PROVIDING FAST NON-VOLATILE STORAGE IN A SECURE ENVIRONMENT

US 20120036347A1
Filed: 08/06/2010
Published: 02/09/2012
Est. Priority Date: 08/06/2010
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a processor to execute instructions; and

a peripheral controller coupled to the processor via a first link, the peripheral controller including a storage controller to control a non-volatile storage coupled to the peripheral controller, wherein the storage controller is to enable access to a secure partition of the non-volatile storage in a secure mode and to prevent visibility of the secure partition outside of the secure mode.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a peripheral controller coupled to a processor can include a storage controller. This storage controller can control access to a non-volatile storage coupled to the peripheral controller. The storage may include both secure and open partitions, and the storage controller can enable access to the secure partition only when the processor is in a secure mode. In turn, during unsecure operation such as third party code execution, visibility of the secure partition can be prevented. Other embodiments are described and claimed.

175 Citations

20 Claims

1. An apparatus comprising:
- a processor to execute instructions; and
  
  a peripheral controller coupled to the processor via a first link, the peripheral controller including a storage controller to control a non-volatile storage coupled to the peripheral controller, wherein the storage controller is to enable access to a secure partition of the non-volatile storage in a secure mode and to prevent visibility of the secure partition outside of the secure mode.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1, wherein the peripheral controller further includes a flash interface to interface with a flash memory that stores a basic input/output system (BIOS).
  - 3. The apparatus of claim 2, wherein at least a portion of the BIOS is to be stored in the secure partition during system operation.
  - 4. The apparatus of claim 2, wherein at least one system password is to be stored in the secure partition.
  - 5. The apparatus of claim 1, wherein the processor is to send a system management interrupt (SMI) signal to the peripheral controller to indicate entry into the secure mode and the storage controller is to open the secure partition responsive to the SMI signal.
  - 6. The apparatus of claim 5, wherein the storage controller is to encrypt data prior to storage in the secure partition.
  - 7. The apparatus of claim 1, wherein the non-volatile storage includes an open partition that is to provide fast cache access to application information for an application executed in a non-secure mode.
  - 8. The apparatus of claim 2, wherein the BIOS is to create the secure partition and to set a region for the secure partition in a plurality of boundary registers of the storage controller and to lock the secure partition after the creation.
  - 9. The apparatus of claim 8, wherein the BIOS is to enable read access to a portion of the secure partition in a non-secure mode and to prevent write access to the portion in the non-secure mode.

10. A method comprising:
- configuring, using trusted code of a trusted mode of a system, a secure partition of a non-volatile storage of the system, the secure partition to be hidden during an untrusted mode of operation, the non-volatile storage separate from a firmware storage of the system; and
  
  responsive to an interrupt signal that indicates entry into the trusted mode, enabling access to the secure partition; and
  
  accessing the secure partition during the trusted mode and performing at least one operation using information stored in the secure partition.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, further comprising maintaining the secure partition hidden in the untrusted mode via a configuration register of a storage controller coupled to the non-volatile storage.
  - 12. The method of claim 10, further comprising after performing the at least one operation in the trusted mode, allowing the secure partition to remain visible in the untrusted mode so that untrusted code can access at least a portion of the secure partition.
  - 13. The method of claim 12, further comprising locking the secure partition on a next interrupt signal following the interrupt signal to prevent the untrusted code from further access to the secure partition.
  - 14. The method of claim 10, further comprising allowing untrusted code to access an open partition of the non-volatile storage via a storage controller of a peripheral controller coupled to a processor, and preventing the untrusted code from access to the secure partition of the non-volatile storage via the storage controller.
  - 15. The method of claim 14, further comprising accessing firmware in the firmware storage coupled to the peripheral controller and storing at least a portion of the firmware in the secure partition to enable faster access to the firmware than from the firmware storage.

16. An article comprising a non-transitory machine-accessible storage medium including instructions that when executed cause a system to:
- receive a memory access request to a location in a non-volatile storage coupled to a peripheral controller, the non-volatile storage including a first portion to be accessible to application code and a second portion that is inaccessible and hidden to the application code;
  
  determine if the system is in a trusted mode and if so, enable access to the second portion to perform the memory access request; and
  
  otherwise, to prevent access to the second portion.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The article of claim 16, further comprising instructions that enable the system to indicate to a requester of the memory access request that the non-volatile storage is unavailable if the system is not in the trusted mode.
  - 18. The article of claim 16, further comprising instructions that enable the system to encrypt data and to store the data of the memory access request in the second portion if the memory access request is a write request.
  - 19. The article of claim 18, further comprising instructions that enable the system to decrypt data obtained from the second portion responsive to the memory access request if the memory access request is a read request.
  - 20. The article of claim 16, wherein preventing access to the second portion includes sending a message to a requester of the memory access request to indicate that the memory access request is for a missing storage location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SK Hynix NAND Product Solutions Corporation (SK Hynix Inc.)
Original Assignee
Intel Corporation
Inventors
Swanson, Robert C., Bulusu, Mallik, Zimmer, Vincent J.

Granted Patent

US 8,539,245 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/2
CPC Class Codes

G06F 21/572   Secure firmware programming...

G06F 21/72   in cryptographic circuits

G06F 21/74   operating in dual or compar...

G06F 21/79   in semiconductor storage me...

G06F 21/85   interconnection devices, e....

G06F 2221/2107   File encryption

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2115   Third party

PROVIDING FAST NON-VOLATILE STORAGE IN A SECURE ENVIRONMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

175 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

PROVIDING FAST NON-VOLATILE STORAGE IN A SECURE ENVIRONMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

175 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others