System and method for hardware based security
Abstract
An asset management system is provided, which includes a hardware module operating as an asset control core. The asset control core generally includes a small hardware core embedded in a target system on chip that establishes a hardware-based point of trust on the silicon die. The asset control core can be used as a root of trust on a consumer device by having features that make it difficult to tamper with. The asset control core is able to generate a unique identifier for one device and participate in the tracking and provisioning of the device through a secure communication channel with an appliance. The appliance generally includes a secure module that caches and distributes provisioning data to one of many agents that connect to the asset control core, e.g. on a manufacturing line or in an after-market programming session.
18 Claims
1. A method of programming features on a device, the method comprising:
- providing a hardware module on said device, said hardware module comprising non volatile memory (NVM) for storing feature activation information, at least a portion of said NVM being protected, and a cryptographic controller for performing cryptographic operations;
- said hardware module receiving a first command for establishing a secure session with an agent connected to said hardware module;
- said hardware module generating one or more public keys using said cryptographic controller, and providing said one or more public keys to said agent to enable said agent to provide said public keys to an appliance to generate a shared secret key;
- said hardware module obtaining an encrypted set of features from said agent;
- said hardware module using said shared secret to decrypt said set of features; and
- said hardware module programming one or more features on said NVM of said device according to said set of features.
Dependent claims: 2, 3, 4, 5.

6. A non-transitory computer readable medium comprising computer executable instructions that include instructions for performing operations comprising:
- providing a hardware module on said device, said hardware module comprising non volatile memory (NVM) for storing feature activation information, at least a portion of said NVM being protected, and a cryptographic controller for performing cryptographic operations;
- said hardware module receiving a first command for establishing a secure session with an agent connected to said hardware module;
- said hardware module generating one or more public keys using said cryptographic controller, and providing said one or more public keys to said agent to enable said agent to provide said public keys to an appliance to generate a shared secret key;
- said hardware module obtaining an encrypted set of features from said agent;
- said hardware module using said shared secret to decrypt said set of features; and
- said hardware module programming one or more features on said NVM of said device according to said set of features.

7. A method of programming features on a device, the method comprising:
- providing a connection to a hardware module on said device through an agent in communication with said hardware module, said hardware module comprising non volatile memory for storing feature activation information;
- obtaining from said agent, one or more public keys generated by said hardware module using a cryptographic controller;
- using said one or more public keys to generate a shared secret key;
- using said shared secret key to encrypt a set of features;
- providing an encrypted set of features to said hardware module through said agent; and
- metering a credit pool indicative of a quantity of hardware modules to be programmed.
Dependent claims: 8, 9, 10, 11.

12. A non-transitory computer readable medium comprising computer executable instructions that include instructions for performing operations comprising:
- providing a connection to a hardware module on said device through an agent in communication with said hardware module, said hardware module comprising non volatile memory for storing feature activation information;
- obtaining from said agent, one or more public keys generated by said hardware module using a cryptographic controller;
- using said one or more public keys to generate a shared secret key;
- using said shared secret key to encrypt a set of features;
- providing an encrypted set of features to said hardware module through said agent; and
- metering a credit pool indicative of a quantity of hardware modules to be programmed.

13. A server appliance comprising a processor, memory, and a connection to an agent, said server appliance being configured to perform operations comprising:
- providing a connection to a hardware module on said device through an agent in communication with said hardware module, said hardware module comprising non volatile memory for storing feature activation information;
- obtaining from said agent, one or more public keys generated by said hardware module using a cryptographic controller;
- using said one or more public keys to generate a shared secret key;
- using said shared secret key to encrypt a set of features;
- providing an encrypted set of features to said hardware module through said agent; and
- metering a credit pool indicative of a quantity of hardware modules to be programmed.

14. A method of programming features on a device, the method comprising:
- providing a first connection to a hardware module on said device and a second connection to an appliance, said appliance comprising sets of features to be programmed on said device, said hardware module comprising non volatile memory for storing feature activation information;
- sending a command to said hardware module to initiate a secure session therewith;
- obtaining, from said hardware module, one or more public keys generated by said hardware module;
- providing said public keys to said appliance;
- obtaining, from said appliance, an encrypted set of features;
- providing said encrypted set of features by establishing a feature programming session with said hardware module; and
- obtaining a response from said hardware module pertaining to application of said set of features.
Dependent claims: 15, 16, 17.

18. A non-transitory computer readable medium comprising computer executable instructions that include instructions for performing operations comprising:
- providing a first connection to a hardware module on said device and a second connection to an appliance, said appliance comprising sets of features to be programmed on said device, said hardware module comprising non volatile memory for storing feature activation information;
- sending a command to said hardware module to initiate a secure session therewith;
- obtaining, from said hardware module, one or more public keys generated by said hardware module;
- providing said public keys to said appliance;
- obtaining, from said appliance, an encrypted set of features;
- providing said encrypted set of features by establishing a feature programming session with said hardware module; and
- obtaining a response from said hardware module pertaining to application of said set of features.
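The three-party exchange of claims 1, 7 and 14 simulated end to end, as an added example that is not part of the patent or of any product implementing it: the hardware module generates a fresh key pair when the agent opens a session, the agent relays the public key to the appliance and the encrypted blob back without ever learning the shared secret, the appliance derives the shared secret, encrypts the feature set and decrements its credit pool, and the module checks the authentication tag before touching its protected NVM. Everything concrete here is my assumption, not the claims': X25519 for the key agreement (the RFC 7748 ladder is written out so the example needs only the standard library), a static appliance key pair whose public half the module already holds, SHA-256 and HMAC for key derivation and integrity, a 32-byte feature bitmap as the "set of features", and all class and function names.

```python
import hashlib, hmac, secrets
P, A24 = 2**255 - 19, 121665  # Curve25519 field prime and (486662 - 2) / 4
def x25519(k: bytes, u: bytes) -> bytes:  # RFC 7748 Montgomery ladder, stdlib only
    k = int.from_bytes(k, "little") & ~7 & ((1 << 255) - 1) | 1 << 254  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + A24 * (aa - bb)) % P
    x2, z2 = (x3, z3) if swap else (x2, z2)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")
def keypair():
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, (9).to_bytes(32, "little"))  # public key = priv * base point 9
def session_keys(shared: bytes, nonce: bytes):  # nonce = the module's per-session public key
    return [hashlib.sha256(label + shared + nonce).digest() for label in (b"enc", b"mac")]

class Appliance:  # holds the feature sets and the credit pool; talks only to the agent
    def __init__(self, credits: int):
        self.priv, self.pub = keypair()  # assumption: static key, public half known to modules
        self.credits = credits
    def encrypt_features(self, module_pub: bytes, feature_bits: bytes) -> bytes:
        if self.credits <= 0:
            raise PermissionError("credit pool exhausted")
        self.credits -= 1  # metering: one credit per hardware module programmed
        ke, km = session_keys(x25519(self.priv, module_pub), module_pub)
        ct = bytes(x ^ y for x, y in zip(feature_bits.ljust(32, b"\0"), ke))  # 32-byte bitmap
        return ct + hmac.new(km, ct, hashlib.sha256).digest()  # encrypt-then-MAC

class HardwareModule:  # asset control core: per-session key pair, 256 feature bits in NVM
    def __init__(self, appliance_pub: bytes):
        self.appliance_pub, self.nvm = appliance_pub, b"\0" * 32
    def start_session(self) -> bytes:  # answers the agent's "establish secure session" command
        self.priv, self.pub = keypair()
        return self.pub
    def program(self, blob: bytes) -> bool:
        ct, tag = blob[:32], blob[32:]
        ke, km = session_keys(x25519(self.priv, self.appliance_pub), self.pub)
        if not hmac.compare_digest(tag, hmac.new(km, ct, hashlib.sha256).digest()):
            return False  # tampered blob or wrong session: protected NVM stays untouched
        self.nvm = bytes(x ^ y for x, y in zip(ct, ke))
        return True
def agent_provision(module, appliance, feature_bits: bytes) -> bool:  # agent relays opaque blobs
    return module.program(appliance.encrypt_features(module.start_session(), feature_bits))
```

Because the module's key pair is regenerated per session, a captured blob cannot be replayed into a later session, and a blob whose tag fails leaves the NVM exactly as it was.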