CN101872297B - Microprocessor and method for limiting access - Google Patents
Microprocessor and method for limiting access Download PDFInfo
- Publication number
- CN101872297B CN101872297B CN 201010222294 CN201010222294A CN101872297B CN 101872297 B CN101872297 B CN 101872297B CN 201010222294 CN201010222294 CN 201010222294 CN 201010222294 A CN201010222294 A CN 201010222294A CN 101872297 B CN101872297 B CN 101872297B
- Authority
- CN
- China
- Prior art keywords
- mentioned
- microprocessor
- user
- password
- access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Storage Device Security (AREA)
- Microcomputers (AREA)
Abstract
A microprocessor is provided with a control cache for a manufacturer to limit access. A manufacturer identifier is arranged for identifying the manufacturer. A user can read the manufacturer identifier from the exterior of the microprocessor. A key is arranged inside the microprocessor and can not be seen from outside. Corresponding to an order of the user, an encrypting engine is arranged for decoding a password provided by the user through the key, so as to generate a decoding result. The order of the user indicates the microprocessor to access the control cache and the password provided by the user is specific to the microprocessor. When the decoding result contains the manufacturer identifier, an execution unit allows the order of the user to access the control cache, or refuses.
Description
Technical field
The present invention relates in the microprocessor the special module buffer (Model Specific Register, MSR), particularly relevant for the restricted access of user to the special module buffer.
Background technology
Processor has many internal control buffers, and it only can carry out access by microcode (microcode) usually.Be used as example with total line traffic control buffer, its may command, for example actions in detail such as definite bus protocol of the sequential on the processor bus (timing), desire use.When the system with processor was just in use tested and debugs, test man/adjustor wanted to carry out the control buffer that outside program is set (or reading) processor inside usually.For instance, test man/adjustor may want to attempt different sequential on processor bus.In addition, also want the internal buffer of these processors of access with a part usually as the manufacturing test program.
The x86 structure, for instance, its instruction set comprise read the special module buffer (read from MSR, RDMSR) instruct and write the special module buffer (write to MSR, WRMSR) instruction special module buffer (MSR) is read or writes.Test man/adjustor can see through the internal control buffer that RDMSR instruction and WRMSR instruct access x86 processor.Yet if use incorrect words, the action of some internal control buffer of access will cause incorrect, the slow or incomplete work of working of processor work.Moreover the action of some internal control buffer of access will cause the user not to be subjected to security mechanism protection, for example allows kernel mode (ring 0) to carry out access in user's attitude (ring 3).In addition, these control buffers may be revealed the processor deviser and want to possess proprietorial information.Therefore, the manufacturer of different x86 processors can not provide the address of some control special module buffer of any description or the file of function publicly.
Yet address or its existence of undocumented control special module buffer are easy to be found by the programmer that the programmer can openly use their discovery traditionally to others then.Moreover processor manufacturer may need the address and the associated description of control special module buffer are disclosed to the client, tests and debugged program for the client.Yet the secret of may cause controlling the special module buffer disclose for client's information can become well known, so anyone or any processor all can use these control special module buffers.
Carry out RDMSR/WRMSR instruct shielded special module buffer carried out access before, stricter method need be placed secret access key (access key) in buffer.If the value of access key is incorrect, then the RDMSR/WRMSR instruction can be failed (fail), and processor can not carry out read/write to specified special module buffer.In theory, the value of access key is that manufacturer from processor obtains.Unfortunately, after value that manufacturer provides the access key was to the client, the value of access key will be disclosed soon, and uncommitted other people just can use the access key that has been disclosed to come the control buffer is carried out access.
Summary of the invention
The invention provides a kind of microprocessor, the manufacturer with above-mentioned microprocessor can limit a control buffer of access.Above-mentioned microprocessor comprises: one makes identifier, identifies above-mentioned manufacturer in order to unique, and wherein a user can take out above-mentioned manufacturing identifier from the external read of above-mentioned microprocessor; One key is manufactured in the inside of above-mentioned microprocessor, and wherein above-mentioned key can't be seen by the outside of above-mentioned microprocessor and look; One crypto engine, be coupled to above-mentioned key, instruct corresponding to a user, in order to use above-mentioned key that the password that one user provides is decrypted, to produce a decrypted result, wherein above-mentioned user instructs the above-mentioned microprocessor of indication that above-mentioned control buffer is carried out access, and the password that wherein above-mentioned user provides is exclusive by above-mentioned microprocessor; And, one performance element, be coupled to above-mentioned manufacturing identifier and above-mentioned crypto engine, when comprising above-mentioned manufacturing identifier when above-mentioned decrypted result, allow above-mentioned user to instruct the above-mentioned control buffer of access, and when above-mentioned decrypted result does not comprise above-mentioned manufacturing identifier, refuse above-mentioned user and instruct the above-mentioned control buffer of access.
Moreover, the invention provides a kind of method that limits access, be applicable to a control buffer of a microprocessor.Said method comprises: user instruction is deciphered, and wherein above-mentioned user instructs the above-mentioned microprocessor of indication that above-mentioned control buffer is carried out access; Corresponding to above-mentioned decoding step, the password that uses a key that one user is provided is decrypted to produce a decrypted result, the password that wherein above-mentioned user provides is exclusive by above-mentioned microprocessor, and wherein above-mentioned key is to be manufactured in the inside of above-mentioned microprocessor and can't to be seen by the outside of above-mentioned microprocessor and look; And, when above-mentioned decrypted result does not comprise a manufacturing identifier, refuse above-mentioned user and instruct the above-mentioned control buffer of access, wherein above-mentioned manufacturing identifier is to identify above-mentioned manufacturer in order to unique, and a user can take out above-mentioned manufacturing identifier from the external read of above-mentioned microprocessor.Above-mentioned decoding step, above-mentioned decryption step and above-mentioned refusal step are all performed by above-mentioned microprocessor.
Moreover, the invention provides a kind of microprocessor, the manufacturer with above-mentioned microprocessor can limit a control buffer of access.Above-mentioned microprocessor comprises: one makes identifier, identifies above-mentioned manufacturer in order to unique, and wherein a user can take out above-mentioned manufacturing identifier from the external read of above-mentioned microprocessor; One key is manufactured in the inside of above-mentioned microprocessor, and wherein above-mentioned key can't be seen by the outside of above-mentioned microprocessor and look; One crypto engine, be coupled to above-mentioned key,, come above-mentioned manufacturing identifier is encrypted in order to use above-mentioned key corresponding to user instruction, to produce an encrypted result, wherein above-mentioned user instructs the above-mentioned microprocessor of indication that above-mentioned control buffer is carried out access; And, one performance element, be coupled to above-mentioned crypto engine, when meeting the password that a user provides when above-mentioned encrypted result, allow above-mentioned user to instruct the above-mentioned control buffer of access, and when above-mentioned encrypted result does not meet the password that above-mentioned user provides, refuse above-mentioned user and instruct the above-mentioned control buffer of access, the password that wherein above-mentioned user provides is exclusive by above-mentioned microprocessor.
Moreover, the invention provides a kind of method that limits access, be applicable to a control buffer of a microprocessor.Said method comprises: user instruction is deciphered, and wherein above-mentioned user instructs the above-mentioned microprocessor of indication that above-mentioned control buffer is carried out access; Corresponding to above-mentioned decoding step, using a key to make identifier to one encrypts, to produce an encrypted result, wherein above-mentioned key is to be manufactured in the inside of above-mentioned microprocessor and can't to be seen by the outside of above-mentioned microprocessor and look, wherein above-mentioned manufacturing identifier is to identify above-mentioned manufacturer in order to unique, and a user can read above-mentioned manufacturing identifier from the outside of above-mentioned microprocessor; And, when above-mentioned encrypted result be not inconsistent the unification user provide password the time, refuse above-mentioned user and instruct the above-mentioned control buffer of access, the password that wherein above-mentioned user provides is exclusive by above-mentioned microprocessor.Above-mentioned decoding step, above-mentioned encrypting step and above-mentioned refusal step are all performed by above-mentioned microprocessor.
In one embodiment, the password that provides of above-mentioned user comprises a particular value that is offered above-mentioned user by above-mentioned manufacturer.In one embodiment, the password that above-mentioned user provides by above-mentioned manufacturer by an identical cryptographic algorithm to above-mentioned manufacturing identifier encrypt produce, wherein above-mentioned identical cryptographic algorithm is used by above-mentioned crypto engine, so that the password that above-mentioned user is provided is decrypted.In one embodiment, above-mentioned crypto engine comprises an advanced encryption standard (AES) engine.In one embodiment, above-mentioned key is only known by the above-mentioned manufacturer of above-mentioned microprocessor.In one embodiment, above-mentioned key is only read by a microcode of above-mentioned microprocessor.
Description of drawings
Fig. 1 shows according to the described microprocessor of one embodiment of the invention;
Fig. 2 demonstration is described in the calcspar of the step 402 of Fig. 4 to step 406;
Fig. 3 demonstration is described in the calcspar of the step 408 of Fig. 4 to step 432;
Fig. 4 shows according to the described operational flowchart of one embodiment of the invention; And
Fig. 5 shows according to step 408 among the described Fig. 4 of another embodiment of the present invention to the calcspar of step 432.
[primary clustering symbol description]
100~microprocessor; 132~special module buffer;
134~manufacturing identifier; 136~key;
138~special module buffer password; 202~encryption function;
302~indication; 601~extraction logic unit;
602~translation logic unit; 603~transfer interpreter;
604~microcode ROM (read-only memory); 605~buffer;
606~address; 607~be written into;
608~carry out;
609,611,613,615~micro-order formation;
610~integer unit; 612~floating point unit;
614~MMX unit; 616~SSE unit;
617~Cryptographic unit; 618~store;
619~write back; 620~load bus;
621~idle signal; 622~memory bus
624~EFLAGS buffer; 625~X position;
626~interrupt logic unit; 627~micro-order;
628~MSR buffer; 629~E position;
630~FCR buffer; 631~D position;
632~performance element; And 633~bus.
Embodiment
For above and other objects of the present invention, feature and advantage can be become apparent, cited below particularlyly go out preferred embodiment, and conjunction with figs., be described in detail below.
Embodiment:
In order to address the above problem, embodiments of the invention provide by making each preparation implement have different access keys that access key method is provided.Therefore, even the access key of a par-ticular processor is disclosed, potential risks will be limited at this par-ticular processor.
With reference to figure 1, Fig. 1 shows according to the described microprocessor 100 of one embodiment of the invention.The microprocessor 100 of Fig. 1 comprises a plurality of special module buffers (MSR) 132, makes identifier 134, key 136 and special module buffer password 138, and it is all received by performance element 632.
The special module buffer 132 of part is protected by password, and the special module buffer 132 of another part then is not subjected to cryptoguard.In one embodiment, microcode ROM (read-only memory) (ROM) 604 is storing the inventory of password-protected special module buffer 132, wherein in order to judge whether to be limited access, promptly requires effective password, and microcode will consider when go to carry out the RDMSR/WRMSR instruction.In one embodiment, each special module buffer 132 has a kind of in following four kinds of cryptoguard types: (1) unprotect, and can use the rule of framework to read or write; (2) fetch protection (for example special module buffer 132 is used for reading the microcode of microprocessor 100); (3) write protection (for example internal control buffer of the sequential of control bus or agreement or the different qualities of control microprocessor 100 or province's electrical feature); And read and write protection (4).
In addition, also RDMSR instructs microcode ROM (read-only memory) 604 and the WRMSR instruction so that carry out in order to store microcode routine (routine), and it is agreeing can to check the effectively password of (valid) earlier before the shielded special module buffer 132 of (grant) access.At last, Cryptographic unit 617 also can use 136 pairs of special module buffers of key password 138 to be decrypted, so that judge whether make identifier 134 is comprised in the decrypted result.
To be used as input, it will be further described in step 408 and Fig. 3 of Fig. 4 to special module buffer password 138 by user's provide.Wherein, 138 persons of being to use are received from the manufacturer of microprocessor 100 for special module buffer password, and it will be further described in step 406 and Fig. 2 of Fig. 4.
Making identifier 134 is the sequence numbers that are manufactured in microprocessor hardware inside, and it is each microprocessor exclusive (unique).Because making identifier 134 is sequence number, therefore relatively makes identifier 134 and be foreseeable number (predictable number).In one embodiment, make the 50 item sign indicating numbers that identifier 134 is burned fuses at microprocessor 100.The user is considerable to look (visible) to making identifier 134.In one embodiment, the user can instruct to read and make identifier 134 through RDMSR.
With reference to figure 4, Fig. 4 shows according to the described process flow diagram of one embodiment of the invention.The step 402 of Fig. 4 also is described in the calcspar of Fig. 2 to step 406, and the step 408 of Fig. 4 also is described in the calcspar of Fig. 3 to step 432.Flow process starts from step 402.
In step 402, the user wants the special module buffer 132 of microprocessor 100 is carried out read/write, so the user can obtain the manufacturing identifier 134 of microprocessor 100.In one embodiment, the user can read the special module buffer 132 of the non-cryptoguard of framework in the microprocessor 100.Then, the user can get in touch with the manufacturer of microprocessor 100 and provide and make identifier 134, gives special module buffer password 138 to require manufacturer.Then, flow process enters step 404.
In step 404, manufacturer uses 136 pairs of keys to make identifier 134 and encrypts, so that use encryption function 202 to produce special module buffer password 138, as shown in Fig. 2.Concerning not knowing anyone of key 136, even if knowing under the situation of making identifier 134, even the cicada cryptographic algorithm, also just can not use right calculation method to calculate special module buffer password 138.Therefore, for special module buffer password 138, use 136 pairs of keys to make identifier 134 and encrypt the security that can provide very high.In one embodiment, key 136 is 128 and the special module buffer password 138 that produced also is 128, yet other embodiment can also be considered.Moreover, even someone has manufacturing identifier 134 that manufacturer provides and the special module buffer password 138 that is produced, also just can not use right calculation method to find out key 136.In one embodiment, the employed encryption function 202 of manufacturer is that (Advanced EncryptionStandard AES) encrypt, yet other embodiment's advanced encryption standard can also be considered.It should be noted that plaintext (plain text) input and ciphertext (cypher text) output in the advanced encryption standard encryption have the figure place of equal number.Therefore, in making the embodiment of figure place that figure place that identifier 134 comprised is less than special module buffer password 138, manufacturer is before carrying out the advanced encryption standard encryption to manufacturing identifier 134, can will make earlier identifier 134 be filled up to special module buffer password 138 and have identical figure place so that generation special module buffer password 138.In one embodiment, manufacturer uses the program that is written into to encrypt to produce special module buffer password 138 making identifier 134.This program can be executed in any system, and wherein this system comprises the processor that can carry out aforesaid cryptographic algorithm.Though unnecessary, this system also can comprise according to microprocessor 100 of the present invention, it comprises that Cryptographic unit 617 carries out above-mentioned cryptographic algorithm.Then, flow process enters step 406.
In step 406, manufacturer can be provided at the special module buffer password 138 that step 404 produces and give the user, for example via modes such as phone, Email, website, file transfer protocol (FTP) (FTP), paper mails.Then, flow process enters step 408.
In step 408, user's program can will be loaded in the buffer of microprocessor 100 in the special module buffer password 138 that step 406 received from manufacturer.In one embodiment, this buffer is that x86 data stream SIMD extends (streaming SIMD extensions, SSE) the XMM7 buffer in the programmed environment.In another embodiment, user's program can be loaded on special module buffer password 138 in the system storage, and the general purpose buffer of loading microprocessor 100, wherein this buffer has the pointer of the memory location of indication special storage module buffer password 138.Then, flow process enters step 412.
In step 412, user's program is carried out RDMSR instruction or WRMSR instruction, and it can be specified and desire the specific special module buffer 132 that is read or writes.Then, flow process enters step 414.
In step 414, processor is deciphered RDMSR instruction or WRMSR instruction, and shifts the microcode routine that is controlled to microcode ROM (read-only memory) 604 in Fig. 1.Microcode can determine whether this specific special module buffer 132 is present in the inventory of password-protected special module buffer.In one embodiment, the special module buffer of framework is not included in the inventory of password-protected special module buffer.In one embodiment; by blowing the inventory that fuse in the microprocessor can change password-protected special module buffer; U.S. patent application case the 12/391st as application on February 24th, 2009; No. 781 describe; the full text of patent application case referred to above is incorporated herein by reference hereby, and constitutes the part of instructions.Then, flow process enters step 416.
In step 416, if do not appeared in the inventory of password-protected special module buffer by RDMSR instruction or the specified special module buffer 132 of WRMSR instruction, then flow process enters step 432.Otherwise flow process enters step 418.
In step 418, microcode can extract special module buffer password 138 from buffer (or storer), and indication Cryptographic unit 617 uses 136 pairs of special module buffers of key password 138 to be decrypted.Then, flow process enters step 422.
In step 422, Cryptographic unit 617 uses 136 pairs of special module buffers of key password 138 to be decrypted, so that produce the special module buffer password of having deciphered, as shown in Fig. 3.In one embodiment, Cryptographic unit 617 is an advanced encryption standard engine (AES engine).Then, flow process enters step 424.
In step 424, the special module buffer password of having deciphered that integer unit 610 can will be produced in step 422 compares with making identifier 134, as shown in Fig. 3.In Fig. 3, integer unit 610 can produce effectively indication (valid indicator) 302, and whether it can indicate manufacturing identifier 134 to be comprised in the special module buffer password of having deciphered.As described previously, the special module buffer password of having deciphered and make identifier 134 and may have figure place inequality, thus the relevant bits (relevant bits) of the special module buffer password that only will decipher of integer unit 610 with make identifier 134 and compare.Then, flow process enters step 426.
In the judgement of step 426, if the special module buffer password of having deciphered coupling is made identifier 134, then flow process enters step 432.Otherwise flow process enters step 428.
In step 428, microprocessor 100 can be ended (abort) RDMSR/WRMSR instruction.In one embodiment, microprocessor 100 can produce the mistake of general protection.Then, flow process ends at step 428.
In step 432, processor can be carried out the desired RDMSR instruction of user's program or the WRMSR instruction flow ends at step 432.
In another embodiment, key concept may extend to independent special module buffer 132.That is, each special module buffer 132 can have its exclusive special module buffer password 138, rather than each microprocessor 100 has its distinctive special module buffer password 138.In one embodiment, the user not only provides the manufacturing identifier 134 of microprocessor 100 in step 402, the buffer quantity (it ties up in the RDMSR/WRMSR instruction and is loaded the buffer in ECX) that more provides the user to want to carry out the special module buffer 132 of access.Then, manufacturer can use the buffer quantity of special module buffer 132 to add to make the encryption of identifier 134 in carry out step 404.In step 424, integer unit 610 can will be made identifier 134 simultaneously and be compared by the buffer quantity of the specified special module buffer 132 of RDMSR/WRMSR instruction and the value of having deciphered.
In another embodiment, in order to judge the correctness of the special module buffer password 138 that the user provides, can revise the step 422 and 424 among Fig. 4, make in step 422,100 pairs of manufacturings of microprocessor identifier 134 is encrypted and is born results, rather than the special module buffer password 138 that the user provided is decrypted.In addition, in step 424,100 pairs of the microprocessors special module buffer password that the user provided 138 with compare by the result that the step of having revised 422 produced, rather than with the decrypted result of the special module buffer password 138 that the user provided with make identifier 134 and compare.This embodiment is described among Fig. 5.
In order to prevent that password-protected special module buffer is carried out wrong access, the manufacturer that embodiment described in the invention can advantageously provide microprocessor very strictly controls password-protected special module buffer in the microprocessor is carried out access.
Though the present invention discloses as above with preferred embodiment, so it is not in order to qualification the present invention, have in any affiliated technical field and know the knowledgeable usually, without departing from the spirit and scope of the present invention, when doing a little change and retouching.For example, software can enable function, manufacturing, modelling, emulation, description and/or the test of device and method as described in the present invention, and it can see through and use universal programming language (for example C, C++), comprise that hardware description language (HDL) or other the available program of Verilog, HDL, VHDL etc. realize.Above-mentioned software can be arranged in any known computer-usable medium, for example tape, semiconductor, disk, CD (as CD-ROM, DVD-ROM etc.), network, wired online, wireless or other communication medium.It is intracardiac that the embodiment of device and method of the present invention can be included in the semiconductor intellectual property core, microcontroller core (specializing) for example by HDL, and convert the hardware product of integrated circuit to.In addition, the described device and method of the embodiment of the invention can hardware and the combination of software specialize.Therefore, the present invention should not be defined in the embodiment that has disclosed, is as the criterion and should look the accompanying Claim book scope person of defining.Particularly, invention can be implemented in the micro processor, apparatus, it can be used in multi-purpose computer.At last, any those who are familiar with this art can without departing from the spirit and scope of the present invention, can do a little change and retouch to reach identical purpose of the present invention based on disclosed notion of the present invention and specific embodiment.
Claims (14)
1. microprocessor, the manufacturer with above-mentioned microprocessor can limit a control buffer of access, comprising:
One makes identifier, identifies above-mentioned manufacturer in order to unique, and wherein a user can take out above-mentioned manufacturing identifier from the external read of above-mentioned microprocessor;
One key is manufactured in the inside of above-mentioned microprocessor, and wherein above-mentioned key can't be seen by the outside of above-mentioned microprocessor and look;
One crypto engine, be coupled to above-mentioned key, instruct corresponding to a user, in order to use above-mentioned key that the password that one user provides is decrypted, to produce a decrypted result, wherein above-mentioned user instructs the above-mentioned microprocessor of indication that above-mentioned control buffer is carried out access, and the password that wherein above-mentioned user provides is exclusive by above-mentioned microprocessor; And
One performance element, be coupled to above-mentioned manufacturing identifier and above-mentioned crypto engine, when comprising above-mentioned manufacturing identifier when above-mentioned decrypted result, allow above-mentioned user to instruct the above-mentioned control buffer of access, and when above-mentioned decrypted result does not comprise above-mentioned manufacturing identifier, refuse above-mentioned user and instruct the above-mentioned control buffer of access.
2. microprocessor as claimed in claim 1, the password that wherein above-mentioned user provides comprises a particular value that is offered above-mentioned user by above-mentioned manufacturer, this be by above-mentioned manufacturer by an identical cryptographic algorithm to above-mentioned manufacturing identifier encrypt produce, wherein above-mentioned identical cryptographic algorithm is used by above-mentioned crypto engine, so that the password that above-mentioned user is provided is decrypted.
3. microprocessor as claimed in claim 1, wherein above-mentioned key is only known by the above-mentioned manufacturer of above-mentioned microprocessor, and above-mentioned key is only read by a microcode of above-mentioned microprocessor.
4. microprocessor as claimed in claim 1 more comprises:
A plurality of control buffers,
Wherein above-mentioned user instructs and specifies the specific control buffer to above-mentioned a plurality of control buffers to read,
The password that wherein above-mentioned user provides is above-mentioned microprocessor and instructs specified above-mentioned specific control buffer exclusive by above-mentioned user.
5. microprocessor as claimed in claim 1, the password that wherein above-mentioned user provides are above-mentioned microprocessors and instruct indication above-mentioned control buffer that above-mentioned microprocessor read or write exclusive by above-mentioned user.
6. microprocessor as claimed in claim 1 more comprises:
A plurality of fuses, above-mentioned manufacturing identifier optionally is blown in described a plurality of fuses.
7. a method that limits access is applicable to that of a microprocessor controls buffer, comprising:
One user instruction is deciphered, and wherein above-mentioned user instructs the above-mentioned microprocessor of indication that above-mentioned control buffer is carried out access;
Corresponding to above-mentioned decoding step, the password that uses a key that one user is provided is decrypted to produce a decrypted result, the password that wherein above-mentioned user provides is exclusive by above-mentioned microprocessor, and wherein above-mentioned key is to be manufactured in the inside of above-mentioned microprocessor and can't to be seen by the outside of above-mentioned microprocessor and look; And
When above-mentioned decrypted result does not comprise a manufacturing identifier, refuse above-mentioned user and instruct the above-mentioned control buffer of access, wherein above-mentioned manufacturing identifier is to identify above-mentioned manufacturer in order to unique, and a user can take out above-mentioned manufacturing identifier from the external read of above-mentioned microprocessor
Wherein above-mentioned decoding step, above-mentioned decryption step and above-mentioned refusal step all are performed by above-mentioned microprocessor.
8. the method for restriction access as claimed in claim 7, the password that wherein above-mentioned user provides comprises a particular value that is offered above-mentioned user by above-mentioned manufacturer, this be by above-mentioned manufacturer by an identical cryptographic algorithm to above-mentioned manufacturing identifier encrypt produce, wherein above-mentioned identical cryptographic algorithm is used by a crypto engine, so that the password that above-mentioned user is provided is decrypted.
9. the method for restriction access as claimed in claim 7, wherein above-mentioned key is only known by the above-mentioned manufacturer of above-mentioned microprocessor, and above-mentioned key is only read by a microcode of above-mentioned microprocessor.
10. the method for restriction access as claimed in claim 7, wherein above-mentioned microprocessor comprises a plurality of control buffers, wherein above-mentioned user instructs and specifies the specific control buffer to above-mentioned a plurality of control buffers to read, and the password that wherein above-mentioned user provides is above-mentioned microprocessor and instructs the above-mentioned specific control buffer of appointment exclusive by above-mentioned user.
11. the method for restriction access as claimed in claim 7, the password that wherein above-mentioned user provides instructs the indication above-mentioned control buffer that above-mentioned microprocessor read or write exclusive by above-mentioned microprocessor and by above-mentioned user.
12. the method for restriction access as claimed in claim 7, wherein above-mentioned manufacturing identifier are optionally to be blown in a plurality of fuses of above-mentioned microprocessor.
13. a microprocessor, the manufacturer with above-mentioned microprocessor can limit a control buffer of access, comprising:
One makes identifier, identifies above-mentioned manufacturer in order to unique, and wherein a user can take out above-mentioned manufacturing identifier from the external read of above-mentioned microprocessor;
One key is manufactured in the inside of above-mentioned microprocessor, and wherein above-mentioned key is can't be seen by the outside of above-mentioned microprocessor look;
One crypto engine, be coupled to above-mentioned key,, come above-mentioned manufacturing identifier is encrypted in order to use above-mentioned key corresponding to user instruction, to produce an encrypted result, wherein above-mentioned user instructs the above-mentioned microprocessor of indication that above-mentioned control buffer is carried out access; And
One performance element, be coupled to above-mentioned crypto engine, when meeting the password that a user provides when above-mentioned encrypted result, allow above-mentioned user to instruct the above-mentioned control buffer of access, and when above-mentioned encrypted result does not meet the password that above-mentioned user provides, refuse above-mentioned user and instruct the above-mentioned control buffer of access, the password that wherein above-mentioned user provides is exclusive by above-mentioned microprocessor.
14. a method that limits access is applicable to that of a microprocessor controls buffer, comprising:
One user instruction is deciphered, and wherein above-mentioned user instructs the above-mentioned microprocessor of indication that above-mentioned control buffer is carried out access;
Corresponding to above-mentioned decoding step, using a key to make identifier to one encrypts, to produce an encrypted result, wherein above-mentioned key is to be manufactured in the inside of above-mentioned microprocessor and can't to be seen by the outside of above-mentioned microprocessor and look, wherein above-mentioned manufacturing identifier is to identify above-mentioned manufacturer in order to unique, and a user can read above-mentioned manufacturing identifier from the outside of above-mentioned microprocessor; And
When above-mentioned encrypted result be not inconsistent the unification user provide password the time, refuse above-mentioned user and instruct the above-mentioned control buffer of access, the password that wherein above-mentioned user provides is exclusive by above-mentioned microprocessor,
Wherein above-mentioned decoding step, above-mentioned encrypting step and above-mentioned refusal step are all performed by above-mentioned microprocessor.
Applications Claiming Priority (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US23223609P | 2009-08-07 | 2009-08-07 | |
| US61/232,236 | 2009-08-07 | ||
| US12/781,087 | 2010-05-17 | ||
| US12/781,087 US8341419B2 (en) | 2008-09-09 | 2010-05-17 | Apparatus and method for limiting access to model specific registers in a microprocessor |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101872297A CN101872297A (en) | 2010-10-27 |
| CN101872297B true CN101872297B (en) | 2013-07-24 |
Family
ID=42997173
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 201010222294 Active CN101872297B (en) | 2009-08-07 | 2010-07-05 | Microprocessor and method for limiting access |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN101872297B (en) |
| TW (1) | TWI428824B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102301777B (en) * | 2011-05-27 | 2013-10-09 | 华为技术有限公司 | Method and device for controlling parameter configuration |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101118577A (en) * | 2006-08-04 | 2008-02-06 | 大唐移动通信设备有限公司 | Process and device for preventing fraudulent use of terminal software |
| CN101256613A (en) * | 2007-02-27 | 2008-09-03 | 富士通株式会社 | Secure processor system without need for manufacturer and user to know encryption information of each other |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7272832B2 (en) * | 2001-10-25 | 2007-09-18 | Hewlett-Packard Development Company, L.P. | Method of protecting user process data in a secure platform inaccessible to the operating system and other tasks on top of the secure platform |
| US8130959B2 (en) * | 2006-09-07 | 2012-03-06 | International Business Machines Corporation | Rekeying encryption for removable storage media |
-
2010
- 2010-07-05 CN CN 201010222294 patent/CN101872297B/en active Active
- 2010-07-06 TW TW99122115A patent/TWI428824B/en active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101118577A (en) * | 2006-08-04 | 2008-02-06 | 大唐移动通信设备有限公司 | Process and device for preventing fraudulent use of terminal software |
| CN101256613A (en) * | 2007-02-27 | 2008-09-03 | 富士通株式会社 | Secure processor system without need for manufacturer and user to know encryption information of each other |
Also Published As
| Publication number | Publication date |
|---|---|
| TWI428824B (en) | 2014-03-01 |
| TW201106260A (en) | 2011-02-16 |
| CN101872297A (en) | 2010-10-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11664994B2 (en) | Secure unlock systems for locked devices | |
| CN1655496B (en) | Apparatus and method for providing configurable cryptographic key size | |
| CN104202161B (en) | A kind of SoC crypto chips | |
| CN105027136B (en) | Safe key for integrated circuit derives and cryptologic | |
| CN100578473C (en) | Embedded system and method for increasing embedded system security | |
| CN110263087B (en) | Receipt storage method and node based on multi-dimensional information and with conditional restriction | |
| US20110055560A1 (en) | Conversion of cryptographic key protection | |
| US8316243B2 (en) | Apparatus and method for generating unpredictable processor-unique serial number for use as an encryption key | |
| CN101625674B (en) | Microprocessor having special module register and access protection method | |
| US8793785B2 (en) | Revokeable MSR password protection | |
| US8341419B2 (en) | Apparatus and method for limiting access to model specific registers in a microprocessor | |
| JP2005216027A (en) | Encryption device, encryption system therewith, decryption device and semiconductor system therewith | |
| CN101872297B (en) | Microprocessor and method for limiting access | |
| CN1661958B (en) | Microprocessor apparatus of block cryptographic functions and method | |
| Rekha et al. | Logically Locked I2C Protocol for Improved Security | |
| CN113158203B (en) | SOC chip, circuit and external data read-write method of SOC chip | |
| Kumar et al. | A novel holistic security framework for in-field firmware updates | |
| CN1658548B (en) | Microprocessor apparatus and method for configuring cryptographic engine data block | |
| TWI497344B (en) | Microprocessor and method for generating unpredictable key | |
| CN1684408B (en) | Microprocessor apparatus and method for providing configurable cryptographic block cipher round results | |
| Sisejkovic et al. | Processor Integrity Protection | |
| Johnston et al. | Finite State Models | |
| Tehranipoor et al. | Security Verification | |
| Xiao et al. | Advanced Encryption Standard algorithm applied research in medical reagent sales management | |
| Bronk et al. | Innovative smart cards operating system for electronic identification applications–implementation in the Common Criteria regime |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |