Security Processing Engines, Circuits and Systems and Adaptive Processes and Other Processes

US 20120011351A1
Filed: 06/21/2011
Published: 01/12/2012
Est. Priority Date: 07/08/2010
Status: Active Grant

First Claim

Patent Images

1. An electronic circuit comprising:

one or more programmable control-plane engines operable to process packet header information and form at least one command;

one or more programmable data-plane engines selectively operable for at least one of a plurality of cryptographic processes selectable in response to the at least one command; and

a programmable host processor coupled to such a data-plane engine and such a control-plane engine.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An electronic circuit (200) includes one or more programmable control-plane engines (410, 460) operable to process packet header information and form at least one command, one or more programmable data-plane engines (310, 320, 370) selectively operable for at least one of a plurality of cryptographic processes selectable in response to the at least one command, and a programmable host processor (100) coupled to such a data-plane engine (310) and such a control-plane engine (410). Other processors, circuits, devices and systems and processes for their operation and manufacture are disclosed.

Citations

45 Claims

1. An electronic circuit comprising:
- one or more programmable control-plane engines operable to process packet header information and form at least one command;
  
  one or more programmable data-plane engines selectively operable for at least one of a plurality of cryptographic processes selectable in response to the at least one command; and
  
  a programmable host processor coupled to such a data-plane engine and such a control-plane engine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The electronic circuit claimed in claim 1 wherein the circuit includes multiple such data engines adapted to primarily process streams of data, said one or more control-plane engine adapted to primarily schedule and control said data engines, thereby avoiding stalling of control operations and data operations by each other.
  - 3. The electronic circuit claimed in claim 2 wherein the multiple data engines support encryption and authentication simultaneously according to a selectable pipeline order thereof.
  - 4. The electronic circuit claimed in claim 2 wherein said control-plane engine is selectively operable according to first and second passes together with at least one of the data engines for a cryptographic process according to a selectable pipeline order establishing such first pass by said control-plane engine, then at least one such cryptographic process one or more of the data engines, and then such second pass by said control-plane engine.
  - 5. The electronic circuit claimed in claim 4 wherein the least two engines among said data engines and control engine are operable to process stream data so that the at least two engines are concurrently processing different parts of the stream data.
  - 6. The electronic circuit claimed in claim 1 wherein said control-plane engine is operable to receive and process control information substantially concurrently with said at least one data-plane engine performing the selected cryptographic processes.
  - 7. The electronic circuit claimed in claim 1 wherein said one or more control plane engines include at least two control plane engines concurrently operable with at least one of them operable for internet-layer cryptographic control and at least another one of them operable for separate transport-layer cryptographic control, and said one or more data-plane engines include at least two data-plane engines concurrently operable with the at least two control plane engines and with each other, at least one of the data-plane engines for internet-layer related cryptographic data processing in response to such control and at least another one of them for transport-layer cryptographic processing in response to such separate control.
  - 8. The electronic circuit claimed in claim 1 wherein said at least one said control plane engine and data plane engine are operable in a first pipeline for internet-layer cryptographic operation and said at least another one said control plane engine and data plane engine are operable in a second pipeline for transport-layer cryptographic operation, and said various engines are operable so that the first pipeline and said second pipeline are pipelined together, whereby a combined pipeline for concurrent transport-layer and internet-layer cryptographic operation is enabled.
  - 9. The electronic circuit claimed in claim 1 wherein such control-plane engine is operable to process packet header information and form a cascaded command to establish a pipelined process utilizing at least two of said data-plane engines.
  - 10. The electronic circuit claimed in claim 1 further comprising a chunking circuit coupled with at least one of said data plane engines and said chunking circuit operable to automatically break input packets into smaller chunks for processing by at least one of said data plane engines.
  - 11. The electronic circuit claimed in claim 10 wherein at least one of said chunking circuit and said control plane engines is operable to schedule the chunks based on latency-related control data and auto-forward the chunks to a said engine identified in the chunk.
  - 12. The electronic circuit claimed in claim 1 for use with packets having different priorities, and wherein each of said one or more data plane engines processes packets in data chunks, and at least one of such data plane engines is operable to switch to chunks from a higher priority packet after processing some but fewer than all of the chunks from a current packet of lower priority, whereby a rapid response to a new higher priority packet is facilitated.
  - 13. The electronic circuit claimed in claim 1 further comprising a security context cache module operable to fetch a control data structure for a respective security context for establishing a cryptographic mode.
  - 14. The electronic circuit claimed in claim 13 wherein said security context cache module is responsive to control data in an input packet to perform a fetch of the control data structure.
  - 15. The electronic circuit claimed in claim 13 wherein at least one of said control plane engines and at least two of said data plane engines are coupled with said security context cache module to access at least part of a selected security context.
  - 16. The electronic circuit claimed in claim 13 further comprising a chunking circuit coupled with at least one of said data plane engines and at least one of said control plane engines, and said chunking circuit operable to automatically break input packets into smaller chunks for processing, one of the chunks being a start-of-packet chunk, and wherein the at least one said control-plane engine includes a command encoder circuit operable to form the at least one command in response to the security context applicable to a start of packet chunk.
  - 17. The electronic circuit claimed in claim 13 wherein the one or more control plane engines and the one or more data plane engines are operable to approximately-concurrently access multiple security contexts and process multiple packets to which the multiple security contexts are respectively applicable, whereby to concurrently process packet streams that are under multiple security standards respectively.
  - 18. The electronic circuit claimed in claim 1 wherein the one or more control-plane engines and the one or more data-plane engines together have both control plane/data plane parallelism and cryptographic streaming parallelism.
  - 19. The electronic circuit claimed in claim 1 wherein said host processor is also operable to form at least one command and such data-plane engine also responsive to such a command from said host processor.
  - 20. The electronic circuit claimed in claim 1 further comprising a register, and wherein said host processor is operable to establish an ownership datum in said register representing either ownership for processing purposes by said host processor or by said control plane engine, and said control-plane engine is operable in response to a state of said ownership datum representing reception of ownership from said host processor to subsequently alter said ownership datum to release ownership back to said host processor.
  - 21. The electronic circuit claimed in claim 1 wherein the at least one said data-plane engine has hardware cryptographic cores, and the at least one said data-plane engine is operable in a direct mode to selectively engage the hardware cryptographic cores to process non-packet data.

22. A security context cache module for use with a host processor and an external memory, said module comprising:
- a local cache memory;
  
  a local processor coupled with said local cache memory;
  
  an ingress circuit having an input for ingress of a packet stream including an ingress packet having a security context pointer; and
  
  an auto-fetch circuit responsive to such ingress packet and operable to automatically fetch a security context from the external memory to said local cache memory using the security context pointer, and to associate the security context in said local cache memory with the packet stream, said auto-fetch circuit operable for multiple such packet streams and ingress packets, whereby to allow simultaneous security connections.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The security context cache module claimed in claim 22 further comprising an eviction circuit responsive to a new packet steam to auto-evict a security context from said local cache memory when such local cache memory is full.
  - 24. The security context cache module claimed in claim 23 further comprising a control circuit responsive to a tier datum in the ingress packet to specify a tier-datum-specified one of at least two tiers for a security context upon storing such security context in said local cache memory wherein said control circuit is operable to protect a first tier security context from the auto-eviction and a second tier security context is subject to auto-eviction.
  - 25. The security context cache module claimed in claim 22 wherein said local cache memory includes multiple cache ways and said auto-fetch circuit is responsive to a security context identification bit field in said ingress packet to act as a cache way-select control.
  - 26. The security context cache module claimed in claim 25 wherein said auto-fetch circuit is operable to compare the security context identification bit field with contents of said selected cache way to detect presence of the identified security context, and operable upon failure to thus detect, to auto-fetch the identified security context from the external memory.

27. A streaming interface for packet data, comprising:
- a buffer circuit for a packet stream including a packet having an associated request field for thread identification, said buffer circuit operable to provide a ready signal indicating that said buffer circuit currently has at least a predetermined amount of space to accept data; and
  
  a data transfer circuit responsive to the request for thread identification to transfer data to a particular target thread, said data transfer circuit including a control circuit responsive to the ready signal, and responsive to a start-of-packet indicator and an end-of-packet indicator and a drop-packet indicator, and further responsive to a multi-bit thread identification of a thread that is currently occupying the buffer circuit.
- View Dependent Claims (28, 29)
- - 28. The streaming interface claimed in claim 27 wherein said control circuit is operable to establish simultaneous connections for plural different threads in response to packets having control information indicating a new distinct thread.
  - 29. The streaming interface claimed in claim 27 wherein said control circuit is responsive to the packet having an active tear down datum to tear down a connection.

30. A control method for packet processing, the control method comprising:
- host-loading a first storage area with a context including control data and processing instructions for processing at least part of a packet;
  
  supplying a stream of packets including a particular packet to a packet processing subsystem, the particular packet including a pointer to a context in the first storage area;
  
  operating the packet processing subsystem to access the context from the first storage area for use in the packet processing subsystem in accordance with the pointer; and
  
  processing the stream of packets in the packet processing subsystem in accordance with the control data and processing instructions in the context.
- View Dependent Claims (31, 32, 33)
- - 31. The control method claimed in claim 30 wherein the supplying includes plural streams and plural such pointers to plural contexts and the processing of the streams is at least approximately concurrent in accordance with plural contexts to which the pointers point.
  - 32. The control method claimed in claim 30 wherein the control data in the context includes program instructions and an indication of a processing topology, and the processing includes processing the stream of packets with at least two programmable processors in a pipeline topology organized as specified in the control data and the processing is in accordance with the program instructions in the context.
  - 33. The control method claimed in claim 32 wherein the indication of the specified processing topology represents an identification of a particular cryptographic process, and the processing includes responding to the identification of the particular cryptographic process to generate a set of engine identifications ordered in a particular order to specify the processing topology, whereby to effectuate particular cryptographic process.

34. An electronic method of processing packets, the method comprising:
- providing a set of accelerator engines and at least one separate control engine;
  
  receiving packets from a stream using an electronic interface;
  
  electronically chunking the packets into chunks in a memory, the chunks being generally shorter than their packets and at least one of the chunks having associated control information;
  
  operating the separate control engine in response to the control information to electronically generate and store a sequence of engine identifications representing a pipelined process by selected ones of said accelerator engines one after another according to the sequence; and
  
  coupling and operating the accelerator engines responsive to the stored sequence of engine identifications so that a first accelerator engine having the first engine identification in the sequence processes a series of the chunks to produce resulting chunks, and a second accelerator engine having the second engine identification in the sequence processes the resulting chunks from the first accelerator engine beginning substantially as soon as the first of the resulting chunks comes from the first accelerator engine, whereby the stream of packets is pipeline-processed.
- View Dependent Claims (35, 36)
- - 35. The electronic method claimed in claim 34 further comprising electronically combining chunks from an accelerator engine having the last engine identification in sequence so that the data from the chunks is delivered as an egress stream.
  - 36. The electronic method claimed in claim 35 further comprising employing the separate control engine to electronically generate a packet header for said electronic combining, whereby the egress stream is packetized.

37. A packet interface circuit comprising:
- a control circuit operable to receive packets each having a header and a payload, some of the packets representing a first stream, and some others of the packets representing a second stream, the control circuit operable to assign thread identifications identifying each such stream;
  
  a memory; and
  
  a chunking circuit operable, when a given such packet has a payload exceeding a predetermined length, to store chunks in said memory so that the chunks have the predetermined length or less, and said chunking circuit operable to load chunk control information into said memory, the control information indicating start of packet (SOP), middle of packet (MOP), and end of packet (EOP), depending on the position in the payload of data in a given stored chunk.
- View Dependent Claims (38)
- - 38. The control method claimed in claim 37 wherein said control circuit is responsive to a flow index for given such stream.

39. A communication method for control communication between processors, the communication method comprising:
- electronically breaking ingress packets into smaller chunks, one of the chunks for a packet being a start-of-packet chunk having associated control information;
  
  operating one or more programmable control-plane engines to process such a start of packet chunk and form at least one command to organize a set of data plane engines into a particular pipeline topology; and
  
  selectively operating the data-plane engines programmably to process the chunks in accordance with the command, whereby to effectuate at least one of a plurality of packet processing modes.
- View Dependent Claims (40, 41)
- - 40. The communication method claimed in claim 39 further comprising an initialization process including setting up at least one security context for access by each such control plane engine and data-plane engine, activating an enable for a least one of the control-plane engines, downloading firmware into such enabled control-plane engine, and activating an enable for a least a first one of the data-plane engines in the topology.
  - 41. The communication method claimed in claim 39 wherein the at least one command also organizes at least one of the engines into the topology according to a Pass1 engine identification and a Pass2 engine identification.

42. An electronic buffering circuit comprising:
- at least three processors each having inputs and outputs and identified by respective engine identifications, and at least one of said processors operable to generate particular engine identifications of at least two of said processors;
  
  a plurality of buffers at least equal in number to the plurality of processors; and
  
  a selection circuit responsive to controls based on the engine identifications of said processors for any-order interconnection of a selected processor-buffer-processor topology.
- View Dependent Claims (43, 44)
- - 43. The electronic buffering circuit claimed in claim 42 further comprising at least two ingress packet interface circuits and at least two additional buffers respectively coupling said two ingress packet interface circuits to said selection circuit.
  - 44. The electronic buffering circuit claimed in claim 42 further comprising at least two egress packet interface circuits fed from said selection circuit.

45. A packet-processing electronic subsystem comprising:
- a first data interface for first streaming data;
  
  a second data interface for second streaming data;
  
  a scheduler circuit coupled to said first and second data interfaces and including a packet memory;
  
  a security context cache module coupled for input from, and output to, said scheduler circuit, said security context cache module including a cache controller and a cache storage for at least one security context;
  
  a packet header processing module coupled for input from, and output to, said scheduler circuit;
  
  an authentication module coupled for input from, and output to, said scheduler circuit; and
  
  an encryption module coupled for input from, and output to, said scheduler circuit and said encryption module including control circuitry and encryption accelerators responsive to a security context in said security context cache module to operate said encryption module and said authentication module as specified by said security context and said packet header processing module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Texas Instruments, Inc.
Original Assignee
Texas Instruments, Inc.
Inventors
Beaudoin, Denis Roland, Mundra, Amritpal Singh

Granted Patent

US 9,141,831 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/1
CPC Class Codes

G06F 21/72   in cryptographic circuits

G06F 2221/2107   File encryption

G06F 7/588   Random number generators, i...

H04L 2209/125   Parallelization or pipelini...

H04L 47/2441   relying on flow classificat...

H04L 63/0428   wherein the data content is...

H04L 63/0485   Networking architectures fo...

H04L 63/08   for authentication of entit...

H04L 9/0625   with splitting of the data ...

H04L 9/0631   Substitution permutation ne...

H04L 9/0637   Modes of operation, e.g. ci...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/065   Encryption by serially and ...

H04L 9/0869   involving random numbers or...

H04L 9/3013   involving the discrete loga...

H04L 9/32   including means for verifyi...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3242   involving keyed hash functi...

H04L 9/50   using hash chains, e.g. blo...

H04W 12/069 : using certificates or pre-s...

View All

Security Processing Engines, Circuits and Systems and Adaptive Processes and Other Processes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Security Processing Engines, Circuits and Systems and Adaptive Processes and Other Processes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links