Methods and apparatus for a configurable protection architecture for on-chip systems

US 8,443,422 B2
Filed: 09/01/2010
Issued: 05/14/2013
Est. Priority Date: 11/05/2002
Status: Expired due to Term

First Claim

Patent Images

1. An apparatus, comprising:

an interconnect coupled and shared amongst a plurality of target intellectual property blocks including a first target intellectual property block, and a plurality of initiator intellectual property blocks including a first initiator intellectual property block, where the first target intellectual property block is configured to service and respond to transactions from the first initiator intellectual property block over the interconnect, wherein the interconnect has an associated protection mechanism with protection logic configured to restrict access for the transactions to the first target intellectual property block based on criteria including access permissions associated with a protection region for the first target intellectual property block, where the access permissions associated with the protection region at least include who is the source requesting access to the first target intellectual property block and the type of access being requested, where the interconnect is configured to route the transactions between the first initiator intellectual property block and the first target intellectual property block, where the protection logic is configurable to set the access permissions for two or more protection regions in the integrated circuit, where each protection region is associated with address spacing in the integrated circuit, where the protection mechanism compares to determine when attributes of the transaction satisfy the access permissions of a given protection region, where the protection mechanism is a firewall that is programmable to prevent unauthorized access to or from the two or more protection regions, and where at least the protection mechanism, the interconnect, the first initiator intellectual property block and the first target intellectual property block are located on and part of a System on a Chip.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various methods and apparatuses of protection mechanism are described. A target intellectual property block may field and service requests from an initiator intellectual property block in a system-on-chip network. The target intellectual property block has an associated protection mechanism with logic configured to restrict access for the requests to the target intellectual property block. The request'"'"'s access is restricted based on access permissions associated with a region within the target intellectual property block and attributes of the request trying to access that region.

69 Citations

View as Search Results

20 Claims

1. An apparatus, comprising:
- an interconnect coupled and shared amongst a plurality of target intellectual property blocks including a first target intellectual property block, and a plurality of initiator intellectual property blocks including a first initiator intellectual property block, where the first target intellectual property block is configured to service and respond to transactions from the first initiator intellectual property block over the interconnect, wherein the interconnect has an associated protection mechanism with protection logic configured to restrict access for the transactions to the first target intellectual property block based on criteria including access permissions associated with a protection region for the first target intellectual property block, where the access permissions associated with the protection region at least include who is the source requesting access to the first target intellectual property block and the type of access being requested, where the interconnect is configured to route the transactions between the first initiator intellectual property block and the first target intellectual property block, where the protection logic is configurable to set the access permissions for two or more protection regions in the integrated circuit, where each protection region is associated with address spacing in the integrated circuit, where the protection mechanism compares to determine when attributes of the transaction satisfy the access permissions of a given protection region, where the protection mechanism is a firewall that is programmable to prevent unauthorized access to or from the two or more protection regions, and where at least the protection mechanism, the interconnect, the first initiator intellectual property block and the first target intellectual property block are located on and part of a System on a Chip.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The apparatus of claim 1, where the protection mechanism is a firewall with protection logic located in any one of 1) a target agent connected between the first target intellectual property block and the interconnect, 2) the interconnect, 3) and portions of the firewall with protection logic found in both of the target agent and interconnect;
    - and the firewall has configurable registers to store access permissions.
  - 3. The apparatus of claim 2, where the firewall with protection logic includes a comparator to make a comparison between the transaction and the access permissions for the protection region to determine whether the transaction should be delivered to the first target intellectual property block based upon at least configured parameters for the access permissions in the configurable registers.
  - 4. The apparatus of claim 1, where the access permissions associated with each protection region also includes a destination address space being accessed.
  - 5. The apparatus of claim 1, wherein the protection logic of the protection mechanism further includes software accessible registers to allow parameters that define a space covered by each protection region and its access permissions to be programmable at run time.
  - 6. The apparatus of claim 1,wherein the protection logic of the protection mechanism is configurable to create separate read request access permissions and write request access permissions for each group of initiator intellectual property blocks, and the protection logic has programmable registers to store the separate read request access permissions and write request access permissions.
  - 7. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - protection logic configured to create two or more protection regions including a default region at a lowest priority level that covers the address spacing for the entire first target intellectual property block.
  - 8. The apparatus of claim 1, wherein the protection logic of the protection mechanism is configured to allow a user to program both 1) a base starting address of the protection region and a size, and 2) what transaction attributes are needed to access the protection region.
  - 9. The apparatus of claim 8, wherein the protection logic of the protection mechanism is configured so that when an error is detected, then the logic signals a security violation as an interrupt.
  - 10. The apparatus of claim 1, wherein the protection mechanism further comprises:
    - one or more software configurable registers to create the two or more protection regions on the System on a Chip including the protection region, where the protection logic is configured to assign each protection region a priority level, and when protection regions overlap in address spacing, then a given protection region with a highest assigned priority level takes precedence in the overlapped address range, and wherein the protection logic has one or more registers to define protection region parameters that include the base starting address and the size of the protection region.
  - 11. The apparatus of claim 1, further comprising:
    - an error logging logic that records details of a failed transaction, and that reports a failed transaction access attempt to either or both the first initiator intellectual property block that initiated the failed transaction or to another component.
  - 12. A non-transitory computer readable storage media storing instructions, which when executed by a machine, the instructions are configured to cause the machine to generate a software representation of the apparatus of claim 1.

13. A non-transitory computer readable storage media containing instructions, which when executed by a machine, the instructions are configured to cause the machine to generate a software representation of an apparatus, where the apparatus includes:
- an interconnect coupled and shared amongst a plurality of target intellectual property blocks including a first target intellectual property block, and a plurality of initiator intellectual property blocks including a first initiator intellectual property block, where the first target intellectual property block is configured to service and respond to transactions from the first initiator intellectual property block over the interconnect, wherein the interconnect has an associated protection mechanism with protection logic configured to restrict access for the transactions to the first target intellectual property block based on criteria including access permissions associated with a protection region for the first target intellectual property block, where the access permissions associated with the protection region at least include who is the source requesting access to the first target intellectual property block and the type of access being requested, where the interconnect is configured to route the transactions between the first initiator intellectual property block and the first target intellectual property block, where the protection logic is configurable to set the access permissions for two or more protection regions in the integrated circuit, where each protection region is associated with address spacing in the integrated circuit, where the protection mechanism compares to determine when attributes of the transaction satisfy the access permissions of a given protection region, where the protection mechanism is programmable to prevent unauthorized access to or from the protection region, and where at least the protection mechanism, the interconnect, the first initiator intellectual property block and the first target intellectual property block are located on and are part of a System on a Chip.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The apparatus of claim 13, where the protection mechanism is a firewall with protection logic located in 1) a target agent connected between the first target intellectual property block and the interconnect, 2) the interconnect, 3) and any combination of both.
  - 15. The apparatus of claim 13, where the protection mechanism is a firewall with protection logic that includes a comparator to make a comparison between the transaction and the access permissions for the protection region to determine whether the transaction should be delivered to the first target intellectual property block based upon at least configured parameters in the access permissions.
  - 16. The apparatus of claim 15, wherein the protection logic of the protection mechanism further includes software accessible registers to allow parameters that define each protection region and its access permissions to be programmable, and the protection logic is configured to create two or more protection regions including a default region at a lowest priority level that covers the address spacing for the entire target intellectual property block.
  - 17. The apparatus of claim 13, wherein the protection logic of the protection mechanism is configured to allow a user to program both 1) a base starting address of the protection region and a size and 2) what transaction attributes are needed to access the protection region.

18. A method for a firewall protection mechanism for an interconnect located on a System on a Chip, comprising:
- configuring the firewall protection mechanism having protection logic to restrict access for transactions intended for a first target intellectual property block on the System on a Chip based on criteria including access permissions associated with a protection region for the first target intellectual property block, where the interconnect is coupled between a first initiator intellectual property block and the first target intellectual property block, where the first target intellectual property block is configured to service and respond to transactions from the first initiator intellectual property block over the interconnect, wherein the firewall protection mechanism is associated with the interconnect and the protection logic is configurable to set the access permissions for two or more protection regions in the System on a Chip, where the access permissions associated with the protection region at least include which initiator is the source requesting access and the type of access being requested; and
  
  configuring the interconnect to route the transactions between a plurality of target intellectual property blocks including the first target intellectual property block, and a plurality of initiator intellectual property blocks including the first initiator intellectual property block, where each protection region is associated with address spacing in the System on a Chip.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, further comprising:
    - configuring the firewall protection mechanism to make a comparison between the transaction and the access permissions for the protection region to determine whether the transaction should be delivered to the first target intellectual property block based upon at least configured parameters in the access permissions.
  - 20. The method of claim 18, further comprising:
    - configuring two or more protection regions to exist on the integrated circuit including the protection region, where the protection logic is configured to assign each protection region a priority level, and when protection regions overlap in address spacing, then the protection region with a highest assigned priority level takes precedence in the overlapped address range, andconfiguring the protection logic of the firewall protection mechanism to create separate read request access permissions and write request access permissions for each group of initiator intellectual property blocks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
META Platforms Technologies LLC (Meta Platforms, Inc. (f/k/a Facebook, Inc.))
Original Assignee
Sonics Incorporated (Meta Platforms, Inc. (f/k/a Facebook, Inc.))
Inventors
Weber, Wolf-Dietrich, Seigneret, Frank, Hamilton, Stephen W, Wingard, Drew A
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
SIMS, JING F

Application Number

US12/874,123
Publication Number

US 20110067114A1
Time in Patent Office

986 Days
Field of Search

726 2- 6, 726 11- 13, 726 26- 30
US Class Current

726/4
CPC Class Codes

G06F 12/10   Address translation

G06F 21/78   to assure secure storage of...

Y02D 10/00   Energy efficient computing,...

Methods and apparatus for a configurable protection architecture for on-chip systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for a configurable protection architecture for on-chip systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links