Control function employing a requesting master id and a data address to qualify data access within an integrated system

US 6,851,056 B2
Filed: 04/18/2002
Issued: 02/01/2005
Est. Priority Date: 04/18/2002
Status: Active Grant

First Claim

Patent Images

1. A data access method for an integrated system having multiple functional masters, the multiple functional masters having multiple master ids, the method comprising:

predefining at system initialization different levels of data access security to the multiple functional masters, wherein the different levels of data access security are predefined in an access table, the access table enforcing the defined access rights for the multiple functional masters to ensure security within the integrated system;

receiving a request for data from a requesting master of the multiple functional masters; and

responsive to the request, determining by a data access control function whether to grant access to the data based on a master id of the requesting master, the data access level for the requesting master defined in the access table and an address of the data; and

when granting access, deciding by the data access control function, with reference to the data access level of the requesting master, whether to decrypt the data when the request is a read request, and whether to encrypt the data when the request is a write request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control function for an integrated system is provided which determines data access based on the master id of a requesting master within the system and the address of the data. The access control function can be inserted, for example, into the data transfer path between bus control logic and one or more slaves. In addition to determining whether to grant access to the data, the access control function can further qualify the access by selectively implementing encryption and decryption of data, again dependent on the data authorization level for the particular functional master initiating the request for data.

107 Citations

View as Search Results

19 Claims

1. A data access method for an integrated system having multiple functional masters, the multiple functional masters having multiple master ids, the method comprising:
- predefining at system initialization different levels of data access security to the multiple functional masters, wherein the different levels of data access security are predefined in an access table, the access table enforcing the defined access rights for the multiple functional masters to ensure security within the integrated system;
  
  receiving a request for data from a requesting master of the multiple functional masters; and
  
  responsive to the request, determining by a data access control function whether to grant access to the data based on a master id of the requesting master, the data access level for the requesting master defined in the access table and an address of the data; and
  
  when granting access, deciding by the data access control function, with reference to the data access level of the requesting master, whether to decrypt the data when the request is a read request, and whether to encrypt the data when the request is a write request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the request comprises a granted master request received from bus control logic of the integrated system, and wherein said method is implemented in the data flow between the bus control logic and at least one slave of the integrated system.
  - 3. The method of claim 1, further comprising determining access table parameters for use in decrypting or encrypting the data, the access table parameters including a key set pointer, a version number and a whitening address.
  - 4. The method of claim 3, wherein the key set pointer points to a key set, the key set comprising a key value, encryption/decryption parameters, and a whitening variable, wherein the key value and the whitening variable are confidential numbers used for all data associated with the key set.
  - 5. The method of claim 3, further comprising selectively performing an encryption process on the data when the request comprises a write request, the encryption process comprising performing whitening on clear write data, encrypting a result of the whitening, and further whitening an encrypted result, and selectively performing a decryption process on encrypted read data when the request comprises a read request, the decryption process including unwhitening the encrypted read data, decrypting a result of the unwhitening, and further unwhitening the decrypted result to achieve clear data for forwarding to the requesting master.
  - 6. The method of claim 5, wherein the whitening and unwhitening comprise obtaining a whitening value, the obtaining of a whitening value comprising combining the whitening address, the version number, and the whitening variable of the access table parameters to obtain the whitening value.
  - 7. The method of claim 6, wherein the combining comprises matching a size of the whitening value to a block size of the data.
  - 8. The method of claim 1, further comprising implementing the method within a bus-to-bus bridge of the integrated system, wherein the requesting master is coupled to a first bus of the integrated system and communicates across the bus-to-bus bridge with at least one slave, the at least one slave being coupled to the bus-to-bus bridge across a second bus.
  - 9. The method of claim 1, further comprising implementing the method within a memory subsystem of the integrated system, wherein the data resides in at least one of open volatile memory, secure volatile memory, open non-volatile memory, or secure non-volatile memory.

10. A data access system for an integrated system having multiple functional masters, the multiple functional masters having multiple master ids, the data access system comprising:
- means for predefining at system initialization different levels of data access security to the multiple functional masters, wherein the different levels of data access security are predefined in an access table, the access table enforcing the define access rights for the multiple functional masters to ensure security within the integrated system;
  
  means for receiving a request for data from a requesting master of the multiple functional masters; and
  
  means for determining by a data access control function whether to grant access to the data based on the master id of the requesting master, the data access level for the requesting master defined in the access table, and an address of the data, the means for determining being responsive to receipt of the request by the means for receiving; and
  
  when granting access, deciding by the data access control function, with reference to the data access level of the requesting master, whether to decrypt the data when the request is a read request, and whether to encrypt the data when the request is a write request.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the request comprises a granted master request received from bus control logic of the integrated system, and wherein said system is implemented in the data flow between the bus control logic and at least one slave of the integrated system.
  - 12. The system of claim 10, further comprising means for determining access table parameters for use in decrypting or encrypting the data, the access table parameters including a key set pointer, a version number and a whitening address.
  - 13. The system of claim 12, wherein the key set pointer points to a key set, the key set comprising a key value, encryption/decryption parameters, and a whitening variable, wherein the key value and the whitening variable are confidential numbers used for all data associated with the key set.
  - 14. The system of claim 12, further comprising means for selectively performing an encryption process on the data when the request comprises a write request, the encryption process comprising performing whitening on clear write data, encrypting a result of the whitening, and further whitening an encrypted result, and means for selectively performing a decryption process on encrypted read data when the request comprises a read request, the decryption process including unwhitening the encrypted read data, decrypting a result of the unwhitening, and further unwhitening the decrypted result to achieve clear data for forwarding to the requesting master.
  - 15. The system of claim 14, further comprising means for obtaining a whitening value, the means for obtaining a whitening value comprising means for combining the whitening address, the version number, and the whitening variable of the access table parameters to obtain the whitening value.
  - 16. The system of claim 15, wherein the means for combining comprises means for matching a size of the whitening value to a block size of the data.
  - 17. The system of claim 10, wherein the system is implemented within a bus-to-bus bridge of the integrated system, with the requesting master being coupled to a first bus of the integrated system and communicating across the bus-to-bus bridge with at least one slave, the at least one slave being coupled to the bus-to-bus bridge across a second bus.
  - 18. The system of claim 10, wherein the system is implemented within a memory subsystem of the integrated system, wherein the data resides in at least one of open volatile memory, secure volatile memory, open non-volatile memory, or secure non-volatile memory.

19. At least one program storage device readable by a machine, tangibly embodying at least one program of instructions executable by the machine to perform a data access method for an integrated system having multiple functional masters, the multiple functional masters having multiple master ids, the method comprising:
- predefining at system initialization different levels of data access security to the multiple functional masters, wherein the different levels of data access security are predefined in an access table, the access table enforcing the defined access rights for the multiple functional masters to ensure security within the integrated system;
  
  receiving a request for data from a requesting master of the multiple functional masters; and
  
  responsive to the request, determining by a data access control function whether to grant access to the data based on the master id of the requesting master, the data access level for the requesting master defined in the access table and an address of the data; and
  
  when granting access, deciding by the data access control function, with reference to the data access level of the requesting master, whether to decrypt the data when the request is a read request, and whether to encrypt the data when the request is a write request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hall, William E., Foster, Eric M., Franklin, Dennis E., Evans, Edward K.
Primary Examiner(s)
Barron, Gilberto
Assistant Examiner(s)
NOBAHAR, ABDULHAKIM

Application Number

US10/125,527
Publication Number

US 20030200451A1
Time in Patent Office

1,020 Days
Field of Search

713/193, 713/201, 713/200, 713/182, 713/1, 710/200, 710/243, 710/244, 710/107, 710/110
US Class Current

713/193
CPC Class Codes

G06F 12/1483   using an access-table, e.g....

G06F 21/6218   to a system of files or obj...

G06F 21/78   to assure secure storage of...

G06F 21/85   interconnection devices, e....

G06F 2221/2129   Authenticate client device ...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2143   Clearing memory, e.g. to pr...

Control function employing a requesting master id and a data address to qualify data access within an integrated system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

107 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Control function employing a requesting master id and a data address to qualify data access within an integrated system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others