GB2311152A - Dual mode security architecture with protected internal operating system - Google Patents


Info

Publication number: GB2311152A
Authority: GB (United Kingdom)
Prior art keywords: dual mode, processor, secure, mode processor, mode
Legal status: Withdrawn
Application number: GB9605120A
Other versions: GB9605120D0 (en)
Inventor: Richard J Takahashi
Current Assignee: Philips Semiconductors Inc
Original Assignee: VLSI Technology Inc
Priority date: 1996-03-11
Filing date: 1996-03-11
Publication date: 1997-09-17

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1416Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
    • G06F12/1425Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block
    • G06F12/1433Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block for a module or a part of a module

Description

DUAL PURPOSE SECURITY ARCHITECTURE WITH PROTECTED INTERNAL OPERATING SYSTEM

Background

The present invention concerns chip architecture and particularly a dual purpose secure chip architecture with a protected internal operating system.
For some processing applications, it is essential to operate in a secure environment so that operations cannot be probed or altered. In the prior art, various methods have been used to provide for a secure processing environment.
For example, a mechanical chassis can be used to house processing equipment. This mechanical chassis can include tamper switches and other elements to detect and protect against tampering and alterations.
Unfortunately, such a mechanical chassis can add a significant amount of expense to a product.
Alternately, in order to restrict access to particular integrated circuits, the integrated circuits can be covered with epoxy or other chemical materials to hinder access. Unfortunately, often this can be easily defeated and so provides only a nominal amount of protection.
Another method to provide for a secure processing environment is to implement the system on a single integrated circuit. However, if a secure operating system is not implemented, these systems also, generally, can be defeated. However, implementation of a completely secure operating system for all functions significantly limits the functionality of the system.
Summary of the Invention

In accordance with the preferred embodiment of the present invention, a secure mode within a dual mode processor is implemented. In a general/external mode, the dual mode processor executes instructions provided from an external source. The instructions are supplied to the processor via input/output to the processor. Upon receiving a special software or hardware interrupt, the dual mode processor enters a secure/internal mode. The interrupt specifies a secure function stored in a read-only memory within the dual mode processor. Upon receiving such an interrupt, input/output to the dual mode processor is disabled. An internal pointer identified by the interrupt is used to identify the location of the secure function stored in the read-only memory within the processor. The identified secure function is executed by the processor. During execution of the secure function, any attempt to insert instructions not originating from the read-only memory is ignored. However, the processor is allowed to access data specifically identified by the secure function being executed.
Upon completion of performance of the secure function, an exit routine is executed to enable input/output to the processor and to resume execution of instructions provided via input/output from the source external to the processor. The instructions for the exit routine are also stored within the read-only memory.
In the preferred embodiment, the exit routine utilizes a special hardware control circuit to enable input/output to the processor. Also in the preferred embodiment, upon reset, the processor performs self-testing in secure mode, with input/output disabled. Upon successful completion of performance of the self test function, the exit routine is executed to enable input/output to the processor and to begin execution of instructions provided via input/output from the source external to the processor. Assurance hardware is used to provide protection against physical and electrical tampering.

The dual mode processing system is used, for example, to perform cryptographic functions such as encryption or public key exchange. For example, in one such application, data blocks or packets are intercepted and sent to the dual mode processor. Primitives which encrypt/decrypt the data are stored in the read-only memory within the processor. These primitives are executed when the dual mode processor is in secure mode. Other system functions are performed in general mode.
The present invention allows for an inexpensive, efficient means to provide for dual mode processing. When operating in a general mode, all external instructions may be executed without any overhead associated with a secure operating system. During operation in secure mode, secure functions are executed in a manner protected from alteration and probing.
Brief Description of the Drawings

Figure 1 shows a block diagram of a system in which a dual mode processor is used in a secure mode for encryption and decryption in accordance with a preferred embodiment of the present invention.
Figure 2 shows a simplified block diagram of the dual mode processor shown in Figure 1 in accordance with a preferred embodiment of the present invention.
Figure 3 shows a flowchart which illustrates initialization of the dual mode processor shown in Figure 2 in accordance with a preferred embodiment of the present invention.
Figure 4 shows a flowchart which illustrates operation of the dual mode processor in the secure operating mode in accordance with the preferred embodiment of the present invention.
Figure 5 is a block diagram which indicates contents of a ROM within the dual mode processor shown in Figure 2 in accordance with the preferred embodiment of the present invention.
Description of the Preferred Embodiment

Figure 1 shows a block diagram of a system in which a dual mode processor 12 is used in a secure (internal) mode for encryption and decryption in accordance with a preferred embodiment of the present invention. Dual mode processor 12 communicates with a control channel processor 11 through a data channel 18 and a data channel 19. Data channels 18 and 19, for example, are implemented as an input/output (I/O) bus which operates in accordance with an input/output bus standard, such as, for example, the Industry Standard Architecture (ISA). Control channel processor 11 provides data to dual mode processor 12. In addition, when dual mode processor 12 is in general (external) mode, control channel processor 11 provides instructions to be executed by dual mode processor 12.
Dual mode processor 12 is used to perform a cryptographic function such as encryption or public key exchange. For example, Figure 1 shows a demultiplexor 13 which receives an encrypted data stream 14 and produces a de-multiplexed decrypted data stream 15. Encrypted data stream 14 and decrypted data stream 15 are, for example, composed of data blocks or data packets being transferred to and from demultiplexor 13. Demultiplexor 13 forwards encrypted data to dual mode processor 12 through a data path 16. Dual mode processor 12 decrypts the data and returns the decrypted data to demultiplexor 13 through a data path 17.
In order to protect the integrity of the particular cryptographic scheme utilized, it is necessary to protect the cryptographic functions within dual mode processor 12 from access or alteration. For this purpose, dual mode processor 12 includes two operating modes. In a general mode, dual mode processor 12 performs instructions received from control channel processor 11. In a secure mode, dual mode processor 12 performs cryptographic functions in a secure environment, as discussed more fully below.
Figure 2 shows a simplified block diagram of dual mode processor 12 in accordance with a preferred embodiment of the present invention. Processing functions are performed by processing functions circuitry 21.
For example, processing functions circuitry 21 is a reduced instruction set computer (RISC) processor. Processing functions circuitry 21 interfaces with data channels 18 and 19 through bus input/output (I/O) interface circuitry 23. Processing functions circuitry 21 interfaces with data paths 16 and 17 through crypto input/output (I/O) interface circuitry 25.
A random access memory (RAM) 22 is utilized by processing functions circuitry 21, for example, for data storage and for high speed execution of small blocks of code. A read-only memory (ROM) 24 is used to contain secure primitives which are executed by processing functions circuitry 21 when dual mode processor 12 is in secure mode. An I/O hardware control circuit 26 is addressed by a secure mode exit routine in order to release I/O controls when dual mode processor 12 is transitioning from secure mode to general mode. Hardware control circuit 26 contains exit logic which ensures that dual mode processor 12 will execute a set sequence of commands that might not otherwise execute if dual mode processor 12 lost its step. The use of hardware control circuit 26 to transition between secure mode and general mode ensures that if dual mode processor 12 loses step, for example due to a power glitch or tampering, dual mode processor 12 will not prematurely or incompletely exit the secure mode. When a tampering or a glitch affects operation of dual mode processor 12 during the secure mode, hardware control circuit 26 will lock up dual mode processor 12 and require a reset before operation of dual mode processor 12 resumes.
Upon entry of the secure mode, hardware control circuit 26 disables input/output to dual mode processor 12. Upon exit of secure mode, hardware control circuit 26 enables input/output to dual mode processor 12.
In secure mode, all external access to processing functions circuitry 21 is disabled. While in secure mode, processing functions circuitry 21 executes only the secure primitives in ROM 24. In secure mode, processing functions circuitry 21 still has the ability to access external memory for data, but only as allowed by the secure primitives within ROM 24. Further, in the secure mode, dual mode processor 12 ignores all attempts to insert an illegal instruction.
Assurance logic 27 provides protection against physical and electrical tampering. Assurance logic is activated upon entering the secure mode.
Figure 3 shows a flowchart which illustrates initialization of dual mode processor 12. In a step 31, the system is reset. Upon reset, all input/output paths of dual mode processor 12 are disabled. In a step 32, dual mode processor 12 performs a self-test function to assure proper operation. The self-test routine executed is stored by ROM 24 as a secure routine. During execution of the self-test routine, assurance logic 27 is activated to prevent physical and electrical tampering with dual mode processor 12. If dual mode processor 12 passes the self-test function, in a step 33, the secure mode exit routine is executed. The secure mode exit routine cleans up or clears all registers. The secure mode exit routine then addresses hardware control circuit 26 in order to release I/O controls. In a step 34, the exit routine is exited and the program manager is called. In a step 35, the program manager manages execution of external program code executed by dual mode processor 12 when dual mode processor 12 is in general mode.
Figure 4 shows a flowchart which illustrates operation of the dual mode processor in the secure operating mode in accordance with the preferred embodiment of the present invention. Before step 41, dual mode processor 12 is in the general mode and the program manager manages execution of external programming code executed by dual mode processor 12. In a step 41, a special software or hardware interrupt (SWI) is asserted.
The special software/hardware interrupt directs dual mode processor 12 in order to cause dual mode processor 12 to enter the internal secure operating system. The special software/hardware interrupt includes an address which indicates a function stored within ROM 24 to be executed.
In a step 42, the secure operating system is entered. All input/output is disabled by I/O hardware control circuit 26. Assurance logic 27 is activated to protect dual mode processor 12 from physical or electrical tampering. In a step 43, the function within ROM 24 specified by the address within the special software/hardware interrupt is located by an internal pointer. In a step 44, the addressed function is executed. In a step 45, the secure mode exit routine is executed. The secure mode exit routine cleans up or clears all registers. The secure mode exit routine then instructs hardware control circuit 26 to release I/O controls. In a step 46, the exit routine is exited and the program manager is called. In a step 47, the program manager manages execution of external programming code executed by dual mode processor 12 when dual mode processor 12 is in general mode.
Figure 5 shows an example of contents within ROM 24. ROM 24 contains a secure mode entry routine 51. Secure mode entry routine 51 is the first routine executed when secure mode is entered or when dual mode processor 12 is reset. Secure mode entry routine 51 disables all I/O to dual mode processor 12 and uses internal pointers 52 to jump to secure functions 53. Each secure function in secure functions 53 is made up of one or more secure primitives. The particular secure functions stored within ROM 24 vary with the particular application to be implemented. For example, in the preferred embodiment, secure functions 53 include primitives used for cryptographic operations. After a secure function has been executed, the secure mode is exited using secure mode exit routine 54.
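The entry, dispatch, exit and reset paths described in the Summary and in Figures 3 to 5 (steps 31 to 35 and 41 to 47, ROM contents 51 to 54) can be made concrete as a small state machine. The following C model is an added example and is not the patent's circuit or VLSI's code. It treats the internal pointer table 52 as an array indexed by the interrupt argument, models hardware control circuit 26 as a three-command sequencer that locks the part when a command arrives out of order, and uses a fixed-key XOR as a stand-in for the cryptographic primitives. Every function, field and constant name is the example's own assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical C model of the dual mode processor, not VLSI's design. Numbers in
 * parentheses are the reference numerals of Figures 2 to 5. */
enum mode { MODE_GENERAL, MODE_SECURE, MODE_LOCKED };
enum exit_cmd { EXIT_CLEAR_REGS, EXIT_RELEASE_IO, EXIT_DONE }; /* order circuit 26 expects */
struct dmp {
    enum mode mode;
    bool io_enabled, assurance_active, selftest_ok;
    uint32_t regs[4];
    int pending_fn;        /* ROM function named by the last SWI */
    enum exit_cmd expect;  /* next command the exit logic will accept */
    int ignored;           /* external instructions dropped while secure */
};
typedef int (*secure_fn)(struct dmp *, uint8_t *, size_t);

/* Secure primitives in ROM (24). The fixed-key XOR stands in for a real cipher
 * (assumption); it only gives the self-test and the SWI path something to run. */
static int fn_cipher(struct dmp *p, uint8_t *buf, size_t len) {
    static const uint8_t key[4] = {0x5a, 0xa5, 0x3c, 0xc3};
    for (size_t i = 0; i < len; i++) buf[i] ^= key[i % 4];
    p->regs[0] = (uint32_t)len;           /* residue the exit routine must clear */
    return 0;
}
static int fn_selftest(struct dmp *p, uint8_t *buf, size_t len) {
    const uint8_t known[4] = {1, 2, 3, 4};
    uint8_t t[4];
    (void)buf; (void)len;
    memcpy(t, known, 4);
    fn_cipher(p, t, 4); fn_cipher(p, t, 4);    /* encrypt then decrypt must round-trip */
    p->selftest_ok = (memcmp(t, known, 4) == 0);
    return p->selftest_ok ? 0 : -1;
}
/* Internal pointer table (52): the SWI carries an index into it, never a raw address. */
enum { ROM_FN_SELFTEST = 0, ROM_FN_CIPHER = 1 };
static const secure_fn rom_pointers[] = { fn_selftest, fn_cipher };
#define ROM_FN_COUNT (sizeof rom_pointers / sizeof rom_pointers[0])

/* Hardware control circuit (26): exit commands are accepted only in the fixed order;
 * a command out of sequence (lost step, glitch) locks the part until reset. */
static int hw_exit_logic(struct dmp *p, enum exit_cmd cmd) {
    if (p->mode != MODE_SECURE || cmd != p->expect) {
        p->mode = MODE_LOCKED; p->io_enabled = false;
        return -1;
    }
    if (cmd == EXIT_RELEASE_IO) p->io_enabled = true;
    if (cmd == EXIT_DONE) { p->mode = MODE_GENERAL; p->assurance_active = false; }
    p->expect = (enum exit_cmd)(cmd + 1);
    return 0;
}
/* Secure mode exit routine (54): clear registers, then release I/O through circuit 26. */
static int exit_routine(struct dmp *p) {
    memset(p->regs, 0, sizeof p->regs);
    if (hw_exit_logic(p, EXIT_CLEAR_REGS) != 0) return -1;
    if (hw_exit_logic(p, EXIT_RELEASE_IO) != 0) return -1;
    return hw_exit_logic(p, EXIT_DONE);
}
/* Secure mode entry routine (51): disable I/O, arm assurance logic (27), note the function. */
static int enter_secure(struct dmp *p, int fn) {
    if (fn < 0 || (size_t)fn >= ROM_FN_COUNT) return -1;  /* names no ROM function: ignored */
    p->mode = MODE_SECURE; p->io_enabled = false; p->assurance_active = true;
    p->pending_fn = fn; p->expect = EXIT_CLEAR_REGS;
    return 0;
}
/* Steps 41-42: the special SWI is honoured only from general mode. */
int dmp_swi(struct dmp *p, int fn) { return p->mode == MODE_GENERAL ? enter_secure(p, fn) : -1; }
/* Steps 43-46: dispatch through the pointer table, then run the exit routine. */
int dmp_run_secure(struct dmp *p, uint8_t *buf, size_t len) {
    if (p->mode != MODE_SECURE) return -1;
    if (rom_pointers[p->pending_fn](p, buf, len) != 0) { p->mode = MODE_LOCKED; return -1; }
    return exit_routine(p);
}
/* An instruction arriving over the I/O bus from the control channel processor (11). */
int dmp_external_instr(struct dmp *p, int reg, uint32_t val) {
    if (p->mode != MODE_GENERAL || !p->io_enabled) { p->ignored++; return -1; }
    p->regs[reg & 3] = val;
    return 0;
}
/* A lost step: the exit sequence resumes at the wrong command (CLEAR_REGS skipped). */
int dmp_glitched_exit(struct dmp *p) { return hw_exit_logic(p, EXIT_RELEASE_IO); }
/* Figure 3: reset runs the ROM self-test with I/O disabled, then the exit routine. */
void dmp_reset(struct dmp *p) {
    memset(p, 0, sizeof *p);                /* mode 0 == MODE_GENERAL, I/O off */
    enter_secure(p, ROM_FN_SELFTEST);
    if (dmp_run_secure(p, NULL, 0) != 0) p->mode = MODE_LOCKED;
}

int main(void) {
    struct dmp p;
    uint8_t blk[4] = {'d', 'a', 't', 'a'};
    dmp_reset(&p);
    dmp_swi(&p, ROM_FN_CIPHER);
    printf("injected while secure: %d\n", dmp_external_instr(&p, 1, 1));  /* prints -1 */
    return dmp_run_secure(&p, blk, sizeof blk) == 0 && p.mode == MODE_GENERAL ? 0 : 1;
}
```

Two properties of the patent's design are visible in the return values rather than in anything printed: dmp_external_instr returns -1 and leaves the registers untouched while the mode is MODE_SECURE (claim 1, substep b.1), and dmp_glitched_exit leaves the model at MODE_LOCKED with I/O still disabled, so a skipped step in the exit sequence cannot produce a half-finished exit with I/O re-enabled but registers uncleared, which is the failure the text attributes to circuit 26 preventing.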
The foregoing discussion discloses and describes merely exemplary methods and embodiments of the present invention. As will be understood by those familiar with the art, the invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. Accordingly, the disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.
Claims

1. A computer implemented method for providing a secure mode within a processor, the method comprising the following steps:
(a) executing instructions provided by a source external to the processor, the instructions being supplied to the processor via input/output to the processor; and,
(b) upon receiving an interrupt specifying a secure function, performing the following substeps:
(b.1) disabling input/output to the processor, (b.2) performing the secure function specified by the interrupt, instructions for the secure function being stored in a read-only memory within the processor, and (b.3) upon completion of performing the secure function, executing an exit routine which enables input/output to the processor and allows resumption of execution of instructions provided by the source external to the processor, instructions for the exit routine being stored within the read-only memory.
2. A computer implemented method as in claim 1 wherein in substep (b.3), enabling input/output to the processor is performed by a hardware control circuit.
3. A computer implemented method as in claim 1 additionally comprising the following steps:
(c) upon the processor receiving a reset, performing the following steps:
(c.1) disabling input/output to the processor, (c.2) performing a self-test of the processor, instructions for the self test being stored in the read-only memory within the processor, and (c.3) upon successful completion of performing the self test function, executing the exit routine.
4. A computer implemented method as in claim 1, wherein substep (b.2) includes using an internal pointer identified by the interrupt, the internal pointer pointing to the secure function.
5. A computer implemented method as in claim 1 wherein substep (b.2) includes performing primitives which encrypt/decrypt a data stream.
6. A dual mode processor comprising: instruction execution means for executing instructions; input/output means for providing external instructions by a source external to the dual mode processor; and, read-only memory storing primitives for a secure operating system, the primitives including instructions which, when executed by the instruction execution means, perform the following functions: disable input/output to the dual mode processor, perform secure functions specified by interrupts to the dual mode processor, and upon completion of performing any of the secure functions, execute an exit routine which enables input/output to the dual mode processor and allows resumption of execution of instructions provided by the source external to the dual mode processor.
7. A dual mode processor as in claim 6 additionally comprising specialty circuitry which, when called by the exit routine, enables input/output to the dual mode processor and which is used when entering a secure mode to disable input/output to the dual mode processor.
8. A dual mode processor as in claim 7 additionally including assurance hardware which provides physical and electrical security to the dual mode processor when the dual mode processor is in the secure mode.
9. A dual mode processor as in claim 6 wherein the read-only memory additionally stores primitives which, when executed by the instruction execution means, perform the following functions in response to the dual mode processor receiving a reset: disable input/output to the dual mode processor, perform a self-test of the dual mode processor, and upon successful completion of performing the self test function, execute the exit routine.
10. A dual mode processor as in claim 6, wherein the read-only memory includes internal pointers which point to secure functions, the internal pointers being indicated by interrupts to the dual mode processor.
11. A dual mode processor as in claim 6 wherein the secure functions include primitives which encrypt/decrypt a data stream.
12. A system for performing a cryptographic function on data in a data stream, the system comprising: interception means for intercepting the data stream; and, a dual mode processor including, instruction execution means for executing instructions; input/output means for providing external instructions by a source external to the dual mode processor; read-only memory storing primitives for a secure operating system, the primitives including instructions which, when executed by the instruction execution means, perform the following functions: disable input/output to the dual mode processor, perform secure functions specified by interrupts to the dual mode processor, the secure functions including primitives which encrypt/decrypt the data in the data stream, and upon completion of performing any of the secure functions, execute an exit routine which enables input/output to the dual mode processor and allows resumption of execution of instructions provided by the source external to the dual mode processor.
13. A system as in claim 12, wherein the dual mode processor additionally includes specialty circuitry which, when called by the exit routine, enables input/output to the dual mode processor.
14. A system as in claim 12 wherein the read-only memory additionally stores primitives which, when executed by the instruction execution means, perform the following functions in response to the dual mode processor receiving a reset:
disable input/output to the dual mode processor, perform a self-test of the dual mode processor, and upon successful completion of performing the self test function, execute the exit routine.
15. A system as in claim 12, wherein the read-only memory includes internal pointers which point to secure functions, the internal pointers being indicated by interrupts to the dual mode processor.
16. A computer implemented system as claimed in claim 1, substantially as described herein with reference to the accompanying drawings.
17. A system as claimed in claim 12, substantially as described herein with reference to the accompanying drawings.

Priority Applications (3)

Application Number Priority Date Filing Date Title
GB9605120A GB2311152A (en) 1996-03-11 1996-03-11 Dual mode security architecture with protected internal operating system
DE19609865A DE19609865A1 (en) 1996-03-11 1996-03-13 Computer implementation of security mode within processor
FR9603303A FR2746199B1 (en) 1996-03-11 1996-03-15 DUAL FUNCTION SECURITY ARCHITECTURE WITH PROTECTED INTERNAL OPERATING SYSTEM

Publications (2)

Publication Number Publication Date
GB9605120D0 GB9605120D0 (en) 1996-05-08
GB2311152A true GB2311152A (en) 1997-09-17

Family

ID=27216024

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9605120A Withdrawn GB2311152A (en) 1996-03-11 1996-03-11 Dual mode security architecture with protected internal operating system

Country Status (3)

Country Link
DE (1) DE19609865A1 (en)
FR (1) FR2746199B1 (en)
GB (1) GB2311152A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7543293B2 (en) * 2000-12-04 2009-06-02 Microsoft Corporation Privelege level changing for virtual memory mapping

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2883998A1 (en) 2005-04-05 2006-10-06 St Microelectronics Sa Coprocessor`s control execution securing method for e.g. microcontroller, involves placing coprocessor in default error mode from commencement of execution of control accomplished by coprocessor
FR2884000A1 (en) 2005-04-05 2006-10-06 St Microelectronics Sa Cryptographic coprocessor control execution monitoring method for integrated circuit, involves carrying error signal if abnormal flow of execution is detected and preventing access to register as long as signal is given with active value

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0175487A2 (en) * 1984-08-23 1986-03-26 Btg International Limited Software protection device
US5014191A (en) * 1988-05-02 1991-05-07 Padgaonkar Ajay J Security for digital signal processor program memory
EP0468535A2 (en) * 1990-07-27 1992-01-29 Nec Corporation Microcomputer having ROM data protection function

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5134700A (en) * 1987-09-18 1992-07-28 General Instrument Corporation Microcomputer with internal ram security during external program mode
US5251304A (en) * 1990-09-28 1993-10-05 Motorola, Inc. Integrated circuit microcontroller with on-chip memory and external bus interface and programmable mechanism for securing the contents of on-chip memory
WO1993010498A1 (en) * 1991-11-12 1993-05-27 Microchip Technology Inc. Security for on-chip microcontroller memory
FR2704956B1 (en) * 1993-05-06 1995-06-09 Schlumberger Ind Sa Microprocessor with secure memory.

Also Published As

Publication number Publication date
GB9605120D0 (en) 1996-05-08
FR2746199B1 (en) 1998-05-07
DE19609865A1 (en) 1997-09-18
FR2746199A1 (en) 1997-09-19

Similar Documents

Publication Publication Date Title
US5615263A (en) Dual purpose security architecture with protected internal operating system
EP1964316B1 (en) Secure system-on-chip
EP0583140B1 (en) System for seamless processing of encrypted and non-encrypted data and instructions
US7089419B2 (en) Control function with multiple security states for facilitating secure operation of an integrated system
US6957335B2 (en) Initializing, maintaining, updating and recovering secure operation within an integrated system employing a data access control function
US4634807A (en) Software protection device
US4603381A (en) Use of implant process for programming ROM type processor for encryption
DK1964016T3 (en) Secure System-on-Chip
US20020129245A1 (en) Apparatus for providing a secure processing environment
EP1840784B2 (en) Semiconductor memory device
US8656191B2 (en) Secure system-on-chip
US20170046280A1 (en) Data processing device and method for protecting a data processing device against attacks
GB2122777A (en) Software protection apparatus and method
EP1032869A1 (en) An apparatus for providing a secure processing environment
EP1305708B1 (en) Sequence numbering mechanism to ensure execution order integrity of inter-dependent smart card applications
CN101175268B (en) Method and device for controlling operation authority of communication terminal chip
GB2311152A (en) Dual mode security architecture with protected internal operating system
JPH09259104A (en) Dual-purpose maintenance architecture having protected internal operating system
CA2311392C (en) Method and apparatus for controlling access to confidential data
CA2638955C (en) Initializing, maintaining, updating and recovering secure operation within an integrated system employing a data access control function
JPH02311928A (en) Ciphering firmware system
KR20060075226A (en) System with external memory of storing encrypted instruction and data
MXPA00005081A (en) An apparatus for providing a secure processing environment

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)