CN115146290A - Secure storage of encryption keys - Google Patents

Secure storage of encryption keys

Info

Publication number: CN115146290A
Authority: CN (China)
Prior art keywords: count value, memory, encryption key, processing device, monotonic counter
Legal status: Pending
Application number: CN202210336712.5A
Other languages: Chinese (zh)
Inventors: F·阿尔贝萨, N·安奎特
Current assignee: STMicroelectronics Alps SAS; STMicroelectronics Grand Ouest SAS
Original assignee: STMicroelectronics Alps SAS; STMicroelectronics Grand Ouest SAS
Priority claimed from: FR2103316A (FR3121564A1)
Application filed by: STMicroelectronics Alps SAS, STMicroelectronics Grand Ouest SAS
Publication: CN115146290A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules

Abstract

Embodiments of the present disclosure relate to secure storage of encryption keys. The invention relates to a method for performing cryptographic operations, the method comprising: generating, by a monotonic counter of a processing device, a first count value; transferring the first count value from the monotonic counter to a memory of the processing device; selecting a first encryption key from the memory based on the first count value; and providing the selected first encryption key to a cryptographic processor.

Description

Secure storage of encryption keys
Cross Reference to Related Applications
The present application claims priority from French application No. 2103316 filed on 31/3/2021, the entire contents of which are hereby incorporated by reference.
Technical Field
The present disclosure relates to the field of methods and devices for electronic circuit security, and more particularly, to devices and methods for securely using encryption keys.
Background
Some processing devices include a cryptographic processor that requires the use of an encryption key that is not accessible from outside the device.
For example, the processing device operates by executing code stored in a non-volatile memory of the device, and this code is used over the lifetime of the circuit. For security reasons, some of this code is stored in encrypted form, and encryption keys are loaded to decrypt it.
Disclosure of Invention
There is often a need to improve the security of storing such encryption keys.
Embodiments herein address, at least in part, all or some of the disadvantages of known storage methods and apparatus.
One embodiment provides a method for performing cryptographic operations, the method comprising: generating, by a monotonic counter of a processing device, a first count value, transferring the first count value from the monotonic counter to a memory of the processing device, selecting a first encryption key from the memory based on the first count value; and providing the selected first encryption key to the cryptographic processor.
According to one embodiment, the selection of the first encryption key is performed by a selection circuit configured to prevent access to one or more other encryption keys stored in the memory in association with other count values of the monotonic counter.
According to one embodiment, the first encryption key is also selected by the first index.
According to one embodiment, the method further comprises: generating, by a monotonic counter of the processing device, a second count value; transferring a second count value from the monotonic counter to a memory of the processing device; selecting a second encryption key from the memory based on the second count value and the first index; and providing the selected second encryption key to the cryptographic processor.
According to one embodiment, the memory is configured to disallow access to the first encryption key based on a count value greater than the first count value.
According to one embodiment, providing the first encryption key to the cryptographic processor is performed based on a storage condition of the first encryption key. The key may be provided via a bus between the memory and the cryptographic processor. The key may also be provided via a register readable by a processor of the processing device.
According to one embodiment, the storage condition is that the first encryption key is stored in a first address range.
According to one embodiment, the storage condition is that the first encryption key is stored in the memory in association with the first value.
According to one embodiment, the bus is a bus dedicated to transferring encryption keys between the memory and the cryptographic processor.
According to one embodiment, the method further comprises: selecting a third encryption key from the memory based on the first count value and a second index; and providing the selected third encryption key to the cryptographic processor.
According to one embodiment, the monotonic counter is initialized to a first count value at a first boot of the processing device, the method further comprising: initializing the monotonic counter to a second count value at a second boot of the processing device.
According to one embodiment, the method includes processing another boot of the device, during which boot the monotonic counter is initialized to the first count value if a device state condition is satisfied.
According to one embodiment, the device state condition corresponds to a programmed state of the memory region.
One embodiment provides a data processing apparatus comprising: a monotonic counter configured to generate a first count value; and a memory including a selection circuit configured to select a first encryption key stored in the memory based on the first count value and to provide the selected first encryption key to a cryptographic processor.
Drawings
The foregoing features and advantages, and other features and advantages, are presented by way of illustration and not limitation in the following description of specific embodiments in which:
fig. 1 shows in a very schematic way a method for decrypting data based on an encryption key according to one embodiment of the present description;
FIG. 2A very schematically shows, in block diagram form, an electronic device in accordance with one embodiment of the present description;
FIG. 2B schematically illustrates one embodiment of a memory for storing keys in a secure manner;
FIG. 3 illustrates a flowchart representative of the operation of a method for selecting keys and communicating the keys to a cryptographic processor in accordance with an example of one embodiment of the present description;
FIG. 4 illustrates a system for decrypting encrypted data stored in memory according to an example of one embodiment of the present description;
FIG. 5 shows data and code accessible during a secure boot according to one embodiment of the present description;
FIG. 6 illustrates a flowchart representative of operation of a secure boot of a processing device in accordance with an embodiment of the present description; and
FIG. 7 illustrates a flowchart representative of operations to securely boot a processing device in accordance with another embodiment of the present description.
Detailed Description
Like features are denoted by like reference numerals throughout the various figures. In particular, structural and/or functional features that are common in the various embodiments may have the same reference numerals and may be provided with the same structural, dimensional and material characteristics.
For the sake of clarity, only the operations and elements useful for understanding the embodiments described herein have been illustrated and described in detail. In particular, the design of the processing apparatus is well known to those skilled in the art and certain components are not described below.
Unless otherwise specified, when two elements are referred to as being connected together, this means a direct connection without any intervening elements other than conductors, and when two elements are referred to as being coupled together, this means that the two elements can be connected or that they can be coupled via one or more other elements.
In the following disclosure, unless otherwise indicated, when referring to absolute positional qualifiers, such as the terms "front", "back", "top", "bottom", "left", "right", etc., or to relative positional qualifiers, such as the terms "upper", "lower", "higher", "lower", etc., or to orientation qualifiers, such as "horizontal", "vertical", etc., refer to the orientation shown in the figures.
Unless otherwise indicated, the expressions "about", "substantially" and "in the range of ..." are meant to be within 10%, preferably within 5%.
Fig. 1 very schematically represents a method for decrypting data based on an encryption key according to one embodiment of the present description.
Input data (IN) comprising, for example, encrypted code, is provided to a cryptographic processor 102 (CRYPTO) of a processing device (not shown in fig. 1). For example, a general purpose processor (also not shown in FIG. 1) of the processing device directs the execution of code, such as boot code. The cryptographic processor 102 is configured to decrypt the input data using the encryption key and to provide decrypted data (OUT) at an output of the cryptographic processor 102.
The encryption keys are stored in non-volatile memory 104 (key store), each key being stored, for example, in association with a Temporal Isolation Level (TIL). For example, the memory 104 stores multiple sets of keys, and each set of keys is associated with a respective isolation level. The TIL value is provided to the memory 104 and allows one or more keys to be selected, for example, from a set of keys associated with the isolation level corresponding to the TIL value. In some cases, the memory 104 is also provided with an index value that allows a given key to be selected from each set of keys.
The TIL value corresponds to a count value generated by a monotonic counter (not shown in fig. 1), and a key associated with the TIL value is accessible, for example, only when the count value generated by the monotonic counter equals the TIL value.
An example of the contents of the memory 104 is shown in the right-hand portion of fig. 1. In this example, the non-volatile memory 104 includes a first region 108 (KEYSET0) in which a first set of keys is stored. The memory also includes a second region 110 (KEYSET1) that stores a second set of keys, and a third region 112 (KEYSET2) that stores a third set of keys. For example, the first, second, and third key sets are associated with three different isolation levels: the first set of keys is associated with isolation level TIL0, the second set with isolation level TIL1, and the third set with isolation level TIL2.
In the memory 104, each key is represented, for example, by a key value (KEY_VALUE) and is associated with an index value and a size value (KEY_SIZE), the latter for example indicating the length of the key in bits.
In the example shown on the right side of fig. 1, the region 108 contains 11 encryption keys associated with the isolation level TIL0. These keys are each identified by an index ranging from 0 to 10. The region 110 contains two encryption keys associated with the isolation level TIL1 and identified by indices 0 and 1. The region 112 contains two encryption keys associated with the isolation level TIL2 and identified by indices 0 and 1. Thus, for some index values (in this example, values 0 and 1), the selected key depends on the TIL value. The key list shown in fig. 1 is only an example, and in other embodiments there may be other numbers of key sets and other numbers of keys in each set. In addition, some fields associated with each key, such as the index and/or the size value, may be omitted.
When a key for decrypting at least one encrypted input data is selected from the memory 104, a count value corresponding to the isolation level (TIL0, TIL1, or TIL2) and the index (INDEX) of the desired key are transferred to the memory 104. The key corresponding to the isolation level and the index is then communicated to the cryptographic processor 102, for example via bus 106. In some implementations, the bus 106 may be a dedicated bus; for example, bus 106 exclusively connects memory 104 to cryptographic processor 102.
Figure 2A very schematically shows in block diagram form one embodiment of an electronic device 200 comprising a processing device 202.
The electronic device 200 is, for example, an electronic card such as a microcircuit card, computer hardware, microprocessor circuits, etc.
The processing device 202 includes, for example, the cryptographic processor 102 (CRYPTO) described above in connection with fig. 1 and the non-volatile memory 104 (NV MEM). The memory 104 is implemented, for example, by flash memory, but other types of non-volatile memory may be used. Memory 104 includes, for example, the first, second, and third regions 108, 110, and 112 (KEYSET0, KEYSET1, and KEYSET2) described with respect to FIG. 1. The memory 104 also includes, for example, selection circuitry 206 (key selection). The selection circuit 206 (e.g., a selection interface) is coupled to the output of the monotonic counter 204 (monotonic counter) and receives the TIL value from the counter. Selection circuit 206 is also coupled, for example, to an output of the cryptographic processor 102 and receives an index value from that output. For example, the index value is stored in a register (not shown) contained in the cryptographic processor 102, although the register may be elsewhere in the device 202.
Monotonic counters are known in the art; examples of such counters are described, for example, in section 3 of "Virtual Monotonic Counters and Count-Limited Objects using a TPM without a Trusted OS" by L.F.G. Sarmenta, M. van Dijk, C.W. O'Donnell, J. Rhodes and S. Devadas, which is incorporated herein by reference in its entirety. This document describes embodiments of the counter implemented in hardware and/or software. For example, the monotonic counter 204 is implemented in hardware by a digital circuit such as an Application Specific Integrated Circuit (ASIC). The monotonic counter is configured to maintain a count value accessible at an output of the counter. The monotonic counter increases its count value by one or more units on an increment instruction, and each increment is irreversible. In practice, the monotonic counter is configured such that its count value never decreases. Furthermore, between two increments, the count value is protected against any modification, for example so that it cannot be erased or changed. Only the increment instruction allows the current value to be replaced with a new value that is higher than the current value.
The monotonic counter 204 is configured such that once an incrementing instruction is implemented, no instruction is allowed to return to the previous value except for a reset of the processing device to zero. In the case where the count value is stored in a volatile manner, the count value is lost every time the processing apparatus is turned off, and the monotonic counter generates the initial count value again every time the apparatus is rebooted. In the case where the count value is stored in the nonvolatile storage element, the initial count value is rewritten to the nonvolatile storage element of the monotonic counter, for example, at each boot.
The processing device 202 also includes a non-secure general purpose processor 210 (CPU, e.g., a central processing unit). For example, the general purpose processor 210 is coupled to the monotonic counter 204 and the non-volatile memory (NV MEM 2) 216 and the non-volatile memory 104 via a bus 214. The memories 104 and 216 are, for example, of the flash memory type. In one example, the general purpose processor 210 provides an index value in a register (not shown) of the cryptographic processor 102 from which the index value is transferred to the selection circuit 206.
The general purpose processor 210 is also coupled to the crypto processor 102 and a RAM (random access memory) 208 via a bus 214.
In some cases, the memory 104 includes a register 212 (key register) accessible via a bus 214.
The cryptographic processor 102 is connected to the memory 104, for example via a bus 106. For example, bus 106 is a dedicated bus that connects only cryptographic processor 102 to memory 104. In other words, in this example, no components other than the processor 102 and the memory 104 are connected to the bus 106.
For example, the non-volatile memory 216 contains encrypted boot code, and the encryption key is stored in the memory 104. In some cases, the TIL value is incremented during a boot step of the processing device, and the encryption key allows decryption of the boot code. For example, on each boot of the processing device, the TIL value is initialized by the monotonic counter 204 and transferred to the selection circuitry of the memory 104. The cryptographic processor 102 communicates to the selection circuit 206 index values for one or more first encryption keys associated with one or more first encrypted boot codes associated with one or more first encrypted boot code initial TIL values. The first key is communicated to cryptographic processor 102 via bus 106 or stored in register 212 and communicated to cryptographic processor 102 via bus 214. The first encrypted boot code is also communicated to the cryptographic processor 102 via the bus 214. The decrypted boot code is then transferred to the general purpose processor 210 via the bus 214. In one example, the processor 210 executes the decrypted boot code and instructs the monotonic counter to increment, which generates a new count value that is greater than the original count value. Other encrypted boot code associated with the next TIL value may be decrypted and executed in the same manner as the first code described above.
Fig. 2B shows an exemplary embodiment of the memory 104, and in particular the selection circuit 206.
In the example shown in FIG. 2B, the first region 108 contains a first set of I_M(0) encryption keys associated with the isolation level TIL0. Each key is identified by an index value ranging from 1 to I_M(0). The selection circuit 206 includes, for example, two multiplexers 218 and 220, allowing selection of a key based on the index value. Thus, each of these multiplexers 218, 220 receives as control input the index value communicated by, for example, the cryptographic processor 102. The multiplexer 218 is configured to direct the key to the bus (key bus) 106, while the multiplexer 220 is configured to direct the key to the register (key register) 212. In the example of FIG. 2B, the keys identified by index values ranging from 0 to the value I_T are provided to the data input of multiplexer 218, while the subset of keys identified by index values ranging from I_T+1 to I_M(0) is provided to the data input of multiplexer 220.
The second region 110 contains a second set of I_M(1) encryption keys associated with the isolation level TIL1 (not shown in fig. 2B). Similarly, the third region 112 contains a third set of I_M(2) encryption keys associated with the isolation level TIL2 (not shown in fig. 2B). For example, for each of regions 110 and 112, selection circuit 206 also includes two multiplexers (not shown in FIG. 2B), both similar in operation to multiplexers 218 and 220, for directing the respective keys from each region 110, 112.
The selection circuitry 206 comprises, for example, two additional multiplexers 222 and 224 which are common to all regions 108, 110, 112 and allow selection of a key based on the TIL value. Thus, each of these multiplexers 222, 224 receives the TIL value communicated by the monotonic counter 204 as a control input. The multiplexer 222 comprises, for example, a data input coupled to the output of the multiplexer 218 of each region 108, 110, 112, respectively, and the multiplexer 224 comprises, for example, a data input coupled to the output of the multiplexer 220 of each region 108, 110, 112, respectively. Thus, each multiplexer 222, 224 includes a number of data inputs equal to the number of storage regions, which in the example of FIG. 2B is equal to 3. Multiplexers 222 and 224 prevent access to keys associated with inactive TIL values. Additionally, the multiplexer 222 is configured to direct the key to the bus 106, while the multiplexer 224 is configured to direct the key to the register 212.
In one example, the value I_T is different in each of the regions 108, 110 and 112. In another example, I_T is a fixed value.
Other embodiments of the memory 104 are possible. For example, instead of providing both multiplexers 218 and 220, a single multiplexer may be used to select keys based on the index, and the keys in each region are further associated with a flag indicating whether they are to be transferred via bus 106 or stored in register 212. For example, a multiplexer is provided that is set to direct the selected key to the bus 106 or the register 212 based on the flag.
FIG. 3 is a flowchart representing operations of a method for transmitting keys to a cryptographic processor according to an example of one embodiment of the present description. The method is implemented, for example, by the cryptographic processor 102 and the selection circuitry 206 of the memory 104.
In step 301 (initialize counter), a monotonic counter is initialized to an initial value, i.e., a natural number. In an example where the count value is stored in a volatile manner, each boot of the processing device causes the count value to be initialized to, for example, 0. In another example where the count value is stored in a non-volatile storage element, each boot of the processing device causes the current count value to be replaced with a new initial count value, e.g., 0. For example, step 301 occurs after boot-up of the processing device 202.
In some embodiments, the initial count value generated after booting may vary depending on the context of the processing device. For example, the one or more count values correspond to isolation levels reserved for the manufacturer of the device 202, and intermediate entities between the manufacturer and the end user and/or boot of the end user will trigger count values higher than these reserved count values. For example, if a count value of 0 is reserved for the manufacturer, then an intermediate entity between the manufacturer and the end user and/or the end user's boot will trigger a count value equal to 1, and the boot code(s) and sensitive data associated with isolation level 0 will not be accessible. For example, once manufactured, one or more bits stored in the non-volatile memory 104 or another memory are programmed to ensure that the count value is initialized to 1. In one example, these bits correspond to a signature protected value indicating an initial count value to apply. For example, the signature is generated based on an encryption key and may, for example, correspond to a MAC (message authentication code) signature. This value is provided to monotonic counter 204, for example, via bus 214. The monotonic counter 204 can then be restored to 0 (or another value) during the lifetime of the device by changing the signature protection value.
In step 302 (read index), the index value stored, for example, in a register of the cryptographic processor 102 is read and transferred to the selection circuitry 206. In step 303 (is the index present on TIL[i]?), it is determined whether an encryption key associated with the current TIL value TIL[i] and identified by the index value exists in the memory 104. If this is not the case (N branch), the method terminates in step 304 (error signal), where the device notifies the user that an error has occurred, for example by an audible signal or by displaying a text message.
In case there is an encryption key associated with the current TIL value and identified by the index value (Y branch), the method continues after step 303 at step 305 (access to the key index on TIL[i]). In step 305, the key identified by the index value and associated with TIL[i] is selected. For example, the selection is made by the circuitry described with respect to fig. 2B.
At step 306 (will the key be transmitted on the key bus?), it is determined whether the selected key is to be transferred via the bus 106 or stored in the register 212. For example, step 306 follows the selection according to the index values made by the circuit described with respect to FIG. 2B, where indices 1 through I_T of region 108 are reserved for transmission via bus 106, and indices I_T+1 to I_M(0) are reserved for storage in register 212. In another example, the decision is made based on a flag or by any other means that indicates to which component (bus 106 or register 212) the selected key should be transmitted.
If the selected key is to be transferred via the bus 106 (Y-branch), the method continues at step 308 (transfer key bus), where the key is transferred to the cryptographic processor via the bus 106. Otherwise (N branch at the output of step 306), the method continues at step 307 (load to register), where the selected key is stored in register 212. Once stored in the register 212, the selected key is accessible by the cryptographic processor via the bus 214.
In step 309 (read other key?), it is determined whether another encryption key associated with the current TIL value is to be read. If this is the case (Y branch), the new index value is stored in the cryptographic processor register and the method restarts at step 302. If all encryption keys associated with the current TIL value have been decrypted (N branch), a new TIL value (new value of TIL) is generated by incrementing the monotonic counter in step 310. For example, the TIL value is incremented by an instruction in an opcode executed by the general purpose processor 210. When the monotonic counter 204 passes the new TIL value to the selection circuit 206, the method restarts at step 302.
FIG. 4 illustrates a system for decrypting encrypted data according to one embodiment of the present description. For example, encrypted data is stored in the non-volatile memory 216 of the processing device 202, while decrypted data is stored in the memory 208, even though the encrypted data and/or the decrypted data may be stored in another memory.
In the example shown in FIG. 4, the non-volatile memory 216 includes three encrypted codes, such as boot codes. For example, the monotonic counter is initialized to the value TIL0, and the TIL value is communicated to the selection circuitry 206. For example, the general purpose processor 210 is instructed to perform decryption of the first encrypted code 402a (CODE0_U). The TIL value associated with the set of decryption keys for the first encrypted code 402a is, for example, the value 0. The first encrypted code 402a is transferred to the cryptographic processor 102 via the bus 214 under the control of the general purpose processor 210, as indicated by the dashed arrow in fig. 4. During decryption of the first encrypted code 402a, the cryptographic processor 102 passes the index values of the encryption keys associated with the value TIL0 (keys KEY#1, KEY#2 and KEY#3 in the example of fig. 4) to the selection circuit 206, for example at the pace of the decryption operation. These keys from the storage region 108 of the memory 104 are then transferred by the selection circuit 206 to the cryptographic processor 102 via the bus 106. The cryptographic processor 102 decrypts the first encrypted code 402a and outputs a first decrypted code 402b (CODE0_C), which is stored in the RAM memory 208, e.g., via the bus 214. In one example, the decrypted code 402b includes or incorporates a monotonic counter increment instruction. Accordingly, the general purpose processor 210, when executing the instruction, instructs the count value to increment, and the monotonic counter 204 passes the new TIL value, e.g., 1, to the selection circuit 206.
For example, the general purpose processor 210 then instructs decryption of a second encrypted code 404a (CODE1_U), such as a boot code. As with the first encrypted code 402a, the second encrypted code 404a is communicated to the cryptographic processor 102, e.g., via the bus 214, and, based on the keys stored in the region 110 of the memory 104, the decryption operation proceeds in a similar manner as for the encrypted code 402a. The cryptographic processor 102 decrypts the second encrypted code 404a and outputs a second decrypted code 404b (CODE1_C), which is stored in the RAM memory 208, e.g., via the bus 214. In one example, the decrypted code 404b includes or incorporates a monotonic counter 204 increment instruction. Accordingly, the general purpose processor 210, when executing the instruction, instructs the count value to increment, and the monotonic counter 204 passes the new TIL value, e.g., 2, to the selection circuit 206.
For example, the general purpose processor 210 then instructs decryption of a third encrypted code 406a (CODE2_U), such as a boot code. The third encrypted code 406a, like the first and second encrypted codes 402a and 404a, is communicated to the cryptographic processor 102, e.g., via the bus 214, and, based on the keys stored in the region 112 of the memory 104, the decryption operation proceeds in a similar manner as for the encrypted code 402a. The cryptographic processor 102 provides the third decrypted code 406b (CODE2_C) and stores it in the RAM 208. In one example, the decrypted code 406b includes or incorporates a monotonic counter 204 increment instruction. Accordingly, the general purpose processor 210 instructs the counter to increment when executing the instruction. The monotonic counter 204 passes the new TIL value, e.g., 3, to the selection circuit 206. Since this value does not correspond to any decryption key in the memory 104, the selection circuitry 206 prevents any access to the keys stored in the memory 104.
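The key-store gating of fig. 1 and fig. 2B, the step 301-310 loop of fig. 3 and the three-stage boot of fig. 4 can be exercised in one small model. The Python below is an added example written for this page; it is not code from the patent or from STMicroelectronics, and the key contents, the per-region index thresholds I_T, the 0-based indexing taken from fig. 1 and the `Destination` enum are constructed assumptions. The point it makes is that the selection circuit takes its TIL input from the counter output rather than from the caller, that an index outside the active set ends in the step-304 error, and that after the last increment (TIL value 3) no key is reachable at all.

```python
"""Model of the TIL-gated key store (fig. 1, fig. 2B) and the key-delivery loop (fig. 3, fig. 4)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Destination(Enum):
    KEY_BUS = "bus 106"            # dedicated key bus into the cryptographic processor
    KEY_REGISTER = "register 212"  # key register, read by the processor over bus 214


class KeyNotPresent(Exception):
    """Step 303 answered 'no': step 304 raises an error signal."""


class MonotonicCounter:
    """Monotonic counter 204: between two boots the count value only ever grows."""

    def __init__(self, initial: int = 0) -> None:
        self._value = initial          # initial value chosen at boot (step 301)

    @property
    def value(self) -> int:
        return self._value

    def increment(self, step: int = 1) -> int:
        if step < 1:                   # no instruction may lower the value
            raise ValueError("monotonic counter can only be incremented")
        self._value += step
        return self._value


@dataclass
class KeySet:
    """One region KEYSETn of memory 104: keys indexed 0..len-1 and the threshold I_T."""
    keys: List[bytes]
    i_t: int  # indices <= I_T are routed to the key bus, higher ones to the register


class KeyStore:
    """Memory 104 plus selection circuit 206. A key is reachable only while the
    counter output equals the TIL of its region (multiplexers 222/224) and the
    index exists in that region (multiplexers 218/220)."""

    def __init__(self, regions: Dict[int, KeySet]) -> None:
        self._regions = regions

    def select(self, counter: MonotonicCounter, index: int) -> Tuple[bytes, Destination]:
        til = counter.value            # control input comes from the counter, not the caller
        region = self._regions.get(til)
        if region is None or not 0 <= index < len(region.keys):
            raise KeyNotPresent(f"no key for TIL{til} index {index}")
        dest = Destination.KEY_BUS if index <= region.i_t else Destination.KEY_REGISTER
        return region.keys[index], dest

    def any_key_reachable(self, counter: MonotonicCounter) -> bool:
        """True while the current count value still unlocks some key set."""
        return counter.value in self._regions


def deliver_keys(store: KeyStore, counter: MonotonicCounter,
                 indices: Iterable[int]) -> List[Tuple[int, bytes, Destination]]:
    """Steps 302-310 of fig. 3 for the current TIL value: read each index, select
    the key, route it to bus or register, then increment the counter (step 310)."""
    delivered = []
    for index in indices:
        key, dest = store.select(counter, index)   # steps 302, 303, 305, 306-308
        delivered.append((index, key, dest))
    counter.increment()                            # step 310: the old key set is now locked
    return delivered


def run_boot_sequence(store, counter, stages):
    """Fig. 4: each encrypted code stage needs the key set of the current TIL value."""
    return {name: deliver_keys(store, counter, indices) for name, indices in stages}


def example_store() -> KeyStore:
    """Constructed sample contents shaped like fig. 1 (11 keys at TIL0, 2 at TIL1, 2 at TIL2)."""
    return KeyStore({
        0: KeySet([f"k0-{i}".encode() for i in range(11)], i_t=2),
        1: KeySet([b"k1-0", b"k1-1"], i_t=0),
        2: KeySet([b"k2-0", b"k2-1"], i_t=0),
    })


if __name__ == "__main__":
    store, counter = example_store(), MonotonicCounter(0)
    stages = [("CODE0_U", [1, 2, 3]), ("CODE1_U", [0, 1]), ("CODE2_U", [0, 1])]
    for stage, keys in run_boot_sequence(store, counter, stages).items():
        print(stage, [(i, dest.value) for i, _, dest in keys])
    print("TIL after boot:", counter.value, "keys reachable:", store.any_key_reachable(counter))
```

Running the module walks the three stages of fig. 4 and finishes with the counter at 3, at which point `any_key_reachable` is false; a later attempt to select index 0 fails the same way a wrong index does at step 303, because the counter cannot be moved back to 0.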
Fig. 5-7 illustrate one embodiment of the present description in which the encrypted data is boot code and/or encryption keys associated with these codes, and the TIL value is incremented at the end of each step of the boot sequence. Each TIL value further corresponds to one or more boot codes associated with each boot step; when the current TIL value is greater than their associated TIL value, the codes become inaccessible.
In the example of Fig. 5, memory regions 506, 508, and 509 store sensitive data associated with the boot codes stored in regions 500, 502, and 504, respectively, of the non-volatile memory 216. Regions 506, 508, and 509 are, for example, separate from regions 500, 502, and 504, but each is associated with the isolation level of the boot code to which its data corresponds. The sensitive data include, for example, one or more encryption keys stored in each of the regions 506, 508, and 509, each of these regions being contained in the non-volatile memory 104. According to another embodiment, each of the regions 506, 508, and 509 is a sub-region of the corresponding region 500, 502, or 504.
During a first step 510 of booting the processing device, shown at the top of Fig. 5, the current count value is, for example, 0. In the example of Fig. 5, isolation level 0 is associated with the first code (CODE0) and the first sensitive data (KEY0). For example, the memory access control circuit 216 (not shown) and the selection circuit 206 are configured such that the first code and the first data are accessible only while the current count value equals 0. During step 510, however, the access control circuit and the selection circuit allow access to, for example, all of the memory regions 500, 502, and 504 and all of the regions 506, 508, and 509. Indeed, in some cases one or more of the other boot codes (CODE1, CODE2) may be read during step 510, for example in anticipation of a subsequent step of the boot process.
For example, once the first code CODE0 has been executed, the general purpose processor 210 requests a first increment of the current count value from the monotonic counter 204. For example, the first code includes an instruction requesting the counter increment; the request is carried out, for example, by writing to a control register (not shown) of the monotonic counter.
After this first increment, the current count value of the monotonic counter 204 equals, for example, 1, corresponding to the second boot step 511. The access control circuit and the selection circuit receive the new current count value and are configured to prevent any access to the first code and the first data associated with isolation level 0, since the count value is greater than 0. In other words, the memory regions 500 and 506 are locked for any count value strictly greater than 0.
Isolation level 1 is associated with the second code (CODE1) contained in region 502 and the second data (KEY1) contained in region 508. According to one embodiment, the third code (CODE2), associated with isolation level 2 and contained in region 504, remains readable while the current count value equals 1.
For example, once the second code CODE1 has been executed, the general purpose processor 210 requests a second increment of the current count value from the monotonic counter 204. After the second increment, corresponding to the third boot step 512, the current count value of the monotonic counter 204 equals, for example, 2. Isolation level 2 is associated with the third code CODE2 and the third data (KEY2). The access control circuit and the selection circuit 206 receive the new count value and are configured to prevent any access to the first and second codes and to the first and second data, all associated with an isolation level less than or equal to 1, since the count value is greater than 1.
According to one embodiment, when the last boot code, e.g., the third boot code, has been executed, the general purpose processor 210 requests a third increment of the current count value from the monotonic counter. The access control circuit and the selection circuit 206 then lock all access to the first, second and third boot codes and to the first, second and third data.
According to another embodiment, when the last boot code (e.g., the third boot code) has been executed, the current count value is not incremented by the monotonic counter 204, and the access control circuit continues to allow access to the third boot code and the third data.
Fig. 6 is a flowchart representing operations of a secure boot method of a processing device according to an example embodiment of the present description. The method is implemented, for example, by the general purpose processor 210, the monotonic counter 204, and the access control and selection circuitry 206 of the processing device of Fig. 2.
At step 601 (start boot sequence), the processing device 202 starts. In one example, this is the first boot of the device 202 after its manufacture. In another example, it is a boot performed by an intermediate entity between the manufacturer of the device 202 and its end user. In yet another example, it is a so-called operational boot of the electronic device 200 performed by the end user.
In step 603 (initialize counter), following step 601, the monotonic counter is initialized to an initial value, a natural number. In an example where the count value is stored in a volatile manner, each boot of the processing device causes the count value to be initialized, e.g., to 0 or to 1. In another example, where the count value is stored in a non-volatile storage element, each boot of the processing device causes the current count value to be replaced with an initial count value, e.g., equal to 0 or to 1.
In some embodiments, the initial count value set at boot may vary according to the state or context of the processing device 202. For example, one or more count values, corresponding to one or more isolation levels, are reserved for the initial setup phase of the device 202, which includes, for example, the installation of firmware. The data and/or code associated with these isolation levels are used, for example, for this initial setup.
For example, after manufacture, the processing device 202 has a "blank" context and the initial count value is equal to a value reserved for setup, e.g., 0. Once setup is complete, the context of the device becomes, for example, "setup complete". Booting the device 202 with this new context, e.g., by an intermediate entity between the manufacturer and the end user and/or by the end user, will then produce an initial count value greater than the reserved count value, e.g., equal to 1. The boot code and the sensitive data associated with the isolation level corresponding to the reserved count value are thus no longer accessible.
For example, the context of the device is detected by the presence of a voltage on a boot pin of the device, applied, for example, by fitting a jumper between the boot pin and another pin at the supply voltage. Additionally or alternatively, the context of the device is detected from the value of one or more bits stored in a non-volatile, protected manner in the memory 104 or in another memory.
In one example, the general purpose processor 210 is arranged to detect the context of the device 202 when the device 202 boots and to configure the initial count value of the monotonic counter 204 accordingly. In another example, the monotonic counter 204 is itself arranged to detect the context of the device 202 and to configure its own initial count value when the device 202 boots.
In step 605 (read and execute code at level i), following step 603, the data and boot code associated with isolation level i are read by the general purpose processor 210 and the boot code associated with isolation level i is executed. Once the code of isolation level i has been executed, the general purpose processor 210 compares, in step 607 (i = N?), the current count value i with the value N of the last isolation level. For example, in the example of Fig. 5, N equals 2. If i is not equal to N (N branch), the method continues at step 609 (i = i + 1), in which the general purpose processor triggers an increment of the count value. For example, the count value is increased from i to i + 1. The increment may also increase the value i by several units. The method then resumes at step 605.
When the comparison of step 607 finds the count value equal to N (Y branch), the method ends with step 611 (boot end), in which the boot of the processing device ends. According to one embodiment, after step 611 the current count value remains equal to N. According to another embodiment, the count value is incremented at step 611 and the current count value becomes equal to N + 1. In this second case, the access control circuit and the selection circuit are configured to prevent access to all boot codes on the basis of this count value.
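The boot flow of Figs. 5 and 6, including the context-dependent initial count of step 603 and the two variants of step 611, as an added example that is not part of the patent. The access rule (a region of isolation level l is locked for any count strictly greater than l, and regions at or above the current count remain readable) and the reserved level 0 for the blank context come from the text above; the type and function names, the three-level chain (N = 2) and the bitmask reporting are assumptions of this example.

```c
/* Added example, not code from the patent: a C model of the boot flow of
 * Figs. 5 and 6, including the context-dependent initial count of step 603.
 * Type and function names are hypothetical; three levels give N = 2. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define N_LEVELS   3
#define LAST_LEVEL (N_LEVELS - 1)       /* the N of Fig. 6 */

typedef enum { CTX_BLANK, CTX_SETUP_COMPLETE } device_context_t;

typedef struct {
    int      final_count;               /* count value after step 611, -1 if aborted */
    unsigned executed_mask;             /* bit l set when the code of level l ran */
} boot_result_t;

/* Step 603: level 0 is reserved for the blank (setup) context.  A device whose
 * setup is complete starts at 1, so CODE0/KEY0 are never reachable again. */
uint32_t initial_count(device_context_t ctx)
{
    return ctx == CTX_BLANK ? 0u : 1u;
}

/* Rule enforced by access control 216 and selection 206 in Fig. 5: a region of
 * isolation level l is locked for any count strictly greater than l and stays
 * readable while the count is at or below l (CODE1, CODE2 readable in step 510). */
bool region_accessible(uint32_t region_level, uint32_t count)
{
    return count <= region_level;
}

/* Bitmask of the levels whose code and key regions are readable at a count:
 * 0x7 at count 0, 0x6 at count 1, 0x4 at count 2, 0x0 at count 3. */
unsigned accessible_mask(uint32_t count)
{
    unsigned m = 0;
    for (uint32_t l = 0; l < N_LEVELS; l++)
        if (region_accessible(l, count))
            m |= 1u << l;
    return m;
}

/* Fig. 6: step 605 reads and executes level i, step 607 compares i with N,
 * step 609 increments, step 611 ends the boot.  With lock_all_at_end the
 * second variant of step 611 is used: the count goes to N + 1 and every
 * region is locked. */
boot_result_t secure_boot(device_context_t ctx, bool lock_all_at_end)
{
    boot_result_t r = { -1, 0 };
    uint32_t code_level[N_LEVELS], key_level[N_LEVELS];   /* regions 500..504, 506..509 */
    for (uint32_t l = 0; l < N_LEVELS; l++)
        code_level[l] = key_level[l] = l;

    uint32_t count = initial_count(ctx);                    /* step 603 */
    for (;;) {
        uint32_t i = count;                                 /* step 605 */
        if (i > LAST_LEVEL)
            return r;                                       /* no such stage: abort */
        if (!region_accessible(code_level[i], count) ||
            !region_accessible(key_level[i], count))
            return r;                                       /* own stage locked: abort */
        r.executed_mask |= 1u << i;                         /* CODEi runs with KEYi */
        if (i == LAST_LEVEL)
            break;                                          /* step 607, Y branch */
        count++;                                            /* step 609: increment only */
    }
    if (lock_all_at_end)
        count++;                                            /* step 611, N + 1 variant */
    r.final_count = (int)count;
    return r;
}

int main(void)
{
    boot_result_t blank = secure_boot(CTX_BLANK, false);
    boot_result_t done  = secure_boot(CTX_SETUP_COMPLETE, true);
    printf("blank device:   final count %d, executed levels 0x%x\n",
           blank.final_count, blank.executed_mask);
    printf("setup complete: final count %d, executed levels 0x%x\n",
           done.final_count, done.executed_mask);
    for (uint32_t c = 0; c <= N_LEVELS; c++)
        printf("count %u: readable levels 0x%x\n", c, accessible_mask(c));
    return 0;
}
```

A blank device runs CODE0 through CODE2 and ends at count 2; a device whose setup is complete starts at 1, so CODE0 and KEY0 are skipped and unreachable, and with the N + 1 variant of step 611 it ends at count 3 with every region locked. The `accessible_mask` table is the Fig. 5 picture in one function: each increment removes exactly the lowest remaining level.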
Fig. 7 is a flowchart representing operations of a secure boot method of a processing device according to another example embodiment of the present description. The method is implemented, for example, by the general purpose processor 210, the monotonic counter 204, and the access control and selection circuitry 206 of the processing device of Fig. 1.
Steps 701 and 703 are similar to steps 601 and 603 of Fig. 6 and will not be described in detail.
In step 705 (access code at levels i and i + 1, execute code at level i), following step 703, the general purpose processor 210 can access the data and boot code associated with isolation level i + 1 while executing the boot code associated with isolation level i.
In one example, the data or code associated with isolation level i contains one or more encryption keys, encrypted or not, to be used when executing one or more codes associated with isolation level i + 1. Write access is therefore granted, for example, to a memory region associated with isolation level i + 1 in order to provide a key to the code associated with isolation level i + 1.
In another example, the code associated with isolation level i contains instructions that verify the integrity of the data and/or code associated with isolation level i + 1. Read access to the memory region associated with isolation level i + 1 is therefore allowed in order to perform this verification.
In step 707 (i = i + 1), following step 705, the count value is incremented. For example, the count value increases from i to i + 1. In other examples, the increment increases i by several units.
In step 709 (i = N?), following step 707, the current count value i is compared with N. If i is not equal to N (N branch), the method returns to step 705.
When the comparison of step 709 finds the count value equal to N (Y branch), the method continues at step 713 (execute code at level N), in which the boot code associated with isolation level N is executed.
The boot of the processing device ends with step 715 (boot end), which is similar to step 611 of Fig. 6 and will not be described in detail.
The method of Fig. 7 allows the boot codes to be read in an interleaved manner: the boot code associated with an isolation level is already read while the count value is lower than that isolation level. This saves time compared with the implementation of the method of Fig. 6.
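The interleaved flow of Fig. 7, as an added example that is not part of the patent: while the code of level i executes, it reads level i + 1 to verify its integrity and writes into the key region of level i + 1 the key that level i + 1 will use, and only then is the count incremented. The look-ahead window, the integrity check and the key hand-over come from the text above; the stage layout, the key derivation, the FNV-1a placeholder digest (not a cryptographic hash) and all names are assumptions of this example, and the tampered-stage case shows the boot halting before the count advances.

```c
/* Added example, not code from the patent: a C model of the interleaved flow
 * of Fig. 7, in which the code of level i verifies the integrity of level i+1
 * and writes the key that level i+1 will use, before the count is incremented.
 * Names are hypothetical; the digest is a 32-bit FNV-1a placeholder, not a
 * cryptographic hash, and the key derivation is a placeholder XOR. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STAGES  3                     /* levels 0..2, so N = 2 */
#define KEY_LEN 8
#define IMG_LEN 16

typedef struct {
    uint8_t  image[IMG_LEN];          /* boot code of this level (constructed bytes) */
    uint32_t next_digest;             /* expected digest of level i+1, carried by level i */
    uint8_t  key[KEY_LEN];            /* key region of this level, written by level i-1 */
    bool     key_present;
} stage_t;

typedef struct {
    int      final_count;             /* -1 if the boot halted */
    unsigned verified_mask;           /* bit l set when level l passed verification */
} boot7_result_t;

static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Same rule as Fig. 5: a region is accessible while the count is at or below
 * its level; Fig. 7 uses the i+1 part of that window. */
static bool region_accessible(uint32_t level, uint32_t count) { return count <= level; }

/* Constructed boot chain: level i carries the digest of level i+1 and level 0
 * owns the only key provisioned at manufacture. */
static void build_chain(stage_t s[STAGES])
{
    memset(s, 0, STAGES * sizeof *s);
    for (int l = 0; l < STAGES; l++)
        for (int i = 0; i < IMG_LEN; i++)
            s[l].image[i] = (uint8_t)(0xA0 + 0x10 * l + i);
    for (int l = 0; l + 1 < STAGES; l++)
        s[l].next_digest = fnv1a(s[l + 1].image, IMG_LEN);
    memset(s[0].key, 0x5A, KEY_LEN);  /* KEY0 */
    s[0].key_present = true;
}

/* Fig. 7: step 705 at level i looks ahead at level i+1 (verify, then write its
 * key), step 707 increments, step 709 compares with N, step 713 executes level N. */
boot7_result_t secure_boot_interleaved(bool tamper_last_stage)
{
    boot7_result_t r = { -1, 0 };
    stage_t s[STAGES];
    build_chain(s);
    if (tamper_last_stage)
        s[STAGES - 1].image[3] ^= 0x01;                       /* one flipped bit */

    uint32_t count = 0;                                       /* step 703 */
    while (count < STAGES - 1) {                              /* step 709: i != N */
        uint32_t i = count;
        if (!s[i].key_present)
            return r;                                         /* level i cannot run */
        if (!region_accessible(i + 1, count))
            return r;                                         /* step 705 needs the window */
        if (fnv1a(s[i + 1].image, IMG_LEN) != s[i].next_digest)
            return r;                                         /* integrity failure: halt */
        r.verified_mask |= 1u << (i + 1);
        for (int b = 0; b < KEY_LEN; b++)                     /* write KEY(i+1), placeholder */
            s[i + 1].key[b] = (uint8_t)(s[i].key[b] ^ s[i + 1].image[b]);
        s[i + 1].key_present = true;
        count++;                                              /* step 707 */
        if (region_accessible(i, count))
            return r;                                         /* invariant: level i now locked */
    }
    if (!s[STAGES - 1].key_present)                           /* step 713: run level N */
        return r;
    r.final_count = (int)count;
    return r;
}

int main(void)
{
    boot7_result_t ok  = secure_boot_interleaved(false);
    boot7_result_t bad = secure_boot_interleaved(true);
    printf("intact chain:   final count %d, verified levels 0x%x\n", ok.final_count, ok.verified_mask);
    printf("tampered CODE2: final count %d, verified levels 0x%x\n", bad.final_count, bad.verified_mask);
    return 0;
}
```

With an intact chain the boot verifies levels 1 and 2 and ends at count 2; with one bit flipped in the last stage, level 1 detects the mismatch during its step 705 and the boot halts at count 1, so the count is never advanced past a stage that has not been checked, and level 2 never receives its key.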
One advantage of the described embodiments is that the encryption keys are never physically accessible to the non-secure general purpose processor.
Another advantage of the described embodiments is that the selection of the encryption key relies on a hardware monotonic counter. The encryption keys thereby receive additional protection, since each is accessible only for a given TIL value.
Another advantage of the described embodiments is that they are readily adaptable to several boot architectures.
Various embodiments and modifications have been described. Those skilled in the art will appreciate that certain features of the embodiments may be combined, and that other variations will readily occur to those skilled in the art.
Finally, the actual implementation of the embodiments and variants described herein is within the abilities of one of ordinary skill in the art based on the functional description provided above. In particular, different types of processors may be used, and the implementation of the selection circuit and the number of isolation levels may vary.

Claims (20)

1. A method for performing cryptographic operations, the method comprising:
generating, by a monotonic counter of a processing device, a first count value;
transferring the first count value from the monotonic counter to a memory of the processing device;
selecting a first encryption key from the memory based on the first count value; and
providing the selected first encryption key to the cryptographic processor.
2. The method of claim 1, wherein selecting the first encryption key is performed by a selection circuit configured to prevent access to one or more other encryption keys stored in the memory in association with other count values of the monotonic counter.
3. The method of claim 1, wherein the first encryption key is selected based on the first count value and a first index.
4. The method of claim 3, further comprising:
selecting a third encryption key from the memory based on the first count value and a second index; and
providing the selected third encryption key to the cryptographic processor.
5. The method of claim 3, further comprising:
generating, by the monotonic counter of the processing device, a second count value;
transferring the second count value from the monotonic counter to the memory of the processing device;
selecting a second encryption key from the memory based on the second count value and the first index; and
providing the selected second encryption key to the cryptographic processor.
6. The method of claim 1, wherein the memory is configured such that access to the first encryption key is disallowed based on a count value greater than the first count value.
7. The method of claim 1, wherein providing the first encryption key to the cryptographic processor is performed via a bus between the memory and the cryptographic processor or via a register readable by a processor of the processing device, depending on a storage condition of the first encryption key.
8. The method of claim 7, wherein the storage condition is that the first encryption key is stored in a first address range.
9. The method of claim 7, wherein the storage condition is that the first encryption key is stored in the memory in association with a first value of a flag.
10. The method of claim 7, wherein the bus is dedicated to transferring encryption keys between the memory and the cryptographic processor.
11. The method of claim 1, wherein the monotonic counter is initialized to the first count value at a first boot of the processing device, the method further comprising initializing the monotonic counter to a second count value at a second boot of the processing device.
12. The method of claim 11, further comprising: initializing the monotonic counter to the first count value if a device state condition is satisfied at a third boot of the processing device.
13. The method of claim 12, wherein the device state condition corresponds to a programming state of a region of the memory.
14. A method for performing cryptographic operations, the method comprising:
generating, by a monotonic counter of a processing device, a first count value;
transferring the first count value from the monotonic counter to a memory of the processing device;
selecting a first encryption key from the memory based on the first count value and a first index;
providing the selected first encryption key to the cryptographic processor;
selecting a second encryption key from the memory based on the first count value and a second index; and
providing the selected second encryption key to the cryptographic processor;
generating, by the monotonic counter of the processing device, a second count value;
transferring the second count value from the monotonic counter to the memory of the processing device;
selecting a third encryption key from the memory based on the second count value and the first index; and
providing the selected third encryption key to the cryptographic processor.
15. The method of claim 14, wherein the monotonic counter is initialized to the first count value at a first boot of the processing device, the method further comprising initializing the monotonic counter to the second count value at a second boot of the processing device.
16. The method of claim 15, further comprising: initializing the monotonic counter to the first count value if a device state condition is satisfied at a third boot of the processing device.
17. A data processing apparatus comprising:
a monotonic counter configured to generate a first count value; and
a first memory comprising a selection circuit configured to:
selecting an encryption key stored in the first memory based on the first count value, and
provide the selected encryption key to the cryptographic processor.
18. The data processing apparatus of claim 17, wherein the first memory further comprises:
a first region associated with a first isolation level, the encryption key being stored in the first region;
a second region separate from the first region and associated with a second isolation level;
a multiplexer including a first input connected to the first region, a second input connected to the second region, a control input connected to the monotonic counter and configured to receive the first count value, and an output coupled to the cryptographic processor.
19. The data processing device of claim 17, further comprising:
a first bus connected between the cryptographic processor and the first memory, the first bus being dedicated to transferring encryption keys between the first memory and the cryptographic processor.
20. The data processing device of claim 19, further comprising:
a general purpose processor;
a second memory coupled to the general purpose processor and configured to store encrypted data decryptable using the encryption key; and
a second bus connecting the general purpose processor, the first memory, the second memory, and the cryptographic processor, the general purpose processor configured to receive the encryption key from the cryptographic processor and to indicate decryption of the encrypted data.
CN202210336712.5A 2021-03-31 2022-03-31 Secure storage of encryption keys Pending CN115146290A (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
FR2103316A FR3121564A1 (en) 2021-03-31 2021-03-31 Secure encryption key storage
FR2103316 2021-03-31
US17/657,212 US20220318439A1 (en) 2021-03-31 2022-03-30 Secured storage of ciphering keys
US17/657,212 2022-03-30

Publications (1)

Publication Number Publication Date
CN115146290A true CN115146290A (en) 2022-10-04

Family

ID=83407151

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210336712.5A Pending CN115146290A (en) 2021-03-31 2022-03-31 Secure storage of encryption keys

Country Status (1)

Country Link
CN (1) CN115146290A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination