On-die cryptographic apparatus in a secure microprocessor
First Claim
1. An apparatus providing for a secure execution environment, comprising:
- a secure non-volatile memory, configured to store a secure application program, wherein said secure application program is encrypted according to a symmetric key algorithm; and
- a microprocessor, coupled to said secure non-volatile memory via a private bus and to a system memory via a system bus, configured to execute non-secure application programs and said secure application program, wherein said non-secure application programs are accessed from said system memory via said system bus, and wherein transactions over said private bus between said microprocessor and said secure non-volatile memory are isolated from said system bus and corresponding system bus resources within said microprocessor, said microprocessor comprising:
  - a cryptographic unit, disposed within execution logic, configured to employ an authorized public key to decrypt an enable parameter according to an asymmetric key algorithm, said enable parameter having been encrypted according to said asymmetric key algorithm using a corresponding authorized private key, and configured to encrypt said secure application program for storage in said secure non-volatile memory, wherein said secure application program is encrypted in said system memory according to said asymmetric key algorithm, and wherein, upon enablement of a secure execution mode, said cryptographic unit is employed to decrypt said secure application program and to encrypt said secure application program according to said symmetric key algorithm and transfer said secure application program to said secure non-volatile memory over said private bus; and
  - a processor key register, coupled to said cryptographic unit, configured to store a cryptographic key that is unique to said microprocessor, wherein said cryptographic key is programmed into said processor key register during fabrication of said microprocessor, and wherein said cryptographic key is employed to encrypt said secure application program for storage into said secure non-volatile memory, and wherein said processor key register can only be read by said cryptographic unit.
Abstract
An apparatus providing for a secure execution environment, including a secure non-volatile memory and a microprocessor. The secure non-volatile memory stores a secure application program. The secure application program is encrypted according to a cryptographic algorithm. The microprocessor is coupled to the secure non-volatile memory via a private bus and to a system memory via a system bus. The microprocessor executes non-secure application programs and the secure application program. The non-secure application programs are accessed from the system memory via the system bus. Transactions over the private bus are isolated from the system bus and corresponding system bus resources within the microprocessor. The microprocessor has a cryptographic unit, disposed within execution logic. The cryptographic unit is configured to encrypt the secure application program for storage in the secure non-volatile memory, and is configured to decrypt the secure application program for execution by the microprocessor.
Claims (21)

1. (Reproduced above under First Claim; dependent claims 2 to 7 are not shown.)
8. A microprocessor apparatus, for executing secure code within a secure execution environment, the microprocessor apparatus comprising:
- a secure non-volatile memory, configured to store a secure application program, wherein said secure application program is encrypted according to a symmetric key algorithm; and
- a microprocessor, coupled to said secure non-volatile memory via a private bus and to a system memory via a system bus, configured to execute non-secure application programs and said secure application program, said microprocessor comprising:
  - a bus interface unit, configured to accomplish system bus transactions over said system bus to access said non-secure applications in system memory;
  - a secure non-volatile memory interface unit, configured to couple said microprocessor to said secure non-volatile memory via a private bus, wherein private bus transactions over said private bus to access said secure non-volatile memory are hidden from observation by system bus resources within said microprocessor and to any device coupled to said system bus;
  - a cryptographic unit, disposed within execution logic and coupled to said secure non-volatile memory interface unit, configured to employ an authorized public key to decrypt an enable parameter according to an asymmetric key algorithm, said enable parameter having been encrypted according to said asymmetric key algorithm using a corresponding authorized private key, and configured to encrypt said secure application program for storage in said secure non-volatile memory, wherein said secure application program is encrypted in said system memory according to an asymmetric key algorithm, and wherein, upon enablement of said secure execution mode, said cryptographic unit is employed to decrypt said secure application program and to encrypt said secure application program according to said symmetric key algorithm and transfer said secure application program to said secure non-volatile memory over said private bus; and
  - a processor key register, coupled to said cryptographic unit, configured to store a cryptographic key that is unique to said microprocessor, wherein said cryptographic key is programmed into said processor key register during fabrication of said microprocessor, and wherein said cryptographic key is employed to encrypt said secure application program for storage into said secure non-volatile memory, and wherein said processor key register can only be read by said cryptographic unit.

(Dependent claims 9 to 14 are not shown.)
15. A method for executing secure code within a secure execution environment, the method comprising:
- coupling a secure non-volatile memory to a microprocessor via a private bus for storage of the secure code, wherein the private bus is isolated from all system bus resources within the microprocessor and external to the microprocessor;
- via a cryptographic unit disposed within the microprocessor, employing an authorized public key to decrypt an enable parameter according to an asymmetric key algorithm, the enable parameter having been encrypted according to the asymmetric key algorithm using a corresponding authorized private key, and encrypting the secure application program, said encrypting comprising:
  - enabling a secure execution mode;
  - retrieving the secure code from system memory, wherein the secure code is encrypted according to the asymmetric key algorithm;
  - decrypting the secure code;
  - accessing a processor key register, coupled to said cryptographic unit, configured to store a cryptographic key that is unique to the microprocessor, wherein the processor key register can only be read by the cryptographic unit; and
  - employing the cryptographic key to encrypt the secure code according to a symmetric key algorithm; and
- storing the secure code within the secure non-volatile memory via private transactions accomplished over the private bus, wherein the private bus is observable and accessible exclusively by secure execution logic within the microprocessor.

(Dependent claims 16 to 21 are not shown.)
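The provisioning sequence of claim 15 (enable parameter recovered under the authorized public key, program decrypted from its system-memory form, re-encrypted under the chip-unique key and written out to secure non-volatile memory), as an added Python model; this is a constructed illustration, not the patent's or any vendor's code. It assumes textbook RSA with both the enable parameter and the program encrypted under the authorized private key, a SHA-256 keystream standing in for the symmetric algorithm, and a constructed ENABLE_PARAMETER value; the names below are the model's own.

```python
import hashlib

# Constructed model of the claimed flow (not the patent's or any vendor's code).
# Asymmetric algorithm: textbook RSA over two Mersenne primes, for illustration only.
P, Q = 2**61 - 1, 2**31 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # authorized private key (vendor side only)
AUTHORIZED_PUBLIC_KEY = (N, E)          # held by the cryptographic unit
ENABLE_PARAMETER = 0x5EC0DE             # constructed value the unit expects to recover

def rsa_apply(x: int, key: tuple) -> int:
    n, k = key
    return pow(x, k, n)

def sym_crypt(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for the symmetric algorithm: SHA-256 counter keystream XOR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def vendor_package(program: bytes) -> tuple:
    """Vendor side: enable parameter and program, both under the authorized private key."""
    padded = program + b"\x80" + b"\x00" * (7 - len(program) % 8)   # 0x80 00.. padding
    blocks = [rsa_apply(int.from_bytes(padded[i:i + 8], "big"), (N, D))
              for i in range(0, len(padded), 8)]
    return rsa_apply(ENABLE_PARAMETER, (N, D)), blocks

class CryptographicUnit:
    """On-die unit; the processor key register is readable only inside this class."""
    def __init__(self, fabrication_key: bytes):
        self.__key_register = fabrication_key   # programmed at fabrication, never exported
        self.secure_mode = False

    def enable(self, enable_param_ct: int, public_key: tuple) -> bool:
        # Recover the enable parameter with the authorized public key; gate the mode on it.
        self.secure_mode = rsa_apply(enable_param_ct, public_key) == ENABLE_PARAMETER
        return self.secure_mode

    def provision(self, system_memory_image: list, public_key: tuple) -> bytes:
        """System memory image -> asymmetric decrypt -> symmetric re-encrypt -> secure NVM."""
        if not self.secure_mode:
            raise PermissionError("secure execution mode not enabled")
        padded = b"".join(rsa_apply(c, public_key).to_bytes(8, "big")
                          for c in system_memory_image)
        program = padded.rstrip(b"\x00")[:-1]   # strip the 0x80 00.. padding
        return sym_crypt(self.__key_register, program)   # written over the private bus

    def load(self, nvm_image: bytes) -> bytes:
        """Read back from secure NVM and decrypt under the chip-unique key for execution."""
        return sym_crypt(self.__key_register, nvm_image)
```

The same secure NVM image fed to a second unit with a different fabrication key does not decrypt to the program, which is the binding of the stored program to one microprocessor that the claim relies on.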