Methods of on-chip memory partitioning and secure access violation checking in a system-on-chip

US 8,745,724 B2
Filed: 12/30/2011
Issued: 06/03/2014
Est. Priority Date: 08/17/2011
Status: Active Grant

First Claim

Patent Images

1. A device having on-chip secure access violation checking, comprising:

a plurality of slave components;

a plurality of master components, wherein each master component is configured to send an access request to a slave component in the plurality of slave components;

a decoder coupled to a first set of slave components, configured to;

determine whether a request from a master component in the plurality of master components for a slave component in the first set of slave components is a valid request, andcommunicate a response based on the determination; and

a plurality of secure trap modules, each of the secure trap modules coupled to a different master component in the plurality of master components, each secure trap module configured to;

log a request from an associated master component for a slave component,monitor for a response from the slave component to the request, andgenerate an interrupt when the response indicates a security violation.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for partitioning memory into multiple secure and open regions are provided. The systems enable the security level of a given region to be determined without an increase in the time needed to determine the security level. Also, systems and methods for identifying secure access violations are disclosed. A secure trap module is provided for master devices in a system-on-chip. The secure trap module generates an interrupt when an access request for a transaction generates a security error.

9 Citations

View as Search Results

20 Claims

1. A device having on-chip secure access violation checking, comprising:
- a plurality of slave components;
  
  a plurality of master components, wherein each master component is configured to send an access request to a slave component in the plurality of slave components;
  
  a decoder coupled to a first set of slave components, configured to;
  
  determine whether a request from a master component in the plurality of master components for a slave component in the first set of slave components is a valid request, andcommunicate a response based on the determination; and
  
  a plurality of secure trap modules, each of the secure trap modules coupled to a different master component in the plurality of master components, each secure trap module configured to;
  
  log a request from an associated master component for a slave component,monitor for a response from the slave component to the request, andgenerate an interrupt when the response indicates a security violation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The device of claim 1, further comprising:
    - a set of security aware slave components coupled to the decoder, each security aware slave component configured to;
      
      determine whether a request from a given master component is a valid request;
      
      generate a response based on the determination; and
      
      communicate the response to the decoder.
  - 3. The device of claim 1, wherein each slave component in the first set of slave components has an associated level of security.
  - 4. The device of claim 3, wherein the associated level of security is locked until a system reset.
  - 5. The device of claim 3, wherein the system supports n levels of security, where n is greater than 1.
  - 6. The device of claim 3, further comprising a register coupled to the decoder configured to store the status of each slave component in the first set of slave components.
  - 7. The device of claim 2, further comprising a register configured to store an identification of the set of security aware slave components.
  - 8. The device of claim 1, further comprising a switch coupled to the plurality of master components and the plurality of secure trap modules.
  - 9. The device of claim 8, further comprising:
    - a slave component coupled to the switch, wherein the slave component is configured to receive an access request from a master component in the plurality of master components, generate a response based on the determination, and communicate the response to the switch.

10. A method for performing secure access checking in a system on chip, comprising:
- transmitting, from a master component, an access request for a slave component;
  
  logging, at a secure trap module coupled to the master component, the access request;
  
  receiving at the secure trap module a response to the request, wherein the response identifies whether the access request for the slave component is valid; and
  
  generating, by the secure trap module, a secure interrupt when the security response identifies that the access request represents a violation.
- View Dependent Claims (11)
- - 11. The method of claim 10, further comprising:
    - transmitting, by the secure trap module, the secure interrupt to a secure master.

12. A system for determining, for a transaction, the validity of an access request for a memory address, comprising:
- a memory partitioned into a plurality of regions, wherein each region is associated with a security level;
  
  a memory partitioning circuit coupled to the memory, including;
  
  a multiplexer, wherein the multiplexer is configured to receive the security level for each region as inputs and a portion of a memory address as control bits and output a security value for a region containing the memory address; and
  
  a verification circuit coupled to the memory partitioning circuit, the verification circuit configured to;
  
  receive the output of the multiplexer,receive a transaction security value for the access request for the memory address, anddetermine whether the access request for the memory address is valid, based on the security value for the region and the transaction security value for the access request for the memory address.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, wherein each memory region has a predetermined size.
  - 14. The system of claim 12, wherein the memory is partitioned into n regions.
  - 15. The system of claim 14, wherein the multiplexer is an n-to-1 multiplexer.
  - 16. The system of claim 12, wherein the security level is n bits, where n is greater than 1.
  - 17. The system of claim 16, further comprising an additional n-1 multiplexers, wherein each of the multiplexers is configured to receive a bit of the security level for each of the plurality of regions.
  - 18. The system of claim 12, wherein the verification circuit is configured to determine whether the access request for the memory address is valid by comparing the transaction security value for the access request for the memory address to the security value for the region.
  - 19. The system of claim 12, wherein the verification circuit is further configured to generate an interrupt when the access request for the memory address is not valid.
  - 20. The system of claim 12, wherein the verification circuit is further configured to block access to the memory when the access request for the memory address is not valid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Kothari, Love
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
WYSZYNSKI, AUBREY H

Application Number

US13/341,787
Publication Number

US 20130047250A1
Time in Patent Office

886 Days
Field of Search

726/16
US Class Current

726/16
CPC Class Codes

G06F 1/26   Power supply means, e.g. re...

G06F 1/32   Means for saving power

G06F 1/3203   Power management, i.e. even...

G06F 1/3228   Monitoring task completion,...

G06F 12/14   Protection against unauthor...

G06F 21/44   Program or device authentic...

H01L 2924/00   Indexing scheme for arrange...

H01L 2924/0002   Not covered by any one of g...

H03K 19/01   Modifications for accelerat...

H03K 2005/00019   Variable delay

H03K 2005/00026   controlled by an analog ele...

H03K 2005/00058   controlled by a digital set...

H03K 3/0315   Ring oscillators

H03K 3/037   Bistable circuits

H03K 3/0375   provided with means for inc...

H03K 5/133   using a chain of active del...

H03L 7/0802   the loop being adapted for ...

H03L 7/097   using a comparator for comp...

H03L 7/0997   Controlling the number of d...

Methods of on-chip memory partitioning and secure access violation checking in a system-on-chip

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods of on-chip memory partitioning and secure access violation checking in a system-on-chip

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links