Microprocessor having secure non-volatile storage access

US 8,615,799 B2
Filed: 10/31/2008
Issued: 12/24/2013
Est. Priority Date: 05/24/2008
Status: Active Grant

First Claim

Patent Images

1. An apparatus providing for a secure execution environment, comprising:

an x86-compatible microprocessor, capable of executing all of the instructions in the x86 instruction set, and configured to execute non-secure application programs and a secure application program, wherein said non-secure application programs are accessed from a system memory via a system bus, and wherein said x86-compatible microprocessor is also configured to automatically transition to a degraded mode where BIOS instructions are allowed to execute in order to allow for user input and the display of messages, but the execution of more complicated software such as an operating system is not allowed, said x86-compatible microprocessor comprising;

a cryptographic unit, configured to encrypt said secure application program according to a cryptographic algorithm using a processor unique cryptographic key; and

a processor key register, configured to store said processor unique cryptographic key, wherein said processor key register can only be read by said cryptographic unit; and

a secure non-volatile memory, coupled to said microprocessor via a private serial bus, configured to store said secure application program in encrypted form, wherein transactions over said private serial bus between said x86-compatible microprocessor and said secure non-volatile memory are isolated from said system bus and corresponding system bus resources within said x86-compatible microprocessor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus providing for a secure execution environment. The apparatus includes a microprocessor and a secure non-volatile memory. The microprocessor is configured to execute non-secure application programs and a secure application program, where the non-secure application programs are accessed from a system memory via a system bus. The secure non-volatile memory is coupled to the microprocessor via a private bus. The secure non-volatile memory is configured to store the secure application program, where transactions over the private bus between the microprocessor and the secure non-volatile memory are isolated from the system bus and corresponding system bus resources within the microprocessor.

150 Citations

22 Claims

1. An apparatus providing for a secure execution environment, comprising:
- an x86-compatible microprocessor, capable of executing all of the instructions in the x86 instruction set, and configured to execute non-secure application programs and a secure application program, wherein said non-secure application programs are accessed from a system memory via a system bus, and wherein said x86-compatible microprocessor is also configured to automatically transition to a degraded mode where BIOS instructions are allowed to execute in order to allow for user input and the display of messages, but the execution of more complicated software such as an operating system is not allowed, said x86-compatible microprocessor comprising;
  
  a cryptographic unit, configured to encrypt said secure application program according to a cryptographic algorithm using a processor unique cryptographic key; and
  
  a processor key register, configured to store said processor unique cryptographic key, wherein said processor key register can only be read by said cryptographic unit; and
  
  a secure non-volatile memory, coupled to said microprocessor via a private serial bus, configured to store said secure application program in encrypted form, wherein transactions over said private serial bus between said x86-compatible microprocessor and said secure non-volatile memory are isolated from said system bus and corresponding system bus resources within said x86-compatible microprocessor.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus as recited in claim 1, wherein said secure non-volatile memory comprises a flash ROM.
  - 3. The apparatus as recited in claim 1, wherein said transactions comprise parts of said secure application program that are encrypted according to said cryptographic algorithm.
  - 4. The apparatus as recited in claim 3, wherein said cryptographic algorithm comprises the Advanced Encryption Standard (AES) algorithm.
  - 5. The apparatus as recited in claim 3, wherein said processor unique cryptographic key is employed to encrypt and decrypt said parts.
  - 6. The apparatus as recited in claim 1, wherein said private serial bus and said secure non-volatile memory cannot be observed or accessed by said non-secure application programs.
  - 7. The apparatus as recited in claim 1, wherein said x86-compatible microprocessor generates hashes of selected parts of said secure application program, and wherein said microprocessor encrypts and writes said hashes into said secure non-volatile memory.

8. A microprocessor apparatus, for executing secure code within a secure execution environment, the microprocessor apparatus comprising:
- a secure non-volatile memory, configured to store a secure application program; and
  
  an x86-compatible microprocessor, capable of executing all of the instructions in the x86 instruction set, coupled to said secure non-volatile memory via a private serial bus, configured to execute non-secure application programs and said secure application program, wherein said secure application program is encrypted according to a cryptographic algorithm using a processor unique cryptographic key, and wherein said x86-compatible microprocessor is also configured to automatically transition to a degraded mode where BIOS instructions are allowed to execute in order to allow for user input and the display of messages, but the execution of more complicated software such as an operating system is not allowed, said x86-compatible microprocessor comprising;
  
  a cryptographic unit, configured to encrypt said secure application program; and
  
  a processor key register, configured to store said processor unique cryptographic key, wherein said processor key register can only be read by said cryptographic unit;
  
  a bus interface unit, configured to accomplish system bus transactions over a system bus to access said non-secure applications in system memory; and
  
  a secure non-volatile memory interface unit, configured to couple said x86-compatible microprocessor to said secure non-volatile memory via a private serial bus, wherein private serial bus transactions over said private serial bus to access said secure non-volatile memory are hidden from observation by system bus resources within said x86-compatible microprocessor and to any device coupled to said system bus.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The microprocessor apparatus as recited in claim 8, wherein said secure non-volatile memory comprises a flash ROM.
  - 10. The microprocessor apparatus as recited in claim 8, wherein said private serial bus comprises a serial bus.
  - 11. The microprocessor apparatus as recited in claim 8, wherein said private serial bus transactions comprise parts of said secure application program that are encrypted according to said cryptographic algorithm.
  - 12. The microprocessor apparatus as recited in claim 11, wherein said cryptographic algorithm comprises the Advanced Encryption Standard (AES) algorithm.
  - 13. The microprocessor apparatus as recited in claim 11, wherein said processor unique cryptographic key is employed to encrypt and decrypt said parts.
  - 14. The microprocessor apparatus as recited in claim 8, wherein said private serial bus and said secure non-volatile memory cannot be observed or accessed by said non-secure application programs during execution.
  - 15. The microprocessor apparatus as recited in claim 8, wherein said x86-compatible microprocessor generates hashes of selected parts of said secure application program, and wherein said x86-compatible microprocessor encrypts and writes said hashes into said secure non-volatile memory.

16. A method for executing secure code within a secure execution environment, the method comprising:
- providing a secure non-volatile memory for storage of the secure code;
  
  encrypting the secure code according to a cryptographic algorithm using a processor unique cryptographic key, wherein the processor unique cryptographic key can be accessed only by cryptographic logic disposed within an x86-compatible microprocessor, and wherein the x86-compatible microprocessor is capable of executing all of the instructions in the x86 instruction set, and wherein said x86-compatible microprocessor is also configured to automatically transition to a degraded mode where BIOS instructions are allowed to execute in order to allow for user input and the display of messages, but the execution of more complicated software such as an operating system is not allowed;
  
  employing the x86-compatible microprocessor to store the secure code within the secure non-volatile memory via private transactions accomplished over a private serial bus that is coupled to the secure non-volatile memory; and
  
  fetching the secure code from the secure non-volatile memory over the private serial bus for execution by the x86-compatible microprocessor;
  
  wherein the private serial bus is isolated from all system bus resources within the x86-compatible microprocessor and external to the x86-compatible microprocessor, and wherein the private serial bus is observable and accessible exclusively by secure execution logic within the x86-compatible microprocessor.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method as recited in claim 16, wherein the secure non-volatile memory comprises a flash ROM.
  - 18. The method as recited in claim 16, wherein said storing comprises accomplishing serial transactions over the private serial bus to access the secure non-volatile memory.
  - 19. The method as recited in claim 16, wherein the cryptographic algorithm comprises the Advanced Encryption Standard (AES) algorithm.
  - 20. The method as recited in claim 16, wherein the processor unique cryptographic key is employed to decrypt the secure code subsequent to said fetching.
  - 21. The method as recited in claim 16, wherein the private serial bus and the secure non-volatile memory cannot be observed or accessed by non-secure code during execution by the x86-compatible microprocessor.
  - 22. The method as recited in claim 16, wherein said employing comprises, via the x86-compatible microprocessor, generating hashes of selected portions of the secure code, and additionally storing the hashes in the secure non-volatile memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VIA Technologies Incorporated (VIA Technologies)
Original Assignee
VIA Technologies Incorporated (VIA Technologies)
Inventors
Henry, G. Glenn, Parks, Terry
Primary Examiner(s)
Cervetti, David Garcia
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US12/263,131
Publication Number

US 20090292893A1
Time in Patent Office

1,880 Days
Field of Search

713/165, 713/167, 713/172, 713/1, 713/189, 712/32, 712/43, 712/220, 711/100, 711/152, 711/163, 726/27, 726/34, 726/26, 726/17, 726 21- 22
US Class Current

726/21
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/12   Protecting executable software

G06F 21/14   against software analysis o...

G06F 21/554   involving event detection a...

G06F 21/70   Protecting specific interna...

G06F 21/71   to assure secure computing ...

G06F 21/72   in cryptographic circuits

G06F 21/73   by creating or determining ...

G06F 21/74   operating in dual or compar...

G06F 21/82   Protecting input, output or...

Microprocessor having secure non-volatile storage access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

150 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Microprocessor having secure non-volatile storage access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

150 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links