IMPLEMENTING ACCESS CONTROL BY SYSTEM-ON-CHIP

US 20160350549A1
Filed: 01/27/2015
Published: 12/01/2016
Est. Priority Date: 01/27/2014
Status: Active Grant

First Claim

Patent Images

1. A system-on-chip (SoC), comprising:

an access control unit comprising a secure memory for storing access control data, the access control unit to;

receive a message comprising an access control data item;

store the access control data item in the secure memory;

perform at least one of;

authenticating the message using a message digest function, or validating contents of the secure memory by comparing a stored reference value with a calculated value of a message digest function of the contents of the secure memory; and

control, in view of the access control data item, access by an initiator device to a target device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for implementing access control by systems-on-chip (SoCs). An example SoC may comprise: an access control unit comprising a secure memory for storing access control data, the access control unit to: receive a message comprising an access control data item; store the access control data item in the secure memory; perform at least one of: authenticating the message using a message digest function, or validating contents of the secure memory by comparing a stored reference value with a calculated value of a message digest function of the contents of the secure memory; and control, in view of the access control data item, access by an initiator device to a target device.

36 Citations

View as Search Results

28 Claims

1. A system-on-chip (SoC), comprising:
- an access control unit comprising a secure memory for storing access control data, the access control unit to;
  
  receive a message comprising an access control data item;
  
  store the access control data item in the secure memory;
  
  perform at least one of;
  
  authenticating the message using a message digest function, or validating contents of the secure memory by comparing a stored reference value with a calculated value of a message digest function of the contents of the secure memory; and
  
  control, in view of the access control data item, access by an initiator device to a target device.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The SoC of claim 1, wherein the access control data item comprises at least one of:
    - an access control rule or an address translation rule.
  - 8. The SoC of claim 7, wherein the access control rule comprises at least one of:
    - an identifier of the initiator device, an identifier of the target device, an address range, an access permission, or an access authorization type.
  - 9. The SoC of claim 1, wherein the access control unit is implemented by a network-on-chip (NoC) comprising a filtering firewall to enforce access control in view of the access control data item while transporting at least one of data frames or electric signals between the initiator device and the target device.
  - 10. The SoC of claim 1, wherein the access control unit is implemented by a memory management unit (MMU) to enforce access control in view of the access control data item while translating a first address to a second address referencing a memory location on the target device.
  - 11. The SoC of claim 1, wherein authenticating the message comprises calculating a value of the message digest function of the message, in view of a secret shared between the access control unit and a programming agent that has initiated the message.
  - 12. The SoC of claim 1, wherein the access control unit is further to validate the message in view of a value of a state variable comprised by the message, wherein the state variable reflects a state of communications between the access control unit and a programming agent that has initiated the message.

2-6. -6. (canceled)

13. (canceled)

14. A system-on-chip (SoC), comprising:
- an access control unit comprising a first secure memory and a second secure memory for storing access control data, the access control unit to;
  
  receive a first message comprising a first access control data item;
  
  authenticate the first message using a first message digest function and a first cryptographic key;
  
  store the first access control data item in the first secure memory;
  
  receive a second message comprising a second access control data item;
  
  authenticate the second message using a second message digest function and a second cryptographic key;
  
  store the second access control data item in the second secure memory; and
  
  control, in view of at least one of the first access control data item or the second access control data item, access by an initiator device to a target device.
- View Dependent Claims (16)
- - 16. The SoC of claim 14, wherein the access control unit is to interpret the second access control data item as subordinate to the first access control data item.

15. (canceled)

17. A method, comprising:
- receiving, by a system-on-chip (SoC), a message comprising an access control data item;
  
  authenticating the message using a message digest function;
  
  storing the access control data item in a secure memory; and
  
  controlling, in view of the access control data item, access by an initiator device to a target device.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 18. The method of claim 17, wherein the message digest function is provided by a cryptographic hash function.
  - 19. The method of claim 17, wherein authenticating the message further comprises calculating a hash message authentication code (HMAC) using the message digest function.
  - 20. The method of claim 17, wherein the access control data item comprises at least one of:
    - an access control rule or an address translation rule.
  - 21. The method of claim 17, wherein the access control rule comprises at least one of:
    - an identifier of the initiator device, an identifier of the target device, an address range, an access permission, or an access authorization type.
  - 22. The method of claim 17, wherein the controlling further comprises filtering data frames traversing the access control unit based on an access control rule set comprising a plurality of access control rules defined on non-overlapping address ranges
  - 23. The method of claim 17, the controlling further comprises filtering data frames traversing the access control unit based on an access control rule set comprising a plurality of access control rules defined on a plurality of overlapping address ranges.
  - 24. The method of claim 23, wherein a first access control rule defined on a first address range of the plurality of overlapping address ranges is interpreted as overriding a second access control rule defined on a second address range of the plurality of overlapping address ranges.
  - 25. The method of claim 17, the controlling further comprises translating a virtual address to a physical address, the physical address referencing a memory location on the target device.
  - 26. The method of claim 17, wherein authenticating the message comprises calculating a value of the message digest function of the message, based on a secret shared between the access control unit and a programming agent that has initiated the message.
  - 27. The method of claim 17, further comprising:
    - validating the message in view of a value of a state variable associated with the message, wherein the state variable reflects a state of communications between the access control unit and a programming agent that has initiated the message.

28-35. -35. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cryptography Research, Inc. (Rambus Inc.)
Original Assignee
Cryptography Research, Inc. (Rambus Inc.)
Inventors
de Almeida, Guilherme Ozari, Hampel, Craig E., Cioranesco, Jean-Michel, do Canto, Rodrigo Portella

Granted Patent

US 10,482,275 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06F 21/755   with measures against power...

G06F 21/85   interconnection devices, e....

H04L 63/0227   Filtering policies mail mes...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/101   Access control lists [ACL]

H04L 63/123   received data contents, e.g...

IMPLEMENTING ACCESS CONTROL BY SYSTEM-ON-CHIP

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

IMPLEMENTING ACCESS CONTROL BY SYSTEM-ON-CHIP

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links