Microprocessor with on-the-fly switching of decryption keys
First Claim
Patent Images
1. A microprocessor comprising:
- a secure memory configured to store and provide cryptographic keys for use in decrypting encrypted instructions; and
an instruction-processing pipeline configured to fetch instructions from a cache and execute them, the pipeline comprising;
a fetch unit configured to fetch both unencrypted and encrypted instructions of an instruction set architecture (ISA) supported by the microprocessor;
a decryption circuit configured to decrypt encrypted instructions using cryptographic keys received from the secure memory; and
one or more execution units configured to execute instructions or microinstructions translated from instructions;
wherein the ISA includes a store-key instruction to store one or more cryptographic keys into the secure memory, and wherein the microprocessor supports store-key instructions that are encrypted;
wherein when presented with an encrypted store-key instruction, the microprocessor is configured to use a first set of one or more cryptographic keys to decrypt the encrypted store-key instruction, and thereafter execute the decrypted store-key instruction, and thereafter use a second set of one or more cryptographic keys provided by the encrypted store-key instruction to decrypt a subsequent set of one or more encrypted instructions;
the microprocessor enabling an encrypted program to change the sets of cryptographic keys used to decrypt successive sets of the program'"'"'s instructions;
wherein the ISA includes a secure execution mode (SEM) instruction to request a switch from a normal execution mode into the SEM, and wherein the microprocessor is configured to prevent decryption of an encrypted program unless the microprocessor is in the SEM.
1 Assignment
0 Petitions
Accused Products
Abstract
A microprocessor is provided in which an encrypted program can replace the decryption keys that are used to decrypt sections of the encrypted program. The microprocessor may be decrypting and executing a first section of the encrypted program when it encounters, decrypts, and executes an encrypted store-key instruction to store a new set of decryption keys. After executing the store-key instruction, the microprocessor decrypts and executes a subsequent section of the encrypted program using the new set of decryption keys. On-the-fly key switching may occur numerous times with successive encrypted store-key instructions and successive sets of encrypted instructions.
74 Citations
15 Claims
-
1. A microprocessor comprising:
-
a secure memory configured to store and provide cryptographic keys for use in decrypting encrypted instructions; and an instruction-processing pipeline configured to fetch instructions from a cache and execute them, the pipeline comprising; a fetch unit configured to fetch both unencrypted and encrypted instructions of an instruction set architecture (ISA) supported by the microprocessor; a decryption circuit configured to decrypt encrypted instructions using cryptographic keys received from the secure memory; and one or more execution units configured to execute instructions or microinstructions translated from instructions; wherein the ISA includes a store-key instruction to store one or more cryptographic keys into the secure memory, and wherein the microprocessor supports store-key instructions that are encrypted; wherein when presented with an encrypted store-key instruction, the microprocessor is configured to use a first set of one or more cryptographic keys to decrypt the encrypted store-key instruction, and thereafter execute the decrypted store-key instruction, and thereafter use a second set of one or more cryptographic keys provided by the encrypted store-key instruction to decrypt a subsequent set of one or more encrypted instructions;
the microprocessor enabling an encrypted program to change the sets of cryptographic keys used to decrypt successive sets of the program'"'"'s instructions;wherein the ISA includes a secure execution mode (SEM) instruction to request a switch from a normal execution mode into the SEM, and wherein the microprocessor is configured to prevent decryption of an encrypted program unless the microprocessor is in the SEM. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A method of securely executing instructions in a microprocessor, the microprocessor for executing both unencrypted and encrypted instructions of an instruction set architecture (ISA) supported by the microprocessor, the method comprising:
-
storing a first set of one or more cryptographic keys for decrypting encrypted instructions into a secure memory; fetching a first set of encrypted instructions; decrypting the first set of encrypted instructions using the first set of one or more cryptographic keys; fetching an encrypted store-key instruction to store a second set of one or more cryptographic keys for decrypting encrypted instructions into a secure memory; decrypting the encrypted store-key instruction using the first set of one or more cryptographic keys; executing the decrypted store-key instruction by storing the second set of one or more cryptographic keys into the secure memory; fetching a second set of encrypted instructions; and decrypting the second set of encrypted instructions using the second set of one or more cryptographic keys; wherein the ISA includes a store-key instruction to store one or more cryptographic keys into the secure memory, and wherein the microprocessor supports store-key instructions that are encrypted; wherein when presented with an encrypted store-key instruction, the microprocessor is configured to use a first set of one or more cryptographic keys to decrypt the encrypted store-key instruction, and thereafter execute the decrypted store-key instruction, and thereafter use a second set of one or more cryptographic keys provided by the encrypted store-key instruction to decrypt a subsequent set of one or more encrypted instructions, the microprocessor thereby enabling an encrypted program to change the sets of cryptographic keys used to decrypt successive sets of the program'"'"'s instructions; and wherein the ISA includes a secure execution mode (SEM) instruction to request a switch from a normal execution mode into the SEM, and wherein the microprocessor is configured to prevent decryption of an encrypted program unless the microprocessor is in the SEM. - View Dependent Claims (11, 12, 13, 14)
-
-
15. A computer program product encoded in at least one non-transitory computer usable medium for use with a computing device, the computer program product comprising:
-
computer usable program code embodied in said medium, for specifying a microprocessor, the microprocessor for executing both unencrypted and encrypted instructions of an instruction set architecture (ISA) supported by the microprocessor, the computer usable program code comprising; first program code for specifying a secure memory configured to store and provide cryptographic keys for use in decrypting encrypted instructions; and second program code for specifying an instruction-processing pipeline configured to fetch instructions from a cache and execute them, the pipeline comprising; third program code for specifying a fetch unit configured to fetch both unencrypted and encrypted instructions of an instruction set architecture (ISA) supported by the microprocessor, wherein the ISA includes an store-key instruction to store one or more cryptographic keys into the secure memory, and wherein the microprocessor supports store-key instructions that are encrypted; fourth program code for specifying a decryption circuit configured to decrypt encrypted instructions using cryptographic keys received from the secure memory; and fifth program code for specifying one or more execution units configured to execute instructions or microinstructions translated from instructions; and sixth program code for specifying a configuration of the microprocessor to respond to an encrypted store-key instruction by using a first set of one or more cryptographic keys to decrypt the encrypted store-key instruction, and thereafter executing the decrypted store-key instruction, and thereafter using a second set of one or more cryptographic keys provided by the encrypted store-key instruction to decrypt a subsequent set of one or more encrypted instructions; wherein the ISA includes a store-key instruction to store one or more cryptographic keys into the secure memory, and wherein the microprocessor supports store-key instructions that are encrypted; and wherein when presented with an encrypted store-key instruction, the microprocessor is configured to use a first set of one or more cryptographic keys to decrypt the encrypted store-key instruction, and thereafter execute the decrypted store-key instruction, and thereafter use a second set of one or more cryptographic keys provided by the encrypted store-key instruction to decrypt a subsequent set of one or more encrypted instructions, the microprocessor thereby enabling an encrypted program to change the sets of cryptographic keys used to decrypt successive sets of the program'"'"'s instructions; and wherein the ISA includes a secure execution mode (SEM) instruction to request a switch from a normal execution mode into the SEM, and wherein the microprocessor is configured to prevent decryption of an encrypted program unless the microprocessor is in the SEM.
-
Specification