BRANCH AND SWITCH KEY INSTRUCTION IN A MICROPROCESSOR THAT FETCHES AND DECRYPTS ENCRYPTED INSTRUCTIONS

US 20110296203A1
Filed: 04/21/2011
Published: 12/01/2011
Est. Priority Date: 05/25/2010
Status: Active Grant

First Claim

Patent Images

1. A microprocessor, comprising:

a fetch unit, configured to fetch and decrypt a branch and switch key instruction using first decryption key data; and

microcode, configured to;

cause the fetch unit to fetch and decrypt the next sequential instruction after the branch and switch key instruction using the first decryption key data, if the direction of the branch and switch key instruction is not taken; and

cause the fetch unit to fetch and decrypt a target instruction of the branch and switch key instruction using second decryption key data that is different from the first decryption key data, if the direction of the branch and switch key instruction is taken.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A microprocessor includes a fetch unit that fetches and decrypts an (atomic) branch and switch key instruction using first decryption key data. If the branch direction is not taken, the fetch unit fetches and decrypts the next sequential instruction after the branch and switch key instruction using the first decryption key data. If the direction is taken, the fetch unit fetches and decrypts a target instruction of the branch and switch key instruction using second decryption key data that is different from the first decryption key data. The instruction points to the decryption key data; alternatively, the microprocessor consults a mapping of target address ranges to decryption key data. An encryption program replaces conventional inter-program-chunk branch instructions with branch and switch key instructions before encrypting the program using information that divides the program into a sequence of chunks each chunk being a sequence of instructions and having distinct associated encryption key data.

Citations

31 Claims

1. A microprocessor, comprising:
- a fetch unit, configured to fetch and decrypt a branch and switch key instruction using first decryption key data; and
  
  microcode, configured to;
  
  cause the fetch unit to fetch and decrypt the next sequential instruction after the branch and switch key instruction using the first decryption key data, if the direction of the branch and switch key instruction is not taken; and
  
  cause the fetch unit to fetch and decrypt a target instruction of the branch and switch key instruction using second decryption key data that is different from the first decryption key data, if the direction of the branch and switch key instruction is taken.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The microprocessor of claim 1, wherein the microcode is further configured to update the fetch unit to use the second decryption key data rather than the first decryption key data, prior to causing the fetch unit to decrypt the target instruction using the second decryption key data, if the direction of the branch and switch key instruction is taken.
  - 3. The microprocessor of claim 2, wherein the branch and switch key instruction specifies a storage location of the second decryption key data within the microprocessor.
  - 4. The microprocessor of claim 3, wherein to update the fetch unit to use the second decryption key data the microcode is configured to load the fetch unit with the second decryption key data from the storage location within the microprocessor.
  - 5. The microprocessor of claim 2, wherein the microcode is further configured to determine a storage location of the second decryption key data within the microprocessor based on the memory address of the target instruction.
  - 6. The microprocessor of claim 5, wherein to update the fetch unit to use the second decryption key data wherein the microcode is configured to load the fetch unit with the second decryption key data from the storage location within the microprocessor.
  - 7. The microprocessor of claim 5, wherein to determine the storage location of the second decryption key data within the microprocessor based on the memory address of the target instruction, the microcode is configured to look up the memory address in a table within the microprocessor having a mapping of memory address ranges to storage locations within the microprocessor.
  - 8. The microprocessor of claim 7, wherein the storage locations within the microprocessor are within a register of the microprocessor.
  - 9. The microprocessor of claim 7, wherein the storage locations within the microprocessor are within a random access memory of the microprocessor.
  - 10. The microprocessor of claim 1, wherein the microprocessor is configured to execute the branch and switch key instruction atomically.
  - 11. The microprocessor of claim 1, wherein the fetch unit is further configured to:
    - generate a decryption key based on the first decryption key data and a portion of a fetch address used to fetch the branch and switch key instruction, prior to decrypting the branch and switch key instruction;
      
      wherein to decrypt the branch and switch key instruction using first decryption key data the fetch unit is configured to perform a Boolean exclusive-OR (XOR) operation of the branch and switch key instruction with the generated decryption key.
  - 12. The microprocessor of claim 1, wherein the microprocessor is configured to take an exception in response to the branch and switch key instruction if the microprocessor is not in a secure execution mode.

13. A method for processing an encrypted program by a microprocessor, the method comprising:
- fetching and decrypting a branch and switch key instruction using first decryption key data;
  
  if the direction of the branch and switch key instruction is not taken, fetching and decrypting the next sequential instruction after the branch and switch key instruction using the first decryption key data; and
  
  if the direction of the branch and switch key instruction is taken, fetching and decrypting a target instruction of the branch and switch key instruction using second decryption key data that is different from the first decryption key data.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13, wherein said decrypting the branch and switch key instruction and the next sequential instruction using the first decryption key data is performed by a fetch unit of the microprocessor using the first decryption key data, wherein if the direction of the branch and switch key instruction is taken, the method further comprises:
    - updating the fetch unit to use the second decryption key data rather than the first decryption key data, prior to said decrypting the target instruction using the second decryption key data.
  - 15. The method of claim 14, wherein the branch and switch key instruction specifies a storage location of the second decryption key data within the microprocessor.
  - 16. The method of claim 15, wherein said updating the fetch unit to use the second decryption key data comprises loading the fetch unit with the second decryption key data from the storage location within the microprocessor.
  - 17. The method of claim 14, further comprising:
    - determining a storage location of the second decryption key data within the microprocessor based on the memory address of the target instruction.
  - 18. The method of claim 17, wherein said updating the fetch unit to use the second decryption key data comprises loading the fetch unit with the second decryption key data from the storage location within the microprocessor.
  - 19. The method of claim 17, wherein said determining the storage location of the second decryption key data within the microprocessor based on the memory address of the target instruction comprises looking up the memory address in a table within the microprocessor having a mapping of memory address ranges to storage locations within the microprocessor.
  - 20. The method of claim 19, wherein the storage locations within the microprocessor are within a register of the microprocessor.
  - 21. The method of claim 19, wherein the storage locations within the microprocessor are within a random access memory of the microprocessor.
  - 22. The method of claim 13, wherein execution of the branch and switch key instruction is performed atomically by the microprocessor.
  - 23. The method of claim 13, further comprising:
    - generating a decryption key based on the first decryption key data and a portion of a fetch address used to fetch the branch and switch key instruction, prior to said decrypting the branch and switch key instruction;
      
      wherein said decrypting the branch and switch key instruction using first decryption key data comprises performing a Boolean exclusive-OR (XOR) operation of the branch and switch key instruction with the generated decryption key.
  - 24. The method of claim 13, further comprising:
    - taking an exception in response to the branch and switch key instruction if the microprocessor is not in a secure execution mode.

25. A method for encrypting a program for subsequent execution by a microprocessor configured to decrypt and execute the encrypted program, the method comprising:
- receiving an object file specifying an unencrypted program that includes conventional branch instructions whose target address may be determined prior to the time in which the microprocessor runs the program;
  
  analyzing the program to obtain chunk information, wherein the chunk information divides the program into a sequence of chunks, wherein each of the chunks comprises a sequence of instructions, wherein the chunk information further comprises encryption key data associated with each of the chunks, wherein the encryption key data associated with each of the chunks is distinct;
  
  replacing each of the conventional branch instructions that specifies a target address that is within a different chunk than the chunk in which the conventional branch instruction resides with a branch and switch key instruction; and
  
  encrypting the program based on the chunk information.
- View Dependent Claims (26, 27)
- - 26. The method of claim 25, wherein each of the branch and switch key instructions specifies a storage location within the microprocessor storing the encryption key data associated with the chunk that includes the target address specified by the branch and switch key instruction.
  - 27. The method of claim 25, wherein said encrypting the program based on the chunk information comprises:
    - for each block of instruction data of each of the chunks, generating an encryption key based on the encryption key data associated with the chunk and a portion of a memory address of the block;
      
      performing a Boolean exclusive-OR (XOR) operation of the block with the generated encryption key.

28. A method for encrypting a program for subsequent execution by a microprocessor configured to decrypt and execute the encrypted program, the method comprising:
- receiving an object file specifying an unencrypted program that includes conventional branch instructions whose target address may only be determined at the time in which the microprocessor runs the program;
  
  analyzing the program to obtain chunk information, wherein the chunk information divides the program into a sequence of chunks, wherein each of the chunks comprises a sequence of instructions, wherein the chunk information further comprises encryption key data associated with each of the chunks, wherein the encryption key data associated with each of the chunks is distinct;
  
  replacing each of the conventional branch instructions with a branch and switch key instruction; and
  
  encrypting the program based on the chunk information.
- View Dependent Claims (29, 30, 31)
- - 29. The method of claim 28, further comprising:
    - including the chunk information within the object file for loading into the microprocessor prior to execution of the program by the microprocessor.
  - 30. The method of claim 29, wherein the chunk information within the object file for loading into the microprocessor prior to execution of the program specifies for each of the chunks a storage location within the microprocessor storing the encryption key data associated with the chunk.
  - 31. The method of claim 28, wherein said encrypting the program based on the chunk information comprises:
    - for each block of instruction data of each of the chunks, generating an encryption key based on the encryption key data associated with the chunk and a portion of a memory address of the block;
      
      performing a Boolean exclusive-OR (XOR) operation of the block with the generated encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VIA Technologies Incorporated (VIA Technologies)
Original Assignee
VIA Technologies Incorporated (VIA Technologies)
Inventors
Parks, Terry, Bean, Brent, Henry, G. Glenn, Crispin, Thomas A.

Granted Patent

US 8,639,945 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/190
CPC Class Codes

G06F 12/0875   with dedicated cache, e.g. ...

G06F 21/52   during program execution, e...

G06F 21/54   by adding security routines...

G06F 21/602   Providing cryptographic fac...

G06F 21/71   to assure secure computing ...

G06F 21/72   in cryptographic circuits

G06F 2212/402   Encrypted data

G06F 2212/452   Instruction code

G06F 2221/2107   File encryption

G06F 9/30003   Arrangements for executing ...

G06F 9/30058   Conditional branch instruct...

G06F 9/30079   Pipeline control instructio...

G06F 9/30178   of compressed or encrypted ...

G06F 9/30189   according to execution mode...

H04L 2209/12   Details relating to cryptog...

H04L 2209/20   Manipulating the length of ...

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/0827   involving distinctive inter...

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894 : Escrow, recovery or storing...

View All

BRANCH AND SWITCH KEY INSTRUCTION IN A MICROPROCESSOR THAT FETCHES AND DECRYPTS ENCRYPTED INSTRUCTIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

BRANCH AND SWITCH KEY INSTRUCTION IN A MICROPROCESSOR THAT FETCHES AND DECRYPTS ENCRYPTED INSTRUCTIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links