Microprocessor having internal secure memory
First Claim
1. An apparatus providing for a secure execution environment, comprising:
- a microprocessor, coupled to a system bus, configured to execute non-secure application programs and a secure application program, wherein said non-secure application programs are accessed from a system memory via said system bus, and wherein said microprocessor is also configured to automatically transition to a degraded mode where only BIOS instructions are allowed to execute in order to allow for user input and the display of messages, said microprocessor comprising:
  - a non-secure memory, configured to store portions of said non-secure application programs for execution by the microprocessor, wherein said non-secure memory is observable and accessible by said non-secure application programs and by system bus resources within said microprocessor;
  - a secure volatile memory, configured to store said secure application program for execution by said microprocessor, wherein said secure volatile memory is isolated from said non-secure application programs and said system bus resources within said microprocessor, and wherein said secure application program is retrieved from a secure non-volatile memory over a private bus, decrypted using a processor unique key, and is written to said secure volatile memory;
  - a cryptographic unit, isolated from said system bus and disposed within execution logic in said microprocessor, configured to employ said processor unique key to decrypt said secure application program; and
  - a processor key register, coupled to said cryptographic unit, configured to store said processor unique key, wherein said processor key register can only be read by said cryptographic unit.
Abstract
An apparatus providing for a secure execution environment. The apparatus includes a microprocessor that is configured to execute non-secure application programs and a secure application program, where the non-secure application programs are accessed from a system memory via a system bus. The microprocessor has a non-secure memory and a secure volatile memory. The non-secure memory is configured to store portions of the non-secure application programs for execution by the microprocessor, where the non-secure memory is observable and accessible by the non-secure application programs and by system bus resources within the microprocessor. The secure volatile memory is configured to store the secure application program for execution by the microprocessor, where the secure volatile memory is isolated from the non-secure application programs and the system bus resources within the microprocessor. The secure application program is decrypted using a processor unique key and is written to the secure volatile memory.
24 Claims
- 1. An apparatus providing for a secure execution environment, comprising: (text identical to the First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
- 9. A microprocessor apparatus, for executing secure code within a secure execution environment, the microprocessor apparatus comprising:
  - a secure non-volatile memory, coupled to a private bus, configured to store a secure application program; and
  - a microprocessor, coupled to said private bus, configured to execute non-secure application programs and said secure application program, wherein said non-secure application programs are accessed from a system memory via a system bus, and wherein said secure application program is accessed from said secure non-volatile memory, and wherein transactions over said private bus are isolated from said system bus and corresponding system bus resources within said microprocessor, and wherein said microprocessor is also configured to automatically transition to a degraded mode where only BIOS instructions are allowed to execute in order to allow for user input and the display of messages, said microprocessor comprising:
    - a non-secure memory, configured to store portions of said non-secure application programs for execution by said microprocessor, wherein said non-secure memory is observable and accessible by said non-secure application programs and by system bus resources within said microprocessor; and
    - a secure volatile memory, configured to store said secure application program for execution by said microprocessor, wherein said secure volatile memory is isolated from said non-secure application programs and said system bus resources within said microprocessor, and wherein said secure application program is retrieved from said secure non-volatile memory, decrypted using a processor unique key, and is written to said secure volatile memory;
    - a cryptographic unit, isolated from said system bus and disposed within execution logic in said microprocessor, configured to employ said processor unique key to decrypt said secure application program; and
    - a processor key register, coupled to said cryptographic unit, configured to store said processor unique key, wherein said processor key register can only be read by said cryptographic unit.
  Dependent claims: 10, 11, 12, 13, 14, 15, 16.
- 17. A method for executing secure code within a secure execution environment, the method comprising:
  - providing a secure non-volatile memory for storage of the secure code;
  - storing the secure code within the secure non-volatile memory via private transactions accomplished over a private bus that is coupled to the secure non-volatile memory; and
  - fetching the secure code from the secure non-volatile memory over the private bus for execution by a microprocessor, and employing a cryptographic unit disposed within the microprocessor to decrypt the secure code using a processor unique key, wherein the processor unique key is stored in a processor key register within the microprocessor, and wherein the processor key register can only be read by the cryptographic unit, and storing the secure code in a secure volatile memory, wherein the secure volatile memory and the cryptographic unit are isolated from non-secure code and system bus resources within the microprocessor, and wherein the microprocessor is also configured to automatically transition to a degraded mode where only BIOS instructions are allowed to execute in order to allow for user input and the display of messages;
  - wherein the private bus is isolated from all system bus resources within the microprocessor and external to the microprocessor, and wherein the private bus is observable and accessible exclusively by secure execution logic within the microprocessor.
  Dependent claims: 18, 19, 20, 21, 22, 23, 24.
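The isolation rules stated in the abstract and in claims 1, 9 and 17 (who may observe the key register, the private-bus non-volatile memory and the secure volatile memory, and the fetch-decrypt-write load path), rendered as an added C model. This is not code from the patent: the agent and region names, the sample encrypted image and the toy XOR standing in for the real cipher are all constructed here.

```c
/* Added example, not from the patent: a C model of the read-access rules the claims
 * describe. Agents, regions, sample contents and the toy XOR "cipher" are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef enum { NONSECURE_APP, SYSTEM_BUS, SECURE_EXEC_LOGIC, CRYPTO_UNIT } agent_t;
typedef enum { NONSECURE_MEM, SECURE_VOLATILE_MEM, SECURE_NVM, PROCESSOR_KEY_REG } region_t;

/* Isolation rules from the claims: non-secure memory is observable by all; secure volatile
 * memory and the private-bus NVM only by secure execution logic and the cryptographic unit;
 * the processor key register only by the cryptographic unit. */
bool access_allowed(agent_t who, region_t what) {
    switch (what) {
    case NONSECURE_MEM:       return true;
    case SECURE_VOLATILE_MEM:
    case SECURE_NVM:          return who == SECURE_EXEC_LOGIC || who == CRYPTO_UNIT;
    case PROCESSOR_KEY_REG:   return who == CRYPTO_UNIT;
    }
    return false;
}

#define PROG_LEN 16
/* Constructed sample state: the NVM image is "SECURE_PROGRAM!" (NUL-terminated) XORed with the key. */
static const uint8_t processor_key_reg[PROG_LEN] = { 0x5a, 0xa5, 0x5a, 0xa5, 0x5a, 0xa5, 0x5a, 0xa5, 0x5a, 0xa5, 0x5a, 0xa5, 0x5a, 0xa5, 0x5a, 0xa5 };
static const uint8_t secure_nvm_image[PROG_LEN]  = { 0x09, 0xe0, 0x19, 0xf0, 0x08, 0xe0, 0x05, 0xf5, 0x08, 0xea, 0x1d, 0xf7, 0x1b, 0xe8, 0x7b, 0xa5 };
static uint8_t nonsecure_mem[PROG_LEN];
static uint8_t secure_volatile_mem[PROG_LEN];

/* A single-byte read mediated by the access rules; returns -1 when the read is denied. */
int read_region(agent_t who, region_t what, size_t off, uint8_t *out) {
    if (off >= PROG_LEN || !access_allowed(who, what)) return -1;
    switch (what) {
    case NONSECURE_MEM:       *out = nonsecure_mem[off];       break;
    case SECURE_VOLATILE_MEM: *out = secure_volatile_mem[off]; break;
    case SECURE_NVM:          *out = secure_nvm_image[off];    break;
    case PROCESSOR_KEY_REG:   *out = processor_key_reg[off];   break;
    }
    return 0;
}

/* The load path in the claims: fetch over the private bus, decrypt inside the cryptographic
 * unit (the only reader of the key), write to secure volatile memory. -1 if denied. */
int load_secure_program(agent_t requester) {
    uint8_t c, k;
    for (size_t i = 0; i < PROG_LEN; i++) {
        if (read_region(requester, SECURE_NVM, i, &c) != 0) return -1;        /* private bus */
        if (read_region(CRYPTO_UNIT, PROCESSOR_KEY_REG, i, &k) != 0) return -1; /* key path */
        secure_volatile_mem[i] = c ^ k;  /* toy XOR stands in for the real decryption */
    }
    return 0;
}
```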
Specification