Microprocessor with secure execution mode and store key instructions
First Claim
Patent Images
1. A microprocessor comprising:
- an instruction-processing pipeline including a fetch unit and an execution unit;
a processor bus;
a cache memory hierarchy; and
a secure memory, inaccessible via the processor bus and not part of the cache memory hierarchy, configured to store cryptographic keys;
wherein the microprocessor is configured to restrict access to the secure memory by preventing a non-privileged program from reading or writing cryptographic key values to or from the secure memory;
wherein the microprocessor is further configured to;
receive a request to switch from a normal execution mode in which encrypted instructions are unable to be executed, into a secure execution mode (SEM), in which they are able to be executed;
conditionally grant the request to switch into the SEM on the basis of whether the request is in the form of an instruction carrying an encrypted parameter, the instruction is part of a privileged program or process, and the encrypted parameter, when decrypted, meets a predetermined criterion for running an encrypted program;
execute an instruction to write a set of one or more cryptographic key values into a secure memory of the microprocessor;
fetch encrypted instructions of the encrypted program from an instruction cache into the fetch unit; and
within the fetch unit, decrypt the encrypted instructions of the encrypted program into plaintext instructions using decryption logic within the instruction-processing pipeline, the decryption logic using cryptographic key values stored in the secure memory, or one or more derivatives thereof, to decrypt the encrypted program; and
execute the plaintext instructions as other encrypted instructions of the encrypted program are fetched, without storing the plaintext instructions prior to their execution and without exposing the plaintext instructions to any non-privileged program or to any resources external to the microprocessor.
1 Assignment
0 Petitions
Accused Products
Abstract
A microprocessor conditionally grants a request to switch from a normal execution mode in which encrypted instructions cannot be executed, into a secure execution mode (SEM). Thereafter, the microprocessor executes a plurality of instructions, including a store-key instruction to write a set of one or more cryptographic key values into a secure memory of the microprocessor. After fetching an encrypted program from an instruction cache, the microprocessor decrypts the encrypted program into plaintext instructions using decryption logic within the microprocessor'"'"'s instruction-processing pipeline.
74 Citations
19 Claims
-
1. A microprocessor comprising:
-
an instruction-processing pipeline including a fetch unit and an execution unit; a processor bus; a cache memory hierarchy; and a secure memory, inaccessible via the processor bus and not part of the cache memory hierarchy, configured to store cryptographic keys; wherein the microprocessor is configured to restrict access to the secure memory by preventing a non-privileged program from reading or writing cryptographic key values to or from the secure memory; wherein the microprocessor is further configured to; receive a request to switch from a normal execution mode in which encrypted instructions are unable to be executed, into a secure execution mode (SEM), in which they are able to be executed; conditionally grant the request to switch into the SEM on the basis of whether the request is in the form of an instruction carrying an encrypted parameter, the instruction is part of a privileged program or process, and the encrypted parameter, when decrypted, meets a predetermined criterion for running an encrypted program; execute an instruction to write a set of one or more cryptographic key values into a secure memory of the microprocessor; fetch encrypted instructions of the encrypted program from an instruction cache into the fetch unit; and within the fetch unit, decrypt the encrypted instructions of the encrypted program into plaintext instructions using decryption logic within the instruction-processing pipeline, the decryption logic using cryptographic key values stored in the secure memory, or one or more derivatives thereof, to decrypt the encrypted program; and execute the plaintext instructions as other encrypted instructions of the encrypted program are fetched, without storing the plaintext instructions prior to their execution and without exposing the plaintext instructions to any non-privileged program or to any resources external to the microprocessor. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A method of securely executing encrypted instructions within a microprocessor, the method comprising:
-
receiving a request to switch from a normal execution mode in which encrypted instructions are unable to be executed, into a secure execution mode (SEM), in which they are able to be executed; conditionally granting the request to switch into the SEM on the basis of whether the request is in the form of an instruction carrying an encrypted parameter, the instruction is part of a privileged program or process, and the encrypted parameter, when decrypted, meets a predetermined criterion for running an encrypted program; executing an instruction to write a set of cryptographic key values into a secure memory of the microprocessor, wherein the secure memory is inaccessible from a processor bus of the microprocessor and is not part of a cache memory hierarchy, and wherein the non-privileged program is unable to read or write cryptographic key values from or to the secure memory; fetching encrypted instructions of the encrypted program from an instruction cache into a fetch unit of an instruction processing pipeline; and decrypting the encrypted instructions of the encrypted program into plaintext instructions using decryption logic within the instruction-processing pipeline, and using one or more sets of one or more cryptographic key values stored in the secure memory, or one or more derivatives thereof, to decrypt the encrypted program; and executing the plaintext instructions as other encrypted instructions of the encrypted program are fetched, without storing the plaintext instructions prior to their execution and without exposing the plaintext instructions to any non-privileged program or to any resources external to the microprocessor. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. A computer program product encoded in at least one non-transitory computer usable medium for use with a computing device, the computer program product comprising:
computer usable program code embodied in said medium, for specifying a microprocessor, the computer usable program code comprising; first program code for specifying an instruction-processing pipeline including a fetch unit and an execution unit; second program code for specifying a processor bus; third program code for specifying a cache memory hierarchy; fourth program code for specifying a secure memory, inaccessible via the processor bus and not part of the cache memory hierarchy, configured to store cryptographic keys; fifth program code for specifying a configuration of the microprocessor to restrict access to the secure memory by preventing a non-privileged program from reading or writing cryptographic key values to or from the secure memory; sixth program code for specifying a configuration of the microprocessor to receive a request to switch from a normal execution mode in which encrypted instructions are unable to be executed, into a secure execution mode (SEM), in which they are able to be executed; seventh program code for specifying a configuration of the microprocessor to conditionally grant the request to switch into the SEM on the basis of whether the request is in the form of an instruction carrying an encrypted parameter, the instruction is part of a privileged program or process, and the encrypted parameter, when decrypted, meets a predetermined criterion for running an encrypted program; eighth program code for specifying one or more execution units to execute an instruction to write a set of one or more cryptographic key values into a secure memory of the microprocessor; ninth program code for specifying a configuration of the fetch unit to fetch encrypted instructions of the encrypted program from an instruction cache into the fetch unit; and tenth program code for specifying decryption logic with in the fetch unit to decrypt the encrypted instructions of the encrypted program into plaintext instructions, the decryption logic using one or more sets of one or more cryptographic key values stored in the secure memory, or one or more derivatives thereof, to decrypt the encrypted program; and eleventh program code for specifying a configuration of the microprocessor to execute the plaintext instructions as other encrypted instructions of the encrypted program are fetched, without storing the plaintext instructions prior to their execution and without exposing the plaintext instructions to any non-privileged program or to any resources external to the microprocessor.
Specification