INITIALIZATION OF A MICROPROCESSOR PROVIDING FOR EXECUTION OF SECURE CODE

US 20090292929A1
Filed: 10/31/2008
Published: 11/26/2009
Est. Priority Date: 05/24/2008
Status: Active Grant

First Claim

Patent Images

1. An apparatus providing for a secure execution environment, comprising:

a microprocessor, configured to execute non-secure application programs and a secure application program, wherein said non-secure application programs are accessed from a system memory via a system bus, said microprocessor comprising;

secure execution mode initialization logic, configured to provide for initialization of a secure execution mode within said microprocessor for execution of said secure application program, wherein said secure execution mode initialization logic employs an asymmetric key algorithm to decrypt an enable parameter that directs said microprocessor to enter said secure execution mode; and

an authorized public key, configured for employment by a cryptographic unit within said microprocessor to decrypt said enable parameter, said enable parameter having been encrypted according to said asymmetric key algorithm using an authorized private key that corresponds to said authorized public key; and

a secure non-volatile memory, coupled to said microprocessor via a private bus, configured to store said secure application program following initialization of said secure execution mode, wherein transactions over said private bus between said microprocessor and said secure non-volatile memory are isolated from said system bus and corresponding system bus resources within said microprocessor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus including a microprocessor and a secure non-volatile memory. The microprocessor executes non-secure application programs and a secure application program. The microprocessor has secure execution mode initialization logic and an authorized public key. The secure execution mode initialization logic provides for initialization of a secure execution mode within the microprocessor. The secure execution mode initialization logic employs an asymmetric key algorithm to decrypt an enable parameter directing entry into the secure execution mode. The authorized public key is used to decrypt the enable parameter, the enable parameter having been encrypted according to the asymmetric key algorithm using an authorized private key that corresponds to the authorized public key. The secure non-volatile memory stores the secure application program, where transactions over the private bus between the microprocessor and the secure non-volatile memory are isolated from the system bus and corresponding system bus resources within the microprocessor.

Citations

30 Claims

1. An apparatus providing for a secure execution environment, comprising:
- a microprocessor, configured to execute non-secure application programs and a secure application program, wherein said non-secure application programs are accessed from a system memory via a system bus, said microprocessor comprising;
  
  secure execution mode initialization logic, configured to provide for initialization of a secure execution mode within said microprocessor for execution of said secure application program, wherein said secure execution mode initialization logic employs an asymmetric key algorithm to decrypt an enable parameter that directs said microprocessor to enter said secure execution mode; and
  
  an authorized public key, configured for employment by a cryptographic unit within said microprocessor to decrypt said enable parameter, said enable parameter having been encrypted according to said asymmetric key algorithm using an authorized private key that corresponds to said authorized public key; and
  
  a secure non-volatile memory, coupled to said microprocessor via a private bus, configured to store said secure application program following initialization of said secure execution mode, wherein transactions over said private bus between said microprocessor and said secure non-volatile memory are isolated from said system bus and corresponding system bus resources within said microprocessor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus as recited in claim 1, wherein said microprocessor further comprises:
    - an authorized public key register, wherein said authorized public key is stored within said authorized public key register during fabrication of said microprocessor.
  - 3. The apparatus as recited in claim 1, wherein said microprocessor further comprises:
    - an authorized public key register, wherein said authorized public key, upon power up of said microprocessor, is retrieved from said secure non-volatile memory and programmed into said authorized public key register, said authorized public key having been stored in said secure non-volatile memory by an authorizing party.
  - 4. The apparatus as recited in claim 1, wherein said asymmetric key algorithm comprises the RSA algorithm.
  - 5. The apparatus as recited in claim 1, wherein said enable parameter is passed via execution of a secure execution mode enable instruction.
  - 6. The apparatus as recited in claim 1, wherein said enable parameter is passed via a write to a hidden machine specific register within said microprocessor.
  - 7. The apparatus as recited in claim 1, wherein, upon verification of said enable parameter following decryption, said secure execution mode initialization logic enables said secure execution mode for execution of said secure application program.
  - 8. The apparatus as recited in claim 1, wherein said enable parameter comprises a pointer to a location in system memory where said secure application program is stored in encrypted form.
  - 9. The apparatus as recited in claim 1, wherein said enable parameter comprises a pointer to a location in BIOS where said secure application program is stored in encrypted form.
  - 10. The apparatus as recited in claim 1, wherein, following successful decryption of said enable parameter, said microprocessor fetches said secure application program, employs said authorized public key to decrypt said secure application program, encrypts said secure application program using a processor key according to a symmetric key algorithm, and stores an encrypted version of said secure application program in said secure non-volatile memory.

11. A microprocessor apparatus, for executing secure code within a secure execution environment, the microprocessor apparatus comprising:
- a secure non-volatile memory, configured to store a secure application program; and
  
  a microprocessor, coupled to said secure non-volatile memory via a private bus, configured to execute non-secure application programs and said secure application program, said microprocessor comprising;
  
  secure execution mode initialization logic, configured to provide for initialization of a secure execution mode within said microprocessor for execution of said secure application program, wherein said secure execution mode initialization logic employs an asymmetric key algorithm to decrypt an enable parameter that directs said microprocessor to enter said secure execution mode; and
  
  an authorized public key, configured for employment by a cryptographic unit within said microprocessor to decrypt said enable parameter, said enable parameter having been encrypted according to said asymmetric key algorithm using an authorized private key that corresponds to said authorized public key.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The microprocessor apparatus as recited in claim 11, wherein said microprocessor further comprises:
    - an authorized public key register, wherein said authorized public key is stored within said authorized public key register during fabrication of said microprocessor.
  - 13. The microprocessor apparatus as recited in claim 11, wherein said microprocessor further comprises:
    - an authorized public key register, wherein said authorized public key, upon power up of said microprocessor, is retrieved from said secure non-volatile memory and programmed into said authorized public key register, said authorized public key having been stored in said secure non-volatile memory by an authorizing party.
  - 14. The microprocessor apparatus as recited in claim 11, wherein said asymmetric key algorithm comprises the RSA algorithm.
  - 15. The microprocessor apparatus as recited in claim 11, wherein said enable parameter is passed via execution of a secure execution mode enable instruction.
  - 16. The microprocessor apparatus as recited in claim 11, wherein said enable parameter is passed via a write to a hidden machine specific register within said microprocessor.
  - 17. The microprocessor apparatus as recited in claim 11, wherein, upon verification of said enable parameter following decryption, said secure execution mode initialization logic enables said secure execution mode for execution of said secure application program.
  - 18. The microprocessor apparatus as recited in claim 11, wherein said enable parameter comprises a pointer to a location in system memory where said secure application program is stored in encrypted form.
  - 19. The microprocessor apparatus as recited in claim 11, wherein said enable parameter comprises a pointer to a location in BIOS where said secure application program is stored in encrypted form.
  - 20. The microprocessor apparatus as recited in claim 11, wherein, following successful decryption of said enable parameter, said microprocessor fetches said secure application program, employs said authorized public key to decrypt said secure application program, encrypts said secure application program using a processor key according to a symmetric key algorithm, and stores an encrypted version of said secure application program in said secure non-volatile memory.

21. A method for executing secure code within a secure execution environment, the method comprising:
- providing a secure non-volatile memory for storage of the secure code, wherein the secure code is to be stored within the secure non-volatile memory via private transactions accomplished over a private bus that is coupled to the secure non-volatile memory; and
  
  initializing a secure execution mode within a microprocessor for execution of the secure code, said initializing comprising;
  
  via a cryptographic unit within the microprocessor, employing an authorized public key to decrypt an enable parameter according to an asymmetric key algorithm, the enable parameter having been encrypted according to the asymmetric key algorithm using a corresponding authorized private key;
  
  wherein the private bus is isolated from all system bus resources within the microprocessor and external to the microprocessor, and wherein the private bus is observable and accessible exclusively by secure execution logic within the microprocessor.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method as recited in claim 21, wherein said employing comprises:
    - fetching the authorized public key from an authorized public key register within the microprocessor, wherein the authorized public key register is stored in the authorized public key register during fabrication of the microprocessor.
  - 23. The method as recited in claim 21, wherein said employing comprises:
    - fetching the authorized public key from the secure non-volatile memory and programming the authorized public key into an authorized public key register, the authorized public key having been stored in the secure non-volatile memory by an authorizing party.
  - 24. The method as recited in claim 21, wherein the asymmetric key algorithm comprises the RSA algorithm.
  - 25. The method as recited in claim 21, wherein the enable parameter is passed via execution of a secure execution mode enable instruction.
  - 26. The method as recited in claim 21, wherein the enable parameter is passed via a write to a hidden machine specific register within said microprocessor.
  - 27. The method as recited in claim 21, wherein said initializing further comprises:
    - upon verification of the enable parameter following decryption, enabling the secure execution mode for execution of the secure code.
  - 28. The method as recited in claim 21, wherein the enable parameter comprises a pointer to a location in system memory where the secure code is stored in encrypted form.
  - 29. The method as recited in claim 21, wherein the enable parameter comprises a pointer to a location in BIOS where the secure code is stored in encrypted form.
  - 30. The method as recited in claim 21, wherein said initializing further comprises:
    - following successful decryption of the enable parameter, fetching the secure code;
      
      using the authorized public key to decrypt the secure code;
      
      encrypting the secure code using a processor key according to a symmetric key algorithm; and
      
      storing an encrypted version of the secure code in the secure non-volatile memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VIA Technologies Incorporated (VIA Technologies)
Original Assignee
VIA Technologies Incorporated (VIA Technologies)
Inventors
Parks, Terry, Henry, G. Glenn

Granted Patent

US 8,370,641 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/12   Protecting executable software

G06F 21/14   against software analysis o...

G06F 21/554   involving event detection a...

G06F 21/70   Protecting specific interna...

G06F 21/71   to assure secure computing ...

G06F 21/72   in cryptographic circuits

G06F 21/73   by creating or determining ...

G06F 21/74   operating in dual or compar...

G06F 21/82   Protecting input, output or...

INITIALIZATION OF A MICROPROCESSOR PROVIDING FOR EXECUTION OF SECURE CODE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

INITIALIZATION OF A MICROPROCESSOR PROVIDING FOR EXECUTION OF SECURE CODE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links