Microprocessor with secure execution mode and store key instructions

US 9,798,898 B2
Filed: 10/15/2015
Issued: 10/24/2017
Est. Priority Date: 05/25/2010
Status: Active Grant

First Claim

Patent Images

1. A microprocessor comprising:

an instruction-processing pipeline including a fetch unit and an execution unit;

a processor bus;

a cache memory hierarchy; and

a secure memory, inaccessible via the processor bus and not part of the cache memory hierarchy, configured to store cryptographic keys;

wherein the microprocessor is configured to restrict access to the secure memory by preventing a non-privileged program from reading or writing cryptographic key values to or from the secure memory;

wherein the microprocessor is further configured to;

receive a request to switch from a normal execution mode in which encrypted instructions are unable to be executed, into a secure execution mode (SEM), in which they are able to be executed;

conditionally grant the request to switch into the SEM on the basis of whether the request is in the form of an instruction carrying an encrypted parameter, the instruction is part of a privileged program or process, and the encrypted parameter, when decrypted, meets a predetermined criterion for running an encrypted program;

execute an instruction to write a set of one or more cryptographic key values into a secure memory of the microprocessor;

fetch encrypted instructions of the encrypted program from an instruction cache into the fetch unit; and

within the fetch unit, decrypt the encrypted instructions of the encrypted program into plaintext instructions using decryption logic within the instruction-processing pipeline, the decryption logic using cryptographic key values stored in the secure memory, or one or more derivatives thereof, to decrypt the encrypted program; and

execute the plaintext instructions as other encrypted instructions of the encrypted program are fetched, without storing the plaintext instructions prior to their execution and without exposing the plaintext instructions to any non-privileged program or to any resources external to the microprocessor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A microprocessor conditionally grants a request to switch from a normal execution mode in which encrypted instructions cannot be executed, into a secure execution mode (SEM). Thereafter, the microprocessor executes a plurality of instructions, including a store-key instruction to write a set of one or more cryptographic key values into a secure memory of the microprocessor. After fetching an encrypted program from an instruction cache, the microprocessor decrypts the encrypted program into plaintext instructions using decryption logic within the microprocessor'"'"'s instruction-processing pipeline.

74 Citations

View as Search Results

19 Claims

1. A microprocessor comprising:
- an instruction-processing pipeline including a fetch unit and an execution unit;
  
  a processor bus;
  
  a cache memory hierarchy; and
  
  a secure memory, inaccessible via the processor bus and not part of the cache memory hierarchy, configured to store cryptographic keys;
  
  wherein the microprocessor is configured to restrict access to the secure memory by preventing a non-privileged program from reading or writing cryptographic key values to or from the secure memory;
  
  wherein the microprocessor is further configured to;
  
  receive a request to switch from a normal execution mode in which encrypted instructions are unable to be executed, into a secure execution mode (SEM), in which they are able to be executed;
  
  conditionally grant the request to switch into the SEM on the basis of whether the request is in the form of an instruction carrying an encrypted parameter, the instruction is part of a privileged program or process, and the encrypted parameter, when decrypted, meets a predetermined criterion for running an encrypted program;
  
  execute an instruction to write a set of one or more cryptographic key values into a secure memory of the microprocessor;
  
  fetch encrypted instructions of the encrypted program from an instruction cache into the fetch unit; and
  
  within the fetch unit, decrypt the encrypted instructions of the encrypted program into plaintext instructions using decryption logic within the instruction-processing pipeline, the decryption logic using cryptographic key values stored in the secure memory, or one or more derivatives thereof, to decrypt the encrypted program; and
  
  execute the plaintext instructions as other encrypted instructions of the encrypted program are fetched, without storing the plaintext instructions prior to their execution and without exposing the plaintext instructions to any non-privileged program or to any resources external to the microprocessor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The microprocessor of claim 1, wherein the microprocessor is configured to decrypt successive sections of the encrypted program using sets of one or more cryptographic key values, or derivatives thereof, that are selected from the secure memory according to addresses at which the successive sections of the encrypted program are stored.
  - 3. The microprocessor of claim 1, wherein the encrypted parameter and encrypted program are encrypted using distinct cryptographic mechanisms.
  - 4. The microprocessor of claim 3 wherein successive sections of the encrypted program are encrypted according to addresses at which the successive sections of the encrypted program are stored.
  - 5. The microprocessor of claim 1, wherein the microprocessor is configured to execute an instruction to write cryptographic key values to the secure memory using an immediate data field of the instruction.
  - 6. The microprocessor of claim 1, wherein the secure memory is configured to receive cryptographic key values through an encrypted channel.
  - 7. The microprocessor of claim 1, wherein the microprocessor comprises SEM exception handling logic and SEM interrupt handling logic that are inaccessible to programs running in normal execution mode, and the microprocessor is configured to use the SEM exception handling logic and SEM interrupt handling logic when operating in the SEM.
  - 8. The microprocessor of claim 1, wherein the microprocessor is configured to prevent decryption of encrypted instructions unless the microprocessor is in the SEM.
  - 9. The microprocessor of claim 1, wherein the microprocessor is configured to prevent decryption of encrypted instructions unless the microprocessor is operating in the system management mode of the x86 architecture.

10. A method of securely executing encrypted instructions within a microprocessor, the method comprising:
- receiving a request to switch from a normal execution mode in which encrypted instructions are unable to be executed, into a secure execution mode (SEM), in which they are able to be executed;
  
  conditionally granting the request to switch into the SEM on the basis of whether the request is in the form of an instruction carrying an encrypted parameter, the instruction is part of a privileged program or process, and the encrypted parameter, when decrypted, meets a predetermined criterion for running an encrypted program;
  
  executing an instruction to write a set of cryptographic key values into a secure memory of the microprocessor, wherein the secure memory is inaccessible from a processor bus of the microprocessor and is not part of a cache memory hierarchy, and wherein the non-privileged program is unable to read or write cryptographic key values from or to the secure memory;
  
  fetching encrypted instructions of the encrypted program from an instruction cache into a fetch unit of an instruction processing pipeline; and
  
  decrypting the encrypted instructions of the encrypted program into plaintext instructions using decryption logic within the instruction-processing pipeline, and using one or more sets of one or more cryptographic key values stored in the secure memory, or one or more derivatives thereof, to decrypt the encrypted program; and
  
  executing the plaintext instructions as other encrypted instructions of the encrypted program are fetched, without storing the plaintext instructions prior to their execution and without exposing the plaintext instructions to any non-privileged program or to any resources external to the microprocessor.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, further comprising:
    - selecting successive sets of one or more cryptographic key values with which to decrypt the encrypted program according to addresses at which successive sections of the encrypted program are stored; and
      
      decrypting successive sections of the encrypted program using the selected sets.
  - 12. The method of claim 10, further comprising encrypting the encrypted parameter and the encrypted program using distinct cryptographic mechanisms.
  - 13. The method of claim 12, further comprising encrypting successive sections of the encrypted program according to addresses at which the successive sections of the encrypted program are stored.
  - 14. The method of claim 10, wherein the instruction to write cryptographic key values to the secure memory stores the cryptographic key values in an immediate data field of the instruction.
  - 15. The method of claim 10, further comprising receiving cryptographic key values through an encrypted channel.
  - 16. The method of claim 10, further comprising using SEM exception handling logic and SEM interrupt handling logic that are inaccessible to programs running in normal execution mode to handle interrupts and exceptions while operating in the SEM.
  - 17. The method of claim 10, further comprising preventing decryption of encrypted instructions unless the microprocessor is in the SEM.
  - 18. The method of claim 10, further comprising preventing decryption of encrypted instructions unless the microprocessor is operating in the system management mode of the x86 architecture.

19. A computer program product encoded in at least one non-transitory computer usable medium for use with a computing device, the computer program product comprising:
- computer usable program code embodied in said medium, for specifying a microprocessor, the computer usable program code comprising;
  
  first program code for specifying an instruction-processing pipeline including a fetch unit and an execution unit;
  
  second program code for specifying a processor bus;
  
  third program code for specifying a cache memory hierarchy;
  
  fourth program code for specifying a secure memory, inaccessible via the processor bus and not part of the cache memory hierarchy, configured to store cryptographic keys;
  
  fifth program code for specifying a configuration of the microprocessor to restrict access to the secure memory by preventing a non-privileged program from reading or writing cryptographic key values to or from the secure memory;
  
  sixth program code for specifying a configuration of the microprocessor to receive a request to switch from a normal execution mode in which encrypted instructions are unable to be executed, into a secure execution mode (SEM), in which they are able to be executed;
  
  seventh program code for specifying a configuration of the microprocessor to conditionally grant the request to switch into the SEM on the basis of whether the request is in the form of an instruction carrying an encrypted parameter, the instruction is part of a privileged program or process, and the encrypted parameter, when decrypted, meets a predetermined criterion for running an encrypted program;
  
  eighth program code for specifying one or more execution units to execute an instruction to write a set of one or more cryptographic key values into a secure memory of the microprocessor;
  
  ninth program code for specifying a configuration of the fetch unit to fetch encrypted instructions of the encrypted program from an instruction cache into the fetch unit; and
  
  tenth program code for specifying decryption logic with in the fetch unit to decrypt the encrypted instructions of the encrypted program into plaintext instructions, the decryption logic using one or more sets of one or more cryptographic key values stored in the secure memory, or one or more derivatives thereof, to decrypt the encrypted program; and
  
  eleventh program code for specifying a configuration of the microprocessor to execute the plaintext instructions as other encrypted instructions of the encrypted program are fetched, without storing the plaintext instructions prior to their execution and without exposing the plaintext instructions to any non-privileged program or to any resources external to the microprocessor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VIA Technologies Incorporated (VIA Technologies)
Original Assignee
VIA Technologies Incorporated (VIA Technologies)
Inventors
Henry, G. Glenn, Parks, Terry, Bean, Brent, Crispin, Thomas A.
Primary Examiner(s)
Rashid, Harunur

Application Number

US14/884,525
Publication Number

US 20160104010A1
Time in Patent Office

740 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/0875   with dedicated cache, e.g. ...

G06F 21/52   during program execution, e...

G06F 21/54   by adding security routines...

G06F 21/602   Providing cryptographic fac...

G06F 21/71   to assure secure computing ...

G06F 21/72   in cryptographic circuits

G06F 21/74   operating in dual or compar...

G06F 2212/402   Encrypted data

G06F 2212/452   Instruction code

G06F 2221/2107   File encryption

G06F 9/30003   Arrangements for executing ...

G06F 9/30079   Pipeline control instructio...

G06F 9/30178   of compressed or encrypted ...

G06F 9/30189   according to execution mode...

H04L 2209/12   Details relating to cryptog...

H04L 2209/20   Manipulating the length of ...

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/0827   involving distinctive inter...

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894 : Escrow, recovery or storing...

View All

Microprocessor with secure execution mode and store key instructions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

74 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Microprocessor with secure execution mode and store key instructions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links