Secure software and hardware association technique

US 8,677,144 B2
Filed: 02/24/2009
Issued: 03/18/2014
Est. Priority Date: 02/25/2008
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating boot code of a semiconductor product, the method comprising:

in a hardware processor;

retrieving a public asymmetric encryption key, the public key associated with an original equipment manufacturer (OEM), the public key stored in memory by a provider of the semiconductor product;

loading the boot code from boot code memory, the boot code signed by a private key associated with the public key, the boot code identifying a secure location associated with the OEM storing encrypted program code;

authenticating the boot code by using the public key associated with the OEM during a first power-on sequence of the semiconductor product following installation of the semiconductor product, the authentication being performed internally with respect to the semiconductor product;

establishing a secure connection to the secure location;

receiving a command from the secure location signed by a private asymmetric encryption key associated with the OEM, the command requesting generation of a chip identifier token (ChipID token), the private asymmetric encryption key paired with the public key associated with the OEM;

generating the ChipID token by encrypting a chip identifier (ChipID) stored in memory by using the public key associated with the OEM;

transmitting the ChipID token to the secure location to be verified by the OEM by matching the ChipID against a plurality of ChipIDs stored in a database in the secure location;

receiving encrypted program code signed by the private key associated with the OEM if the ChipID is a match;

authenticating the encrypted program code by using the public key associated with the OEM; and

decrypting the encrypted program code by using a code encryption key (CEK) stored in memory;

wherein the encrypted program code is software.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, authenticated hardware and authenticated software are cryptographically binded using symmetric and asymmetric cryptography. Cryptographically binding the hardware and software ensures that original equipment manufacturer (OEM) hardware will only run OEM software. Cryptographically binding the hardware and software protects the OEM binary code so it will only run on the OEM hardware and cannot be replicated or altered to operate on unauthorized hardware. This cryptographic binding technique is referred to herein as secure software and hardware association (SSHA).

Citations

55 Claims

1. A method of authenticating boot code of a semiconductor product, the method comprising:
- in a hardware processor;
  
  retrieving a public asymmetric encryption key, the public key associated with an original equipment manufacturer (OEM), the public key stored in memory by a provider of the semiconductor product;
  
  loading the boot code from boot code memory, the boot code signed by a private key associated with the public key, the boot code identifying a secure location associated with the OEM storing encrypted program code;
  
  authenticating the boot code by using the public key associated with the OEM during a first power-on sequence of the semiconductor product following installation of the semiconductor product, the authentication being performed internally with respect to the semiconductor product;
  
  establishing a secure connection to the secure location;
  
  receiving a command from the secure location signed by a private asymmetric encryption key associated with the OEM, the command requesting generation of a chip identifier token (ChipID token), the private asymmetric encryption key paired with the public key associated with the OEM;
  
  generating the ChipID token by encrypting a chip identifier (ChipID) stored in memory by using the public key associated with the OEM;
  
  transmitting the ChipID token to the secure location to be verified by the OEM by matching the ChipID against a plurality of ChipIDs stored in a database in the secure location;
  
  receiving encrypted program code signed by the private key associated with the OEM if the ChipID is a match;
  
  authenticating the encrypted program code by using the public key associated with the OEM; and
  
  decrypting the encrypted program code by using a code encryption key (CEK) stored in memory;
  
  wherein the encrypted program code is software.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1 further comprising:
    - receiving a request signed by the private key associated with the OEM and encrypted with CEK that provides a new CEK;
      
      retrieving the new CEK from the request by using the public key associated with the OEM stored in memory and decrypting the request using the CEK; and
      
      replacing the CEK stored in memory with the new CEK.
  - 3. The method of claim 1 wherein the public key associated with the OEM is stored in memory during manufacture of the semiconductor product.
  - 4. The method of claim 1 wherein the ChipID is generated and stored in memory during manufacture of the semiconductor product.
  - 5. The method of claim 4 wherein the ChipID is any number, a random number, or associated with the public and private key pair associated with the OEM.
  - 6. The method of claim 1 wherein the CEK is generated and stored in memory during manufacture of the semiconductor product.
  - 7. The method of claim 6 wherein the CEK is associated with the public and private key pair associated with the OEM.
  - 8. The method of claim 1 wherein the OEM uses the private key associated with the OEM to decrypt the ChipID token to retrieve the ChipID.
  - 9. The method of claim 1 wherein the database is created by the semiconductor provider and maintained by the OEM.
  - 10. The method of claim 1 wherein the encrypted program code is encrypted by using a CEK decrypted from a code encryption key token (CEK token) by using the private key associated with the OEM, the CEK token associated with the ChipID token and stored in the database.
  - 11. The method of claim 1 further comprising performing the authentication in circuitry external to the semiconductor product.
  - 12. The method of claim 11 wherein the circuitry is between the semiconductor product and the program code memory.
  - 13. The method of claim 12 further comprising maintaining the semiconductor product in a reset state until the boot code is authenticated.
  - 14. The method of claim 1 further comprising halting operation of the semiconductor product until the boot code is authenticated.
  - 15. The method of claim 1 further comprising:
    - detecting whether authentication has been enabled for the semiconductor product; and
      
      if authentication has been enabled for the semiconductor product, performing the authentication, and, if authentication has not been enabled for the semiconductor product, allowing the semiconductor product to perform a normal boot code loading process.
  - 16. The method of claim 1 wherein the OEM is a certificate authority issuing the public key associated with the OEM.
  - 17. The method of claim 1 wherein the authentication uses asymmetric cryptographic algorithms such as elliptic curve cryptography (ECC) and Rivest Shamir Adleman (RSA).
  - 18. The method of claim 1 wherein the authentication uses symmetric cryptographic algorithms such as Advanced Encryption Standard (AES) and Data Encryption Standard (DES).
  - 19. The method of claim 1 further comprising:
    - transmitting a request to a secure location associated with the OEM requesting updated program code;
      
      receiving encrypted updated program code from the secure location, the encrypted updated program code signed by a private key associated with the OEM and encrypted by using a code encryption key (CEK), the CEK decrypted from a code encryption key token (CEK token) stored in a database by using a private key associated with the OEM;
      
      authenticating the encrypted updated program code by using the public key associated with the OEM; and
      
      retrieving the updated program code by using a CEK stored in memory to decrypt the encrypted updated program code.
  - 20. The method of claim 1 further comprising receiving commands encrypted by a code encryption key (CEK) decrypted from a code encryption key token (CEK token) stored in a database by using the private key associated with the OEM, the commands received over a secure physical connection with the semiconductor product to change the public key and a CEK stored in memory.
  - 21. The method of claim 1 wherein the public key associated with the OEM is stored in memory by the semiconductor provider during manufacture of the semiconductor product.
  - 22. The method of claim 1 further comprising detecting whether a bypass is enabled to prevent the authentication.

23. An apparatus for authenticating boot code of a semiconductor product, the apparatus comprising:
- memory configured to store a public asymmetric encryption key from a provider of the semiconductor product, the public key associated with an original equipment manufacturer (OEM);
  
  a Code Authentication Unit (CAU) configured to retrieve the public key associated with the OEM from the memory, load the boot code from boot code memory the boot code identifying a secure location associated with the OEM storing encrypted program code, the program code signed by a private key associated with the public key, and authenticate the boot code by using the public key associated with the OEM during a first power-on sequence of the semiconductor product following installation of the semiconductor product, the authentication being performed internally with respect to the semiconductor product;
  
  a First Time Boot Logic (FTBL) configured to;
  
  establish a secure connection to the secure location,receive a command from the secure location signed by a private asymmetric encryption key associated with the OEM, the command requesting a chip identifier token (ChipID token),generate the ChipID token by encrypting a chip identifier (ChipID) stored in memory by using the public key associated with the OEM,transmit the ChipID token to the secure location to be verified by the OEM by matching the ChipID against ChipIDs stored in a database, andreceive encrypted program code if the ChipID is a match; and
  
  a Code Decryption Logic (CDL) configured to decrypt the encrypted program code by using a code encryption key (CEK) stored in memory;
  
  wherein the CAU is further configured to authenticate the encrypted program code by using the public key associated with the OEM and wherein the encrypted program code is application software.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 54)
- - 24. The apparatus of claim 23 wherein the FTBL is further configured to receive a request signed by the private key associated with the OEM and encrypted with the CEK that provides a new CEK, wherein the CDL is further configured to decrypt the request using the CEK, and wherein the FTBL is further configured to retrieve the new CEK from the request by using the public key associated with the OEM stored in memory, and replace the CEK stored in memory with the new CEK.
  - 25. The apparatus of claim 23 wherein the public key associated with the OEM is stored in memory during manufacture of the semiconductor product.
  - 26. The apparatus of claim 23 wherein the ChipID is generated and stored in memory during manufacture of the semiconductor product.
  - 27. The apparatus of claim 26 wherein the ChipID is any number, a random number, or associated with the public and private key pair associated with the OEM.
  - 28. The apparatus of claim 23 wherein the CEK is generated and stored in memory during manufacture of the semiconductor product.
  - 29. The apparatus of claim 28 wherein the CEK is associated with the public and private key pair associated with the OEM.
  - 30. The apparatus of claim 23 wherein the OEM uses the private key associated with the OEM to decrypt the ChipID token to retrieve the ChipID.
  - 31. The apparatus of claim 23 wherein the database is created by the semiconductor provider and maintained by the OEM.
  - 32. The apparatus of claim 23 wherein the encrypted program code is encrypted by using a CEK decrypted from a code encryption key token (CEK token) by using the private key associated with the OEM, the CEK token associated with the ChipID token and stored in the database.
  - 33. The apparatus of claim 23 wherein the apparatus is external to the semiconductor product.
  - 34. The apparatus of claim 33 wherein the apparatus is between the semiconductor product and the program code memory.
  - 35. The apparatus of claim 34 wherein the apparatus maintains the semiconductor product in a reset state until the boot code is authenticated.
  - 36. The apparatus of claim 23 wherein the apparatus is internal to the semiconductor product.
  - 37. The apparatus of claim 36 wherein the apparatus halts operation of the semiconductor product until the boot code is authenticated.
  - 38. The apparatus of claim 23 wherein the FTBL is further configured to detect whether authentication has been enabled for the semiconductor product, and, if authentication has been enabled for the semiconductor product, perform the authentication, and, if authentication has not been enabled for the semiconductor product, allow the semiconductor to perform a normal boot code loading process.
  - 39. The apparatus of claim 23 wherein the OEM is a certificate authority issuing the public key associated with the OEM.
  - 40. The apparatus of claim 23 wherein the CAU uses asymmetric cryptographic standards such as elliptic curve cryptography (ECC) and Rivest Shamir Adleman (RSA).
  - 41. The apparatus of claim 23 wherein the CDL uses symmetric cryptographic algorithms such as Advanced Encryption Standard (AES) and Data Encryption Standard (DES).
  - 42. The apparatus of claim 23 wherein the FTBL is further configured to transmit a request to a secure location associated with the OEM requesting updated program code, receive encrypted updated program code from the secure location, the encrypted updated program code signed by a private key associated with the OEM and encrypted by using a code encryption key (CEK) decrypted from a code encryption key token (CEK token) stored in a database by using the private key associated with the OEM, wherein the CAU is further configured to authenticate the encrypted updated program code by using the public key associated with the OEM, and the CDL is further configured to retrieve the updated program code by using a CEK stored in memory to decrypt the encrypted updated program code.
  - 43. The apparatus of claim 23 wherein the CDL is further configured to receive commands encrypted by a code encryption key (CEK) decrypted from a code encryption key token (CEK token) stored in a database by using the private key associated with the OEM, the commands received over a secure physical connection with the semiconductor product to change the public key and a CEK stored in memory.
  - 44. The apparatus of claim 23 wherein the public key associated with the OEM is stored in memory by the semiconductor provider during manufacture of the semiconductor product.
  - 45. The apparatus of claim 23 further comprising a bypass configured to prevent the authentication.
  - 54. The method of claim 23 wherein the non-volatile memory is one-time programmable (OTP) memory.

46. A method of initializing circuitry for authenticating boot code in a semiconductor product, the method comprising:
- in a hardware processor;
  
  generating a public asymmetric encryption key associated with an original equipment manufacturer (OEM);
  
  storing the public asymmetric encryption key in memory on the semiconductor product;
  
  loading boot code to a boot code memory on the semiconductor product, the boot code signed by a private key associated with the public key, the boot code further authenticated by the public key;
  
  generating a chip identifier (ChipID) associated with the semiconductor product;
  
  generating a code encryption key (CEK) associated with the ChipID;
  
  storing the ChipID and the CEK in the memory;
  
  encrypting the ChipID using the public key associated with the OEM to generate a chip identifier token (ChipID token);
  
  encrypting the CEK using the public key associated with the OEM to generate a CEK token; and
  
  storing the ChipID token and the CEK token to a database.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53)
- - 47. The method of claim 46 further comprising:
    - signing the database by using a private key associated with a semiconductor provider;
      
      transferring the signed database to the OEM to be maintained by the OEM; and
      
      destroying the database created by the semiconductor provider.
  - 48. The method of claim 46 wherein the database is created by the semiconductor provider and maintained by the OEM.
  - 49. The method of claim 46 further comprising enabling the authentication.
  - 50. The method of claim 49 wherein authentication is enabled by burning a fuse.
  - 51. The method of claim 49 wherein authentication is enabled by writing a value to one-time programmable (OTP) memory.
  - 52. The method of claim 46 wherein the ChipID is a random number.
  - 53. The method of claim 46 wherein the public key associated with the OEM, the ChipID, and the CEK are stored in non-volatile memory.

55. A non-transitory computer readable medium having computer readable program codes embodied therein for authenticating boot code, the computer readable medium program codes performing functions comprising:
- retrieving a public asymmetric encryption key, the public key associated with an original equipment manufacturer (OEM), the public key stored in memory by a provider of the semiconductor product;
  
  loading boot code from boot code memory, the program code signed by a private key associated with the public key;
  
  authenticating the boot code by using the public key associated with the OEM during a first power-on sequence of the semiconductor product following installation of the semiconductor product, the authentication being performed internally with respect to the semiconductor product;
  
  identifying a secure location associated with the OEM storing encrypted program code;
  
  establishing a secure connection to the secure location;
  
  receiving a command from the secure location signed by a private asymmetric encryption key associated with the OEM requesting generation of a chip identifier token (ChipID token);
  
  generating the ChipID token by encrypting a chip identifier (ChipID) stored in memory by using the public key associated with the OEM;
  
  transmitting the ChipID token to the secure location to be verified by the OEM by matching the ChipID against ChipIDs stored in a database;
  
  receiving encrypted program code signed by the private key associated with the OEM if the ChipID is a match;
  
  authenticating the encrypted program code by using the public key associated with the OEM; and
  
  decrypting the encrypted program code by using a code encryption key (CEK) stored in memory;
  
  wherein the encrypted program code is application software.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Marvell Asia Pte Limited (Marvell Technology Group Limited)
Original Assignee
Cavium, LLC (Marvell Technology Group Limited)
Inventors
Haider, Amer, Hussain, Muhammad R., Kessler, Richard E., Badr, Imran
Primary Examiner(s)
Tabor, Amare F
Assistant Examiner(s)
Getachew, Abiy

Application Number

US12/392,004
Publication Number

US 20090217054A1
Time in Patent Office

1,848 Days
Field of Search

713/189
US Class Current

713/189
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

Secure software and hardware association technique

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

55 Claims

Specification

Solutions

Use Cases

Quick Links

Secure software and hardware association technique

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

55 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links