to move data encrypted in a first security domain into the secure cryptographic module and clear text from the secure cryptographic module to the secure memory, and a second DMA transfer operative to move clear text data into the secure cryptographic module and data encrypted in the second security domain from the secure cryptographic module.

Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21
Specification