METHOD AND APPARATUS INCLUDING ARCHITECTURE FOR PROTECTING SENSITIVE CODE AND DATA

US 20120102307A1
Filed: 12/09/2010
Published: 04/26/2012
Est. Priority Date: 10/20/2010
Status: Active Grant

First Claim

Patent Images

1. A method for providing a secure execution environment for program code or data, comprising:

offloading code or data from a host processor to a secure asset management unit (SAMU) in an encrypted format for authenticating and for maintaining confidentiality of the code or data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure execution environment for execution of sensitive code and data including a secure asset management unit (SAMU) is described. The SAMU provides a secure execution environment to run sensitive code, for example, code associated with copy protection schemes established for content consumption. The SAMU architecture allows for hardware-based secure boot and memory protection and provides on-demand code execution for code provided by a host processor. The SAMU may boot from an encrypted and signed kernel code, and execute encrypted, signed code. The hardware-based security configuration facilitates preventing vertical or horizontal privilege violations.

166 Citations

16 Claims

1. A method for providing a secure execution environment for program code or data, comprising:
- offloading code or data from a host processor to a secure asset management unit (SAMU) in an encrypted format for authenticating and for maintaining confidentiality of the code or data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the offloading includes creating an encrypted binary boot image with a random key generated in a signing tool used by the SAMU.
  - 3. The method of claim 2, wherein the encrypted binary boot image is encrypted for the SAMU and provided as a secure kernel and as a secure application for the SAMU.
  - 4. The method of claim 3, wherein a user installs the encrypted binary boot image and presents the encrypted binary boot image to the SAMU on demand.
  - 5. The method of claim 4, further comprising:
    - validating the encrypted binary boot image for integrity before configuring a decryption key for use with the SAMU using a boot read only memory (ROM).
  - 6. The method of claim 5, further comprising:
    - generating a decryption key by the boot ROM for use with the SAMU; and
      
      passing control to the encrypted binary boot image in response to a positive validation.
  - 7. The method of claim 5, wherein no SAMU service is exposed if there is a negative validation, and the application reverts to a software based protection scheme.

8. A system for providing a secure execution environment for program code or data, comprising:
- a computer configured to execute at least one application including code or data on a host processor;
  
  a secure asset management unit (SAMU) configured to execute program code, wherein the SAMU is connected to the computer and is configured to offload code or data from the host processor in an encrypted format to authenticate and to maintain confidentiality of the code or data.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the SAMU is further configured to provide an encrypted binary boot image with a random key generated in a signing tool used by the SAMU as part of the offloading.
  - 10. The system of claim 9, wherein the encrypted binary boot image is encrypted for the SAMU and provided as a secure kernel and as a secure application for SAMU.
  - 11. The system of claim 10, wherein a user installs the encrypted binary boot image on the system and presents the encrypted binary boot image to the SAMU on demand.
  - 12. The system of claim 11, wherein the SAMU is further configured to validate the encrypted binary boot image for integrity before configuring a decryption key for use with the SAMU using a boot read only memory (ROM).
  - 13. The system of claim 12, wherein the boot ROM is further configured to generate a decryption key for use with the SAMU and to pass control to the encrypted binary boot image in response to a positive validation.
  - 14. The system of claim 12, wherein no SAMU service is exposed if there is a negative validation, and the application reverts to a software based protection scheme for authentication.

15. A computer-readable storage medium storing a set of instructions for execution by one or more processors to facilitate manufacture of a secure asset management unit (SAMU), the SAMU configured to:
- execute program code; and
  
  offload sensitive program code or data from a processor in an encrypted format to authenticate and to maintain confidentiality of the program code or data.
- View Dependent Claims (16)
- - 16. The computer-readable storage medium of claim 15, wherein the instructions are hardware description language (HDL) instructions used for the manufacture of a device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Advanced Micro Devices, Inc.
Original Assignee
Advanced Micro Devices, Inc.
Inventors
Wong, Daniel W.

Granted Patent

US 8,904,190 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/2
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/109   by using specially-adapted ...

G06F 21/575   Secure boot

G06F 21/60   Protecting data

G06F 21/70   Protecting specific interna...

G06F 21/72   in cryptographic circuits

METHOD AND APPARATUS INCLUDING ARCHITECTURE FOR PROTECTING SENSITIVE CODE AND DATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

166 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS INCLUDING ARCHITECTURE FOR PROTECTING SENSITIVE CODE AND DATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links