JP2021012679A - Controller with flash emulation function and control method - Google Patents

Abstract

To provide a controller and a control method that can realize a secure flash function with an inexpensive computing system.SOLUTION: A controller according to an embodiment of the present invention includes: a host interface for communicating with a host; and a processor. The processor receives a plurality of commands for execution by a nonvolatile memory (NVM) from the host via the host interface, identifies a command related to a secure monotonous counter and to be executed by the nonvolatile memory embedded in the secure monotonous counter from the commands, executes the identified command, and responds to the host according to the identified command instead of the nonvolatile memory.SELECTED DRAWING: Figure 1

Description

The present invention relates to a controller having a flash emulation function and a control method in a secure computing environment, and in particular, a controller having a flash memory simulation function provided with an embedded secure monotonic counters (ESMC). And the control method.

Personal computer (PC) platforms typically use serial flash memory to store non-volatile data, such as basic input / output system (BIOS) code. In some cases, serial flash memory provides important features such as security and power management as permanent storage support.

To meet security requirements, the flash device can include one or more replay protection monotonous counters (RPMCs). The RPMC combines the private key with the appropriate software to protect the flash from tampering, such as replay attacks.

Various techniques for security using monotonous counters are known in the art. For example, US Pat. No. 9,405,707 (Patent Document 1) describes a system including a flash memory device having a monotonous counter and a host device communicatively coupled to the flash memory device. The host device generates authentication credentials and uses the authentication credentials and the first signature generated by the device key to request a counter value from the monotonous counter contained in the flash memory device and is monotonous. It receives the counter value from the counter, receives the authentication credentials from the flash memory device, and sends the second signature generated by the device key and the command to increment the monotonous counter to the flash memory. .. Here, the flash memory device can increase the monotonous counter value by authenticating the above request and command using its own key.

U.S. Patent Application 9,405,707

An object of the present invention is to provide a controller and a control method capable of realizing a secure flash function in a computing system that is cheaper than a computing system having a flash that implements all flash instructions.

A controller according to an embodiment of the present invention includes a host interface for communicating with a host and a processor, the processor for executing in a non-volatile memory (NVM) via the host interface. An instruction is received from the host, and from the plurality of instructions, an instruction related to a secure monotonous counter and to be executed in a non-volatile memory in which a secure monotonous counter is embedded is identified, and the identified instruction is made. It executes an instruction and responds to the host in response to the identified instruction instead of the non-volatile memory.

In one embodiment, the controller further comprises a memory interface, the processor communicates via the memory interface with a non-volatile memory that does not incorporate a secure monotonous counter, other than the identified instructions. The instruction is set to be transferred and executed to a non-volatile memory in which the secure monotonic counter is not incorporated. In one embodiment, the processor is configured to execute the identified instruction, overwriting a chip select (CS) signal asserted by the host to select the non-volatile memory. In yet another embodiment, the processor receives an instruction to access the non-volatile memory by intercepting the chip select signal asserted by the host to select the non-volatile memory. Is set.

In some embodiments, the processor, along with a TPM (Trusted Platform Module), is configured to execute the identified instruction. In one embodiment, the TPM is integrated with the controller. In another embodiment, the TPM is located outside the controller, which further comprises a TPM interface for communicating with the TPM. In another embodiment, the TPM is located outside the controller and is connected to the host, and the processor is configured to communicate with the TPM via the host interface.

In one embodiment, the identified instruction complies with the RPMC (Replay Protected Monotonic Counter) specification, and the processor is configured to execute the identified instruction according to the RPMC specification.

In the control method according to the embodiment of the present invention, in the controller, a plurality of instructions for execution in the non-volatile memory are received from the host, and the plurality of instructions are related to a secure monotonous counter and are secure monotonous. The instruction to be executed in the non-volatile memory in which the counter is embedded is identified, and the identified instruction is executed by the controller instead of the non-volatile memory.

FIG. 1 is a block diagram schematically showing a computing system having a slave-attached-flash configuration that performs RPMC flash emulation according to one embodiment of the present invention. FIG. 2 is a block diagram schematically showing a computing system having a host-attacked Flash configuration that performs RPMC flash emulation according to another embodiment of the present invention. FIG. 3 is a block diagram schematically showing a computing system having a slave-connected flash configuration that performs RPMC flash emulation according to another embodiment of the present invention. FIG. 4 is a block diagram schematically showing a computing system having a host-connected flash configuration that performs RPMC flash emulation according to another embodiment of the present invention. FIG. 5 is a block diagram schematically showing a computing system having a slave-connected flash configuration that executes RPMC flash emulation according to a fifth embodiment of the present invention.

Hereinafter, the present invention will be described based on the embodiments shown in the figure.

Non-volatile memory devices (NVMs), such as flash memory, can be affected by computer hacking because they are used to store boot code or other sensitive information used in computer systems. Traditional NVMs can provide minimal protection. For example, the NVM sector has write protection, but it is still possible to copy some of it and rewrite all the data in the NVM. The use of secure monotonous counters that change (increase) monotonically is conceivable for enhanced protection against NVM.

An example of a secure monotonic counter is Replay-Protected-Monotonic-Counters (RPMC). The 2013 Intel Specification "Serial Flash Hardening Product Expert Architecture Specialization (EAS)" revision 0.7 (Document Number: 328802-001EN) describes the RPMC specification, including architecture and instruction set, for reference. Is cited herein as.

The RPMC specification includes a command to write a 256-bit "root key". This root key is stored in the flash so that it cannot be read externally and is programmed only once during the manufacture of the system. A 32-bit monotonous counter is associated with the root key. When a valid 256-bit root key write operation is performed regardless of the root key value, the 32-bit monotonic counter is initialized to zero.

An authenticated command and response is a command and response signed using a hash message authentication code key (“HMAC key”). The signature is verified using HMAC. The HMAC key is stored in flash and cannot be read even in test mode. Use the authenticated "HMAC key update command" to derive the 256-bit HMAC key. The HMAC key is obtained from the root key and key data provided during the command using HMAC-SHA-256. Therefore, this command performs two HMAC-SHA-256 operations. One gets the HMAC key and the other verifies the signature.

Other authenticated commands are used to support increasing the RPMC count value and reading the RPMC. The RPMC specification states that support for at least four counters with related resources such as root key registers and HMAC key registers is required. A list of RPMC commands can be found in Section 2.1 of the Intel RPMC specification cited above.

Embodiments of the invention disclosed herein use a non-secure flash (non-sure-Flash) and controller to emulate a secure NVM with an embedded monotonous counter (eg, a flash that supports RPMC). ) Provide methods and systems. The controller is located outside the non-secure flash and may be, for example, an embedded controller (EC), a baseboard management controller (BMC), a "Super I / O" controller, or any other suitable controller. Because non-secure flash devices are usually simpler (and therefore cheaper) than secure flash devices, computing systems according to embodiments of the present invention are more than computer systems including secure flash devices (eg, RPMC-Flash devices). It can be cheap.

Although the following description is primarily related to RPMC, the disclosed techniques of the present invention are also applicable to other suitable types of secure monotonous counters that can be incorporated into NVM. Also, although the following description primarily relates to serial flash, the disclosed techniques of the present invention are also applicable to other suitable types of NVM. It should be noted that the following description of the serial flash and RPMC is merely an example and is not intended to limit the present invention.

For simplicity, a flash that supports security features is called a secure flash, and a flash that does not support such features is called a non-secure flash. Further, a secure flash that supports RPMC is called an RPMC flash, and a flash that does not support RPMC is called a non-RPMC flash.

In one embodiment, the computing system comprises a controller that communicates with a host and a non-secure flash (eg, a conventional serial flash device). The host executes flash instructions, including instructions to access data stored in flash and security-related instructions (such as RPMC instructions). The controller works in conjunction with the non-secure flash to emulate the secure flash to the host. For example, in a system with a non-secure flash and a controller, the host can issue a monotonous increment counter instruction executed by the RPMC flash. The controller can intercept or execute instructions instead of flushing transparently to the host.

In some embodiments, the controller includes a host interface for communicating with the host. The processor receives instructions from the host via the host interface to execute in secure flash. The processor identifies security-related flash instructions (eg, RPMC instructions), executes at least some of the security-related instructions, and responds to the host. Non-security related instructions issued by the host can be executed by non-secure flush.

According to another embodiment of the invention, the computing system comprises a non-secure flash device and the controller comprises a flash interface unit coupled to the non-secure flash. Here, the configuration in which the flash is connected to the host via the controller is called a slave connection flash (SAF). The processor receives a flush instruction from the host (via the host interface unit). The processor executes security-related instructions, sends non-security-related instructions, and executes them in non-secure flash (via the flash interface). The processor responds to the host through the host interface unit.

In some embodiments, the host communicates with the controller via a serial bus such as a serial peripheral interface (SPI) or an extended serial peripheral interface (eSPI), where the serial bus is, for example, a bidirectional data line, a clock line, And multiple chip select (CS) lines (including one CS line for each device connected to the serial bus. The CS signal asserted by the host to communicate with Secure Flash is coupled to the controller and the controller. The controller relays the CS signal to the flash for non-security related instructions, while for security related instructions (such as the RPMC instruction), the controller relays the CS signal to the non-secure flash. Overwrite the flash.

In another embodiment of the invention, the non-secure flush is coupled to the host via the SPI or eSPI bus. The CS signal generated by the host to communicate with the secure flash is coupled to the CS input of the non-secure flash. However, non-secure flash is set not to respond to security-related instructions (instructions that non-secure flash cannot execute). The controller intercepts the CS signal that the host sends to the flash and confirms the type of instruction. The controller executes an instruction that the flush cannot execute.

In some embodiments, execution of a security-related instruction involves processing a security function (eg, a security signature, or verification of a security signature). In one embodiment, the host comprises a trusted platform module (TPM). The TPM is a dedicated microcontroller designed to protect hardware through an integrated cryptographic key in the International Standard for Secure Cryptographic Processors (ISO / IEC11889). The controller and TPM can share sensitive data, which enables secure communication between the controller and TPM. The controller can process security-related instructions issued by the host using the TPM as a secure NV storage unit with a secure link.

In some embodiments of the invention, the controller comprises a TPM, and communication between the controller and TPM takes place on-chip in an originally secure manner (or at least a more secure method than integrated circuit communication). ..

In yet another embodiment, the controller does not have an interface to the TPM and communicates with the TPM via the host. To access the TPM, the controller sends a request to the host, which relays the request to the TPM. When the TPM responds, the host receives the response and sends it to the controller.

In some embodiments according to the invention, security-related instructions executed by the controller instead of secure flush include RPMC instructions as defined in the RPMC specification or a portion thereof.

The RPMC specification-compliant flash device (“RPMC flash”) referenced above has a unique control (unique control), status, and configuration registers and mechanisms to respond to multiple dedicated RPMC instructions. The controller emulates such an RPMC instruction, and when the RPMC instruction is detected, it can overwrite the CS signal of the non-RPMC flash. In addition, the controller can include a flash busy register that overrides the non-secure flash flash busy, a flash extended status register (which emulates the extended status register of the RPMC), and a serial flash detectable parameter (SFDP) structure.

The controller also has some flash registers required for RPMC flash and some extension caches (eg mirrors) to respond on behalf of the flash.

In some embodiments, if the flash includes some of the RPMC features defined in the RPMC specification (eg, if the flash implements two of the four RPMC counters defined in the specification), the controller It is possible to emulate the missing function (missing functionality).

Accordingly, embodiments of the invention described herein provide emulation of secure flash in a system that includes a controller and TPM and does not include secure flash. In some embodiments, the TPM is a single module, but in other embodiments, the TPM may be incorporated into the controller. In some embodiments, the host is bound directly to the non-secure flash, and in other embodiments, the non-secure flash is coupled to the host via the controller, for example in a slave-attached flash configuration.

The above example of the RPMC specification is an example relating to a specific specification of the RPMC of the serial flash, and the present invention is not limited thereto. The present invention can be applied to any suitable RPMC specification in serial flash, parallel flash, or any other type of NVM.

Also, in some embodiments, the execution of some instructions issued by the CPU may be performed together by the non-secure flash and the controller (eg, if it supports a subset of the RPMC architecture that requires flash). ..

System description

FIG. 1 is a block diagram schematically showing a computing system 100 having a slave connection flash (SAF) configuration according to a first embodiment of the present invention. The computing system issues a host 102 that executes software instructions including instructions regarding secure access of a secure flash device (for example, a flash device equipped with an RPMM), a TPM 104 that implements a security function, and the host issues to the flash device. It includes a non-secure flash memory 106 that does not support some or all of the instructions and a controller 108 that emulates a flash security feature issued by the host.

In the exemplary embodiment of FIG. 1, the host communicates with the TPM via the Serial Protocol Interface (SPI) bus and with the controller via the Extended Serial Protocol Interface (eSPI) bus. The controller communicates with the TPM via the integrated circuit (I2C) bus and with the flash via the SPI bus. In alternative embodiments, other suitable buses, serial or parallel, can be used.

In the exemplary embodiment of FIG. 1, the flash is connected to a controller and all communication with the flash is done by the controller. This configuration is referred to herein as a slave connection flash (SAF).

Some of the instructions executed by the host relate to accessing flash memory, such as flash read / write and flash security features (eg, RPMC instructions). All instructions related to access to flash memory are hereinafter referred to as "flash instructions".

An enlarged view of the controller is shown at the bottom of FIG. The controller is configured to communicate between the processor 110, the host 102 and the processor, and the host interface 112, which includes an extended serial peripheral interface (eSPI) port, and the I2C (which is configured to communicate between the TPM 104 and the processor. It includes an Inter-Integrated Circuit-Bus) port 114 and a serial peripheral interface (SPI) port 116 configured to communicate between the flash 106 and the processor.

The host executes flush and non-flash instructions. To execute a flash instruction, the host is configured to communicate with the flash device over the eSPI bus. In the example of the SAF configuration of FIG. 1, the controller receives and responds to a flash instruction issued by the host.

In controller 108, processor 110 receives flash instructions via host interface 112. The processor 110 can send some instructions to the non-secure flash 106 for direct execution by the non-secure flash 106. The processor executes other instructions (for example, non-secure flash cannot be executed). Execution of other instructions requires access to TPM 104 and non-secure flash via I2C port 104.

The processor can complete some flush instructions by returning the requested data to the host or by returning an instruction indicating that the instruction execution is complete.

As described above, according to the exemplary embodiment shown in FIG. 1, the computing system may include slave-connected flashes that do not support some security features. This flash is connected to the host via the controller. The controller can communicate with the flash and TPM and execute all flash instructions either directly or in combination with a non-secure Flash or TPM transparently to the host (host unnoticed). Therefore, the secure flash function of the present invention can be realized in a computing system that is cheaper than a computing system having a flash that implements all flash instructions.

FIG. 2 is a block diagram schematically showing a computing system 200 having a host connection flash configuration according to a second embodiment of the present invention. The computing system of the second embodiment includes a host 202 configured to execute software instructions including flash instructions, a trusted platform module (TPM) 204 configured to implement security functions, and a host. It includes a flash 206 (hereinafter also referred to as a non-secure flash 206) that does not support some or all of the instructions issued to the flash device, and a controller 208 configured to emulate the flash security features issued by the host. ..

In the exemplary embodiment of FIG. 2, the host 202 communicates with the TPM 204, the controller 208, and the non-secure flash 206 via the SPI bus. Also, in alternative embodiments, other suitable buses such as serial buses or parallel buses can be used.

In the exemplary embodiment of FIG. 2, the non-secure flash 206 is configured to receive all flash communication data, but only respond to instructions that it can support. For example, if host 202 issues an RPMC instruction that the non-secure flash 206 does not support, the non-secure flash 206 ignores the instruction.

An enlarged view of the controller 208 is shown at the bottom of FIG. The controller 208 is a host interface 212 configured to communicate between the processor 210, the host 202 and the processor 210, and an I2C port 214 configured to communicate between the TPM 204 and the controller 210. And.

To execute the flash instruction, the host is configured to communicate with the secure flash device over the SPI bus. When communicating with secure flash, host 202 asserts a chip select (CS) line that is coupled to the non-secure flash and controller. When host 202 issues a security-related instruction that is not supported by non-secure flash, controller 208 reads and executes the instruction.

In the controller 208, the host interface 212 is connected to the SPI bus (including the CS line). Processor 210 receives all flash instructions from host 202 via host interface 212. If the processor 210 determines that the received instruction cannot be executed by the non-secure flash 206 (such as an RPMC instruction), the processor 210 executes the instruction. To execute an instruction that the non-secure flash 206 cannot execute, the TPM 204 may be accessed via the I2C port 104. For example, if some RPMC counters are installed in the TPM 204 and the host 202 issues an RPCM read instruction (a read-RPCM instruction), the processor 210 accesses the TPM 204 via the I2C port 214 to the RPCM. Request TPM204 to return the stored value. The processor 210 returns the requested data to the host 202 via the host interface 212.

The processor 210 completes some of the flush instructions by returning the requested data to the host 202 or by returning to the host 202 an instruction indicating that the execution of the instruction is complete.

As described above, according to the exemplary embodiment shown in FIG. 2, the computing system may include a non-secure flash connected to the host in parallel with the controller via a serial bus. Non-secure flash executes a subset of flash instructions, and the controller executes flash instructions that non-secure flash does not support. Therefore, the secure flash function of the present invention can be realized in a computing system that is cheaper than a computing system having a flash that implements all flash instructions.

FIG. 3 is a block diagram schematically showing a computing system 300 having a SAF configuration according to a third embodiment of the present invention. As shown in FIG. 3, the third embodiment is similar to the embodiment of FIG. 1 except that the controller is not directly coupled to the TPM.

The computing system 300 issues a host 302 configured to execute software instructions including (secure and non-secure) flash instructions, a TPM 304 configured to implement security functions, and a host 302 issued to a flash device. It includes a non-secure flash memory 306 that does not support some or all of the instructions to be issued, and a controller 308 configured to emulate a flash security feature issued by the host 302.

In the embodiment of FIG. 3, the host 302 communicates with the TPM 304 via the SPI bus and communicates with the controller 308 via the eSPI bus. The controller 308 communicates with the flash 306 via the SPI bus. Also, in alternative embodiments, other suitable buses such as serial buses or parallel buses can be used. In the SAF configuration of the embodiment of FIG. 3, the flash is attached to the controller.

The host executes a flash instruction that includes instructions that can be executed by the non-secure flash 306 and instructions that are not supported by the non-secure flash 306 executed by the controller 308.

An enlarged view of the controller 308 is shown at the bottom of FIG. The controller 308 is configured to communicate between the processor 310, the host 302 and the processor 310, the host interface 312 including the eSPI port, and the SPI configured to communicate between the flash 306 and the processor 310. It includes a port 316.

Host 308 is configured to communicate with the flash device via the eSPI bus. In the example of the SAF configuration of FIG. 3, the controller 308 receives and responds to the flash instruction issued by the host 308.

In controller 308, processor 310 receives a flush instruction via host interface 312. The processor 310 can send some instructions to the non-secure flash 306 for direct execution by the non-secure flash 306. Processor 310 executes other instructions (eg, non-secure flash 306 cannot execute). To execute other instructions, it is necessary to access the TPM 304 and the non-secure flash 306 via the I2C port 104.

The processor 310 completes some flush instructions by returning the requested data to the host or by returning an instruction indicating that the execution of the instruction is complete.

Here, an exemplary software driver according to an embodiment of the present invention will be briefly described with reference to FIG. According to an exemplary embodiment shown in FIG. 3, at least two drivers, namely the flash application driver 318 and the security service driver 320, have the host 302 active at the same time.

Flash application driver 318 provides a software interface to flash devices. In the exemplary embodiment of FIG. 3, the flash application driver 318 communicates with controller 308. However, the driver can be similar (or identical) to the driver available to the host in computing systems that include secure flash. The flash driver 318 can also be used in the examples of FIGS. 1 and 2).

The security service driver 320 provides an interface between the security service client and the TPM. In the exemplary embodiment shown in FIG. 3, the processor 310 can request a TPM service from the security service driver 320 via the host interface 312. The device driver accesses the TPM 304 to execute the service and responds to the processor 310 via the host interface 312 (in the controller).

In some embodiments, the TPM cannot be used for some security features (such as the monotonic counter function) because the TPM driver is not activated again in the initial preboot phase (such as ME booting the PC). At this time, the controller supports a "retroactive" RPMC at power up by reporting a monotonous value stored in the non-secure flash and waits for an authenticated monotonous counter reading from the TPM ( Holds the monotonous counter reading in the buffer). If the monotonous counter reading is not authenticated within the predefined time period, controller 308 resets or suspends the host and issues a security fault warning.

As described above, according to the exemplary embodiment shown in FIG. 3, the computing system may include slave-connected flashes that do not support some security features. The flash is connected to the host via the controller. The controller does not include an interface to the TPM. Instead, the controller accesses the TPM through a service driver running on the host. Therefore, the secure flash function can be realized in a computing system that is cheaper than a computing system having a flash that implements all flash instructions.

FIG. 4 is a block diagram schematically showing a computing 400 system having a host connection flash configuration according to a fourth embodiment of the present invention. In this embodiment, the controller has a TPM.

The computing system 400 includes a host 402 configured to execute software instructions including flash instructions, a non-secure Flash 406, and a controller 408 configured to emulate a flash security feature issued by the host. To be equipped.

In the exemplary embodiment of FIG. 4, the host 402 communicates with the controller 408 and the non-secure flash 406 via the SPI bus. Also, in alternative embodiments, other suitable buses such as serial buses or parallel buses can be used.

In the exemplary embodiment of FIG. 4, the non-secure flash 406 is configured to receive all flash communications, but only respond to supporting instructions. For example, if host 402 issues an RPMC instruction that the non-secure flash 406 does not support, the non-secure flash 406 ignores the instruction.

An enlarged view of the controller 408 is shown at the bottom of FIG. The controller 408 includes a processor 410, a host interface 412 configured to communicate between the host 202 and the processor 410, and an embedded TPM (embedded TPM) 414 configured to implement a security function.

To execute the flash instruction, the host 402 communicates with the secure flash device via the SPI bus. A chip select (CS) line asserted by host 402 when communicating with secure flash is coupled to non-secure flash 406 and controller 408. When host 402 issues a security-related instruction that non-secure flash 406 does not support, controller 408 reads and executes the instruction.

In controller 408, the host interface 412 is connected to the SPI bus (including the CS line described above). Processor 410 receives all flash instructions from host 402 via host interface 412. When the processor 410 recognizes that the received instruction (RPMC instruction, etc.) cannot be executed by the non-security flash memory 406, the processor 410 executes the instruction. Instructions that cannot be executed in the non-secure flash memory 406 may access the embedded TPM 414 during execution. For example, if some RPMC counters are installed in the embedded TPM 414 and the host 402 issues an RPCM read instruction, the processor 410 will access the embedded TPM 414 and return the data stored in the RPCM to the embedded TPM 414. Request. Processor 410 returns the requested data to the host via host interface 412.

The processor 410 completes some flush instructions by returning the requested data to the host 402 or by returning an instruction indicating that the instruction execution is complete.

As described above, according to the exemplary embodiment shown in FIG. 4, the computing system may include a non-secure flash connected to the host via a serial bus in parallel with the controller. Non-secure flash executes a subset of flash instructions, and the controller executes flash instructions that non-secure flash does not support. Therefore, the secure flash function can be realized in a computing system that is cheaper than a computing system having a flash that implements all flash instructions.

FIG. 5 is a block diagram schematically showing a computing system 500 having a SAF configuration according to a fifth embodiment of the present invention. In this embodiment, the controller 508 includes a TPM 514 and the non-secure flash configuration is a slave attached flash (SAF) configuration.

The computing system 500 includes a host 502 configured to execute software instructions including flash instructions, a non-secure flash 506, and a controller 508 configured to emulate the flash security features issued by the host 502. , Equipped with.

In the exemplary embodiment of FIG. 5, the host 502 sends a flash instruction, including a security instruction, to the controller 508. The non-secure flash 506 is coupled to the controller 508. Controller 508 includes processor 510, host interface 512, embedded TPM 514, and SPI port 516.

In controller 508, processor 510 receives a flash instruction via host interface 512. Processor 510 can send some instructions to the non-secure flash 506 for direct execution by the non-secure flash 506. The processor executes other instructions (eg, non-secure flash 506 cannot execute). Execution of other instructions requires access to TPM 504 and non-secure flash 506.

Processor 510 completes some flush instructions by returning the requested data to host 502 or by returning an instruction indicating that the instruction has been executed.

As described above, according to the exemplary embodiment shown in FIG. 5, the computing system may include a non-secure flash connected to the host via a controller in a SAF configuration. The controller executes all secure and non-secure flash instructions to access additional non-secure flash and internal built-in TPM. Therefore, the secure flash function can be realized in a computing system that is cheaper than a computing system having a flash that implements all flash instructions.

Since the embodiments of the computing system shown in FIGS. 1 to 5 are merely examples, the present invention is not limited to those embodiments. In an alternative embodiment, for example, other types of non-volatile memory can be used, and the bus connecting the various components of the system may also be different from the bus described above. Also, in some embodiments, there may be multiple hosts, multiple secure flash devices, and / or multiple controllers. In another embodiment, a single controller may be combined with multiple flash devices and / or multiple TPMs.

In some embodiments, the host may read the flash atomically and issue an instruction to increase the RPMC. The processor may emulate the above instructions by accessing the non-secure flash and TPM of the data and increasing the corresponding RPMC.

In some embodiments, the single TPM may be used as a general purpose secure NV storage device for other components on the board, in addition to its role as a TPM servicing the host. In another embodiment, the functionality of the controller described above may be performed by the TPM, in which case the controller may be absent.

In some non-SAF embodiments, the CS line that the host issues to the flash is coupled to the controller instead of the flash, the CS line that the flash receives may be coupled to the controller instead of the host, and the controller is from the host. CS signals may be generated depending on the CS received and other flash access cycles initiated to perform the secure flash function.

In some embodiments according to the invention, the controller may include cache memory for frequently accessed security data (eg, keys).

Controllers 108, 208, 308, 408, and 508, or elements thereof, may be implemented using any suitable hardware such as application specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs). Good. In some embodiments, some or all elements of the controller may be implemented using software, hardware, or a combination of hardware and software.

Typically, hosts 102, 202, 302, 402, and 502 may include general purpose processors programmed in software to perform the functions described herein. The software may be downloaded to the processor electronically, for example over a network, or may be provided and / or stored in an alternative or additional non-temporary tangible medium such as magnetic, optical, or electronic memory. You may.

The above examples are cited as an example, and the present invention is not particularly limited to those shown and described above. Rather, the scope of the invention includes both combinations and partial combinations of the various features described above, as well as modifications and modifications that can be conceived by those skilled in the art by reading the aforementioned description.

100, 200, 300, 400, 500 ... Computing system 102, 202, 302, 402, 502 ... Host 104, 204, 304, 414, 514 ... TPM
106, 206, 306, 406, 506 ... Flash 108, 208, 308, 408, 508 ... Controller 110, 210, 310, 410, 510 ... Processor 112, 212, 312, 412, 512 ... Host interface 114, 214, 414. , 514 ... I2C port 116, 316, 516 ... SPI port 318 ... Flash application driver 320 ... Security service driver

Claims (18)

A host interface for communicating with the host,
With a processor,
The processor receives a plurality of instructions from the host for execution in the non-volatile memory via the host interface.
From the plurality of instructions, the instruction related to the secure monotonous counter and to be executed in the non-volatile memory in which the secure monotonous counter is embedded is identified.
A controller comprising executing the identified instruction and responding to the host in response to the identified instruction instead of the non-volatile memory. With a memory interface,
The processor
Through the memory interface, it communicates with a non-volatile memory that does not have a secure monotonous counter built in.
The controller according to claim 1, wherein an instruction other than the identified instruction is set to be transferred and executed to a non-volatile memory in which the secure monotonous counter is not incorporated. The processor
The controller of claim 1, wherein when the identified instruction is executed, the controller is set to overwrite the chip select signal asserted by the host to select the non-volatile memory. The processor
The first aspect of claim 1 is set to receive an instruction to access the non-volatile memory by intercepting the chip select signal asserted by the host to select the non-volatile memory. controller. The controller according to claim 1, wherein the processor, together with a TPM, is configured to execute the identified instruction. The controller according to claim 5, wherein the TPM is integrated with the controller. The TPM is located outside the controller
The controller according to claim 5, wherein the controller further includes a TPM interface for communicating with the TPM. The TPM is located outside the controller and is connected to the host.
The controller according to claim 5, wherein the processor is configured to communicate with the TPM via the host interface. The identified instructions comply with the RPMC specification and
The controller of claim 2, wherein the processor is configured to execute the identified instruction in accordance with the RPMC specification. The controller receives multiple instructions from the host to execute in non-volatile memory and
From the plurality of instructions, the instruction related to the secure monotonous counter and to be executed in the non-volatile memory in which the secure monotonous counter is embedded is identified.
A control method that executes the identified instruction by the controller instead of the non-volatile memory. Communicates with non-volatile memory that does not have a built-in secure monotonous counter
The control method according to claim 10, wherein an instruction other than the identified instruction is transferred to a non-volatile memory in which the secure monotonous counter is not incorporated and executed. The control method according to claim 10, wherein the chip select signal asserted by the host is overwritten in order to select the non-volatile memory. 10. The control method of claim 10, wherein the control method of claim 10 receives an instruction to access the non-volatile memory by intercepting the chip select signal asserted by the host to select the non-volatile memory. The control method according to claim 10, wherein the identified instruction is executed together with the TPM. The control method according to claim 14, wherein the TPM is integrated with the controller. The TPM is located outside the controller
The control method according to claim 14, wherein the controller further includes a TPM interface for communicating with the TPM. The TPM is located outside the controller and is connected to the host.
The control method according to claim 14, wherein the processor communicates with the TPM via the host interface. The identified instructions comply with the RPMC specification and
14. The control method of claim 14, wherein the processor executes the identified instruction in accordance with the RPMC specification.