Secure and backward-compatible processor and secure software execution thereon
Abstract
A secure processor, assuring that application software is executed securely and that only authorized software is executed, has monitored and secure modes of operation. The former executes application software transparently to that software. The latter verifies that execution of the application software is authorized, performs any extraordinary services required by the application software, and verifies that the processor has obtained rights to execute the content. The secure processor (1) appears hardware-identical to an ordinary processor, with the effect that application software written for ordinary processors can be executed on the secure processor without substantial change, and (2) needs only a minimal degree of additional hardware over and above those portions appearing hardware-identical to an ordinary processor. The secure processor operates without substantial reduction in speed or other resources available to the application software. Functions operating in secure mode might reside in an on-chip non-volatile memory, or might be loaded from external storage with authentication.
73 Claims
1. A method comprising:
   distinguishing operations on a single processor between a monitored mode and a secure mode;
   generating a timer interrupt signal using parameters set by a secure mode switch circuit;
   entering secure mode in response to the timer interrupt signal;
   when the processor is operating in the secure mode:
   executing on the processor, software loaded using a bootstrap loader that cryptographically authenticates the software; and
   exiting the secure mode;
   when the processor is operating in the monitored mode:
   performing application software on the processor, without substantial change in original code for that application software, wherein the application software sees a processor environment that is not substantially different from an ordinary processor.
   Dependent claims: 2 through 12.

13. A method comprising:
   when a security signal indicates that a processor is operating in a monitored mode:
   refusing access to a secure function in response to the security signal;
   generating a non-maskable interrupt (NMI) signal based on a programmable timer-based interrupt;
   entering secure mode in response to the NMI signal;
   when the security signal indicates that the processor is operating in the secure mode:
   accessing the secure function in response to the security signal;
   accessing at least one secure circuit, wherein said secure function includes instructions for launching software content from an external source, measuring trustworthiness of the external source, and facilitating verification of the software content using said processor.
   Dependent claims: 14 through 25.

26. A method of reading secure information from non-volatile memory associated with a single secure processor capable of operating in a secure mode and a non-secure mode, comprising:
   entering secure mode in response to a reset signal;
   disabling writing to non-volatile memory when a processor with which the non-volatile memory is associated is packaged;
   maintaining secure information within the non-volatile memory;
   switching to non-secure mode;
   generating a non-maskable interrupt (NMI) signal in response to a timeout from a secure timer;
   switching to secure mode in response to the NMI signal.
   Dependent claims: 27 through 29.

30. A single-processor processor chip apparatus comprising:
   a secure switch for switching between a monitored mode and a secure mode on a single processor;
   a secure timer circuit capable of generating a timer interrupt in response to programmable parameters;
   memory, coupled to the secure switch, including:
   security information;
   a bootstrap loader, wherein, using the security information, the bootstrap loader cryptographically authenticates software loaded in response to execution of the bootstrap loader;
   the processor coupled to the secure switch, the secure timer circuit, and the memory, wherein, in operation:
   the processor executes the bootstrap loader,
   when the processor is operating in the secure mode, the processor executes the software loaded in response to execution of the bootstrap loader and exits the secure mode,
   when the processor is operating in the monitored mode, the processor performs application software transparently to the application software, and
   the processor enters secure mode in response to receipt of the timer interrupt.
   Dependent claims: 31 through 58.

59. A method comprising:
   including a security code verification module in a bootstrap loader;
   implementing the bootstrap loader in firmware;
   initializing non-volatile memory with a first security code verification value associated with the security code module, wherein security code includes instructions to enable access rights to hardware and software resources when in a secure mode, wherein the access rights to resources are issued from a trust verifiable source, and wherein access rights data is verifiable as authentic from a source using a public key cryptographic verification method, using a single microprocessor;
   providing security logic wherein, in operation, the security logic generates a non-maskable interrupt (NMI) signal in response to a timeout from the secure timer, and wherein the single microprocessor enters secure mode in response to the NMI signal.
   Dependent claims: 60 through 73.
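The abstract and the independent claims above describe one mechanism from several angles: a secure timer raises an NMI, the processor enters secure mode, a bootstrap loader authenticates software against security information in non-volatile memory, secure functions refuse service while the security signal says "monitored", and application code runs unchanged in monitored mode. The following is an added behavioural model written for this page, not code from the patent or from any product implementing it. It assumes a constructed key (`DEMO_NVM_KEY`), HMAC-SHA256 in place of the public-key verification the claims call for, and a cycle counter in place of a hardware timer; the class, method and instruction names are all hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum

# Constructed demo key standing in for the security information held in on-chip
# non-volatile memory. The claims call for public-key verification; HMAC-SHA256 is
# an assumption made here only so the model runs offline with the standard library.
DEMO_NVM_KEY = b"constructed-demo-key-not-a-real-secret"


class Mode(Enum):
    MONITORED = "monitored"
    SECURE = "secure"


class SecurityViolation(Exception):
    """A secure function was reached from monitored mode, or authentication failed."""


def authenticate_tag(image: bytes, key: bytes = DEMO_NVM_KEY) -> bytes:
    """Tag a trusted source would ship with an image (used here to build sample input)."""
    return hmac.new(key, image, hashlib.sha256).digest()


@dataclass
class SecureProcessor:
    timer_period: int                   # programmable parameter of the secure timer
    mode: Mode = Mode.MONITORED
    nvm_key: bytes = DEMO_NVM_KEY
    nvm_writable: bool = True           # writes to NVM allowed only before packaging
    app_image: bytes = b""              # application memory as seen by the monitor
    authorized_digest: bytes = b""      # measurement recorded by the bootstrap loader
    cycles: int = 0
    nmi_count: int = 0
    trace: list = field(default_factory=list)

    def package(self) -> None:
        """Packaging the chip disables further writes to non-volatile memory."""
        self.nvm_writable = False

    def write_nvm(self, key: bytes) -> None:
        if not self.nvm_writable:
            raise SecurityViolation("non-volatile memory is read-only after packaging")
        self.nvm_key = key

    def _require_secure(self, name: str) -> None:
        """The security signal gates every secure function."""
        if self.mode is not Mode.SECURE:
            raise SecurityViolation(f"{name} refused: processor is in monitored mode")

    def reset_and_boot(self, image: bytes, tag: bytes) -> None:
        """Reset enters secure mode; the bootstrap loader authenticates the software
        against NVM security information, records its measurement, then exits secure mode."""
        self.mode = Mode.SECURE
        self._require_secure("bootstrap loader")
        expected = hmac.new(self.nvm_key, image, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise SecurityViolation("bootstrap loader: software failed authentication")
        self.app_image = image
        self.authorized_digest = hashlib.sha256(image).digest()
        self.trace.append("boot: image authenticated")
        self.mode = Mode.MONITORED

    def secure_timer_nmi(self) -> None:
        """Secure-timer NMI: enter secure mode, re-verify that the running application
        is still the authorized one, then return to monitored mode (halt in secure mode if not)."""
        self.nmi_count += 1
        self.mode = Mode.SECURE
        self._require_secure("monitor")
        if hashlib.sha256(self.app_image).digest() != self.authorized_digest:
            raise SecurityViolation("monitor: application no longer matches authorized measurement")
        self.trace.append(f"nmi {self.nmi_count}: application verified")
        self.mode = Mode.MONITORED

    def run_application(self, instructions: list) -> list:
        """Monitored mode: ordinary instructions run unchanged; the secure timer
        interleaves an NMI every timer_period cycles, invisibly to the application."""
        executed = []
        for instr in instructions:
            if self.mode is not Mode.MONITORED:
                raise SecurityViolation("application code may only run in monitored mode")
            self.cycles += 1
            if instr == "call_secure_function":
                self._require_secure("secure function")  # refused: caller is in monitored mode
            executed.append(instr)
            self.trace.append(f"app: {instr}")
            if self.cycles % self.timer_period == 0:
                self.secure_timer_nmi()
        return executed


def demo() -> dict:
    """Boot, monitored execution, a refused secure call, and two kinds of tamper detection."""
    image = b"ordinary application code, unchanged"  # constructed sample image
    cpu = SecureProcessor(timer_period=3)
    cpu.package()
    try:
        cpu.write_nvm(b"replacement key")
        nvm_locked = False
    except SecurityViolation:
        nvm_locked = True
    cpu.reset_and_boot(image, authenticate_tag(image))
    executed = cpu.run_application(["add", "load", "store", "jmp", "add", "store", "halt"])
    nmis_during_run = cpu.nmi_count  # NMIs fired after cycles 3 and 6
    try:
        cpu.run_application(["call_secure_function"])
        refused = False
    except SecurityViolation:
        refused = True
    try:
        SecureProcessor(timer_period=3).reset_and_boot(image + b"!", authenticate_tag(image))
        tampered_rejected = False
    except SecurityViolation:
        tampered_rejected = True
    cpu.app_image = b"patched in place at runtime"  # simulated in-memory modification
    try:
        cpu.run_application(["nop", "nop"])  # cycle 9 triggers the next NMI
        runtime_detected = False
    except SecurityViolation:
        runtime_detected = True
    return {"nvm_locked": nvm_locked, "executed": len(executed),
            "nmis_during_run": nmis_during_run, "refused": refused,
            "tampered_rejected": tampered_rejected,
            "runtime_tamper_detected": runtime_detected, "final_mode": cpu.mode.value}
```

The model keeps the two modes on one processor object and makes every secure function pass through a single `_require_secure` check, which is the property the claims lean on: application code never needs to know the monitor exists, yet it cannot reach secure functions, and the periodic NMI is what lets the monitor re-measure the application after it has already been loaded.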
Specification