Secure processing unit systems and methods
Abstract
A hardware Secure Processing Unit (SPU) is described that can perform both security functions and other information appliance functions using the same set of hardware resources. Because the additional hardware required to support security functions is a relatively small fraction of the overall device hardware, this type of SPU can be competitive with ordinary non-secure CPUs or microcontrollers that perform the same functions. A set of minimal initialization and management hardware and software is added to, e.g., a standard CPU/microcontroller. The additional hardware and/or software creates an SPU environment and performs the functions needed to virtualize the SPU's hardware resources so that they can be shared between security functions and other functions performed by the same CPU.
Claims (18)

1. A secure processing unit, the secure processing unit including:
an internal memory unit;
a processor including a memory management unit and a plurality of security registers, the memory management unit further including a level-one page table, the level-one page table including a plurality of level-one page table entries, wherein the level-one page table entries each correspond to at least one level-two page table, and wherein the level-one page table entries each contain a predefined attribute, the predefined attribute being operable to indicate to the memory management unit whether entries in a corresponding level-two page table may designate certain predefined memory regions;
tamper detection and response logic;
an interface to external systems or components;
one or more buses for connecting the internal memory unit, the processor, the tamper detection and response logic, and the interface to external systems and components; and
a tamper-resistant housing.
Claims 2 to 8 are dependent claims of claim 1.
9. An information appliance, the information appliance comprising:
a memory unit;
a secure processing unit, the secure processing unit including:
  a tamper-resistant packaging;
  tamper detection and response logic;
  a secure memory unit;
  a processing unit, including a memory management unit and a plurality of processor security registers, the memory management unit further including a level-one page table and a plurality of level-two page tables, the level-one page table including a plurality of level-one page table entries and the level-two page table including a plurality of level-two page table entries, wherein the level-one page table entries each correspond to at least one level-two page table, and wherein the level-one page table entries each contain a predefined attribute, the predefined attribute being operable to indicate to the memory management unit whether a corresponding level-two page table may designate certain predefined memory regions; and
a bus for connecting the memory unit and the secure processing unit;
wherein the secure processing unit is operable to perform both secure processing operations and at least some processing operations performed by a conventional information appliance processing unit.
Claims 10 to 15 are dependent claims of claim 9.
16. In a system including a secure processing unit, the secure processing unit comprising an internal memory unit and a processor, and the processor including a memory management unit and a plurality of processor security registers, the memory management unit further including a level-one page table and a plurality of level-two page tables, the level-one page table including a plurality of level-one page table entries and the level-two page table including a plurality of level-two page table entries, wherein the level-one page table entries each correspond to at least one level-two page table, and wherein the level-one page table entries each contain a predefined attribute, the predefined attribute being operable to indicate to the memory management unit whether a corresponding level-two page table may designate certain predefined memory regions, a method for controlling access to the internal memory unit, the method comprising:
(a) obtaining a request to access a portion of memory in the internal memory unit;
(b) checking critical address protection data stored in at least one of said processor security registers to determine whether the portion of memory is subject to critical access protection; and
(c) granting the request if the portion of memory is not subject to critical access protection.
Claims 17 and 18 are dependent claims of claim 16.
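The independent claims describe two distinct checks: the level-one page table attribute that decides whether a level-two table is even allowed to map the secure internal memory (claims 1 and 9), and the critical-address check against the processor security registers that decides whether a particular access to that memory is granted (claim 16). The following software model, added here for illustration and not taken from the patent or any product, shows how the two checks compose. The address geometry, the register layout, the secure region at 0x80000, the flag names and the rule that protected ranges are reachable only from secure mode are all assumptions made for the example; the patent text shown here specifies none of them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed toy geometry: 20-bit addresses, 4 KiB pages, 4-bit L1 and L2 indices. */
#define PAGE_SHIFT   12u
#define PAGE_MASK    0xFFFu
#define L1_ENTRIES   16u
#define L2_ENTRIES   16u
#define PTE_VALID    (1u << 0)
#define L1_SECURE_OK (1u << 1)  /* the claimed L1 attribute: this L2 table may map secure memory */
#define PTE_FRAME(e) ((e) & ~PAGE_MASK)
#define SECURE_BASE  0x80000u   /* the "predefined memory region": secure internal memory (assumed) */
#define SECURE_LIMIT 0x8FFFFu
#define NUM_SECREGS  4

enum access_result { ACCESS_OK, FAULT_UNMAPPED, FAULT_L1_ATTR, FAULT_CRITICAL };

/* A processor security register holding critical address protection data. The
 * policy that only secure-mode code may touch such a range is assumed here. */
struct sec_reg { uint32_t base, limit; bool enabled; };

struct spu {
    uint32_t l1[L1_ENTRIES];              /* L1 entry i governs L2 table i */
    uint32_t l2[L1_ENTRIES][L2_ENTRIES];  /* frame address | flags */
    struct sec_reg secregs[NUM_SECREGS];
};

/* Claims 1 and 9: an L2 entry may map into the secure region only if the
 * governing L1 entry carries L1_SECURE_OK, whatever mode the CPU is in. */
static enum access_result mmu_translate(const struct spu *s, uint32_t va, uint32_t *pa)
{
    uint32_t i1 = (va >> (PAGE_SHIFT + 4)) & 0xFu, i2 = (va >> PAGE_SHIFT) & 0xFu;
    uint32_t l1e = s->l1[i1];
    if (!(l1e & PTE_VALID)) return FAULT_UNMAPPED;
    uint32_t l2e = s->l2[i1][i2];
    if (!(l2e & PTE_VALID)) return FAULT_UNMAPPED;
    uint32_t frame = PTE_FRAME(l2e);
    bool maps_secure = frame <= SECURE_LIMIT && frame + PAGE_MASK >= SECURE_BASE;
    if (maps_secure && !(l1e & L1_SECURE_OK)) return FAULT_L1_ATTR;
    *pa = frame | (va & PAGE_MASK);
    return ACCESS_OK;
}

/* Claim 16: grant when the address is not subject to critical access
 * protection; otherwise (assumed policy) require secure mode. */
static enum access_result critical_check(const struct spu *s, uint32_t pa, bool secure_mode)
{
    for (int i = 0; i < NUM_SECREGS; i++) {
        const struct sec_reg *r = &s->secregs[i];
        if (r->enabled && pa >= r->base && pa <= r->limit)
            return secure_mode ? ACCESS_OK : FAULT_CRITICAL;
    }
    return ACCESS_OK;
}

enum access_result spu_access(const struct spu *s, uint32_t va, bool secure_mode, uint32_t *pa)
{
    enum access_result r = mmu_translate(s, va, pa);
    return r == ACCESS_OK ? critical_check(s, *pa, secure_mode) : r;
}

/* Constructed configuration for the example (not from the patent). */
static void spu_example_init(struct spu *s)
{
    memset(s, 0, sizeof *s);
    s->l1[0] = PTE_VALID;                 /* VA 0x0xxxx -> ordinary RAM at PA 0x1xxxx */
    s->l1[1] = PTE_VALID | L1_SECURE_OK;  /* VA 0x1xxxx -> secure memory, attribute set */
    s->l1[2] = PTE_VALID;                 /* VA 0x2xxxx -> secure memory, attribute clear */
    for (uint32_t j = 0; j < L2_ENTRIES; j++) {
        s->l2[0][j] = (0x10000u + (j << PAGE_SHIFT)) | PTE_VALID;
        s->l2[1][j] = s->l2[2][j] = (SECURE_BASE + (j << PAGE_SHIFT)) | PTE_VALID;
    }
    /* the first secure page holds key material: critical, secure mode only */
    s->secregs[0] = (struct sec_reg){ SECURE_BASE, SECURE_BASE + PAGE_MASK, true };
}

enum access_result example_access(uint32_t va, bool secure_mode, uint32_t *pa_out)
{
    struct spu s;
    uint32_t pa = 0;
    spu_example_init(&s);
    enum access_result r = spu_access(&s, va, secure_mode, &pa);
    if (pa_out) *pa_out = pa;
    return r;
}

uint32_t example_pa(uint32_t va, bool secure_mode)   /* UINT32_MAX on any fault */
{
    uint32_t pa = 0;
    return example_access(va, secure_mode, &pa) == ACCESS_OK ? pa : UINT32_MAX;
}

int main(void)
{
    static const char *names[] = { "ACCESS_OK", "FAULT_UNMAPPED", "FAULT_L1_ATTR", "FAULT_CRITICAL" };
    static const struct { uint32_t va; bool secure; } cases[] = {
        { 0x00123, false }, { 0x11234, false }, { 0x10010, false },
        { 0x10010, true },  { 0x20010, true },  { 0x30000, false },
    };
    for (int i = 0; i < (int)(sizeof cases / sizeof cases[0]); i++) {
        uint32_t pa = 0;
        enum access_result r = example_access(cases[i].va, cases[i].secure, &pa);
        printf("va=0x%05x secure=%d -> %s pa=0x%05x\n", (unsigned)cases[i].va, cases[i].secure, names[r], (unsigned)pa);
    }
    return 0;
}
```

The point the model makes is that the two checks are layered and independent: the L1 attribute is evaluated during translation and refuses a mapping into secure memory regardless of processor mode (the 0x20010 case fails even in secure mode), while the security-register check runs on the resulting physical address and only constrains the ranges marked critical, so ordinary secure pages such as 0x81234 remain accessible without elevating the caller.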