Method and apparatus for a configurable protection architecture for on-chip systems

US 7,793,345 B2
Filed: 09/27/2005
Issued: 09/07/2010
Est. Priority Date: 11/05/2002
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a target intellectual property block configured to field and service requests from an initiator intellectual property block in a system-on-chip network;

said system-on-chip network having an associated protection mechanism with logic configured to restrict access for the requests to the target intellectual property block based on access permissions associated with a protection region within the target intellectual property block and attributes of a first request trying to access that region, wherein a destination address and a source protection ID are extracted out of the first request and then

1) the address is decoded and compared against an address map to find out where the target intellectual property block is and

2) the source protection ID from the first request is checked against a protection key map to determine whether the first request should be delivered to the target intellectual property block.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various methods and apparatuses of protection mechanism are described. A target intellectual property block may field and service requests from an initiator intellectual property block in a system-on-chip network. The target intellectual property block has an associated protection mechanism with logic configured to restrict access for the requests to the target intellectual property block. The request'"'"'s access is restricted based on access permissions associated with a region within the target intellectual property block and attributes of the request trying to access that region.

60 Citations

View as Search Results

26 Claims

1. An apparatus, comprising:
- a target intellectual property block configured to field and service requests from an initiator intellectual property block in a system-on-chip network;
  
  said system-on-chip network having an associated protection mechanism with logic configured to restrict access for the requests to the target intellectual property block based on access permissions associated with a protection region within the target intellectual property block and attributes of a first request trying to access that region, wherein a destination address and a source protection ID are extracted out of the first request and then
  
  1) the address is decoded and compared against an address map to find out where the target intellectual property block is and
  
  2) the source protection ID from the first request is checked against a protection key map to determine whether the first request should be delivered to the target intellectual property block.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - protection-region logic to determine access permissions for two or more protection regions that overlap in address spacing within the same target intellectual property block.
  - 3. The apparatus of claim 2, wherein the protection-region logic also has software accessible registers to allow parameters that define each protection region and its permissions to be programmable at run time.
  - 4. The apparatus of claim 2, wherein the protection mechanism further comprises:
    - a set of software programmable registers in the protection region logic that control a size parameter and a priority parameter of the protection regions.
  - 5. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - protection-region logic to divide the target intellectual property block into two or more protection regions that can overlap in address spacing, where each protection region may be configured to possess different access permissions to access that protection region.
  - 6. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - protection-region logic to assign each protection region a priority level, and when protection regions overlap in address spacing, then the protection region with a highest assigned priority level takes precedence in the overlapped address range.
  - 7. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - protection-region logic that requires protection regions that overlap in address space to exist at different priority levels, and to have a default region at a lowest priority level that covers the address spacing for the entire target intellectual property block.
  - 8. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - initiator group logic to create an index of one or more groups of initiators, where each initiator group has separate read access permissions and write access permissions.
  - 9. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - dynamic attribute checking logic to compare attribute bits associated with the request that may dynamically change during an operation of the initiator intellectual property block to the access permissions associated with the protection region, wherein the dynamic variables that are attached along with the request include a security mode of the initiator intellectual property block at the time the request is generated.
  - 10. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - initiator group logic to determine access permissions for the initiator intellectual property block based on the initiator intellectual property block being in a specific group of initiator intellectual property blocks;
      
      protection-region logic to determine access permissions for one or more protection regions; and
      
      a comparator circuit coupled to the initiator group logic and the protection-region logic in order to determine if the attributes of the request satisfy the access permissions of the initiator group logic and the protection-region logic.
  - 11. The apparatus of claim 10, wherein the protection mechanism further comprises:
    - an error logging logic that records details of a failed request, and that reports the failed request access attempt to either or both the initiator intellectual property block that initiated the failed request or to another component.
  - 12. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - initiator group logic to form initiator intellectual property block groups programmable by the user, where a first group of initiator intellectual property blocks is associated with a first set of write access permissions and a first set of read access permissions and a second group of initiator intellectual property blocks is associated with a second set of write access permissions and a second set of read access permissions.
  - 13. The apparatus of claim 12, wherein the initiator group logic is programmable at run time.
  - 14. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - initiator group logic to store write access permissions and read access permission in registers as bit vectors.
  - 15. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - dynamic attribute checking logic to look up in a table permissions that are associated with dynamically changeable attributes of a request by a bit vector pattern.
  - 16. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - protection-region logic to allow a user to program how many protection regions may exist in the target intellectual property block, the base starting address of the protection regions, the size of the protection regions, the priority level of the protection regions, and what request attributes are needed to access the protection regions.
  - 17. The apparatus of claim 16, wherein the protection-region logic is programmable at run time.
  - 18. The apparatus of claim 16, wherein the protection-region logic creates multiple protection regions at first period in time and then at a second period of time the size of a first protection region is programmed to be zero in order to turn off this already created protection region.
  - 19. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - registers to store permissions that are associated with dynamically changeable attributes of a request in a bit vector pattern.
  - 20. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - protection-region logic to create a replica protection region set at a highest priority level to overlay a first region about to be modified to cover those periods in time when the first region is being initially set up, when the parameters of the first region are being modified, or when the access permissions to the first region are being modified.
  - 21. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - an output of the protection-region logic directly coupled to a multiplexer to select an access permission for a first protection region using the attributes of the request.
  - 22. The apparatus of claim 1, further comprising:
    - an agent for the target intellectual property block that facilitates communications with an interconnect on behalf of the target intellectual property block, wherein the agent contains the protection mechanism and the protection mechanism includesprotection-region logic to establish access permissions for one or more protection regions within the target, andinitiator group logic to create separate read access permissions and write access permissions for each group of initiator intellectual property block.
  - 23. The apparatus of claim 22, wherein the protection-region logic is composed of protection-region address matching logic with programmable registers to store access permission bits and a plurality of multiplexers.
  - 24. The apparatus of claim 22, wherein the protection-region logic has a first register to define protection region parameters that include a base starting address, a size of the region, and a priority level assigned to a first protection region.
  - 25. The apparatus of claim 22, wherein the initiator group logic is composed of initiator group matching logic with programmable registers to store access permission bits and initiator IDs forming the groups and a plurality of multiplexers.
  - 26. A non-transitory computer readable medium containing instructions, which when executed by a computing machine to cause said computing machine to generate the apparatus of claim 1.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
META Platforms Technologies LLC (Meta Platforms, Inc. (f/k/a Facebook, Inc.))
Original Assignee
Sonics Incorporated (Meta Platforms, Inc. (f/k/a Facebook, Inc.))
Inventors
Seigneret, Frank, Weber, Wolf-Dietrich, Wingard, Drew E., Hamilton, Stephen W.
Primary Examiner(s)
Pyzocha; Michael
Assistant Examiner(s)
SIMS, JING F

Application Number

US11/237,038
Publication Number

US 20060129747A1
Time in Patent Office

1,806 Days
Field of Search

713/203, 711/203, 726/3, 726/6, 726/2, 726/21, 726 27- 30
US Class Current

726/21
CPC Class Codes

G06F 12/10   Address translation

G06F 21/78   to assure secure storage of...

Y02D 10/00   Energy efficient computing,...

Method and apparatus for a configurable protection architecture for on-chip systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for a configurable protection architecture for on-chip systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links