System and method for selecting and using a signal processor in a multiprocessor system to operate as a security for encryption/decryption of data

US 7,475,257 B2
Filed: 09/25/2003
Issued: 01/06/2009
Est. Priority Date: 09/25/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method, in a multiprocessor system, the multiprocessor system comprising a control processor and a plurality of controlled processors, the method comprising:

selecting at least one controlled processor of the plurality of controlled processors to operate in a shared operational state;

selecting a second controlled processor from the plurality of controlled processors to operate in an isolated operational state;

configuring the at least one first controlled processor of the multiprocessor system to be in the shared operational state, wherein the shared operational state causes the at least one first controlled processor to operate using a common memory accessible by the plurality of controlled processors in the multiprocessor system;

configuring the second controlled processor of the multiprocessor system, via loading and executing initialization code in the second controlled processor, to be in the isolated operational state, wherein the isolated operational state causes a local memory associated with the second controlled processor to be not accessible by the at least one first controlled processor;

executing first code within the second controlled processor in a secure manner by virtue of the isolated operational state; and

executing second code within the at least one first controlled processor in an unsecured manner by virtue of the shared operational state.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided to dedicate one or more processors in a multiprocessing system to performing encryption functions. When the system initializes, one of the synergistic processing unit (SPU) processors is configured to run in a secure mode wherein the local memory included with the dedicated SPU is not shared with the other processors. One or more encryption keys are stored in the local memory during initialization. During initialization, the SPUs receive nonvolatile data, such as the encryption keys, from nonvolatile register space. This information is made available to the SPU during initialization before the SPUs local storage might be mapped to a common memory map. In one embodiment, the mapping is performed by another processing unit (PU) that maps the shared SPUs'"'"' local storage to a common memory map.

105 Citations

View as Search Results

36 Claims

1. A method, in a multiprocessor system, the multiprocessor system comprising a control processor and a plurality of controlled processors, the method comprising:
- selecting at least one controlled processor of the plurality of controlled processors to operate in a shared operational state;
  
  selecting a second controlled processor from the plurality of controlled processors to operate in an isolated operational state;
  
  configuring the at least one first controlled processor of the multiprocessor system to be in the shared operational state, wherein the shared operational state causes the at least one first controlled processor to operate using a common memory accessible by the plurality of controlled processors in the multiprocessor system;
  
  configuring the second controlled processor of the multiprocessor system, via loading and executing initialization code in the second controlled processor, to be in the isolated operational state, wherein the isolated operational state causes a local memory associated with the second controlled processor to be not accessible by the at least one first controlled processor;
  
  executing first code within the second controlled processor in a secure manner by virtue of the isolated operational state; and
  
  executing second code within the at least one first controlled processor in an unsecured manner by virtue of the shared operational state.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - sending an encryption request from a first controlled processor in the at least one first controlled processor to the second controlled processor;
      
      receiving, at the second controlled processor, the encryption request;
      
      reading data from the common memory into the local memory associated with the second controlled processor, wherein the reading is performed by the second controlled processor;
      
      executing at the second controlled processor, an encryption process corresponding to the encryption request, the encryption process being adapted to transform the data; and
      
      writing the transformed data from the second controlled processor to the common memory.
  - 3. The method as described in claim 2 further comprising:
    - reading, at the second controlled processor, one or more special nonvolatile registers, the special registers including one or more encryption keys; and
      
      using one or more of the encryption keys in the encryption process.
  - 4. The method as described in claim 2, wherein the sending further comprises writing the request to a mailbox that corresponds to the second controlled processor and the receiving further comprises checking the second controlled processor'"'"'s mailbox from the second controlled processor.
  - 5. The method as described in claim 2 further comprising:
    - identifying an input data area in the common memory from which the data is read and an output buffer area to which the transformed data is written.
  - 6. The method as described in claim 2, wherein configuring the second controlled processor further comprises:
    - reading, from the common memory, initialization software code to be executed on the second controlled processor; and
      
      authenticating the initialization software code.
  - 7. The method as described in claim 6 wherein the authenticating is performed by a routine stored in a nonvolatile memory and wherein the executing of the encryption process is only performed if the initialization software code is successfully authenticated.
  - 8. The method as described in claim 7 further comprising:
    - reading, at the second controlled processor, one or more special nonvolatile registers, the special nonvolatile registers including one or more encryption keys, after the initialization software code is successfully authenticated; and
      
      restricting access to the special nonvolatile registers from outside of the second controlled processor.
  - 9. The method as described in claim 2 wherein the reading and writing steps are performed using Direct Memory Access (DMA) operations.
  - 10. The method as described in claim 2 further comprising:
    - identifying the encryption process and an encryption algorithm from a plurality of encryption processes and encryption algorithms based upon the encryption request; and
      
      loading encryption software code corresponding to the identified encryption process and the encryption algorithm, the loading being performed by reading the encryption software code from the common memory to the second controlled processor'"'"'s local memory.
  - 11. The method of claim 1, wherein selecting a second controlled processor from the plurality of controlled processors to operate in an isolated operational state comprises:
    - identifying a free controlled processor in the plurality of controlled processors that has not be dedicated to perform a specific device function; and
      
      assigning the free controlled processor to be the second controlled processor and perform encryption device functions.
  - 12. The method of claim 1, wherein configuring the second controlled processor to be in the isolated operational state comprises:
    - determining if the initialization code is authentic;
      
      setting the second controlled processor to run in the isolated operational state in response to the initialization code being determined to be authentic; and
      
      providing access to special purpose registers storing encryption keys to only the second controlled processor in response to the setting of the second controlled processor to run in the isolated operational state.
  - 13. The method of claim 12, wherein if the initialization code is determined to not be authentic, the second controlled processor is set to run in the shared operational state and another controlled processor in the plurality of controlled processors is selected to operate in the isolated operational state.
  - 14. The method of claim 1, wherein the common memory comprises a first portion associated with the control processor and a second portion associated with the plurality of controlled processors, and wherein data to be processed by the second controlled processor in the isolated operational state is retrieved from the first portion of the common memory and results data generated by processing the data is written back to the first portion of the common memory.
  - 15. The method of claim 1, wherein the at least one first controlled processor and the second controlled processor are synergistic processing units.

16. An information handling system, comprising:
- a control processor;
  
  a plurality of controlled processors, wherein each of the plurality of controlled processors comprises a local memory; and
  
  a common memory shared by the control processor and the plurality of controlled processors in the information handling system, wherein the plurality of controlled processors comprises;
  
  at least one first controlled processor selected and configured to be in a shared operational state, wherein the shared operation state causes the at least one first controlled processor to operate using the common memory; and
  
  a second controlled processor selected and configured, via loading and executing initialization code in the second controlled processor, to be in an isolated operational state, wherein the isolated operational state causes a local memory associated with the second controlled processor to be not accessible by the at least one first controlled processor, wherein the second controlled processor executes first code in a secure manner by virtue of the isolated operational state, and wherein the at least one first controlled processor executes in an unsecured manner by virtue of the shared operational state.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The information handling system of claim 16, wherein an encryption process runs in the second controlled processor, the encryption process being effective to:
    - load data, associated with an encryption request, from the common memory to the second controlled processor'"'"'s local memory;
      
      transform the data based on the encryption request; and
      
      write the transformed data from the second controlled processor'"'"'s local memory to the common memory.
  - 18. The information handling system as described in claim 17 further comprising software code effective to:
    - read, at the second controlled processor, one or more special nonvolatile registers, the special registers including one or more encryption keys; and
      
      use one or more of the encryption keys in the encryption process.
  - 19. The information handling system as described in claim 17 wherein the encryption request is sent from a first controlled processor in the at least one first controlled processor, and wherein the sending of the encryption request comprises:
    - writing the encryption request to a mailbox that corresponds to the second controlled processor; and
      
      reading, from the second controlled processor, the encryption request from the second controlled processor'"'"'s mailbox.
  - 20. The information handling system as described in claim 17 further comprising software code effective to:
    - identify an input data area in the common memory from which the data is read and an output buffer area to which the transformed data is written.
  - 21. The information handling system as described in claim 17 further comprising software code effective to configure the second controlled processor by:
    - initializing the second controlled processor prior to receiving the request, the initializing further including;
      
      reading, from the common memory, initialization software code to be executed on the second controlled processor; and
      
      authenticating the initialization software code.
  - 22. The information handling system as described in claim 21 wherein the software code effective to authenticate the initialization software code is performed by a routine stored in a nonvolatile memory, wherein the encryption process is only performed if the initialization software code is successfully authenticated.
  - 23. The information handling system as described in claim 22 further comprising software code effective to:
    - read, at the second controlled processor, one or more special nonvolatile registers, the special nonvolatile registers including one or more encryption keys, after the initialization software code is successfully authenticated; and
      
      restrict access to the special nonvolatile registers from outside of the second controlled processor.
  - 24. The information handling system as described in claim 17 further comprising:
    - a Direct Memory Access (DMA) controller associated with each of the plurality of controlled processors, wherein the second controlled processor reads from and writes to the common memory using DMA operations performed by the second controlled processor'"'"'s DMA controller.
  - 25. The information handling system as described in claim 17 further comprising software code effective to:
    - identify the encryption process and an encryption algorithm from a plurality of encryption processes and encryption algorithms based upon the encryption request; and
      
      load encryption software code corresponding to the identified encryption process and the encryption algorithm, the load being performed by reading the encryption software code from the common memory to the second controlled processor'"'"'s local memory.
  - 26. The information handling system of claim 16, wherein the at least one first controlled processor and the second controlled processor are synergistic processing units.

27. A computer program product comprising a computer useable medium having a computer readable program, wherein the computer readable program, when executed on a computing device comprising a control processor and a plurality of controlled processors, causes the computing device to:
- select at least one first controlled processor of the plurality of controlled processors to operate in a shared operational state;
  
  select a second controlled processor from the plurality of controlled processors to operate in an isolated operational state;
  
  configure the at least one first controlled processor of the computing device to be in the shared operational state, wherein the shared operational state causes the at least one first controlled processor to operate using a common memory accessible by the plurality of controlled processors in the computing device;
  
  configure the second controlled processor of the computing device, via loading and executing initialization code in the second controlled processor, to be in the isolated operational state, wherein the isolated operational state causes a local memory associated with the second controlled processor to be not accessible by the at least one first controlled processor;
  
  execute first code within the second controlled processor in a secure manner by virtue of the isolated operational state; and
  
  execute second code within the at least one first controlled processor in an unsecured manner by virtue of the shared operational state.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 28. The computer program product of claim 27, further comprising:
    - means for sending an encryption request from a first controlled processor in the at least one first controlled processor to the second controlled processor;
      
      means for receiving, at the second controlled processor, the encryption request;
      
      means for reading data from the common memory into the local memory associated with the second controlled processor, wherein the means for reading is performed by the second controlled processor;
      
      means for executing, at the second controlled processor, an encryption process corresponding to the request, the encryption process being adapted to transform the data; and
      
      means for writing the transformed data from the second controlled processor to the common memory.
  - 29. The computer program product as described in claim 28 further comprising:
    - means for reading, at the second controlled processor, one or more special nonvolatile registers, the special registers including one or more encryption keys; and
      
      means for using one or more of the encryption keys in the encryption process.
  - 30. The computer program product as described in claim 28 wherein the means for sending further comprises means for writing the request to a mailbox that corresponds to the second controlled processor and the means for receiving further comprises means for checking the second controlled processor'"'"'s mailbox from the second controlled processor.
  - 31. The computer program product as described in claim 28 further comprising:
    - means for identifying an input data area in the common memory from which the data is read and an output buffer area to which the transformed data is written.
  - 32. The computer program product as described in claim 28, wherein the means for configuring the second controlled processor comprises:
    - means for initializing the second controlled processor prior to receiving the request, the means for initializing further including;
      
      means for reading, from the common memory, initialization software code to be executed on the second controlled processor; and
      
      means for authenticating the initialization software code.
  - 33. The computer program product as described in claim 32 wherein the means for authenticating operates using a routine stored in a nonvolatile memory and wherein the means for executing of the encryption process operations only if the initialization software code is successfully authenticated.
  - 34. The computer program product as described in claim 33 further comprising:
    - means for reading, at the second controlled processor, one or more special nonvolatile registers, the special nonvolatile registers including one or more encryption keys, the means for reading operating after the initialization software code is successfully authenticated; and
      
      means for restricting access to the special nonvolatile registers from outside of the second controlled processor.
  - 35. The computer program product as described in claim 28 further comprising:
    - means for identifying the encryption process and an encryption algorithm from a plurality of encryption processes and encryption algorithms based upon the encryption request; and
      
      means for loading encryption software code corresponding to the identified encryption process and the encryption algorithm, the means for loading operating by reading the encryption software code from the common memory to the second controlled processor'"'"'s local memory.
  - 36. The computer program product of claim 27, wherein the at least one first controlled processor and the second controlled processor are synergistic processing units.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation, Sony Interactive Entertainment Inc. (Sony Group Corp.)
Original Assignee
International Business Machines Corporation
Inventors
Hofstee, Harm Peter, Suzuoki, Masakazu, Day, Michael Norman, Aguilar, Maximino Jr., Hatakeyama, Akiyuki, Craft, David
Primary Examiner(s)
Parthasarathy; Pramila

Application Number

US10/670,825
Publication Number

US 20050071651A1
Time in Patent Office

1,930 Days
Field of Search

None
US Class Current

713/189
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6236   between heterogeneous systems

H04L 2209/125   Parallelization or pipelini...

H04L 9/0894   Escrow, recovery or storing...

System and method for selecting and using a signal processor in a multiprocessor system to operate as a security for encryption/decryption of data

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

105 Citations

36 Claims

Specification

Use Cases

Quick Links

Others

System and method for selecting and using a signal processor in a multiprocessor system to operate as a security for encryption/decryption of data

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

36 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others