Secure software and hardware association technique
First Claim
1. A method of authenticating boot code of a semiconductor product, the method comprising:
in a hardware processor;
retrieving a public asymmetric encryption key, the public key associated with an original equipment manufacturer (OEM), the public key stored in memory by a provider of the semiconductor product;
loading the boot code from boot code memory, the boot code signed by a private key associated with the public key, the boot code identifying a secure location associated with the OEM storing encrypted program code;
authenticating the boot code by using the public key associated with the OEM during a first power-on sequence of the semiconductor product following installation of the semiconductor product, the authentication being performed internally with respect to the semiconductor product;
establishing a secure connection to the secure location;
receiving a command from the secure location signed by a private asymmetric encryption key associated with the OEM, the command requesting generation of a chip identifier token (ChipID token), the private asymmetric encryption key paired with the public key associated with the OEM;
generating the ChipID token by encrypting a chip identifier (ChipID) stored in memory by using the public key associated with the OEM;
transmitting the ChipID token to the secure location to be verified by the OEM by matching the ChipID against a plurality of ChipIDs stored in a database in the secure location;
receiving encrypted program code signed by the private key associated with the OEM if the ChipID is a match;
authenticating the encrypted program code by using the public key associated with the OEM; and
decrypting the encrypted program code by using a code encryption key (CEK) stored in memory;
wherein the encrypted program code is software.
Abstract
In an embodiment, authenticated hardware and authenticated software are cryptographically bound using symmetric and asymmetric cryptography. Cryptographically binding the hardware and software ensures that original equipment manufacturer (OEM) hardware will only run OEM software. Cryptographically binding the hardware and software protects the OEM binary code so it will only run on the OEM hardware and cannot be replicated or altered to operate on unauthorized hardware. This cryptographic binding technique is referred to herein as secure software and hardware association (SSHA).
55 Claims
23. An apparatus for authenticating boot code of a semiconductor product, the apparatus comprising:
memory configured to store a public asymmetric encryption key from a provider of the semiconductor product, the public key associated with an original equipment manufacturer (OEM);
a Code Authentication Unit (CAU) configured to retrieve the public key associated with the OEM from the memory, load the boot code from boot code memory the boot code identifying a secure location associated with the OEM storing encrypted program code, the program code signed by a private key associated with the public key, and authenticate the boot code by using the public key associated with the OEM during a first power-on sequence of the semiconductor product following installation of the semiconductor product, the authentication being performed internally with respect to the semiconductor product;
a First Time Boot Logic (FTBL) configured to; establish a secure connection to the secure location, receive a command from the secure location signed by a private asymmetric encryption key associated with the OEM, the command requesting a chip identifier token (ChipID token), generate the ChipID token by encrypting a chip identifier (ChipID) stored in memory by using the public key associated with the OEM, transmit the ChipID token to the secure location to be verified by the OEM by matching the ChipID against ChipIDs stored in a database, and receive encrypted program code if the ChipID is a match; and
a Code Decryption Logic (CDL) configured to decrypt the encrypted program code by using a code encryption key (CEK) stored in memory;
wherein the CAU is further configured to authenticate the encrypted program code by using the public key associated with the OEM and wherein the encrypted program code is application software.
46. A method of initializing circuitry for authenticating boot code in a semiconductor product, the method comprising:
in a hardware processor;
generating a public asymmetric encryption key associated with an original equipment manufacturer (OEM);
storing the public asymmetric encryption key in memory on the semiconductor product;
loading boot code to a boot code memory on the semiconductor product, the boot code signed by a private key associated with the public key, the boot code further authenticated by the public key;
generating a chip identifier (ChipID) associated with the semiconductor product;
generating a code encryption key (CEK) associated with the ChipID;
storing the ChipID and the CEK in the memory;
encrypting the ChipID using the public key associated with the OEM to generate a chip identifier token (ChipID token);
encrypting the CEK using the public key associated with the OEM to generate a CEK token; and
storing the ChipID token and the CEK token to a database.
55. A non-transitory computer readable medium having computer readable program codes embodied therein for authenticating boot code, the computer readable medium program codes performing functions comprising:
retrieving a public asymmetric encryption key, the public key associated with an original equipment manufacturer (OEM), the public key stored in memory by a provider of the semiconductor product;
loading boot code from boot code memory, the program code signed by a private key associated with the public key;
authenticating the boot code by using the public key associated with the OEM during a first power-on sequence of the semiconductor product following installation of the semiconductor product, the authentication being performed internally with respect to the semiconductor product;
identifying a secure location associated with the OEM storing encrypted program code;
establishing a secure connection to the secure location;
receiving a command from the secure location signed by a private asymmetric encryption key associated with the OEM requesting generation of a chip identifier token (ChipID token);
generating the ChipID token by encrypting a chip identifier (ChipID) stored in memory by using the public key associated with the OEM;
transmitting the ChipID token to the secure location to be verified by the OEM by matching the ChipID against ChipIDs stored in a database;
receiving encrypted program code signed by the private key associated with the OEM if the ChipID is a match;
authenticating the encrypted program code by using the public key associated with the OEM; and
decrypting the encrypted program code by using a code encryption key (CEK) stored in memory;
wherein the encrypted program code is application software.
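The provisioning steps of claim 46 and the first power-on exchange of claim 1, with both the chip side and the OEM side, as an added example that is not code from the patent. Assumptions: textbook RSA on two Mersenne primes and a SHA-256 keystream stand in for the unspecified asymmetric and CEK ciphers (neither is secure), the OEM recovers the CEK from the stored CEK token to encrypt the program code, and all names and the command string are hypothetical.

```python
import hashlib

# Toy textbook RSA on two Mersenne primes: stand-in for the OEM key pair, NOT secure.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))            # OEM private exponent (never on the chip)

def h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def oem_sign(data: bytes) -> int:             # OEM side, private key
    return pow(h(data), D, N)

def verify(data: bytes, sig: int) -> bool:    # chip side, public key only
    return pow(sig, E, N) == h(data)

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (assumed stand-in for the CEK cipher); same call decrypts."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class Oem:
    """The 'secure location': token database plus the program code to deliver."""
    def __init__(self, program: bytes):
        self.program, self.db = program, {}   # db: ChipID token -> CEK token
    def provision(self, chip_id: int, cek: bytes):        # claim 46
        self.db[pow(chip_id, E, N)] = pow(int.from_bytes(cek, "big"), E, N)
    def command(self):
        cmd = b"GENERATE_CHIPID_TOKEN"        # hypothetical command encoding
        return cmd, oem_sign(cmd)
    def deliver(self, token: int):
        known = {pow(t, D, N): c for t, c in self.db.items()}  # decrypt stored tokens
        chip_id = pow(token, D, N)
        if chip_id not in known:
            return None                       # ChipID not in database: no code sent
        cek = pow(known[chip_id], D, N).to_bytes(32, "big")
        blob = xor_stream(cek, self.program)
        return blob, oem_sign(blob)

def first_boot(chip_id, cek, boot_code, boot_sig, oem):   # claim 1, chip side
    if not verify(boot_code, boot_sig):
        return "boot code rejected"
    cmd, sig = oem.command()
    if not verify(cmd, sig):
        return "command rejected"
    reply = oem.deliver(pow(chip_id, E, N))   # ChipID token = Enc(OEM public key, ChipID)
    if reply is None:
        return "ChipID not recognised"
    blob, sig = reply
    if not verify(blob, sig):
        return "program code rejected"
    return xor_stream(cek, blob)              # decrypt with the CEK held in chip memory
```

A chip whose stored CEK differs from the one provisioned for its ChipID passes every signature check but decrypts the delivered code to unusable bytes.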
Specification