CN113260991A - Virtual flash memory - Google Patents


Info

Publication number: CN113260991A
Authority: CN (China)
Prior art keywords: flash, firmware, platform, virtual flash, virtual
Legal status: Pending
Application number: CN201980088546.8A
Other languages: Chinese (zh)
Inventors: J·范德格雷宁达尔, 王倩, K·韦斯佐莱克, 曾勇, 余洋洋
Current assignee: Intel Corp
Original assignee: Intel Corp
Application filed by Intel Corp
Publication of CN113260991A

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                            • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
                        • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
                            • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
                    • G06F21/60 Protecting data
                        • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Stored Programmes (AREA)

Abstract

Methods, apparatus, and at least one computer-readable medium for computing associated with provision of virtual flash (104) are provided herein. Provided is a virtual flash memory (104), the virtual flash memory (104) comprising circuitry (112) and firmware (114), the circuitry (112) and firmware (114) cooperating to facilitate access by one or more processor cores (102) of a computing platform to one or more platform firmware images from one or more flash memory devices (108) of the computing platform. The facilitating includes returning, in place of the flash memory devices, the one or more platform firmware images to the one or more processor cores (102) from one or more protected memory areas of the computing platform.

Description

Virtual flash memory
Background
In conventional computing systems, the firmware/BIOS image is typically stored in a flash memory device, where a main processor of the computer system retrieves the firmware/BIOS image from the flash memory device of the computer system. In emerging computing systems, it is desirable to enhance the security of firmware/BIOS images.
Drawings
Embodiments will be readily understood by the following detailed description in conjunction with the accompanying drawings. To facilitate this description, like reference numerals designate like structural elements. Embodiments are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings.
Fig. 1 shows an overview of the architecture of a computing platform, in accordance with various embodiments, in conjunction with the teachings of the present disclosure.
FIG. 2 illustrates an example circuit of a virtual flash memory in accordance with various embodiments.
FIG. 3 illustrates example virtual flash firmware, in accordance with various embodiments.
Fig. 4 illustrates an example virtual flash process, in accordance with various embodiments.
Fig. 5 illustrates an example virtual flash initialization process in accordance with various embodiments.
Fig. 6 illustrates an example virtual flash operation process, in accordance with various embodiments.
Fig. 7 illustrates an example computing device suitable for use to implement various aspects of the present disclosure, in accordance with various embodiments.
Fig. 8 illustrates a storage medium having executable instructions to implement aspects of the present disclosure, in accordance with various embodiments.
Detailed Description
To address the challenges/problems described in the background section, the present disclosure provides a virtual flash memory to a computing platform to facilitate a main processor of the computing platform to access the full platform firmware/BIOS image. At initialization, the virtual flash memory copies platform firmware/BIOS images from various flash memory devices of the computing platform and stores the platform firmware/BIOS images into a protected storage area of the computing platform. The main processor of the computing platform accesses the platform firmware/BIOS image via the virtual flash memory. In response to an attempted access by the host processor, the virtual flash memory instead returns the platform firmware/BIOS image of interest from the protected storage area.
As a result, the main processor of the computing platform is isolated from the platform firmware/BIOS image as needed. Furthermore, the present disclosure allows for a data center product to have a more secure firmware management architecture. It also provides out-of-band (OOB) access by a data center administrator to manage all firmware entities on the computing platform. These and other aspects of the disclosure will be further described with reference to the drawings.
In referring to the drawings, the same reference numbers may be used in different drawings to identify the same or similar elements. In the following description, for purposes of explanation and not limitation, specific details are set forth such as particular structures, architectures, interfaces, techniques, etc. in order to provide a thorough understanding of the various aspects of the various embodiments. However, it will be apparent to those skilled in the art having the benefit of the present disclosure that the various aspects of the various embodiments may be practiced in other examples that depart from these specific details. In certain instances, descriptions of well-known devices, circuits, and methods are omitted so as not to obscure the description of the various embodiments with unnecessary detail.
Various operations will be described as multiple discrete operations, in turn, in a manner that is most helpful in understanding the illustrative embodiments, but the order of description should not be construed to imply that these operations are necessarily order dependent. In particular, these operations may not be performed in the order of presentation.
The phrases "in various embodiments," "in some embodiments," and the like are used repeatedly. These phrases do not necessarily refer to the same embodiment, although they may. The terms "comprising," "having," and "including" are synonymous, unless the context dictates otherwise. The phrase "A and/or B" means (A), (B) or (A and B). The phrases "A/B" and "A or B" mean (A), (B) or (A and B), similar to the phrase "A and/or B". For the purposes of this disclosure, the phrase "at least one of A and B" means (A), (B), or (A and B). The description may use the phrases "in an embodiment," "in some embodiments," and/or "in various embodiments," which may each refer to one or more of the same or different embodiments. Furthermore, the terms "comprising," "including," "having," and the like, as used with respect to embodiments of the present disclosure, are synonymous.
Example embodiments may be described as a process which is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel, concurrently, or simultaneously. In addition, the order of the operations may be rearranged. A process may terminate when its operations are completed, but may also have additional steps not included in the figure(s). A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination may correspond to a return of the function to the calling function and/or the main function.
Example embodiments may be described in the general context of computer-executable instructions, such as program code, software modules, and/or functional processes executed by one or more of the aforementioned circuits. Program code, software modules, and/or functional processes may include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular data types. The program code, software modules and/or functional processes described herein may be implemented using existing hardware in existing communication networks. For example, the program code, software modules and/or functional processes discussed herein may be implemented using existing hardware at existing network elements or control nodes.
As used herein, the term "circuitry" refers to or includes, or is part of, a hardware component, such as an electronic circuit, a logic circuit, a processor (shared, dedicated, or group) and/or memory (shared, dedicated, or group), an Application Specific Integrated Circuit (ASIC), a Field Programmable Device (FPD) (e.g., an FPGA, a Programmable Logic Device (PLD), a complex PLD (CPLD), a high capacity PLD (HCPLD), a structured ASIC, or a programmable system on a chip (SoC)), a Digital Signal Processor (DSP), or the like, that is configured to provide the described functionality. In some embodiments, the circuitry may execute one or more software or firmware programs to provide at least some of the functionality.
As used herein, the term "processor circuit" may refer to or include a circuit capable of sequentially and automatically performing a sequence of arithmetic or logical operations; circuitry that records, stores and/or communicates digital data, or is part of such circuitry. The term "processor circuit" may refer to one or more application processors, one or more baseband processors, physical Central Processing Units (CPUs), single-core processors, dual-core processors, tri-core processors, quad-core processors, and/or any other device capable of executing or otherwise operating computer-executable instructions (e.g., program code, software modules, and/or functional processes). As used herein, the term "interface circuit" may refer to or include, or be part of, a circuit that provides for the exchange of information between two or more components or devices. The term "interface circuit" may refer to one or more hardware interfaces (e.g., a bus, an input/output (I/O) interface, a peripheral component interface, a network interface card, etc.).
As used herein, the term "computing platform" may describe any physical hardware device capable of sequentially and automatically performing a sequence of arithmetic or logical operations, equipped to record/store data on a machine-readable medium, and to transmit and receive data from one or more other devices in a communication network. A computing platform may be considered synonymous to (and may sometimes be referred to below as) a computer, computing device, or the like. The term "computer system" may include any type of interconnected electronic devices, computer devices, or components thereof. In addition, the terms "computer system" and/or "system" may refer to various components of computers that are communicatively coupled to each other. Furthermore, the terms "computer system" and/or "system" may refer to multiple computer devices and/or multiple computing systems communicatively coupled to each other and configured to share computing and/or networking resources. As used herein, the term "user equipment" or "UE" may refer to a device (e.g., a computer device) having radio communication capabilities and may describe a remote user of network resources in a communication network. The terms "user equipment" or "UE" may be considered synonymous to (and may sometimes be referred to below as) a client, handset (mobile), mobile device, mobile terminal, user terminal, mobile unit, mobile station, mobile user, subscriber, user, remote station, access agent, user agent, receiver, radio, reconfigurable mobile device, and the like.
Examples of "computer devices," "computer systems," "UEs," and the like may include cellular or smart phones, feature phones, tablet personal computers, wearable computing devices, autonomous sensors, laptop computers, desktop personal computers, video game consoles, digital media players, handheld messaging devices, personal data assistants, electronic book readers, augmented reality devices, server computer devices (e.g., standalone, rack-mounted, blade, etc.), cloud computing services/systems, network elements, in-vehicle infotainment (IVI) devices, in-car entertainment (ICE) devices, instrument clusters (ICs), head-up display (HUD) devices, on-board diagnostics (OBD) devices, dashtop mobile equipment (DME), mobile data terminals (MDTs), electronic engine management systems (EEMS), electronic/engine control units (ECUs), electronic/engine control modules (ECMs), embedded systems, microcontrollers, control modules, engine management systems (EMS), networked or "smart" appliances, machine type communication (MTC) devices, machine-to-machine (M2M) devices, internet of things (IoT) devices, and/or any other similar electronic device. Further, the term "vehicle-embedded computer device" may represent any computer device and/or computer system that is physically installed, built-in, or otherwise embedded in a vehicle.
Computing systems or platforms may employ a wide variety of devices coupled to a computer bus. A computer bus may include associated hardware components (wires, fibers, etc.) and software (including communication protocols). A Peripheral Component Interconnect (PCI) bus or PCI Express (PCIe, PCI-E) may be a computer bus based on a specification that provides mechanisms for system software or system drivers to perform various operations related to the configuration of devices coupled to the PCI bus or PCIe bus. Devices or components coupled to a computer bus may also be referred to as functions. PCIe can operate in consumer, server, and industrial applications as motherboard-level interconnects (linking motherboard-mounted peripherals), passive backplane interconnects, and as expansion card interfaces for add-in boards. PCIe devices communicate via logical connections (referred to as interconnects or links). A link is a point-to-point communication channel between two PCIe ports, allowing both of them to send and receive ordinary PCI requests, such as configuration, input/output (I/O), or memory read/write and interrupts. At the physical level, a link may be composed of one or more lanes. Low speed peripherals (e.g., 802.11 Wi-Fi cards) use a single-lane link, whereas graphics adapters typically use much wider and faster 16-lane links.
Referring now to fig. 1, shown therein is an overview of the architecture of a computing platform in accordance with various embodiments, in conjunction with the teachings of the present disclosure. As shown, computing platform 100 includes a processor core 102, virtual flash memory 104, Dynamic Random Access Memory (DRAM) 106, and flash memory device 108 of the present disclosure coupled to one another. Virtual flash 104 includes circuitry 112 and supplemental firmware 114. Circuitry 112 and supplemental firmware 114 cooperate to implement the functionality of virtual flash 104. Processor core 102 may be any of a number of processor cores known in the art, except that it uses virtual flash memory 104 to retrieve the firmware/BIOS image of interest. As previously described, virtual flash 104 facilitates access by processor core 102 to all platform firmware/BIOS images in all flash devices of a computing platform. In other words, virtual flash 104 appears as a flash device to processor core 102, abstracting the overall flash device of the computing platform for processor core 102. At initialization, virtual flash 104 copies the platform firmware/BIOS image from flash device 108 and stores the platform firmware/BIOS image into DRAM 106, which DRAM 106 is a protected storage area of computing platform 100 (or causes the copy and store operations to be performed, for example, by the services of an Operating System (OS)). In various embodiments, virtual flash firmware 114 controls and restricts access by processor core 102 to firmware/BIOS images stored in DRAM 106 in accordance with a predefined security configuration for those images. During operation, processor core 102 accesses the platform firmware/BIOS image of interest via virtual flash 104. Rather than fetching from flash device 108, virtual flash 104 returns the platform firmware/BIOS image of interest from DRAM 106 (the protected memory area) in response to the access attempted by processor core 102.
In various embodiments, processor core 102 may be part of a system on a chip (SoC) or a compute element of computing platform 100 (e.g., a Peripheral Controller Hub (PCH)). Hereinafter, processor core 102 may be referred to simply as core 102.
In various embodiments, virtual flash 104 is implemented as a combination of circuitry 112 supplemented with a set of virtual flash firmware 114, as previously described. In various embodiments, circuitry 112 is implemented as synchronization circuitry, including a frame buffer, command forwarding circuitry, command conversion circuitry, and a plurality of interface circuits. In various embodiments, the synchronization circuit is implemented with Register Transfer Logic (RTL) using a Field Programmable Gate Array (FPGA). In various embodiments, supplemental virtual flash firmware 114 includes initialization, decryption, and synchronization functions. In various embodiments, core 102 and virtual flash 104 communicate, inter alia, according to a Serial Peripheral Interface (SPI) protocol, where core 102 acts as an SPI master. These and other aspects will be further described with reference to fig. 2-4.
The DRAM 106 may be any dynamic random access memory known in the art, except that it is used as a protected storage area to store flash/BIOS images so that the virtual flash 104 can serve core 102. In various embodiments, DRAM 106 may be double data rate synchronous DRAM (DDRAM), Static Random Access Memory (SRAM), on-chip embedded memory, or any other low latency, high capacity memory capable of storing firmware/BIOS images. Similarly, the flash device 108 may be any of a number of flash devices known in the art, including but not limited to a Solid State Drive (SSD) storage device, an embedded multimedia controller (eMMC), and NAND, except that it is used to provide the flash/BIOS image that the virtual flash 104 copies and stores into the DRAM 106 to service the processor cores 102.
In various embodiments in which at least one of cores 102 is a processor core, processor core 102 and circuitry 112 of virtual flash 104 may be co-located in the same integrated circuit package (e.g., a system on a chip (SoC)). For example, circuitry 112 of virtual flash 104 is implemented using an FPGA of the SoC, and virtual flash firmware 114 is implemented (or executed) using a Hard Processor System (HPS) of the SoC. In various embodiments, the virtual flash 104 may be used as a virtual building block for a platform root of trust (PRoT). Additionally, before further describing the virtual flash memory 104, it should be noted that while the virtual flash memory 104 is shown coupled to the DRAM 106 and the flash device 108 without showing any intermediate elements for ease of understanding, in various embodiments the virtual flash memory 104 may be directly or indirectly coupled to the DRAM 106. For example, virtual flash memory 104 may be coupled to DRAM 106 via a DRAM controller of DRAM 106 of computing platform 100.
Referring now to FIG. 2, an example synchronization circuit for a virtual flash memory is shown, in accordance with various embodiments. As shown, an example synchronization circuit of a virtual flash memory 200, which may be part of the virtual flash memory 104 of FIG. 1, includes a frame buffer 212, a command forwarding circuit 214, a command translation circuit 216, a launch buffer 218, and a plurality of interface circuits 202-206 coupled to one another. In various embodiments, interface circuitry 202-206 includes core interface circuitry 202, firmware interface 204 and DRAM interface 206. Further, for the illustrated embodiment, the example circuitry of virtual flash memory 200 includes a plurality of registers 220 (also referred to as local registers).
As previously described, in various embodiments, the synchronization circuit of the virtual flash memory 200 is implemented in RTL using an FPGA. In various embodiments, elements 202-220 of virtual flash memory 200 are configured to support communication with an accessing core according to the SPI protocol, where the accessing core acts as SPI master to virtual flash memory 200. For these embodiments, elements 202-220 of virtual flash 200 cooperate to read and write data to external DRAM in accordance with the various SPI commands. For SPI read commands (received through firmware interface 204), virtual flash memory 200 reads the data from external DRAM (via DRAM interface 206) and returns it to, for example, a core (not shown) of the computing platform via core interface 202. These read transactions do not affect the processor core or the flash memory device. For an SPI write data command (received via firmware interface 204), virtual flash 200 writes the data to external DRAM (via DRAM interface 206) and updates local registers 220.
In various embodiments, virtual flash memory 200 uses the interrupt service of the computing platform to inform firmware 114 about the DRAM starting address and length of the write data. Virtual flash 200 may set a busy status to notify firmware 114 when an interrupt is triggered and clear the busy status when the processor core clears the interrupt. In various embodiments, virtual flash 200 holds data locally.
In various embodiments, core interface 202 is configured to interface with various cores (e.g., a host CPU, a PCH, a Network Interface Card (NIC), etc.), each at the clock rate of the corresponding core. The frame buffer 212 is configured to receive data/commands from the various cores via the core interface 202 at the clock rate of the cores and to buffer the received data/commands. In various SPI embodiments, the frame buffer 212 supports multiple modes of operation, including a single mode of operation and an extended single mode of operation, providing different numbers of data lines at the physical layer. In addition, the frame buffer 212 is configured to respond to both SPI register read and register write commands. In various embodiments, frame buffer 212 employs prefetching for SPI read commands. In addition, it is configured to add a dummy cycle to the prefetch for the SPI fast read command. In some embodiments, the frame buffer 212 prefetches in bulk requests of 512 bytes. In various embodiments, frame buffer 212 transitions from the SPI clock rate to the local clock rate via oversampling. Still further, the frame buffer 212 transitions to a bit width of 8 bits regardless of whether the input is 1, 2, or 4 bits wide.
The command forwarding circuit 214 coupled to the frame buffer 212 is configured to retrieve buffered data/commands at a local clock rate and to forward the retrieved data/commands at the local clock rate for selective translation, in particular to the command translation circuit 216.
In various embodiments, command translation circuitry 216 coupled to command forwarding circuitry 214 is configured to receive forwarded commands at a local clock rate, selectively translate the forwarded commands, and forward the translated commands to firmware 114 or a memory controller of the protected memory region at the local clock rate. In the former case, forwarding the translated or "as is" command to firmware 114 occurs through firmware interface 204, which firmware interface 204 is configured to interface with the firmware. In the latter case, forwarding the converted or "as is" command to the DRAM occurs through DRAM interface 206, which DRAM interface 206 is configured to interface with a memory controller, such as a protected memory area.
In various embodiments, command translation circuitry 216 ignores all SPI register read commands. All SPI PROGRAM/ERASE/Non-Volatile WRITE commands are forwarded "as is" to the processor core via the processor core interface 202. The SPI PROGRAM command is converted from an 8-bit format to 128 bits and forwarded to the DRAM through the DRAM interface 206. All SPI ERASE commands are converted to memory write commands and forwarded to DRAM through DRAM interface 206. The full SPI READ command is converted from an 8-bit format to 128 bits and forwarded to the DRAM through the DRAM interface 206.
In various embodiments, the transmit buffer 218 is configured to receive data/commands from the DRAM via the DRAM interface 206 at a local clock rate and to buffer the received data/commands. The transmit buffer 218 is further configured to output buffered data/commands for the core via the core interface 202 at the clock rate of the core. In various embodiments, it uses a first-in-first-out (FIFO) arrangement to accommodate pending requests from the memory controller of the external DRAM. In various embodiments, the transmit buffer 218 supports an input data width of 128 bits at the local clock rate and an output data width of 8 bits at the SPI clock rate. In various embodiments, transmit buffer 218 is implemented using Random Access Memory (RAM), with the SPI address byte used as the read address.
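The width conversions described for the frame buffer 212 (1-, 2- or 4-line SPI input folded to 8 bits), the command translation circuit 216 (8-bit to 128-bit toward DRAM) and the transmit buffer 218 (128-bit back to 8-bit, then out at the SPI width) are easiest to see as a small bit-packing model. The following is an added Python example written for this page, not code from the patent or from Intel; the SPI opcodes, the 3-byte addressing, the one dummy byte after a fast read and the 0xFF padding of a partial 128-bit word are assumptions taken from common SPI NOR conventions, and the sample inputs are constructed.

```python
# Constructed model of the virtual flash width conversions (added example, not the patent's RTL).
# Opcodes, 3-byte addressing and dummy-cycle counts are assumed from common SPI NOR parts.

SPI_READ = 0x03       # assumed: plain read, no dummy cycles after the address
SPI_FAST_READ = 0x0B  # assumed: fast read, one dummy byte (8 clocks) after the address
ERASED = 0xFF         # erased-flash fill used to pad a partial 128-bit word


def lanes_to_bytes(samples, width):
    """Frame buffer input side: fold per-clock samples of `width` data lines (1, 2 or 4)
    into 8-bit bytes, most significant bits first."""
    if width not in (1, 2, 4):
        raise ValueError("SPI data width must be 1, 2 or 4 lines")
    per_byte = 8 // width
    if len(samples) % per_byte:
        raise ValueError("sample stream does not end on a byte boundary")
    out = bytearray()
    for i in range(0, len(samples), per_byte):
        value = 0
        for s in samples[i:i + per_byte]:
            if s < 0 or s >> width:
                raise ValueError("sample exceeds the configured data width")
            value = (value << width) | s
        out.append(value)
    return bytes(out)


def bytes_to_lanes(data, width):
    """Transmit buffer output side: the inverse, emitting per-clock samples at the SPI width."""
    if width not in (1, 2, 4):
        raise ValueError("SPI data width must be 1, 2 or 4 lines")
    mask = (1 << width) - 1
    per_byte = 8 // width
    return [(b >> (k * width)) & mask for b in data for k in range(per_byte - 1, -1, -1)]


def widen_to_128(data):
    """Command translation toward DRAM: group the 8-bit stream into 16-byte (128-bit) words,
    padding a trailing partial word with the erased-flash value."""
    words = []
    for i in range(0, len(data), 16):
        chunk = bytes(data[i:i + 16])
        words.append(chunk + bytes([ERASED]) * (16 - len(chunk)))
    return words


def narrow_to_8(words):
    """DRAM side back to the transmit buffer: concatenate 128-bit words into the 8-bit stream."""
    if any(len(w) != 16 for w in words):
        raise ValueError("every word must be exactly 128 bits")
    return b"".join(words)


def decode_read_frame(frame):
    """Split a single-mode read frame into opcode, 24-bit address and the number of dummy
    bytes the prefetch must skip before data is valid (assumed 3-byte addressing)."""
    if len(frame) < 4:
        raise ValueError("frame too short for opcode and 3-byte address")
    opcode = frame[0]
    if opcode not in (SPI_READ, SPI_FAST_READ):
        raise ValueError(f"unsupported opcode {opcode:#04x}")
    addr = int.from_bytes(frame[1:4], "big")
    dummy = 1 if opcode == SPI_FAST_READ else 0
    return {"opcode": opcode, "addr": addr, "dummy_bytes": dummy, "data_offset": 4 + dummy}


if __name__ == "__main__":
    # Constructed quad-line capture of one byte, then a round trip through the DRAM word size.
    print(lanes_to_bytes([0xA, 0x5], 4).hex())                  # a5
    print([w.hex() for w in widen_to_128(b"\x01" * 17)])        # second word padded with ff
    print(decode_read_frame(bytes([SPI_FAST_READ, 0, 0x10, 0, 0])))
```

The width checks are the point a hardware reviewer looks for: a sample wider than the configured line count, a stream that does not end on a byte boundary, or a word that is not exactly 128 bits is rejected rather than silently truncated, which is the behaviour you want from a buffer sitting between an untrusted SPI master and protected memory.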
In various embodiments, firmware interface 204 is configured to notify firmware 114 with an interrupt in response to receipt of an SPI PROGRAM/ERASE/Non-Volatile WRITE command together with its address and length. In addition, the processor core interface 202 is configured to update the Non-Volatile preset from the processor core in response to receipt of the SPI Non-Volatile WRITE command. Further, firmware interface 204 is configured to update local registers 220 in response to receipt of the SPI WRITE command. Still further, the processor core interface 202 is configured to generate and transmit local virtual registers to the command forwarding circuit 214, as well as to receive ID/Parameter/Lock register information from the processor core.
In various embodiments, registers 220 are configured to store virtual flash configuration parameters and/or operation/translation information. In various embodiments, the registers 220 may include status and/or flag registers, similar to the register set exhibited by the flash device 108. These registers 220 are accessible by various cores via the core interface 202.
Referring now to FIG. 3, illustrated is an example virtual flash firmware, in accordance with various embodiments. As shown, virtual flash firmware 300, which may be virtual flash firmware 114 of FIG. 1, includes a set of virtual flash parameters 302, a decryption module 304, and a flash image synchronization module 306. The virtual flash parameter 302 is used to configure the virtual flash at initialization time, thereby setting the configuration of a particular instantiation of the virtual flash. In various embodiments, virtual flash parameter 302 configures virtual flash to support a particular SPI implementation. Examples of virtual flash parameters 302 may include, but are not limited to, a virtual flash ID, virtual flash parameters that support a read serial flash discovery parameters command, a non-volatile configuration, whether a firmware/BIOS image is encrypted, etc. In various embodiments, the virtual flash parameters also provide for secure configuration of the image, including access permissions of the cores, i.e., read-only, read-write, or not-allowed access. In various embodiments, virtual flash parameters 302 need to be initialized only once per power cycle.
For the illustrated embodiment, the virtual flash parameters 302 are retrieved by an initialization module 312 of a kernel 310 of an OS of the computing platform.
The initialization module 312, in turn, uses the virtual flash parameters 302 to configure the virtual flash 322, which virtual flash 322 may be the virtual flash 104 of FIG. 1 or the virtual flash 200 of FIG. 2. In an alternative embodiment, instead of setting initialization module 312 as part of kernel 310, initialization module 312 may be packaged along with virtual flash parameters 302, decryption module 304, and/or flash image synchronization module 306.
In various embodiments, platform firmware/BIOS images stored in various flash devices may be encrypted. For these embodiments, the decryption module 304 is configured to decrypt the flash/BIOS images as they are received at initialization, before storing them in protected storage of the computing platform. In various embodiments, the decryption module 304 may retrieve the encrypted firmware/BIOS image from the flash device 326 via a Memory Technology Device (MTD) driver 316 of the kernel 310. As previously described, in various embodiments, flash device 326 may be any non-volatile media accessible by the virtual flash firmware, e.g., SPI flash, eMMC, SSD, and NAND. In various embodiments, decryption module 304 may be configured to support decryption of multiple encryption protocols, including but not limited to Data Encryption Standard (DES), Advanced Encryption Standard (AES), International Data Encryption Algorithm (IDEA), message digest algorithm (MD5), Secure Hash Algorithm (SHA), and the like. In various embodiments, upon decryption, decryption module 304 provides the decrypted firmware/BIOS image to DRAM driver 314 of kernel 310 for writing the decrypted firmware/BIOS image into a protected storage area of the computing platform. In various embodiments, the protected memory area may be a DDRAM and the DRAM driver 314 may be a DDRAM driver.
In various embodiments, the flash image synchronization module 306 is configured to update the flash/BIOS image in the flash device, such as through virtual flash firmware, when the copy of the flash/BIOS image stored and maintained in the protected storage area has changed to ensure that a nominal copy of the flash/BIOS image stored in the flash device and an operational copy of the flash/BIOS image stored in the protected storage area provided to the processor core are in synchronization, i.e., remain the same.
In various embodiments, the flash image synchronization module 306 is configured to provide updates to the MTD driver 316 of the kernel 310, which in turn updates the flash/BIOS image in the flash device 326 accordingly. In various embodiments, the flash image synchronization module 306 performs the synchronization in response to the processor core receiving a trigger signal or an Application Programming Interface (API) notification of system shutdown. In response, the flash image synchronization module 306 synchronizes the pending data to the flash device and the non-volatile parameters to the back-end mass storage device via the MTD driver 316. Once the DC power of the computing platform is turned off, synchronization may be performed. In some embodiments, the synchronization API notification may be invoked by the BIOS/ME/OOB management (ME: manageability engine). In other embodiments, the synchronization signal may be provided by a motherboard of the computing platform.
Referring now to FIG. 4, an example virtual flash process is shown, in accordance with various embodiments. As shown, virtual flash process 400 includes operations performed at blocks 402 through 408. Process 400 may be performed by, for example, virtual flash 104 of FIG. 1. In other embodiments, process 400 may include more or fewer operations, or some of the operations may be performed in a different order.
Process 400 begins at block 402. At block 402, a virtual flash memory is initialized. The operation of initializing the virtual flash memory will be further described with reference to fig. 5.
Next, at block 404, upon initialization, the virtual flash memory continues to operate and service the processor core with respect to its needs for the firmware/BIOS image. The operation of the processor core with respect to its need for the firmware/BIOS image will be further described later with reference to fig. 6.
At block 406, a determination is made as to whether any of the firmware/BIOS images stored and maintained in the protected storage area have been updated. In various embodiments, this determination may be performed periodically in real-time. In other embodiments, the determination may be performed during a power down of the computing platform.
If the determination is performed periodically and the results of the determination indicate that none of the firmware/BIOS images stored and maintained in the protected storage area have changed, process 400 returns to block 404 and continues therefrom as previously described. In an alternative embodiment, where the determination is performed only when power is off, if the result of the determination indicates that none of the firmware/BIOS images stored and maintained in the protected storage area have changed, process 400 may continue to block 410 and power continues to be off.
However, if the result of the determination indicates that at least one of the firmware/BIOS images stored and maintained in the protected storage area has changed, the process 400 continues to block 408 and the updated firmware/BIOS image is saved from the protected storage area to the flash device. The process 400 continues to block 410 and continues to power down while the updated firmware/BIOS image is saved from the protected storage area to the flash device.
Referring now to FIG. 5, an example virtual flash initialization process is shown, in accordance with various embodiments. As shown, the virtual flash initialization process 500 includes operations performed at blocks 502 through 508. Process 500 may be performed by, for example, initialization module 312 of virtual flash 104 of FIG. 1 and/or kernel 310 of FIG. 3. In other embodiments, process 500 may include more or fewer operations, or some of the operations may be performed in a different order.
The process 500 begins at block 502. At block 502, a set of virtual flash parameters is received. Next, at block 504, the virtual flash is configured to operate in accordance with the received virtual flash parameters.
Next, at block 506, firmware/BIOS images are retrieved from various flash memory devices of the computing platform.
At block 508, the retrieved firmware/BIOS image is decrypted (if necessary) and then stored in a protected storage area of the computing platform.
Referring now to FIG. 6, an example virtual flash operation process is shown, in accordance with various embodiments. As shown, the virtual flash operation process 600 includes operations performed at blocks 602 and 604. Process 600 may be performed by, for example, virtual flash 104 of fig. 1. In other embodiments, process 600 may include more or fewer operations, or some of the operations may be performed in a different order.
Process 600 begins at block 602. At block 602, a request for a firmware/BIOS image of interest of a processor core is received. The request may be received in accordance with the SPI protocol, with the processor core acting as an SPI master to the virtual flash.
Next, at block 604, the request is serviced, wherein the firmware/BIOS image of interest is instead retrieved from a protected storage area of the computing platform (as opposed to from a flash memory device) and returned to the processor core.
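The initialization, service, and synchronization steps of FIGS. 4 through 6 as an added Python model; this is not code from the patent or Intel's firmware. The opcodes are the standard SPI NOR opcodes, but the frame layout after the opcode, the encoding of the virtual flash parameters, and the per-core permission check are assumptions of the model; decryption (module 304) is left out, and the flash device is a constructed stand-in.

```python
from dataclasses import dataclass
from enum import Enum
import hashlib

# Standard JEDEC SPI NOR opcodes; the frame layout after the opcode is a
# convention of this model (a real master clocks bytes until CS# rises).
CMD_PAGE_PROGRAM = 0x02  # opcode, 24-bit address, data bytes
CMD_READ = 0x03          # opcode, 24-bit address, 16-bit length (model)
CMD_READ_SFDP = 0x5A     # opcode, 24-bit address, dummy byte, 16-bit length
CMD_RDID = 0x9F          # opcode only; answered with the virtual flash ID


class Access(Enum):
    # Per-core access permission carried in the virtual flash parameters.
    NOT_ALLOWED = 0
    READ_ONLY = 1
    READ_WRITE = 2


@dataclass
class VirtualFlashParams:
    """Hypothetical encoding of the virtual flash parameters 302."""
    flash_id: bytes          # answered to RDID
    sfdp_table: bytes        # answered to read-SFDP
    core_access: dict        # core id -> Access; absent cores are NOT_ALLOWED
    image_encrypted: bool = False  # decryption module 304 is not modelled


class FlashDevice:
    """Constructed stand-in for flash device 326 behind the MTD driver."""
    def __init__(self, image: bytes):
        self.image = bytes(image)
        self.write_count = 0  # rewrites of the nominal copy

    def write_image(self, data: bytes) -> None:
        self.image = bytes(data)
        self.write_count += 1


class VirtualFlash:
    def __init__(self, params: VirtualFlashParams, device: FlashDevice):
        if params.image_encrypted:
            raise NotImplementedError("decryption is outside this model")
        self.params, self.device = params, device
        # FIG. 5 blocks 506/508: copy the nominal image into protected storage
        # and keep its digest so block 406 can detect changes later.
        self.protected = bytearray(device.image)
        self.nominal_digest = hashlib.sha256(self.protected).digest()

    def _check(self, core: int, want_write: bool) -> None:
        access = self.params.core_access.get(core, Access.NOT_ALLOWED)
        if access is Access.NOT_ALLOWED:
            raise PermissionError(f"core {core}: access not allowed")
        if want_write and access is not Access.READ_WRITE:
            raise PermissionError(f"core {core}: image is read-only")

    def service(self, core: int, frame: bytes) -> bytes:
        """FIG. 6: answer one SPI frame from a core out of the protected copy."""
        if not frame:
            raise ValueError("empty SPI frame")
        opcode = frame[0]
        self._check(core, want_write=(opcode == CMD_PAGE_PROGRAM))
        if opcode == CMD_RDID:
            return self.params.flash_id
        addr = int.from_bytes(frame[1:4], "big")
        if opcode in (CMD_READ, CMD_READ_SFDP):
            src = self.protected if opcode == CMD_READ else self.params.sfdp_table
            body = frame[4:] if opcode == CMD_READ else frame[5:]  # skip SFDP dummy
            length = int.from_bytes(body[:2], "big")
            if addr + length > len(src):
                raise ValueError("read beyond end of image")
            return bytes(src[addr:addr + length])
        if opcode == CMD_PAGE_PROGRAM:
            data = frame[4:]
            if addr + len(data) > len(self.protected):
                raise ValueError("program beyond end of image")
            self.protected[addr:addr + len(data)] = data  # DRAM copy only
            return b""
        raise ValueError(f"unsupported opcode 0x{opcode:02x}")

    def image_changed(self) -> bool:
        """FIG. 4 block 406: does the operational copy differ from the nominal one?"""
        return hashlib.sha256(self.protected).digest() != self.nominal_digest

    def on_shutdown(self) -> bool:
        """FIG. 4 blocks 406/408: write back only a changed image; True if written."""
        if not self.image_changed():
            return False
        self.device.write_image(bytes(self.protected))
        self.nominal_digest = hashlib.sha256(self.protected).digest()
        return True


def read_frame(addr: int, length: int) -> bytes:
    return bytes([CMD_READ]) + addr.to_bytes(3, "big") + length.to_bytes(2, "big")


def build_demo():
    # Constructed platform: 4 KiB image; core 0 read-write, core 1 read-only.
    params = VirtualFlashParams(
        flash_id=b"\x01\x02\x03",        # constructed ID, not a real device's
        sfdp_table=b"SFDP" + bytes(12),  # constructed 16-byte table
        core_access={0: Access.READ_WRITE, 1: Access.READ_ONLY},
    )
    device = FlashDevice(bytes(range(256)) * 16)
    return VirtualFlash(params, device), device
```

A program from a read-write core changes only the protected copy; the nominal copy in the stand-in device is rewritten once, at shutdown, and only when the digest check of block 406 reports a change.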
FIG. 7 illustrates an example computing device suitable for use to implement various programming aspects of the present disclosure, in accordance with various embodiments. As shown, the device 700 may include one or more processors 702 and a virtual flash memory 703. Each processor 702 may include one or more processor cores. Processor 702 may also include one or more hardware accelerators (not shown), which may be ASICs or FPGAs. Virtual flash memory 703 may be virtual flash memory 104 of FIG. 1, having the circuitry and supplemental firmware previously described with reference to FIGS. 2-6. In various embodiments, processor 702 and virtual flash memory 703 may be integrated together on an SoC, with the circuitry of virtual flash memory 703 implemented with an FPGA of the SoC and the virtual flash firmware implemented with (executed by) an HPS of the SoC.
Additionally, computing device 700 may include: a memory and storage controller 704, the memory and storage controller 704 may be any of a number of known non-persistent storage media and storage controllers; and a plurality of flash devices 708, including firmware/BIOS images 709. The Flash memory device 708 may be any non-volatile storage device, such as eMMC, SSD, NAND, Flash, etc.
Additionally, computing device 700 may include an I/O interface 718 coupled to one or more sensors 714 and a display screen 713. The I/O interface 718 may include a transmitter 723 and a receiver 717. Further, the computing device 700 may include a communication circuit 705, the communication circuit 705 including a transceiver (Tx) 711 and a Network Interface Controller (NIC) 712. The elements may be coupled to each other via a system bus 706, which system bus 706 may represent one or more buses, such as one or more PCIe buses. In the case of multiple buses, they may be bridged by one or more bus bridges (not shown).
In various embodiments, processor(s) 702, memory and storage controller 704, I/O interface 718, communication circuitry 705, and/or system bus 706 may be collectively disposed on a Printed Circuit Board (PCB), which may be referred to as a motherboard or main board.
In an embodiment, the processor(s) 702 (also referred to as "processor circuits 702") may be one or more processing elements configured to perform basic arithmetic, logical, and input/output operations by executing instructions. The processor circuit 702 may be implemented as a stand-alone system/device/package or as part of an existing system/device/package. The processor circuit 702 may be one or more microprocessors, one or more single-core processors, one or more multi-threaded processors, one or more GPUs, one or more ultra-low voltage processors, one or more embedded processors, one or more DSPs, one or more FPDs (hardware accelerators) (e.g., FPGAs, structured ASICs, programmable SoCs (PSoCs), etc.), and/or other processors or processing/control circuits. The processor circuit 702 may be part of a SoC, where the processor circuit 702 and other components discussed herein are formed as a single IC or a single package. As an example, the processor circuit 702 may include: one or more Intel Pentium, Core, Xeon, Atom, or Core M processors; Advanced Micro Devices (AMD) Accelerated Processing Unit (APU), Epyc, or Ryzen processors; Apple Inc. A series, S series, W series, etc. processor(s); Qualcomm Snapdragon processor(s); Samsung Exynos processor(s); and the like.
In an embodiment, the processor circuit 702 may include a sensor hub that may act as a co-processor by processing data derived from one or more sensors 714. The sensor hub may include circuitry configured to integrate data derived from each of the one or more sensors 714 by performing arithmetic, logical, and input/output operations. In embodiments, the sensor hub may be capable of time stamping the resulting sensor data, providing sensor data to the processor circuit 702 in response to queries for such data, buffering the sensor data, continuously streaming the sensor data (including a separate stream for each of the one or more sensors 714) to the processor circuit 702, reporting the sensor data based on predefined thresholds or conditions/triggers, and/or other similar data processing functions.
In an embodiment, the memory 704 (also referred to as "memory circuitry 704," etc.) may be circuitry configured to store data or logic for operating the computing device 700. Memory circuit 704 may include multiple memory devices that may be used to provide a given amount of system memory. By way of example, memory circuitry 704 may be of any suitable type, number and/or combination of: volatile memory devices (e.g., Random Access Memory (RAM), dynamic RAM (DRAM), static RAM (SRAM), etc.) and/or nonvolatile memory devices (e.g., Read Only Memory (ROM), Erasable Programmable Read Only Memory (EPROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory, antifuses, etc.), which may be configured in any suitable implementation as is known. In various implementations, the separate memory devices may be formed from any number of different package types (e.g., Single Die Package (SDP), Dual Die Package (DDP), or Quad Die Package), dual in-line memory modules (DIMMs) (e.g., microDIMMs or MiniDIMMs), and/or any other similar memory devices. To provide persistent storage of information (e.g., data, applications, operating systems, etc.), the memory circuitry 704 may include: one or more mass storage devices, such as Solid State Disk Drives (SSDDs); flash memory cards such as SD cards, microSD cards, xD picture cards, etc. and USB flash drives; on-die memory or registers associated with processor circuit 702 (e.g., in a low power implementation); a micro Hard Disk Drive (HDD); three-dimensional cross point (3D XPoint) memories from Intel and Micron, and the like.
Where FPDs are used, the processor circuit 702 and memory circuit 704 (and/or flash memory 708) may include logic blocks or structures, memory cells, input/output (I/O) blocks, and other interconnect resources that may be programmed to perform the various functions of the example embodiments discussed herein. The memory unit may be used to store data in a look-up table (LUT) used by the processor circuit 702 to implement various logic functions. The memory cells may include any combination of various levels of memory/storage, including but not limited to EPROM, EEPROM, flash memory, SRAM, antifuse, and the like.
In an embodiment, flash memory 708 (also referred to as "flash device or flash circuitry 708," etc.) with a shared or corresponding controller may provide persistent storage of information (e.g., firmware/BIOS images 709, operating systems, etc.). The flash memory circuit 708 may be implemented as: a Solid State Drive (SSD); a Solid State Disk Drive (SSDD); a Serial AT Attachment (SATA) storage device (e.g., a SATA SSD); a flash memory drive; flash memory cards such as SD cards, microSD cards, xD picture cards, etc. and USB flash drives; a three-dimensional cross-point (3D XPoint) memory device; on-die memory or registers associated with the processor circuit 702; a Hard Disk Drive (HDD); a micro HDD; a resistance change memory; a phase change memory; a holographic memory; or a chemical memory; among others. As shown, flash memory circuit 708 is included in computer device 700; in other embodiments, however, flash memory circuit 708 may be implemented as one or more devices separate from the other elements of computer device 700.
In some embodiments, flash circuitry 708 may further include an Operating System (OS) (not shown), which may be a general-purpose operating system or an operating system that is specifically written and designed for computer device 700. The OS may include one or more drivers, repositories, and/or Application Programming Interfaces (APIs) that provide program code and/or software components, and/or control system configurations to control and/or obtain/process data from one or more sensors 714.
The firmware/BIOS image 709 may be software modules/components that may be used to perform various basic functions/services of the computing device 700 and/or to perform the functions of the example embodiments discussed herein. In embodiments in which processor circuit 702 and memory circuit 704 comprise hardware accelerators (e.g., FPGA units, hardware accelerator 703), and processor cores, the hardware accelerators (e.g., FPGA units) may be preconfigured (e.g., with appropriate bit streams, logic blocks/structures, etc.) with logic (instead of employing programming instructions to be executed by the processor core (s)) to perform some of the functions of the embodiments herein.
The components of the computing device 700 may communicate with each other over a system bus 706. The system bus 706 may include any number of technologies such as: a Local Interconnect Network (LIN); Industry Standard Architecture (ISA); Extended ISA (EISA); PCI; PCI extended (PCIx); PCI express (PCIe); an Inter-Integrated Circuit (I2C) bus; a parallel small computer system interface (SPI) bus; a Common Application Programming Interface (CAPI); a point-to-point interface; a power bus; proprietary buses, such as Intel Ultra Path Interconnect (UPI), Intel Accelerator Link (IAL), or some other proprietary bus used in SoC-based interfaces; or any number of other technologies. In some embodiments, the bus 706 may be a Controller Area Network (CAN) bus system, a Time Triggered Protocol (TTP) system, or a FlexRay system that may allow various devices (e.g., one or more sensors 714, etc.) to communicate with each other using messages or frames.
The communication circuitry 705 may include circuitry for communicating with a wireless network or a wired network. For example, the communication circuit 705 may include a transceiver (Tx) 711 and a Network Interface Controller (NIC) 712. The communication circuit 705 may include one or more processors (e.g., baseband processors, modems, etc.) that are dedicated to particular wireless communication protocols.
NIC 712 may be included to provide a wired communication link to a network and/or other devices. Wired communications may provide an ethernet connection, ethernet over USB, etc., or may be based on other types of networks, such as DeviceNet, ControlNet, Data Highway +, PROFIBUS, or PROFINET, among many others. Additional NICs 712 may be included to allow connection to a second network (not shown) or other devices, such as a first NIC 712 that provides communication to the network over ethernet, and a second NIC 712 that provides communication to other devices over another type of network, such as a Personal Area Network (PAN) including Personal Computer (PC) devices. In some embodiments, various components of computing device 700 (e.g., one or more sensors 714, etc.) may be connected to processor(s) 702 via NIC 712 as discussed above rather than via I/O circuitry 718 as discussed below.
The Tx 711 may include one or more radios to communicate wirelessly with the network and/or other devices. The Tx 711 may comprise a hardware device that uses modulated electromagnetic radiation through a solid state or non-solid state medium to enable communication with a wired network and/or other devices. Such hardware devices may include switches, filters, amplifiers, antenna elements, and so forth to facilitate over-the-air (OTA) communication by generating or otherwise generating radio waves to communicate data to one or more other devices, and converting received signals into useable information (e.g., digital data, which may be provided to one or more other components of computing device 700). In some embodiments, various components of the device 700 (e.g., the one or more sensors 714, etc.) may be connected to the computing device 700 via the Tx 711 as discussed above rather than via the I/O circuitry 718 as discussed below. In one example, the one or more sensors 714 may be coupled with the computing device 700 via a short-range communication protocol.
The Tx 711 may include one or more radios compatible with any number of 3GPP (Third Generation Partnership Project) specifications, particularly Long Term Evolution (LTE), Long Term Evolution-Advanced (LTE-A), Long Term Evolution-Advanced Pro (LTE-A Pro), and fifth generation (5G) New Radio (NR). It may be noted that radios compatible with any number of other fixed, mobile, or satellite communications technologies and standards may be selected. These may include, for example, any cellular wide area radio communication technology, which may include, for example, a 5G communication system, a Global System for Mobile Communications (GSM) radio communication technology, a General Packet Radio Service (GPRS) radio communication technology, or an Enhanced Data Rates for GSM Evolution (EDGE) radio communication technology. Other Third Generation Partnership Project (3GPP) radio communication technologies that may be used include UMTS (Universal Mobile Telecommunications System), FOMA (Freedom of Multimedia Access), 3GPP LTE (Long Term Evolution), 3GPP LTE-Advanced (Long Term Evolution-Advanced), 3GPP LTE-Advanced Pro (Long Term Evolution-Advanced Pro), CDMA2000 (Code Division Multiple Access 2000), CDPD (Cellular Digital Packet Data), Mobitex, 3G (Third Generation), CSD (Circuit Switched Data), HSCSD (High Speed Circuit Switched Data), UMTS (3G) (Universal Mobile Telecommunications System (Third Generation)), W-CDMA (UMTS) (Wideband Code Division Multiple Access (Universal Mobile Telecommunications System)), HSPA (High Speed Packet Access), HSDPA (High Speed Downlink Packet Access), HSUPA (High Speed Uplink Packet Access), HSPA+ (High Speed Packet Access Plus), UMTS-TDD (Universal Mobile Telecommunications System-Time Division Duplex), TD-CDMA (Time Division-Code Division Multiple Access), TD-SCDMA (Time Division-Synchronous Code Division Multiple Access), 3GPP Rel. 8 (Pre-4G) (Third Generation Partnership Project Release 8 (Pre-Fourth Generation)), 3GPP Rel. 9 (Third Generation Partnership Project Release 9), 3GPP Rel. 10 (Third Generation Partnership Project Release 10), 3GPP Rel. 11 (Third Generation Partnership Project Release 11), 3GPP Rel. 12 (Third Generation Partnership Project Release 12), 3GPP Rel. 13 (Third Generation Partnership Project Release 13), 3GPP Rel. 14 (Third Generation Partnership Project Release 14), 3GPP LTE Extra, LTE Licensed Assisted Access (LAA), UTRA (UMTS Terrestrial Radio Access), E-UTRA (Evolved UMTS Terrestrial Radio Access), LTE Advanced (4G) (Long Term Evolution Advanced (Fourth Generation)), cdmaOne (2G), CDMA2000 (3G) (Code Division Multiple Access 2000 (Third Generation)), EV-DO (Evolution-Data Optimized or Evolution-Data Only), AMPS (1G) (Advanced Mobile Phone System (First Generation)), TACS/ETACS (Total Access Communication System/Extended Total Access Communication System), D-AMPS (2G) (Digital AMPS (Second Generation)), PTT (Push-to-Talk), MTS (Mobile Telephone System), IMTS (Improved Mobile Telephone System), AMTS (Advanced Mobile Telephone System), OLT (Norwegian for Offentlig Landmobil Telefoni, Public Land Mobile Telephony), MTD (Swedish abbreviation for Mobiltelefonisystem D, or Mobile Telephony System D), Autotel/PALM (Public Automated Land Mobile), ARP (Finnish for Autoradiopuhelin, "car radio phone"), NMT (Nordic Mobile Telephony), Hicap (High Capacity version of NTT (Nippon Telegraph and Telephone)), CDPD (Cellular Digital Packet Data), Mobitex, DataTAC, iDEN (Integrated Digital Enhanced Network), PDC (Personal Digital Cellular), CSD (Circuit Switched Data), PHS (Personal Handy-phone System), WiDEN (Wideband Integrated Digital Enhanced Network), iBurst, Unlicensed Mobile Access (UMA, also referred to as the 3GPP Generic Access Network, or GAN standard), the Wireless Gigabit Alliance (WiGig) standard, millimeter-wave standards in general (wireless systems operating at 10-90 GHz and above, e.g., WiGig, IEEE 802.11ad, IEEE 802.11ay), and the like.
In addition to the standards listed above, any number of satellite uplink technologies may be used for the uplink transceiver, including, for example, radios conforming to standards promulgated by the ITU (international telecommunications union) or ETSI (european telecommunications standards institute), among others. Accordingly, the examples provided herein are understood to be applicable to a variety of other communication technologies, both existing and yet to be formulated. The implementations, components, and details of the foregoing protocols may be known in the art and are omitted herein for the sake of brevity.
Input/output (I/O) interface 718 may include circuitry, such as an external expansion bus (e.g., a Universal Serial Bus (USB), FireWire, Thunderbolt, PCI/PCIe/PCIx, etc.), for connecting computer device 700 with external components/devices (e.g., one or more sensors 714, etc.). The I/O interface circuitry 718 may include any suitable interface controllers and connectors to interconnect one or more of: processor circuitry 702, memory circuitry 704, flash memory circuitry 708, communication circuitry 705, and other components of the computing device 700. The I/O circuitry 718 may couple the computing device 700 via a wired connection (e.g., using USB, FireWire, Thunderbolt, RCA, Video Graphics Array (VGA), Digital Visual Interface (DVI), and/or mini-DVI, High Definition Multimedia Interface (HDMI), S-Video, etc.) with one or more sensors 714, etc.
The one or more sensors 714 may be any device configured to detect an event or environmental change, convert the detected event into an electrical signal and/or digital data, and transmit/send the signal/data to the computing device 700. Some of the one or more sensors 714 may be sensors for providing computer-generated sensing inputs. Some of the one or more sensors 714 may be sensors for motion and/or object detection. Examples of such one or more sensors 714 may include, among others, Charge Coupled Devices (CCDs), Complementary Metal Oxide Semiconductor (CMOS) Active Pixel Sensors (APSs), lens-less image capture devices/cameras, thermographic (infrared) cameras, light imaging detection and ranging (LIDAR) systems, and so forth. In some implementations, the one or more sensors 714 can include a lens-less image capture mechanism that includes an array of aperture elements, wherein light passing through the array of aperture elements defines pixels of an image. In an embodiment, the one or more motion detection sensors 714 may be coupled to or associated with a light generating device (e.g., one or more infrared projectors that project a grid of infrared light onto a scene), where the infrared camera device may record the reflected infrared light to calculate depth information.
Some of the one or more sensors 714 may be used for position and/or orientation detection, ambient/environmental condition detection, and the like. Examples of such one or more sensors 714 may include, inter alia, micro-electro-mechanical systems (MEMS) having piezoelectric, piezoresistive, and/or capacitive components that may be used to determine environmental conditions or positional information associated with the computer device 700. In embodiments, the MEMS may include a 3-axis accelerator, a 3-axis gyroscope, and/or a magnetometer. In some embodiments, the one or more sensors 714 may also include one or more gravitometers, altimeters, barometers, proximity sensors (e.g., infrared radiation detector(s), etc.), depth sensors, ambient light sensors, thermal sensors (thermometers), ultrasonic transceivers, and the like.
Each of these elements (e.g., one or more processors 702, virtual flash memory 703, memory 704, flash circuitry 708 including firmware/BIOS images 709, input/output interfaces 718, one or more sensors 714, communication circuitry 705 including Tx 711 and NIC 712, system bus 706) may perform its conventional functions known in the art. In addition, they can be used to store and host the execution of programming instructions that implement various operating system functions and/or applications. The various programming instructions may be implemented by assembler instructions supported by processor(s) 702 or high-level languages such as, for example, C, capable of being compiled into such instructions. Operations associated with the computing device 700 that are not implemented in software may be implemented in hardware, for example, via hardware accelerators of the processor 702.
The number, capabilities, and/or capacities of these elements may vary depending on the number of other devices the device 700 is configured to support. The composition of these elements, other than the teachings of the present disclosure, is otherwise known and, accordingly, will not be described further.
As noted, aspects of the present disclosure may take the form of a computer program product embodied in any tangible or non-transitory medium having a representation of computer-usable program code embodied in the medium. Fig. 8 illustrates an example computer-readable non-transitory storage medium that may be suitable for use to store instructions that, in response to execution of the instructions by a device, cause the device to implement selected aspects of the present disclosure. As shown, the non-transitory computer-readable storage medium 802 may include a plurality of programming instructions 804. Programming instructions 804 may be configured to enable a device (e.g., device 700) to perform various programming operations associated with, for example, operating system functions and/or applications in response to execution of the programming instructions. In various embodiments, programming instructions 804 may be instructions that configure firmware, such as virtual flash 703, to perform virtual flash operations as described herein.
In alternative embodiments, programming instructions 804 may instead be disposed on a plurality of computer-readable non-transitory storage media 802. In alternative embodiments, programming instructions 804 may be disposed on computer-readable transitory storage medium 802 (e.g., a signal). Any combination of one or more computer-usable or computer-readable media may be utilized. The computer-usable or computer-readable medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a transmission media such as those supporting the Internet or an intranet, or a magnetic storage device. Note that the computer-usable or computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory. In the context of this document, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The computer-usable medium may include a propagated data signal with the computer-usable program code embodied therewith, either in baseband or as part of a carrier wave. 
The computer usable program code may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc.
Computer program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
Accordingly, the example embodiments described include:
Example 1 is an apparatus for computing, comprising: virtual flash memory comprising circuitry and firmware that cooperate to facilitate access by one or more cores of a computing platform to one or more platform firmware images from one or more flash memory devices of the computing platform, wherein the facilitating comprises instead returning the one or more platform firmware images to the one or more cores from one or more protected storage areas of the computing platform.
Example 2 is example 1, wherein the circuitry comprises synchronous digital circuitry comprising: a frame buffer to receive commands from one of the one or more cores at the clock rate of that core and to buffer the received commands; and command forwarding circuitry coupled to the frame buffer to retrieve the buffered commands at a local clock rate and forward the retrieved commands for translation, and to selectively pass the translations to supplemental virtual flash firmware of the virtual flash memory or to a storage controller of the protected storage area at the local clock rate.
Example 3 is example 2, wherein the synchronous digital circuitry further comprises command translation circuitry coupled to the command forwarding circuitry to receive the forwarded commands at the local clock rate, translate the forwarded commands, and selectively forward the translations to the supplemental virtual flash firmware of the virtual flash memory or to the storage controller of the protected storage area at the local clock rate.
Example 4 is example 3, wherein the synchronous digital circuitry further comprises a virtual flash firmware interface coupled with the command forwarding circuitry and the command translation circuitry to interface with the supplemental virtual flash firmware of the virtual flash memory.
Example 5 is example 3, further comprising a storage interface coupled to the command translation circuitry to interface with the storage controller of the protected storage area at the local clock rate.
Example 6 is example 2, further comprising a core interface coupled with the frame buffer to selectively couple the virtual flash memory to the one or more cores at a clock rate of the corresponding core.
Example 7 is example 1, wherein the virtual flash memory further comprises a plurality of registers to store a plurality of operating parameters of the virtual flash memory.
Example 8 is example 1, wherein the circuitry is implemented using a Field Programmable Gate Array (FPGA).
Example 9 is example 8, wherein the apparatus is a system on a chip having one of the one or more cores and the FPGA coupled to each other.
Example 10 is example 1, wherein the firmware comprises an initialization module to load the one or more platform firmware images from the one or more flash devices into the protected storage area by retrieving the one or more platform firmware images and storing the one or more platform firmware images into the protected storage area.
Example 11 is example 10, wherein the one or more platform firmware images in the one or more flash devices are encrypted, and the firmware further comprises a decryption engine to recover the one or more platform firmware images from the encrypted one or more platform firmware images stored in the one or more flash devices before the one or more platform firmware images are stored in the protected storage area.
Example 12 is example 10, wherein the firmware comprises a synchronization engine to synchronize an encrypted version of the one or more platform firmware images stored in the one or more flash memory devices with the one or more platform firmware images stored in the protected storage area in response to the one or more platform firmware images stored in the protected storage area having been updated.
Example 13 is a computing method, comprising: retrieving, by a virtual flash memory, one or more platform firmware images from one or more flash devices of a computing platform; storing, by the virtual flash memory, the one or more retrieved platform firmware images in one or more protected storage areas of the computing platform, the one or more protected storage areas managed by supplemental virtual flash firmware of the virtual flash memory; receiving, by the virtual flash memory, an attempt by one or more cores of the computing platform to access the one or more platform firmware images from the one or more flash devices; and instead retrieving and returning, by the virtual flash memory, the one or more platform firmware images from the one or more protected storage areas managed by the supplemental virtual flash firmware of the virtual flash memory.
Example 14 is example 13, wherein the one or more platform firmware images in the one or more flash devices are encrypted, and the method further comprises decrypting, by the virtual flash memory, the one or more encrypted platform firmware images when retrieved from the one or more flash devices and prior to storing them in the one or more protected storage areas managed by the supplemental virtual flash firmware of the virtual flash memory.
Example 15 is example 13, further comprising synchronizing an encrypted version of the one or more platform firmware images stored in the one or more flash devices with the one or more platform firmware images stored in the one or more protected storage areas when the one or more platform firmware images stored in the one or more protected storage areas are updated.
Example 16 is at least one computer-readable medium (CRM) having instructions stored therein that, in response to execution of the instructions, cause a computing platform to: receive an attempt by one or more cores of the computing platform to access one or more platform firmware images from one or more flash devices, wherein a virtual flash memory has associated virtual flash firmware; and retrieve and return the one or more platform firmware images from a protected storage area of the computing platform using the virtual flash firmware, the virtual flash firmware having access control over the protected storage area of the computing platform.
Example 17 is example 16, wherein the computing platform is further caused to: pre-retrieve, by the virtual flash firmware, the one or more platform firmware images from one or more flash devices of the computing platform; and pre-store, by the virtual flash firmware, the one or more pre-retrieved platform firmware images in the protected storage area.
Example 18 is example 17, wherein the one or more platform firmware images in the one or more flash devices are encrypted, and the computing platform is further caused to: decrypt, using the virtual flash firmware, the one or more encrypted platform firmware images upon pre-retrieval and prior to pre-storing the one or more platform firmware images in the protected storage area.
Example 19 is example 17, wherein the computing platform is further caused to: synchronize the encrypted versions of the one or more platform firmware images stored in the one or more unprotected flash devices with the one or more platform firmware images stored in the protected storage area when the one or more platform firmware images stored in the protected storage area are updated by the virtual flash firmware.
Example 20 is a System On Chip (SOC), comprising: one or more processor cores; and a Field Programmable Gate Array (FPGA) coupled with the one or more processor cores and configured to operate as a virtual flash memory to facilitate access by the one or more cores, acting as one or more Serial Peripheral Interface (SPI) flash masters, to one or more basic input/output system (BIOS) images; wherein the FPGA operating as the virtual flash memory returns the one or more BIOS images from one or more protected storage areas co-located on the same computing platform as the SoC.
Example 21 is example 20, wherein the FPGA is configured to provide: a frame buffer to receive commands from one of the one or more cores acting as an SPI flash master, at the clock rate of that SPI master, and to buffer the received commands; and command forwarding circuitry coupled to the frame buffer to retrieve the buffered commands at a local clock rate and forward the retrieved commands for translation, and to selectively pass the translations, once translated, to the associated virtual flash firmware of the virtual flash memory or to the storage controller of the protected storage area.
Example 22 is example 21, wherein the FPGA is further configured to provide command translation circuitry coupled to the command forwarding circuitry to receive the forwarded commands at the local clock rate, translate the forwarded commands, and selectively forward the translations to the associated virtual flash firmware of the virtual flash memory or to the storage controller of the protected storage area.
Example 23 is example 22, wherein the FPGA is further configured to provide: a virtual flash firmware interface coupled to the command forwarding circuitry and the command translation circuitry to interface with the associated virtual flash firmware of the virtual flash memory; and a storage interface coupled to the command translation circuitry to interface with the storage controller of the protected storage area.
Example 24 is example 21, wherein the FPGA is further configured to provide a core interface coupled with the frame buffer to couple the FPGA to the accessing SPI master.
Example 25 is example 20, wherein the FPGA is further configured to provide a plurality of registers to store a plurality of operating parameters of the FPGA.
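The examples above describe a command path (Examples 2-3 and 21-22), an initialization step that decrypts images out of flash into protected storage (Examples 10-11 and 13-14), and a synchronization engine that writes updates back in encrypted form (Examples 12 and 15), but the patent text gives no concrete frame format or routing logic. The following C simulation is an added example written for this page; it is not code from the patent or from Intel. The frame layout (one opcode byte followed by a 24-bit address and optional data), the opcode set, the placeholder JEDEC id bytes, the function names, and the single-byte XOR standing in for the decryption engine are all assumptions; the XOR is not a cipher and exists only so that the at-rest copy in flash and the in-use copy in protected storage are distinguishable in a test.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simulation of a virtual flash: a core acting as SPI master sends a command
 * frame, the virtual flash classifies it, serves READs from the protected
 * storage area instead of the backing flash device, and pushes writes back to
 * the flash device in encrypted form. Names and layout are assumptions. */

#define IMG_SIZE 64u   /* constructed image size for the example */

enum spi_opcode { SPI_PP = 0x02, SPI_READ = 0x03, SPI_WREN = 0x06, SPI_RDID = 0x9F };
enum vf_target  { VF_TO_STORAGE, VF_TO_FIRMWARE, VF_REJECT };

struct vflash {
    uint8_t flash[IMG_SIZE];   /* backing flash device: holds the encrypted image */
    uint8_t pstore[IMG_SIZE];  /* protected storage area: plaintext image served to cores */
    uint8_t key;               /* placeholder key for the toy XOR transform */
    int write_enabled;         /* set by WREN, cleared after one page program */
};

/* Placeholder for the decryption engine and for re-encryption on sync.
 * A single-byte XOR is NOT a cipher; a real design would use an authenticated
 * cipher and verify the image before staging it. */
static void vf_xor(uint8_t *dst, const uint8_t *src, size_t n, uint8_t key) {
    for (size_t i = 0; i < n; i++) dst[i] = src[i] ^ key;
}

/* Initialization module (Examples 10-11): copy the image out of the flash
 * device, decrypt it, and stage the plaintext in the protected storage area. */
void vf_init(struct vflash *v, const uint8_t *flash_image, uint8_t key) {
    memset(v, 0, sizeof *v);
    memcpy(v->flash, flash_image, IMG_SIZE);
    v->key = key;
    vf_xor(v->pstore, v->flash, IMG_SIZE, key);
}

/* Command translation (Examples 2-3): data reads are forwarded to the storage
 * controller of the protected area; control and program commands are forwarded
 * to the supplemental firmware; anything else is rejected. */
enum vf_target vf_route(uint8_t opcode) {
    switch (opcode) {
    case SPI_READ:                          return VF_TO_STORAGE;
    case SPI_WREN: case SPI_PP: case SPI_RDID: return VF_TO_FIRMWARE;
    default:                                return VF_REJECT;
    }
}

/* Synchronization engine (Example 12): after the protected copy changes,
 * write the encrypted form back so the flash device stays consistent. */
void vf_sync(struct vflash *v) {
    vf_xor(v->flash, v->pstore, IMG_SIZE, v->key);
}

/* Handle one buffered frame: [opcode][addr 23:16][addr 15:8][addr 7:0][data...].
 * Returns the number of response bytes written, or -1 for a rejected frame. */
int vf_handle(struct vflash *v, const uint8_t *frame, size_t len,
              uint8_t *resp, size_t resp_len) {
    if (len < 1) return -1;
    uint8_t op = frame[0];
    if (vf_route(op) == VF_REJECT) return -1;
    if (op == SPI_RDID) {                   /* firmware answers with placeholder id bytes */
        if (resp_len < 3) return -1;
        resp[0] = 0xEF; resp[1] = 0x40; resp[2] = 0x16;
        return 3;
    }
    if (op == SPI_WREN) { v->write_enabled = 1; return 0; }
    if (len < 4) return -1;
    uint32_t addr = ((uint32_t)frame[1] << 16) | ((uint32_t)frame[2] << 8) | frame[3];
    if (addr >= IMG_SIZE) return -1;        /* bounds check before touching storage */
    if (op == SPI_READ) {
        size_t n = IMG_SIZE - addr;
        if (n > resp_len) n = resp_len;
        memcpy(resp, v->pstore + addr, n);  /* served from protected area, never from flash */
        return (int)n;
    }
    /* SPI_PP: page program handled by firmware, gated on WREN, then synced back */
    if (!v->write_enabled) return -1;
    size_t n = len - 4;
    if (addr + n > IMG_SIZE) return -1;
    memcpy(v->pstore + addr, frame + 4, n);
    v->write_enabled = 0;
    vf_sync(v);
    return 0;
}
```

The split in vf_route is the "selectively pass" step of Examples 2-3: only READ traffic reaches the storage controller, while WREN, page-program and identification commands go through the firmware, which is where the write-enable gate and the sync-back live. The bounds check and the WREN gate are not in the patent text; they are the checks a practitioner would add, since once the virtual flash answers in place of the SPI device it becomes the policy point for every command the core issues. The design also depends on the firmware having exclusive access control over the protected area (Example 16); the simulation enforces that only by construction, so a real implementation must ensure the cores have no other path to that storage.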
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. As used herein, a "computer-implemented method" may refer to any method performed by one or more processors, a computer system having one or more processors, a mobile device such as a smartphone (which may include one or more processors), a tablet, a laptop, a set-top box, a game console, and so forth.
Embodiments may be implemented as a computer process, a computing system, or as an article of manufacture, such as a computer program product of computer readable media. The computer program product may be a computer storage media readable by a computer system and encoding a computer program of instructions for executing a computer process.
The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present disclosure has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the disclosure in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the disclosure. The embodiments were chosen and described in order to best explain the principles of the disclosure and the practical application, and to enable others of ordinary skill in the art to understand the disclosure for various embodiments with various modifications as are suited to the particular use contemplated.
The foregoing description of one or more implementations provides illustration and description, but is not intended to be exhaustive or to limit the scope of the embodiments to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of various embodiments.

Claims (25)

1. An apparatus for computing, comprising:
virtual flash memory comprising circuitry and firmware that cooperate to facilitate access by one or more cores of a computing platform to one or more platform firmware images from one or more flash memory devices of the computing platform, wherein the facilitating comprises instead returning the one or more platform firmware images to the one or more cores from one or more protected storage areas of the computing platform.
2. The apparatus of claim 1, wherein the circuitry comprises synchronous digital circuitry comprising:
a frame buffer to receive commands from one of the one or more cores at the clock rate of that core and to buffer the received commands; and
command forwarding circuitry coupled to the frame buffer to retrieve the buffered commands at a local clock rate and forward the retrieved commands for translation, and to selectively pass the translations to either supplemental virtual flash firmware of the virtual flash memory or a storage controller of the protected storage area at the local clock rate.
3. The apparatus of claim 2, wherein the synchronous digital circuitry further comprises command translation circuitry coupled to the command forwarding circuitry to receive the forwarded commands at the local clock rate, translate the forwarded commands, and selectively forward the translations to the supplemental virtual flash firmware of the virtual flash memory or the storage controller of the protected storage area at the local clock rate.
4. The apparatus of claim 3, wherein the synchronous digital circuitry further comprises a virtual flash firmware interface coupled with the command forwarding circuitry and the command translation circuitry to interface with the supplemental virtual flash firmware of the virtual flash memory.
5. The apparatus of claim 3, further comprising a storage interface coupled with the command translation circuitry to interface with the storage controller of the protected storage area at the local clock rate.
6. The apparatus of claim 2, further comprising a core interface coupled with the frame buffer to selectively couple the virtual flash memory to the one or more cores at a clock rate of the corresponding core.
7. The apparatus of claim 1, wherein the virtual flash memory further comprises a plurality of registers to store a plurality of operating parameters of the virtual flash memory.
8. The apparatus of claim 1, wherein the circuitry is implemented using a Field Programmable Gate Array (FPGA).
9. The apparatus of claim 8, wherein the apparatus is a system on a chip having one of the one or more cores and the FPGA coupled to each other.
10. The apparatus of claim 1, wherein the firmware comprises an initialization module to load the one or more platform firmware images from the one or more flash devices into the protected storage area by retrieving the one or more platform firmware images and storing the one or more platform firmware images into the protected storage area.
11. The apparatus of claim 10, wherein the one or more platform firmware images in the one or more flash devices are encrypted, and the firmware further comprises a decryption engine to recover the one or more platform firmware images from the encrypted one or more platform firmware images stored in the one or more flash devices before the one or more platform firmware images are stored in the protected storage area.
12. The apparatus of claim 10, wherein the firmware comprises a synchronization engine to synchronize an encrypted version of the one or more platform firmware images stored in the one or more flash devices with the one or more platform firmware images stored in the protected storage area in response to the one or more platform firmware images stored in the protected storage area having been updated.
13. A method of computing, comprising:
retrieving, by a virtual flash memory, one or more platform firmware images from one or more flash devices of a computing platform;
storing, by the virtual flash memory, the one or more retrieved platform firmware images in one or more protected storage areas of the computing platform, the one or more protected storage areas managed by supplemental virtual flash firmware of the virtual flash memory;
receiving, by the virtual flash memory, an attempt by one or more cores of the computing platform to access the one or more platform firmware images from the one or more flash devices; and
instead retrieving and returning, by the virtual flash memory, the one or more platform firmware images from the one or more protected storage areas managed by the supplemental virtual flash firmware of the virtual flash memory.
14. The method of claim 13, wherein the one or more platform firmware images in the one or more flash devices are encrypted, and the method further comprises decrypting, by the virtual flash memory, the one or more encrypted platform firmware images when retrieved from the one or more flash devices and prior to storing them in the one or more protected storage areas managed by the supplemental virtual flash firmware of the virtual flash memory.
15. The method of claim 13, further comprising synchronizing an encrypted version of the one or more platform firmware images stored in the one or more flash devices with the one or more platform firmware images stored in the one or more protected storage areas when the one or more platform firmware images stored in the one or more protected storage areas are updated.
16. At least one computer-readable medium (CRM) having instructions stored therein that, in response to execution of the instructions, cause a computing platform to:
receive an attempt by one or more cores of the computing platform to access one or more platform firmware images from one or more flash devices, wherein a virtual flash memory has associated virtual flash firmware; and
retrieve and return the one or more platform firmware images from a protected storage area of the computing platform using the virtual flash firmware, the virtual flash firmware having access control over the protected storage area of the computing platform.
17. The CRM of claim 16, wherein the computing platform is further caused to:
pre-retrieve, by the virtual flash firmware, the one or more platform firmware images from one or more flash devices of the computing platform; and
pre-store, by the virtual flash firmware, the one or more pre-retrieved platform firmware images in the protected storage area.
18. The CRM of claim 17, wherein the one or more platform firmware images in the one or more flash devices are encrypted, and the computing platform is further caused to: decrypt, using the virtual flash firmware, the one or more encrypted platform firmware images upon pre-retrieval and prior to pre-storing the one or more platform firmware images in the protected storage area.
19. The CRM of claim 17, wherein the computing platform is further caused to: synchronize an encrypted version of the one or more platform firmware images stored in the one or more unprotected flash devices with the one or more platform firmware images stored in the protected storage area when the one or more platform firmware images stored in the protected storage area are updated by the virtual flash firmware.
20. A system on a chip (SOC), comprising:
one or more processor cores; and
a Field Programmable Gate Array (FPGA) coupled with the one or more processor cores and configured to operate as a virtual flash memory to facilitate access by the one or more cores, acting as one or more Serial Peripheral Interface (SPI) flash masters, to one or more basic input/output system (BIOS) images; wherein the FPGA operating as the virtual flash memory returns the one or more BIOS images from one or more protected storage areas co-located on the same computing platform as the SoC.
21. The SOC of claim 20, wherein the FPGA is configured to provide:
a frame buffer to receive commands from one of the one or more cores acting as an SPI flash master, at the clock rate of that SPI master, and to buffer the received commands; and
command forwarding circuitry coupled to the frame buffer to retrieve the buffered commands at a local clock rate and forward the retrieved commands for translation, and to selectively pass the translations, once translated, to associated virtual flash firmware of the virtual flash memory or to a storage controller of the protected storage area.
22. The SoC of claim 21, wherein the FPGA is further configured to provide command translation circuitry coupled to the command forwarding circuitry to receive the forwarded commands at the local clock rate, translate the forwarded commands, and selectively forward the translations to the associated virtual flash firmware of the virtual flash memory or the storage controller of the protected storage area.
23. The SoC of claim 22, wherein the FPGA is further configured to provide: a virtual flash firmware interface coupled with the command forwarding circuitry and the command translation circuitry to interface with the associated virtual flash firmware of the virtual flash memory; and a storage interface coupled to the command translation circuitry to interface with the storage controller of the protected storage area.
24. The SoC of claim 21, wherein the FPGA is further configured to provide a core interface coupled with the frame buffer to couple the FPGA to the accessing SPI master.
25. The SoC of claim 20, wherein the FPGA is further configured to provide a plurality of registers to store a plurality of operating parameters of the FPGA.
CN201980088546.8A 2019-02-11 2019-02-11 Virtual flash memory Pending CN113260991A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/074776 WO2020163977A1 (en) 2019-02-11 2019-02-11 Virtual flash

Publications (1)

Publication Number Publication Date
CN113260991A (en) 2021-08-13

Family

ID=72044340

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201980088546.8A Pending CN113260991A (en) 2019-02-11 2019-02-11 Virtual flash memory

Country Status (4)

Country Link
KR (1) KR20210125477A (en)
CN (1) CN113260991A (en)
DE (1) DE112019006221T5 (en)
WO (1) WO2020163977A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113342697B (en) * 2021-07-19 2022-08-26 英韧科技(上海)有限公司 Simulation test system and method for flash translation layer

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102663301B (en) * 2012-04-13 2014-10-29 北京国基科技股份有限公司 Trusted computer and credibility detection method
CN103593622A (en) * 2013-11-05 2014-02-19 浪潮集团有限公司 FPGA-based design method of safe and trusted computer
US9158628B2 (en) * 2013-11-27 2015-10-13 American Megatrends, Inc. Bios failover update with service processor having direct serial peripheral interface (SPI) access
CN106462707B (en) * 2014-04-28 2019-06-14 英特尔公司 Safety guidance calculates equipment
CN106997438B (en) * 2017-03-29 2019-11-12 山东英特力数据技术有限公司 A kind of trusted servers CPU design method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117492798A (en) * 2024-01-03 2024-02-02 广云物联网科技(广州)有限公司 Multi-chip multi-channel remote upgrading method and system
CN117492798B (en) * 2024-01-03 2024-03-08 广云物联网科技(广州)有限公司 Multi-chip multi-channel remote upgrading method and system

Also Published As

Publication number Publication date
WO2020163977A1 (en) 2020-08-20
KR20210125477A (en) 2021-10-18
DE112019006221T5 (en) 2021-11-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination