Managing use of a field programmable gate array with isolated components

US 9,230,091 B2
Filed: 06/20/2012
Issued: 01/05/2016
Est. Priority Date: 06/20/2012
Status: Active Grant

First Claim

Patent Images

1. A field programmable gate array (FPGA), comprising:

a plurality of programmable elements; and

isolated FPGA elements enabling secure communication by the field programmable gate array with other components in a computer system, the isolated FPGA elements comprising a first memory and a second memory, the first memory being enabled to receive encrypted data from outside the FPGA and the second memory being isolated during operation from components outside the FPGA and enabled to store data decrypted within the FPGA.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Field programmable gate arrays can be used as a shared programmable co-processor resource in a general purpose computing system. Components of an FPGA are isolated to protect the FPGA and data transferred between the FPGA and other components of the computer system. For example, data written by the FPGA to memory is encrypted, and is decrypted within the FPGA when read back from memory. Data transferred between the FPGA and other components such as the CPU or GPU, whether directly or through memory, can similarly be encrypted using cryptographic keys known to the communicating components. Transferred data also can be digitally signed by the FPGA or other component to provide authentication. Code for programming the FPGA can be encrypted and signed by the author, loaded into the FPGA in an encrypted state, and then decrypted and authenticated by the FPGA itself, before programming the FPGA with the code.

Citations

19 Claims

1. A field programmable gate array (FPGA), comprising:
- a plurality of programmable elements; and
  
  isolated FPGA elements enabling secure communication by the field programmable gate array with other components in a computer system, the isolated FPGA elements comprising a first memory and a second memory, the first memory being enabled to receive encrypted data from outside the FPGA and the second memory being isolated during operation from components outside the FPGA and enabled to store data decrypted within the FPGA.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The field programmable gate array of claim 1, wherein the isolated FPGA elements comprises a mutual authentication and encryption key module enabling encryption and authentication of data communicated between the FPGA and other components of the computer system.
  - 3. The field programmable gate array of claim 2, wherein the mutual authentication and encryption key module comprises a program loading section comprising:
    - the first memory enabled to receive input data including encrypted program logic and at least one encrypted key;
      
      a first decryption module having inputs to receive the encrypted key, a public key corresponding to a sender of the encrypted key, and a private key associated with the FPGA, and having an output providing a decrypted key;
      
      a second decryption module having inputs to receive the decrypted key from the first decryption module and the encrypted program logic from the memory, and having an output providing decrypted program logic;
      
      the second memory enabled to receive and store the decrypted program logic; and
      
      control circuitry for using the decrypted program logic from the second memory to program the programmable elements of the FPGA.
  - 4. The field programmable gate array of claim 1, wherein the isolated FPGA elements comprises:
    - a memory access channel, comprising;
      
      an encryption module having inputs to receive data from the processing elements of the FPGA and outputs providing encrypted data to a memory; and
      
      a decryption module having inputs to receive data from the memory and outputs providing decrypted data to the processing elements within the FPGA.
  - 5. The field programmable gate array of claim 1, wherein the isolated FPGA elements comprises:
    - a communication channel access module, comprising;
      
      an encryption module having inputs to receive data from the processing elements of the FPGA and outputs providing encrypted data to a communication channel; and
      
      a decryption module having inputs to receive data from the communication channel and outputs providing decrypted data to the processing elements within the FPGA.
  - 6. The field programmable gate array of claim 1, wherein the isolated FPGA elements comprises isolated registers, comprising:
    - an encryption module having inputs to receive data from the processing elements of the FPGA and outputs providing encrypted data to a register within the FPGA; and
      
      an input module having an input for receiving a request for data from the register and an output providing the encrypted data from the register;
      
      a decryption module having inputs to receive data from the register and outputs providing decrypted data to the processing elements within the FPGA.

7. A method for programming a field programmable gate array (FPGA), comprising:
- receiving encrypted program logic into a first memory within the FPGA;
  
  decrypting the encrypted program logic using a decryption module within the FPGA into a second memory within the FPGA, the second memory being isolated during operation within the FPGA from components outside the FPGA; and
  
  programming the FPGA using the decrypted program logic.
- View Dependent Claims (8, 9, 10)
- - 8. The method of claim 7, further comprising:
    - receiving an encrypted key for the encrypted program logic into the first memory;
      
      decrypting the encrypted key within the field programmable gate array;
      
      storing the decrypted key in an isolated memory within the FPGA; and
      
      using the decrypted key in the decrypting of the encrypted program logic.
  - 9. The method of claim 8, wherein the encrypted key is encrypted using a public key for the field programmable gate array and a private key for a provider of the encrypted program logic.
  - 10. The method of claim 9, wherein the encrypted program logic is encrypted using a symmetric key.

11. In a computer system, a process comprising:
- establishing a mutually-authenticated and encrypted secure channel between a field programmable gate array (FPGA) and a computer component, wherein unencrypted data is stored in an isolated memory within the FPGA which is isolated during operation from components outside the FPGA and inaccessible to the computer component; and
  
  sending data to the computer component securely over the mutually-authenticated and encrypted secure channel.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The process of claim 11, wherein the FPGA includes a second memory, and wherein sending the data securely comprises:
    - the field programmable gate array encrypting the data stored in the isolated memory and storing the encrypted data in the second memory; and
      
      the computer component reading the encrypted data from the second memory and decrypting the data within the computer component.
  - 13. The process of claim 12, wherein the computer component is a central processing unit.
  - 14. The process of claim 12, wherein the computer component is a trusted platform module component.
  - 15. The process of claim 12, wherein the computer component is a storage device.
  - 16. The process of claim 12, wherein the computer component is another computing device with its own field programmable gate array.
  - 17. The process of claim 11, wherein sending the data securely comprises:
    - the field programmable gate array encrypting the data using a public key for the computer component and a private key of the field programmable gate array and sending the encrypted data to the computer component; and
      
      the computer component receiving and decrypting the data within the computer component using a public key for the field programmable gate array and a private key of the computer component.
  - 18. The process of claim 17, wherein the encrypted data includes at least one shared secret.
  - 19. The process of claim 18, further comprising securely sending additional data between the field programmable gate array and the computer component by encrypting and decrypting the additional data using the at least one shared secret.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
LaMacchia, Brian A., Nightingale, Edmund B., Barham, Paul
Primary Examiner(s)
POWERS, WILLIAM S

Application Number

US13/528,400
Publication Number

US 20130346758A1
Time in Patent Office

1,294 Days
Field of Search

713/190
US Class Current

1/1
CPC Class Codes

G06F 21/445   by mutual authentication, e...

G06F 21/76   in application-specific int...

G06F 21/85   interconnection devices, e....

Managing use of a field programmable gate array with isolated components

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Managing use of a field programmable gate array with isolated components

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links