JP2011141888A - Single chip microcomputer - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a technology for improving security when a nonvolatile storage device, which is readable/writable by random access, is mounted as a program/data memory. <P>SOLUTION: A single chip microcomputer (100) includes a CPU (103) which can perform arithmetic processing based on a preset program and a nonvolatile storage device (101) readable/writable by random access by the CPU. The nonvolatile storage device includes, as storage areas, a nonvolatile hold area for storing the program and a nonvolatile hold invalidated area for storing data. A write operation is performed on the nonvolatile hold invalidated area in the storage areas according to a reset signal indicative of a reset state, thereby erasing data in the nonvolatile hold invalidated area. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a microcomputer, and relates to a technique effective for use in, for example, a single chip microcomputer formed on one semiconductor substrate.

  As described in Non-Patent Document 1, for example, a single-chip microcomputer is a program holding ROM (read only memory) and a data holding RAM (random access memory) centered on a central processing unit (CPU). And functional blocks such as an input / output circuit for inputting / outputting data are formed on one semiconductor substrate. Increasing use of a flash memory as a ROM of such a single chip microcomputer is increasing. The contents of the flash memory can be rewritten at any time, and the usability can be improved. The flash memory is a ROM that can be electrically written and erased. Due to its characteristics, the flash memory needs to be written after being erased once. A dedicated program for controlling writing / erasing can be stored in another memory and executed by the CPU (see, for example, Patent Document 1). Thus, since the flash memory cannot perform continuous read / write in an arbitrary address sequence by the CPU, random access is impossible. For these reasons, the flash memory cannot be used as a work data area for the CPU. A RAM is required as the work data area. With this RAM, with the miniaturization of a semiconductor integrated circuit, a holding current, a soft error, and the like become problems. In order to deal with soft errors, an increasing number of examples have error collection logic. A technique is known that uses flash memory to hold data at that time when the power is shut off (see, for example, Patent Document 2). Since the flash memory needs to be written after erasing, and it takes time to write / erase, in order to perform the writing for holding the data at a high speed, Erasing is performed. This prior erasure is also performed after confirming the contents of the flash memory. In other words, erasing is performed as initialization processing by program execution.

  On the other hand, a magnetoresistive random access memory (MRAM) is known as a non-volatile memory typified by a flash memory but having no limit on the number of times of reading and writing (for example, Patent Document 3). 4). The MRAM stores information using a magnetoresistive effect in which the resistance of an element differs depending on the direction of magnetization. The development of magnetic tunnel junction (MTJ) elements, which have a higher magnetoresistance change rate than conventional elements, enables high-speed read / write operations similar to static random access memories (SRAMs), which are as high as DRAMs. It is possible to realize the degree of integration. According to such an MRAM, it is possible to read / write by random access as in the conventional RAM. Moreover, it is not necessary to erase in advance before writing.

JP-A 63-266698 JP 2005-322293 A JP 2002-222589 A JP 2004-86986 A

November 30, 1984, published by Ohmsha "LSI Handbook" P540 and P541

  Since a RAM (NVRAM) that can be held in a nonvolatile manner such as an MRAM can be read and written by random access, it can be used as a program area for a CPU and a work data area. In addition, if data is stored in this NVRAM, the contents of the stored data can be retained even after the power is turned off. Therefore, by installing NVRAM, it is possible to refer to previous data when the power is turned on or reset. Therefore, the program memory and the working memory can be realized by one NVRAM. If only one type of memory is used in this way, hardware resources can be saved and the manufacturing process can be simplified.

  However, when the inventors of the present application have examined the installation of such NVRAM in a microcomputer, it has been found that it is not preferable in terms of security to hold all data in the NVRAM built in the microcomputer. For example, if secret information such as ID information, key information, and information after decryption of encryption is held in a nonvolatile manner, it is considered that the microcomputer can be illegally operated to read the secret information. is there.

  An object of the present invention is to provide a technique for improving security when a nonvolatile memory device (NVRAM) that can be read / written by random access is mounted as a program / data combined memory.

  The above and other objects and novel features of the present invention will become apparent from the description of the present invention and the accompanying drawings.

  The following is a brief description of an outline of typical inventions disclosed in the present application.

  [1] In a microcomputer comprising a CPU that enables arithmetic processing based on a preset program and a nonvolatile memory device that can be read and written by random access by the CPU, the nonvolatile memory device includes An area where nonvolatile retention is invalidated is provided in a part of the storage area.

  According to the above means, since the nonvolatile storage device is provided with an area in which nonvolatile retention is invalidated as a part of the storage area, this area is used for storing data that should be kept secret. As a result, it is possible to prevent the data to be kept secret from being held in the nonvolatile storage device in a nonvolatile manner. This achieves an improvement in security when a nonvolatile storage device that can be read / written by random access is mounted as a program / data combined memory.

  [2] In the above [1], a device that can rewrite stored information without performing an erasing process in advance at the time of writing can be applied to the nonvolatile storage device.

  [3] In the above [1], including a power supply detection unit capable of detecting a power supply voltage level, after the power is turned on, the operation of the nonvolatile memory device is started based on a detection result in the power supply detection unit. Can be configured.

  [4] In the above [1], an operation monitoring unit for monitoring the operation of the CPU is included, and the operation of the nonvolatile memory device is started based on a monitoring result in the operation monitoring unit. be able to.

  [5] In the above [1], the nonvolatile storage device includes a program area capable of storing a program executed by the CPU and a data area capable of storing data used in the program execution by the CPU. In addition, by executing the program in the CPU, data can be written into the data area, and after the nonvolatile retention in at least a part of the storage area in the nonvolatile storage device is invalidated, the CPU executes The read operation may be permitted.

  [6] In the above [1], the operation of invalidating the nonvolatile retention for at least a part of the storage area in the nonvolatile storage device may be a write operation of a predetermined value to the nonvolatile storage device.

[7] In the above [1], the nonvolatile storage device stores a program area capable of storing a program executed by the CPU, a data area capable of storing data used in program execution by the CPU, The CPU can write data to the data area by executing the program on the CPU, and the data area can be read after the CPU writes data to the data area. [8] In the above [1], the non-volatile storage device is arranged in a first address area and a second address area managed by the CPU, and the first address area Only the nonvolatile memory device can be read, and the nonvolatile memory device can be read from the second address area. And light is enabled.

  [9] In the above [1], data to be kept secret can be stored in the area where the nonvolatile holding is invalidated in the nonvolatile memory device.

  [10] In the above [1], in the non-volatile storage device, in the area where the nonvolatile retention is invalidated, the original data to be encrypted, the decrypted data, or the encryption or decryption Information can be stored.

  [11] In the above [6], the write operation for invalidating the nonvolatile retention for at least a part of the storage area in the nonvolatile storage device may be performed separately from the write operation by the program execution of the CPU. it can.

  [12] A CPU that enables arithmetic processing based on a preset program, a non-volatile storage device that can be read / written by random access by the CPU, and at least one of operation start or power-off of the non-volatile storage device The microcomputer can be configured to include a memory controller for invalidating non-volatile retention for a part of the storage areas in the non-volatile storage device.

  Even in such a configuration, since the nonvolatile storage device is provided with an area where nonvolatile retention is invalidated in a part of the storage area, this area is used for storing data that should be kept secret. This prevents the data to be kept secret from being held in the nonvolatile storage device in a nonvolatile manner. This achieves an improvement in security when a nonvolatile storage device that can be read / written by random access is mounted as a program / data combined memory.

  [13] In the above [12], the nonvolatile storage device can rewrite stored information without performing an erasing process in advance at the time of writing.

  [14] In [12], including a reset controller capable of generating a reset signal for returning the CPU and the nonvolatile memory device to an initial state and starting an operation, and the reset controller is supplied to the microcomputer A power supply detection unit for detecting the level of the power supply voltage to be generated, and the reset signal may be formed based on a detection result of the power supply detection unit.

  [15] In the above [12], a reset controller capable of generating a reset signal for returning the nonvolatile memory device to an initial state and starting an operation, and an operation monitoring unit capable of monitoring the operation of the CPU. In addition, the reset controller can be configured to form the reset signal based on the monitoring result of the operation monitoring unit.

  [16] In the above [12], the nonvolatile storage device includes a program area capable of storing a program executed by the CPU, and a data area capable of storing data used in program execution by the CPU. And the execution of the program by the CPU enables data to be written to the data area, and the memory controller invalidates nonvolatile retention for at least a part of the storage area in the nonvolatile storage device. Later, the read operation by the CPU can be permitted.

  [17] In the above [12], the nonvolatile storage device includes a program area capable of storing a program executed by the CPU, and a data area capable of storing data used in program execution by the CPU. And after the data is written into the data area by the CPU, a read operation of the data area is permitted.

  [18] In the above [12], the area in which nonvolatile retention is invalidated in the nonvolatile storage device can be a work area that does not include the CPU exception processing vector.

  [19] In the above [12], the CPU may be configured to store data that should be kept secret in an area where nonvolatile retention is invalidated in the nonvolatile storage device.

  [20] In the above [12], the memory controller includes a write control unit for generating a signal for invalidating nonvolatile holding, and a signal for invalidating nonvolatile holding and reading or writing of the CPU. And a multiplexer for selecting a signal for use.

  [21] In the above [12], the memory controller performs a write operation for invalidating non-volatile retention for at least a part of the storage area in the nonvolatile storage device separately from the write operation by the CPU. For this reason, the light control unit can be configured.

  [22] In a microcomputer including a CPU that enables arithmetic processing based on a preset program and a nonvolatile storage device that can be read and written by random access by the CPU, the nonvolatile storage device is the CPU. A first storage area that includes a program area that can store a program to be executed and a data area that can store data used in program execution by the CPU, and the data area can be held in a nonvolatile manner And a second storage area in which nonvolatile retention is invalidated, and the CPU uses the second storage area as a work area.

  According to the above means, the non-volatile storage device is provided with the second storage area in which the non-volatile retention is invalidated, and this area is used as the work area of the CPU. Even when the power supply is shut off with the power supply, the nonvolatile storage of the second storage area is invalidated, so that reading of work contents to the outside by the CPU can be avoided. This achieves enhanced security.

  [23] In the above [22], at least one of the operation start and the power shutdown of the nonvolatile memory device, a write or rewrite operation is performed on an area where nonvolatile retention in the nonvolatile memory device is invalidated It can be constituted as follows.

  [24] In the above [22], reading from the nonvolatile memory device can be prevented until writing or rewriting to an area where nonvolatile retention of the nonvolatile memory device is invalid is performed. .

  The effects obtained by the representative ones of the inventions disclosed in the present application will be briefly described as follows.

  That is, it is possible to improve security when a nonvolatile memory device (NVRAM) that can be read / written by random access is mounted as a program / data memory.

1 is a block diagram illustrating a configuration example of a microcomputer according to an embodiment of the present invention. It is another example block diagram of the microcomputer. It is a block diagram of a configuration example of NVMC included in the microcomputer. It is another example block diagram of NVMC included in the microcomputer. It is explanatory drawing of the address space managed by CPU contained in the said microcomputer. It is explanatory drawing of the stored data example of NVRAM contained in the said microcomputer. It is state transition explanatory drawing of NVMC contained in the said microcomputer. It is another state transition explanatory drawing of NVMC contained in the said microcomputer. It is an operation | movement timing diagram of the principal part in the said microcomputer. It is another operation | movement timing diagram of the principal part in the said microcomputer. It is another operation | movement timing diagram of the principal part in the said microcomputer. FIG. 5 is an operation timing chart of the microcomputer when the configuration shown in FIG. 4 is adopted. It is a flowchart at the time of reset cancellation | release of CPU contained in the said microcomputer. It is explanatory drawing of the example of application of the said microcomputer. It is a flowchart of the process in the application example shown by FIG.

  FIG. 1 shows a configuration example of a microcomputer according to the present invention.

  A microcomputer 100 shown in FIG. 1 is a single-chip microcomputer, and is not particularly limited, but includes a central processing unit (CPU) 103, a nonvolatile storage device (NVRAM) 101, a memory controller (NVMC) 102, a bus controller (BSC). ) 111, a reset controller (RESC) 113, an interrupt controller (INT) 112, a cryptographic processing function unit 106, and an input / output (I / O) unit 107, such as a single crystal silicon substrate by a known semiconductor integrated circuit manufacturing technique Formed on one semiconductor substrate.

  The I / O unit 107 is a buffer interposed between an internal bus (I bus) and an external bus (EXAB, EXDB), in addition to an input / output port that enables input / output of various signals to / from the outside. (BUF) 108, watchdog timer (WDT) 109 for monitoring the operation of CPU 103, serial communication interface (SCI) 110 enabling serial communication via a serial communication line, and converting an analog signal into a digital signal Various peripheral circuits such as an A / D (analog / digital) converter 122 for the purpose.

  Although not shown, the microcomputer 100 is provided with functional blocks such as a clock oscillator (CPG).

  The CPU 103 includes a control unit 104 and an execution unit 105, and mainly executes instructions fetched from the NVRAM 101. The NVRAM 101 is used as a work data area.

  The NVRAM 101 is not particularly limited, but is a magnetoresistive random access memory (MRAM) that is an example of a memory that is a non-volatile memory but has no limitation on the number of reading and writing. An MRAM is formed by arranging a plurality of memory cells in an array form that can store information using a magnetoresistive effect in which the resistance of an element varies depending on the direction of magnetization. This memory cell is a magnetic tunnel junction (MTJ) element or the like. The operation of the NVRAM 101 is controlled by the NVMC 102. The NVRAM 101 is connected to the I bus 115 via the NVMC 102 and can be read / written via the I bus 115. The NVMC 102 can write to a predetermined address, generates a control signal for this write, an address signal and data, multiplexes the corresponding signal with the I bus 115, and supplies the multiplexed signal to the NVRAM 101. That is, the NVRAM 101 can be written from the I bus 115 and from the NVMC 102. The NVMC 102 generates a wait signal as necessary and supplies it to the BSC 111.

  The microcomputer 100 has an I bus (first internal bus) 115 and a P bus (second internal bus) 116, and the functional blocks are connected to each other by these buses. In addition to the address bus and data bus, each bus has a control for transmitting a bus right request signal, a bus acknowledge signal, a bus command (or a read signal, a write signal, a bus size signal), a ready signal (or a wait signal), etc. Including buses.

  The I bus 115 enables high-speed access of the NVRAM 101 by the CPU 103. The NVRAM 101 is accessed in one state. Since the number of connection destinations is small, the bus width can be arbitrarily set, for example, 32 bits. When an internal bus master such as a DMAC (Direct Memory Access Controller) is provided, the bus master is connected to this I bus.

  The cryptographic function unit 106 is connected to the I bus 115 and performs encryption processing and decryption processing under the control of the CPU 103. The cryptographic function unit 106 may be a bus master or a bus slave. When the bus master is used, the NVRAM 101 is read / written. An encryption process using the key information stored in the nonvolatile holding invalid area is configured to be executable.

  The P bus 116 is connected to the I / O register 121 included in the I / O unit 107 and the peripheral circuit. Since the I bus 115 and the P bus 116 are separated, it is possible to increase the speed by reducing the load on the I bus 115 used mainly by the program read of the CPU 103, and the P bus when not in use. The power consumption can be reduced by maintaining the state of 116.

  The CPU 103 accesses the I / O register 121 connected to the P bus 116 through the I bus 115 and the BSC 111. Access to the I / O register 121 is performed in two states. Since there are many connection destinations and the physical scale increases when the bus width is widened, for example, 16 bits are set.

  The I bus 115 and the external bus 117 are interfaced by a buffer (BUF) 108. An external memory or the like can be connected to the external bus 117. These buses are controlled by a bus controller (BSC). A wait is requested from the NVMC 102 or the BUF 108 to the BSC 111. Further, the BSC 111 can request a wait from the CPU 103.

  The reset controller (RESC) 113 receives a reset factor such as a reset signal RES input from the outside of the microcomputer 100 and outputs a reset signal 120 for each module of the microcomputer 100. The reset signal 120 includes a reset signal supplied to the CPU 103 and a reset state transition signal supplied to the NVMC 102. The reset factor includes an overflow of the WDT 109 and the like. The RESC 113 includes a power supply detection circuit 114 for detecting the power supply voltage Vcc level, and can generate a reset signal based on the detection result of the power supply detection circuit 114.

  The microcomputer 100 has the following functions in addition to the above.

  The interrupt controller (INT) 112 receives an interrupt signal from the peripheral circuit (WDT 109, SCI 110, A / D converter 122) and outputs an interrupt request signal to the CPU 103. The WDT 109 detects a runaway of the CPU 103 and requests a reset.

  FIG. 3 shows a configuration example of the NVMC 102.

  The NVMC 102 includes a multiplexer 1021, a write control unit 1022, and an address determination unit 1023. The write control unit 1022 generates a write control signal 1024 for a predetermined address after the operation starts. The predetermined address may be one or more bits, a unit of data of the CPU 103 such as a byte / word, a unit of a word line of the NVRAM 101, or more. The write control signal 1024 includes an address, data, a write signal, and the like, and these are supplied to the NVRAM 101 via the multiplexer 1021. The write data is for invalidating non-volatile retention for a part of the storage area of the NVRAM 101, and may be a logical value “0” or a logical value “1”, and a mixture of “0” and “1”. It may be data or a predetermined arbitrary value that can be set by the user. The number of writes may be specified from outside the NVMC 102. This designation may be fixed. Regardless of this designation, it is desirable to always write to a partial area. By setting the size of the write data and the number of writes, the size of the nonvolatile holding invalid area can be arbitrarily changed.

  Further, when the NVMC 102 is writing to the NVRAM 101, a wait request is made to the CPU 103 and the BSC 111. The multiplexer 1021 selectively supplies the NVRAM 101 with the write control signal 1024 and the bus control signal from the I bus 115. During the period in which the write control is performed by the write control unit 1022, the write control signal 1024 is selected by the multiplexer 1021. The address determination unit 1023 determines the address (the address of the CPU 103) input from the I bus 115. When a write to a first area described later is performed, the address determination unit 1023 instructs the multiplexer 1021 to suppress writing to the NVRAM 101. A first area write suppression signal is provided.

  When the NVRAM 101 is divided into a plurality of modules and there is a module that does not have a non-volatile holding invalid area, the NVRAM 101 can be connected to the I bus 115 without going through the NVMC 102.

  FIG. 5 shows an address space managed by the CPU 103.

  Although not particularly limited, the address space of the CPU 103 is 4 Gbytes. The NVRAM 101 and the I / O register 121 inside the microcomputer 100 operate with unique addresses, bus widths, and access state numbers, respectively. As described above, the NVRAM 101 is connected to the internal bus (I bus 115) via the NVMC 102, and is normally read / written in one state. The NVRAM 101 is arranged at a plurality of addresses.

  The CPU 103 includes a first operation mode and a second operation mode. In the first operation mode, for example, as shown in FIG. 5A, the first area NVRAM-1 is mainly used for programs, and the second area NVRAM-2 is mainly used for data. The first area NVRAM-1 includes the CPU 103 exception processing vector. The first area NVRAM-1 and the second area NVRAM-2 may be arranged according to the addressing mode of the CPU 103 or the like. Writing to the first program area is prohibited by the NVMC 102 for program protection. The area to be rewritten after the operation starts (non-volatile holding invalid area) should not overlap with the exception processing vector. When the NVRAM 101 is divided into a plurality of modules, they may be arranged in different modules. In this example, a nonvolatile holding invalid area is formed in a part of the second area NVRAM-2. In the second operation mode, the first area NVRAM-1 is an external space as shown in FIG. In this case, the NVRAM 101 is mainly used as a data area, and a memory connected to an external bus is mainly used as a program.

  Note that, as shown in FIG. 5A, there may be an area (boot area) that stores a program for initial writing or rewriting (booting) of the program and is not used during normal operation. Are excluded from the non-volatile holding invalid area. This area may be readable only in a predetermined boot mode. When the program is executed in the boot mode or the boot area, writing to the first area NVRAM-1 may be permitted.

  FIG. 6 shows an example of data stored in the NVRAM 101.

  The NVRAM 101 can be read or written by random access, and unlike the flash memory, it is not necessary to perform a special operation such as erasing at the time of writing, and writing to the NVRAM 101 can be performed by executing a program on the NVRAM 101. it can. Therefore, a program area and a data area can be provided in a single NVRAM 101. The data area includes a data area that needs to be saved and a data area that should not be retained (to be erased). For example, a data area that should not be held (to be erased) for security reasons is the nonvolatile holding invalid area. A program and data storage area can be provided in a nonvolatile holding area other than the nonvolatile holding invalid area of the NVRAM 101. The non-volatile holding invalid area is a work area of the CPU 103 and stores secret information that should not be held (to be deleted). Work data that is not secret may be stored in the nonvolatile holding area.

  FIG. 7 shows the state transition of the NVMC 102.

  When the reset state transition signal rst from the RESC 113 is asserted to the logical value “1” by resetting the microcomputer 100 or the like, the NVMC 102 is transitioned to the reset state. After the reset, the NVMC 102 transitions to the write state, and a write cycle for a predetermined address in the nonvolatile holding invalid area is issued under the control of the write control unit 1022. Depending on the number of data to be written, the write state may be composed of a plurality of states. In this state, the NVRAM 101 cannot be read / written from the CPU 103. Therefore, when the CPU 103 attempts to read or write the NVRAM 101, the wait signal is activated, a wait is requested, and a predetermined write by the NVMC 102 ends (described later). After the CPU read / write state transition, the CPU 103 reads / writes the NVRAM 101. Alternatively, the reset may be continued in the CPU 103 when the NVMC 102 is in the write state. When the predetermined write is completed, the NVRAM 101 transitions to the read / write state of the CPU 103. It becomes possible to perform invalidation processing for the nonvolatile holding invalid area by a predetermined write state (write operation) after the reset.

  Note that when the power detection is detected by the power detection circuit 114 in the RESC 113, the NVMC 102 may be changed to the reset state, and the NVMC 102 may be changed to the write state after completion of the power supply or after a predetermined time has elapsed. In addition, a state that should be determined to be abnormal, such as an overflow of WDT 109 or an interrupt that cannot be masked, may be detected and transitioned to a reset state. Further, when the NVRAM 101 includes parameter information or the like, as shown in FIG. 8, a parameter read state may be added after writing is completed. Examples of the parameter information include trimming information of the NVRAM 101 and adjustment of an analog value of the A / D converter 122.

  FIG. 9 shows the operation timing of the main part in the microcomputer 100.

  As shown in FIG. 9, when the reset state transition signal rst becomes a logical value “1” in response to an external reset signal RES, the NVMC 102 transitions to the reset state, and the selection state of the multiplexer 1021 changes to the write control unit 1022. The read / write command from the CPU 103 is suppressed (nop). As a result, the address and data are initialized.

  Then, when the reset state transition signal rst becomes the logic value “0” and the reset is released, the write state is entered, and the write for a predetermined address (addr-1 to addr-4) is performed. In this example, the write operation is performed four times in succession. The address of such a write operation is generated in hardware by the write control unit 1022 so as to correspond to the nonvolatile holding invalid area in FIGS. The write data is not particularly limited, but has a logical value “0”. When the above write operation is completed, the NVMC 102 transits to the CPU read / write state and switches the selection state of the multiplexer 1021 to the I bus 115. The RESC 113 activates the reset signal rst_cpu for the CPU 103 during a period corresponding to the completion of the write (in this example, a time corresponding to four writes). Thereafter, read / write by the CPU 103 is accepted.

  FIG. 10 shows another operation timing of the main part in the microcomputer 100.

  When the power supply detection circuit 114 detects that the power supply Vcc of the microcomputer 100 is turned on and reaches a predetermined power supply voltage level, the reset state transition signal rst is set to a logical value “1”, whereby the NVMC 102 is reset. The state is changed, the selection state of the multiplexer 1021 is switched to the write control unit 1022, and the read / write command from the CPU 103 is suppressed (nop). Then, when the reset state transition signal rst becomes the logic value “0” and the reset is released, the write state is entered, and the write for a predetermined address (addr-1 to addr-4) is performed. Since the subsequent steps are the same as those shown in FIG. 9, description thereof will be omitted.

  FIG. 11 shows another operation timing of the main part in the microcomputer 100.

  When a decrease in the level of the power supply voltage Vcc of the microcomputer 100 is detected, the reset signal rst_pdwn is set to a logical value “1”. The reset signal rst_pdwn is generated by the RESC 113 based on the detection result of the power supply detection circuit 114. When the reset signal rst_pdwn is set to a logical value “1”, a write state is set, and a write to a predetermined address (addr−1) is performed. When the power supply voltage Vcc drops below a necessary minimum level, writing cannot be performed. For this reason, the writable region varies depending on the degree of voltage decrease and holding. It is desirable to combine this example with the operation shown in FIG. 9 and FIG. If writing is performed after the power is turned on as shown in FIGS. 9 and 10, the logically designated area can be reliably written. Writing can be performed at least before the operation of the CPU 103 is started.

  When the NVRAM 101 is divided into a plurality of modules and the nonvolatile holding invalid area and the exception processing vector area are arranged in different modules, the reset signal rst_cpu for the CPU 103 is set in the same manner as the reset state transition signal rst, and the CPU 103 is nonvolatile. When an area including the invalid holding area is accessed, a wait may be requested.

  Also, the same can be done when the exception processing vector area does not exist in the NVRAM 101, such as in the second operation mode shown in FIG. After detecting the rising edge of the reset state transition signal rst, the transition to the write state may be made without waiting for the falling edge of the reset state transition signal rst. In any case, automatic rewriting may be performed before the CPU 103 accesses the NVRAM 101. Even when the microcomputer 100 has a plurality of operation modes, automatic rewriting is performed regardless of the operation modes.

  FIG. 13 shows a flowchart when the reset of the CPU 103 is released.

  When the reset is released, the CPU 103 performs a reset exception process.

  At the time of reset exception processing, the CPU 103 has a step (NVRAM write 1 to 4) of writing to the nonvolatile holding invalid area. That is, the NVRAM 101 is automatically rewritten regardless of the NVMC 102. For this purpose, the execution unit 105 of the CPU 103 is provided with an address and data generation logic, that is, a normal instruction execution address and data selector, and the control unit 104 controls the selector, generates a bus command, Provide logic for control. Thereby, the CPU 103 reads the exception processing vector and branches to the first instruction of the program. This is the same as a normal CPU.

  The program for automatic rewriting may be executed after reset exception processing, and then branch to the first instruction of the original program. Alternatively, a DMA controller or the like may be provided, and after resetting, the DMA controller may be automatically activated to perform writing to the nonvolatile holding invalid area.

  FIG. 14 shows an application example of the microcomputer 100. FIG. 15 shows a process flowchart in the application example shown in FIG.

  As shown in FIG. 14, the microcomputer 100 communicates with another microcomputer 200 connected thereto. The microcomputer 100 performs a required operation according to the content of communication. The connection destination is changed. The communication information includes secret information such as ID information and key information unique to the connection destination microcomputer, and may authenticate the connection destination microcomputer 200. Even if secret information such as ID information and key information is encrypted and input from a connection destination during communication, there is decrypted data or data before encryption inside the microcomputer. If this is held in the NVRAM 101, the possibility that it will be read by malicious program execution increases. Since encryption is performed at the time of communication and the secret is kept, it should be prevented that secret information such as decrypted data in the microcomputer is read. In order not to hold such secret information undesirably, it may be possible to initialize or rewrite the secret information with the program of the microcomputer 100 after the completion of the required processing. If the power is cut off, initialization or rewriting may not be possible.

  In such a method of use, the microcomputer 100 initializes or rewrites the non-volatile holding invalid area (non-volatile holding invalidating process) after reset (S1). Thereafter, according to the program stored on the NVRAM 101, the microcomputer 100 inputs the ID information and key information of the connection destination microcomputer 200 via the SCI 110 at the time of connection based on the control of the CPU 103 (S2). . The input data is once written and held in the NVRAM 101. If this data is encrypted, it may be stored in the nonvolatile holding area of the NVRAM 101 (S3). Under the control of the CPU 103, the encryption function unit 106 decrypts the input data (S4). The encryption function unit 106 is appropriately provided with key information and the like. The ID information, the key information, and the decrypted data (plain text) are stored (written) in the nonvolatile holding invalid area at an arbitrary timing as necessary, and malicious read is suppressed (S5).

  Conversely, when encryption is performed, the original data (plain text) is stored in the nonvolatile holding invalid area. The encrypted data may be stored in the nonvolatile holding area. Even when the encryption function processes data, the plaintext can be stored in the nonvolatile holding invalid area, while the cipher can be stored in the nonvolatile holding area. This decrypted data is referred to (read / written) as needed for operations of the CPU 103 such as authentication (S6). If the authentication is confirmed, a required process is performed on the system (S7). If authentication is not performed, the process is terminated without performing processing.

  If the connection with the connection destination microcomputer is canceled, it is not necessary to hold secret information such as ID information and key information unique to the connection destination microcomputer 200. When connecting to another microcomputer, another ID information or key information is input to the nonvolatile holding invalid area, and the same processing is performed.

  In the microcomputer 100, if secret information that should not be held (to be deleted) such as the ID information, key information, and decrypted data is stored in the nonvolatile holding invalid area, There is no need to initialize or rewrite with such a program of the microcomputer 100, and even when the power is shut off during operation maliciously, the microcomputer 100 is turned on when the microcomputer 100 is turned on next time. Since it is rewritten before the operation starts, it cannot be read regardless of malicious / good intentions, so that security can be enhanced.

  According to the above example, the following operational effects can be obtained.

  (1) By using the NVRAM 101 that can be read / written by random access as the program area and work data area of the CPU 103, hardware resources can be saved and the manufacturing process can be simplified. Can be reduced. Since a general RAM is not installed separately from the NVRAM 101, it is not necessary to consider the current for holding the stored data in the RAM, and no countermeasure against soft errors is required. In this case, since a part of the storage area of the NVRAM 101 in which nonvolatile retention is disabled is provided, this area is used for storing data that should be kept secret. It is avoided that the data to be stored is held in the NVRAM 101 in a nonvolatile manner. As a result, it is possible to improve security when a nonvolatile memory device (NVRAM) that can be read / written by random access is mounted as a program / data memory.

  (2) By performing automatic rewriting (invalidation processing for the nonvolatile holding invalid area) in the NVMC 102, the CPU 103 can use the existing one. Even if there is a test mode in which the CPU 103 is stopped and the NVRAM 101 and other modules are read / written from the outside, automatic rewriting can be performed.

  (3) The internal state of the microcomputer 100 can be simplified by keeping the CPU 103 in a reset state during automatic rewriting by the NVMC 102.

  (4) When the exception processing vector area exists in a place other than the NVRAM 101 including the nonvolatile holding invalid area, the CPU 103 is operated even during automatic rewriting, and a wait is requested when the NVRAM 101 being automatically rewritten is accessed. Thus, an undesired waiting time can be suppressed.

  (5) By performing automatic rewriting by the CPU 103, the NVMC 102 can be made unnecessary.

  (6) By prohibiting the area used for the program in the NVRAM 102 from being written, it is possible to suppress rewriting of an undesired program due to easy rewriting unlike a flash memory or the like.

  FIG. 2 shows another configuration example of the main part of the microcomputer 100.

  The microcomputer 100 shown in FIG. 2 is composed of two semiconductor chips. That is, the microcomputer 100 shown in FIG. 2 is greatly different from that shown in FIG. 1 in that the NVRAM 201 and the NVMC 202 corresponding to the NVRAM 101 and the NVMC 102 are formed on a chip 300 different from the CPU 103, respectively. It is. Further, in this chip 300, a RESC 213 including a power supply detection circuit 214 capable of detecting the power supply voltage in the chip 300 is provided, and the NVMC 202 is reset by a reset state transition signal formed by this RESC 214. Yes. The NVMC 202 is coupled to the I bus 115 via the external bus 117 and the BUF 108. The functions of NVRAM 201, NVMC 202, and RESC 213 are the same as those of NVRAM 201, NVMC 202, and RESC 113 shown in FIG. As described above, even when the microcomputer system 100 is configured by a plurality of semiconductor chips, it is possible to obtain the same operational effects as those shown in FIG.

  FIG. 4 shows another configuration example of the NVMC 102.

  The NVMC 102 includes an address determination unit 1033 and a read control unit 1031. The address determination unit 1033 transitions to the read blocking state by reset after the operation starts. In this state, according to the determination result of the address, reading other than the nonvolatile holding invalid area is permitted. In addition, reading of the nonvolatile holding invalid area is prohibited. Writing is permitted regardless of the area. Furthermore, a write to the non-volatile holding invalid area is observed. It is determined that data has been written to all addresses in the nonvolatile holding invalid area, and a transition is made to a read permission state. In this state, reading is permitted regardless of the area. The read control unit 1031 permits / inhibits reading of the NVRAM 101 in accordance with read permission / inhibition of address determination. As a result, since the nonvolatile holding invalid area cannot be read until it is written, it is possible to prevent reading the contents before the start of the operation. Since the written content can be read, there is no inconvenience in using it as a work area. For prohibition of reading, a read signal to the NVRAM 101 may be suppressed, or read data may be masked.

  FIG. 12 shows the operation timing of the microcomputer 100 when the configuration shown in FIG. 4 is adopted.

  When the reset state transition signal rst becomes the logical value “1”, the NVMC 102 is transitioned to the read blocking state. When the CPU 103 detects a write to a predetermined address (addr-1 to addr-4), it shifts to a read permission state. In this example, a transition is made after four writes. In addition, you may make it permit the read with respect to the said address for every write.

  By prohibiting reading, the program execution of the CPU 103 after reset can be started early. When the work area is initialized by executing the program, there is no double writing or writing to an unused address.

  Although the invention made by the present inventor has been specifically described above, the present invention is not limited thereto, and it goes without saying that various changes can be made without departing from the scope of the invention.

  For example, the NVRAM 101 is not limited to the MRAM, and may be a random write access and a non-volatile storage. The configuration of the NVRAM 101 can also be arbitrarily set. For example, a plurality of NVRAMs 101 may be provided for programs and data. It is desirable to use a single type of NVRAM 101 for programs and data. The NVRAM 101 and the NVMC 102 may be configured integrally. It is only necessary to have a function corresponding to a memory array and NVMC. The NVRAM may have data and a syndrome so that error correction by ECC (Error-Correcting Code) can be performed.

  Further, the means for prohibiting reading can be arbitrarily set. Anything can be used as long as the contents before the operation start cannot be read and the contents written after the operation start can be read.

  The contents of data for automatic rewriting (invalidation processing for the non-volatile holding invalid area) can be arbitrarily set. It is sufficient that old data is not retained, and a fixed value or a random value may be used. Nonvolatile holding invalidation means that data already stored before the start of operation cannot be read, and is not limited to returning the state of a storage element to a writable state like a flash memory. This can be referred to as a nonvolatile retention invalidation operation. Address arrangement and address range for automatic rewriting can be arbitrarily set. The address range for automatic rewriting may be configured so that batch writing can be performed in units of blocks as employed in flash memory.

  Furthermore, the address range for automatic rewriting may be different from the write sequence by the CPU 103 executing the program. For example, instead of writing a byte area corresponding to an address, only bit 0 may be written to 8 addresses. This is because data having meaning in byte units does not make sense even by rewriting one bit. When error correction by the ECC is performed, only the syndrome may be written.

  The configuration of the microcomputer and the size and arrangement of the address space are not limited. In addition, various functional blocks can be changed. In addition to the CPU 103 and the cryptographic function unit 106, a module capable of writing to the NVRAM 101, such as a DMA controller, may be mounted.

  The partner to communicate with the microcomputer 100 is not limited to the microcomputer. Data to be communicated is not limited to ID information and key information, and may be any copyrighted work. Data to be stored in the nonvolatile holding invalid area is not limited to ID information and key information, and can correspond to all secret information generated or decrypted inside the microcomputer.

  In the above description, the case where the invention made mainly by the inventor is applied to the single-chip microcomputer, which is the field of use behind it, has been described. However, the present invention is not limited to this, and random access is possible. The present invention can be widely applied to microcomputers including nonvolatile storage devices.

101, 201 NVRAM
102,202 NVMC
103 CPU
104 Control Unit 105 Execution Unit 106 Cryptographic Function Unit 107 I / O Unit 108 BUF
109 WDT
110 SCI
111 BSC
112 INT
113,213 RESC
114, 214 Power supply detection circuit 115 I bus 116 P bus 117 External bus 121 I / O register 122 A / D converter 1021 Multiplexer 1022 Write control unit 1023 Address determination unit 1031 Read control unit

Claims (2)

A CPU that enables arithmetic processing based on a preset program;
A nonvolatile storage device that can be read and written by random access by the CPU;
A single chip microcomputer including
The non-volatile storage device includes a non-volatile holding area in which the program is stored as a storage area and a non-volatile holding invalidation area capable of storing data,
A single chip micro that erases data in the nonvolatile retention invalidation area by performing a write operation to the nonvolatile retention invalidation area in the storage area in response to a reset signal indicating a reset state. Computer.   The single-chip microcomputer according to claim 1, wherein the nonvolatile holding area includes a data storage area that holds data that is not erased by the reset signal.

Images