System and method for efficient security domain translation and data transfer
First Claim
1. A method of transferring encrypted data from an external source to an external destination, by a processor selectively operated in either a secure mode or a non-secure mode comprising:
- in a secure mode,
  - managing cryptographic keys for first and second security domains; and
  - initializing a first secure Direct Memory Access (DMA) transfer into secure memory and a second secure DMA transfer from secure memory; and
- in a non-secure mode,
  - receiving data encrypted in a first security domain from the external source;
  - executing the first secure DMA transfer to move the encrypted data to a secure cryptographic module and clear text data to the secure memory;
  - executing the second secure DMA transfer to move clear text data from the secure memory to the secure cryptographic module; and
  - transferring data encrypted in the second security domain to the external destination.
Abstract
A mobile UE includes a CPU, a secure DMA module, a secure cryptographic module, secure memory, and non-secure memory. The secure cryptographic module and secure memory allow access only by secure processes, including the secure DMA module. The CPU manages cryptographic keys and initializes DMA transfers in secure mode. The CPU executes the DMA transfers in non-secure mode. A first DMA transfer moves data encrypted in a first security domain to the secure cryptographic module, and moves clear text data to the secure memory. A second DMA transfer moves the clear text data to the secure cryptographic module, and data encrypted in a second security domain out of the secure cryptographic module. The data encrypted in the second security domain are transmitted to an external device. The secure memory protects the clear text data from being copied; only encrypted data is accessible by non-secure processes.
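A behavioural model of the flow described in the abstract and in claim 10, added here as an illustration and not taken from the patent. The class `UE`, its method names, the memory labels (`rx`, `clear`, `tx`) and the XOR `toy_cipher` are assumptions of this model.

```python
def toy_cipher(data, key):
    # Stand-in for the secure cryptographic module: repeating-key XOR, so one
    # call both encrypts and decrypts. Not a real cipher (model assumption).
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

class UE:
    def __init__(self):
        self.secure_mode = False
        self.mode_switches = 0
        self.nonsecure_mem = {}         # visible to any process
        self._secure_mem = {}           # secure processes and secure DMA only
        self._keys, self._dma = {}, {}  # crypto-module keys, DMA descriptors

    def set_mode(self, secure):
        self.mode_switches += self.secure_mode != secure
        self.secure_mode = secure

    def _require_secure(self, what):
        if not self.secure_mode:
            raise PermissionError(what + " requires secure mode")

    def load_key(self, domain, key):
        self._require_secure("key management")
        self._keys[domain] = key

    def init_dma(self, n, src, key, dst):
        self._require_secure("DMA initialisation")
        self._dma[n] = (src, key, dst)

    def read_secure(self, name):
        self._require_secure("secure memory read")
        return self._secure_mem[name]

    def run_dma(self, n):
        # Allowed in non-secure mode: the CPU only triggers the transfer; the
        # secure DMA engine moves the data through the crypto module.
        banks = {"ns": self.nonsecure_mem, "s": self._secure_mem}
        (sb, sname), key, (db, dname) = self._dma[n]
        banks[db][dname] = toy_cipher(banks[sb][sname], self._keys[key])

def translate(ue, key1, key2, ciphertext):
    ue.set_mode(True)                   # secure mode: keys and DMA setup only
    ue.load_key("d1", key1); ue.load_key("d2", key2)
    ue.init_dma(1, ("ns", "rx"), "d1", ("s", "clear"))
    ue.init_dma(2, ("s", "clear"), "d2", ("ns", "tx"))
    ue.set_mode(False)                  # everything below runs non-secure
    ue.nonsecure_mem["rx"] = ciphertext
    ue.run_dma(1)                       # domain 1 ciphertext -> clear text in secure memory
    ue.run_dma(2)                       # clear text -> domain 2 ciphertext
    return ue.nonsecure_mem["tx"]
```

After `translate` returns, non-secure memory holds only the two ciphertexts, and the counter records a single entry into and exit from secure mode for the whole translation.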
12 Claims
1. A method of transferring encrypted data from an external source to an external destination, by a processor selectively operated in either a secure mode or a non-secure mode comprising:
- in a secure mode,
  - managing cryptographic keys for first and second security domains; and
  - initializing a first secure Direct Memory Access (DMA) transfer into secure memory and a second secure DMA transfer from secure memory; and
- in a non-secure mode,
  - receiving data encrypted in a first security domain from the external source;
  - executing the first secure DMA transfer to move the encrypted data to a secure cryptographic module and clear text data to the secure memory;
  - executing the second secure DMA transfer to move clear text data from the secure memory to the secure cryptographic module; and
  - transferring data encrypted in the second security domain to the external destination.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A method of efficiently translating encrypted data from a first security domain to a second security domain by a processor selectively operated in either a secure mode or a non-secure mode, while minimizing the required switching between modes, comprising:
- in a secure mode,
  - providing a decryption key operative in the first security domain;
  - providing an encryption key operative in the second security domain;
  - loading the first domain decryption key and second domain encryption key into a secure cryptographic module;
  - initializing a first secure Direct Memory Access (DMA) transfer from non-secure memory to the secure cryptographic module and from the secure cryptographic module to secure memory; and
  - initializing a second secure DMA transfer from secure memory to the secure cryptographic module and from the secure cryptographic module to non-secure memory; and
- in a non-secure mode,
  - receiving data encrypted in a first security domain and storing it in non-secure memory;
  - executing the first secure DMA transfer to decrypt the data from the first security domain;
  - executing the second secure DMA transfer to encrypt the data into the second security domain; and
  - transferring data in the second security domain.

Dependent claims: 11, 12
Specification