Switch key instruction in a microprocessor that fetches and decrypts encrypted instructions

US 8,700,919 B2
Filed: 04/21/2011
Issued: 04/15/2014
Est. Priority Date: 05/25/2010
Status: Active Grant

First Claim

Patent Images

1. A microprocessor that includes a pipeline comprising:

an instruction cache;

a fetch unit, configured to fetch a sequence of blocks of encrypted instructions of an encrypted program from the instruction cache at a corresponding sequence of fetch address values, wherein while fetching each block of the sequence the fetch unit is further configured to generate a decryption key as a function of key values in the fetch unit and a portion of the corresponding fetch address value, wherein for each fetched block of the sequence the fetch unit is further configured to decrypt the encrypted instructions in the fetched block using the generated decryption key;

an execution unit that follows the fetch unit; and

a switch key instruction, configured to instruct the microprocessor to update the key values in the fetch unit while the fetch unit is fetching the sequence of blocks from the instruction cache;

wherein the fetch unit fetches a first encrypted instruction and decrypts it using a first key value;

the execution unit replaces the first key value with a second key value in response to executing the switch key instruction; and

the fetch unit fetches a second encrypted instruction and decrypts it using the second key value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A fetch unit fetches a sequence of blocks of encrypted instructions of an encrypted program from an instruction cache at a corresponding sequence of fetch address values. While fetching each block of the sequence, the fetch unit generates a decryption key as a function of key values and the corresponding fetch address value, and decrypts the encrypted instructions using the generated decryption key by XORing them together. A switch key instruction instructs the microprocessor to update the key values in the fetch unit while the fetch unit is fetching the sequence of blocks. The fetch unit inherently provides an effective decryption key length that depends upon the function and amount of key values used. Including one or more switch key instructions within the encrypted program increases the effective decryption key length up to the encrypted program length.

46 Citations

20 Claims

1. A microprocessor that includes a pipeline comprising:
- an instruction cache;
  
  a fetch unit, configured to fetch a sequence of blocks of encrypted instructions of an encrypted program from the instruction cache at a corresponding sequence of fetch address values, wherein while fetching each block of the sequence the fetch unit is further configured to generate a decryption key as a function of key values in the fetch unit and a portion of the corresponding fetch address value, wherein for each fetched block of the sequence the fetch unit is further configured to decrypt the encrypted instructions in the fetched block using the generated decryption key;
  
  an execution unit that follows the fetch unit; and
  
  a switch key instruction, configured to instruct the microprocessor to update the key values in the fetch unit while the fetch unit is fetching the sequence of blocks from the instruction cache;
  
  wherein the fetch unit fetches a first encrypted instruction and decrypts it using a first key value;
  
  the execution unit replaces the first key value with a second key value in response to executing the switch key instruction; and
  
  the fetch unit fetches a second encrypted instruction and decrypts it using the second key value.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The microprocessor of claim 1, wherein the fetch unit is configured to decrypt the encrypted instructions in the fetched block by performing a Boolean exclusive-OR (XOR) operation of the encrypted instructions with the generated decryption key.
  - 3. The microprocessor of claim 1, wherein the microprocessor is configured to take an exception in response to the switch key instruction if the microprocessor is not in a secure execution mode.
  - 4. The microprocessor of claim 1, wherein the microprocessor is further configured to flush from the pipeline decrypted instructions that are newer in program order than the switch key instruction.
  - 5. The microprocessor of claim 1, further comprising:
    - microcode, configured to implement the switch key instruction.
  - 6. The microprocessor of claim 1, wherein the microprocessor is further configured to branch to a next sequential instruction in program order after the switch key instruction in response to executing the switch key instruction.

7. A microprocessor comprising:
- an instruction cache;
  
  a fetch unit, configured to fetch a sequence of blocks of encrypted instructions of an encrypted program from the instruction cache at a corresponding sequence of fetch address values, wherein while fetching each block of the sequence the fetch unit is further configured to generate a decryption key as a function of key values in the fetch unit and a portion of the corresponding fetch address value, wherein for each fetched block of the sequence the fetch unit is further configured to decrypt the encrypted instructions in the fetched block using the generated decryption key; and
  
  a switch key instruction, configured to instruct the microprocessor to update the key values in the fetch unit while the fetch unit is fetching the sequence of blocks from the instruction cache;
  
  wherein the fetch unit inherently provides an effective decryption key length used to decrypt the encrypted program, wherein the effective decryption key length depends upon how many key values are available in the fetch unit and the function used to generate decryption keys used by the fetch unit to decrypt each block of the sequence, wherein the update of the key values in the fetch unit by one or more switch key instructions within the encrypted program increases the effective decryption key length beyond the inherently provided effective decryption key length.
- View Dependent Claims (8)
- - 8. The microprocessor of claim 7, wherein the increased effective decryption key length is as long as the encrypted program.

9. A microprocessor comprising:
- an instruction cache;
  
  a fetch unit, configured to fetch sequence of blocks encrypted instructions of an encrypted program from the instruction cache at a corresponding sequence of fetch address values, wherein while fetching each block of the sequence the fetch unit is further configured to generate a decryption key as a function of key values in the fetch unit and a portion of the corresponding fetch address value, wherein for each fetched block of the sequence the fetch unit is further configured to decrypt the encrypted instructions in the fetched block using the generated decryption key; and
  
  a register file, configured to store a plurality of sets of key values; and
  
  a switch key instruction, configured to instruct the microprocessor to update the key values in the fetch unit while the fetch unit is fetching the sequence of blocks from the instruction cache;
  
  wherein the switch key instruction specifies an index value that specifies a location of one of the plurality of sets of key values within the register file, wherein the microprocessor is configured to update the key values in the fetch unit used to generate the decryption key with the one of the plurality of sets of key values within the register file location specified by the index value specified by the switch key instruction.

10. A microprocessor-implemented method for securely operating a program in a microprocessor having an instruction cache, the method comprising:
- fetching first encrypted instructions of the program from the instruction cache and decrypting them using a first decryption key value into first unencrypted instructions;
  
  replacing the first decryption key with a second decryption key, in response to executing a switch key instruction among the first unencrypted instructions; and
  
  fetching second encrypted instructions of the program from the instruction cache and decrypting them using the second decryption key value into second unencrypted instructions;
  
  wherein the program comprises a first chunk of sequential instructions immediately followed by a second chunk of sequential instructions, wherein the first chunk comprises the first encrypted instructions and the second chunk comprises the second encrypted instructions, wherein the first chuck is encrypted with the first decryption key and the second chunk is encrypted with the second decryption key, and wherein the switch key instruction is the last instruction in the first chunk.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein the switch key instruction specifies an index value that specifies a location within a register file of the microprocessor, wherein said replacing the first decryption key with the second decryption key comprises loading a fetch unit of the microprocessor with the second decryption key from the register file location specified by the index value.
  - 12. The method of claim 10, wherein said fetching the second encrypted instructions comprises branching to a next sequential instruction in program order after the switch key instruction.
  - 13. The method of claim 10, wherein said decrypting the first and second encrypted instructions comprises performing a Boolean exclusive-OR (XOR) operation of the first and second encrypted instructions with the first and second decryption keys, respectively.
  - 14. The method of claim 10, wherein said executing the switch key instruction comprises taking an exception if the microprocessor is not in a secure execution mode.

15. A microprocessor-implemented method for securely operating an encrypted program in a microprocessor, the method comprising:
- fetching a sequence of blocks of encrypted instructions of the encrypted program from an instruction cache at a corresponding sequence of fetch address values;
  
  while said fetching each block of the sequence, generating a decryption key as a function of key values and a portion of the corresponding fetch address value;
  
  for each fetched block of the sequence, decrypting the encrypted instructions in the fetched block using the generated decryption key; and
  
  executing a switch key instruction during said fetching the sequence of blocks, wherein said executing the switch key instruction comprises updating the key values used to perform said generating the decryption key;
  
  wherein the function of the key values and the portion of the corresponding fetch address value inherently provides an effective decryption key length used to decrypt the encrypted program, wherein the inherently provided effective decryption key length depends upon how many key values are available for generating the decryption key and the function used to generate the decryption keys, wherein updating the key values by one or more switch key instructions within the encrypted program increases the effective decryption key length beyond the inherently provided effective decryption key length.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein the switch key instruction is a decrypted instruction produced by said decrypting the encrypted instructions in one of the fetched sequence of blocks.
  - 17. The method of claim 15, wherein the increased effective decryption key length is as long as the encrypted program.
  - 18. The method of claim 15, wherein said decrypting the encrypted instructions in the fetched block using the generated decryption key comprises performing a Boolean exclusive-OR (XOR) operation of the encrypted instructions with the generated decryption key.
  - 19. The method of claim 15, further comprising:
    - flushing decrypted instructions that are newer in program order than the switch key instruction.
  - 20. The method of claim 15, wherein the switch key instruction specifies an index value that specifies a location within the microprocessor holding the key values with which said updating is performed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VIA Technologies Incorporated (VIA Technologies)
Original Assignee
VIA Technologies Incorporated (VIA Technologies)
Inventors
Henry, G. Glenn, Parks, Terry, Bean, Brent, Crispin, Thomas A.
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US13/091,547
Publication Number

US 20110296202A1
Time in Patent Office

1,090 Days
Field of Search

713/190
US Class Current

713/190
CPC Class Codes

G06F 12/0875   with dedicated cache, e.g. ...

G06F 21/52   during program execution, e...

G06F 21/54   by adding security routines...

G06F 21/602   Providing cryptographic fac...

G06F 21/71   to assure secure computing ...

G06F 21/72   in cryptographic circuits

G06F 2212/402   Encrypted data

G06F 2212/452   Instruction code

G06F 2221/2107   File encryption

G06F 9/30003   Arrangements for executing ...

G06F 9/30058   Conditional branch instruct...

G06F 9/30079   Pipeline control instructio...

G06F 9/30178   of compressed or encrypted ...

G06F 9/30189   according to execution mode...

H04L 2209/12   Details relating to cryptog...

H04L 2209/20   Manipulating the length of ...

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/0827   involving distinctive inter...

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894 : Escrow, recovery or storing...

View All

Switch key instruction in a microprocessor that fetches and decrypts encrypted instructions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

46 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Switch key instruction in a microprocessor that fetches and decrypts encrypted instructions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links