CN116710915A - Integrated circuit with asymmetric access privileges - Google Patents

Publication number: CN116710915A
Authority: CN (China)
Prior art keywords: interface, state, integrated circuit, access, control unit
Legal status: Pending
Application number: CN202180088763.4A
Other languages: Chinese (zh)
Inventors: M·钱德勒-佩奇, P·萨米纳森, J·埃克伦德, N·怀特, J·A·比安科菲略, A·夏尔马
Current assignee: Cirrus Logic International Semiconductor Ltd
Original assignee: Cirrus Logic International Semiconductor Ltd
Priority claimed from US17/232,514 (US11809334B2)
Priority claimed from PCT/GB2021/052016 (WO2022157467A1)
Application filed by Cirrus Logic International Semiconductor Ltd
Publication of CN116710915A
Abstract

An integrated circuit includes a first interface and a second interface, an internally addressable space comprising a plurality of address ranges, and a control unit. Each of the first interface and the second interface is coupled to the internal addressable space via the control unit. The control unit may be configured to be in a first state in which the control unit is configured to allow or deny the second interface access to a subset of the plurality of address ranges of the internal addressable space.

Description

Integrated circuit with asymmetric access privileges
Technical Field
Examples described herein relate to integrated circuits, such as integrated circuits that protect and/or control their own functionality and/or that of output components, such as transducers.
Background
Many computing platforms are coupled to output components via integrated circuits (hereinafter "ICs"). In such systems, a processor may be communicatively coupled with the output component via a first signal path, e.g., in order to protect and/or control the functionality of the IC and/or the output component. The first signal path may include the IC.
Fig. 1 illustrates an example prior art system 100. In this system 100, a processor 101 is coupled to an IC 150, the IC 150 including a control interface 151, a data interface 152, a bus 153, an on-chip processor 154, and a plurality (n) of address ranges 155_1 to 155_n (hereinafter collectively 155). The IC or chip 150 may include or be associated with at least one output component 190 (e.g., coupled to at least one output component 190). Control interface 151 may provide processor 101 with access to an address range 155 of IC 150 via bus 153. The address range 155 of the IC 150 may include a set of registers, e.g., an addressable 'control' memory space (hereinafter referred to as an "addressable control space"), and a set of memories for data storage, such as an addressable 'data' memory space (hereinafter referred to as an "addressable data space"), such as a RAM block. The processor 154 of the IC may output control signals and/or data signals, such as audio and/or video and/or haptic data signals, etc., to the output component 190. The system 100 also includes a controller 103 (e.g., a Microcontroller (MCU), such as a secure microcontroller) or a processor (e.g., a microprocessor, such as a secure microprocessor). The on-chip processor 154 may control the functions of the output component 190 based on data received via the data interface 152. The processor 154 of the IC may include a Digital Signal Processor (DSP) and may be configured to process signals received at the data interface 152 and may output control signals and/or data signals to the output component 190, which output component 190 then acts on the received signals.
According to prior art system 100, during a boot-up (e.g., secure boot-up) or start-up of IC 150 (and/or output component 190), processor 101 instructs MCU 103 to load firmware into address range 155 of IC 150 (e.g., into the data space of the IC). Additionally and/or alternatively, MCU 103 may autonomously load firmware after it powers up, and/or system 100 may be designed such that processor 101 does not boot before MCU 103 signals it that MCU 103 has initialized the system hardware. MCU 103 can also program other control settings into one or more address ranges of IC 150, such as run-time settings of IC processor 154 and/or one or more output components 190.
However, during the runtime of the IC 150, the external processor 101 can only control the IC 150 to switch between an ON state and an OFF state. Thus, during runtime of the IC 150, the processor 101 has only basic on/off control of the IC 150 (e.g., the processor 101 may access a power pin (not shown) of the IC 150 via a general purpose input/output (GPIO) interface).
It is desirable that processor 101 have more control over the protection and/or function of IC 150 and/or output component 190.
However, if prior art processor 101 is granted runtime access to IC 150, any malware running on processor 101 may access IC 150 (e.g., its address range 155) and may override any or all of the control settings, firmware, runtime firmware settings, etc., for example. This may allow for irreversible damage (e.g., overload) to the IC 150 and/or the output component 190 by malware. It is highly desirable to prevent malicious actions set at runtime from being performed by system-level software and to ensure the security of a device (e.g., a device that includes any of the components of the system 100).
The IC 150 may also include a digital-to-analog converter (DAC) 156 for converting the output signal to an analog output signal to drive the transducer 190. Whether DAC 156 is included is a simple design choice depending on the system requirements, as will be apparent to the skilled artisan.
The present examples are directed to providing an integrated circuit that may allow an external processor to implement run-time control and/or protection of an IC and thus an output component controlled by the IC. More particularly, the present examples relate to providing an integrated circuit that may allow an external processor to access a set of addressable ranges within an IC to allow the external processor to implement run-time control and/or protection of the IC and/or output components.
Disclosure of Invention
According to an example, an integrated circuit is provided that includes an addressable space that includes one or more (e.g., multiple) address ranges, wherein the integrated circuit is configured to allow an external processor to access an authorized subset of the one or more address ranges. The circuitry of this example permits an external processor (e.g., executing driver software) to access a subset of the address range and in this manner grants the processor some, but not all, control over the functions of the integrated circuit and/or the output component. In this way, the authorized subset may include those spaces that are considered "secure" for the processor to access, for example during runtime, rather than just during boot/startup as in prior art integrated circuits and processors. The integrated circuit may be configured to allow a processor to access the authorized subset of the one or more address ranges during runtime of the integrated circuit. In this manner, the integrated circuit of this example provides runtime control to an external processor, allowing the external processor to access some address ranges of the integrated circuit (e.g., read, write, or read-write access) during runtime of the integrated circuit. The prior art processor does not have such control. The integrated circuit may include an interface configured to allow a processor to control access to the authorized subset of the one or more address ranges.
According to another example, an integrated circuit is provided that includes an interface configured to provide controlled access to an authorized subset of one or more address ranges of the integrated circuit. With respect to the above example, the circuitry of this example grants an external processor (e.g., executing driver software) access to a subset of the address range, and in this manner grants the processor some (but not all) control over the functions of the integrated circuit and/or output component. In this way, the authorized subset may include those spaces that are considered "secure" for the processor to access, for example during runtime, rather than just during boot/startup as in prior art integrated circuits and processors. The interface may be configured to provide access control to an authorized subset of one or more address ranges of the integrated circuit during runtime of the integrated circuit. With respect to the above example, in this manner, the integrated circuit provides runtime control of the processor, allowing the processor to access some address ranges of the integrated circuit, whereas prior art processors did not have such control. The interface may comprise a control interface.
The integrated circuit may also be configured to allow an external processor (e.g., a microcontroller) to access each of the one or more address ranges during boot/start-up of the integrated circuit. In one example, for this purpose, the integrated circuit may include another interface configured to allow the processor to control access to each of the one or more address ranges of the integrated circuit during boot/startup. The other interface may comprise a control interface. In this way, according to some examples, the integrated circuit may include: an interface configured to grant a processor access to a subset of the one or more address ranges of the integrated circuit during runtime; and another interface configured to permit the processor to access one or more of the address ranges (e.g., a plurality of address ranges, e.g., each of a plurality of address ranges) in an addressable space of the circuit during boot/startup. The interface may thus be referred to as a "restricted interface" or "restricted control interface" (because the interface grants access to a limited amount of space, e.g., a subset), while the other interface may thus be referred to as an "unrestricted interface" or "unrestricted control interface". Hereinafter, in this specification, an unrestricted interface is referred to as a 'first interface' and a restricted interface is referred to as a 'second interface', taking into consideration the order of use time of each interface during use of the integrated circuit.
According to another example, an integrated circuit is provided that includes one or more address ranges, wherein the integrated circuit is configured to allow an external processor to access at least one of the one or more address ranges during runtime control of the integrated circuit. The circuit of this example permits an external processor (e.g., executing driver software) to access the address range of the integrated circuit during runtime, thereby granting the processor runtime control of the functions of the integrated circuit and/or output component. The prior art integrated circuits do not provide such runtime access to the integrated circuit address range. The integrated circuit may include an interface configured to allow the external processor to control access to at least one of the one or more address ranges or to allow the external processor to controllably access at least one of the one or more address ranges during runtime control of the integrated circuit.
According to another example, an integrated circuit is provided that includes an interface (e.g., a control interface) configured to allow an external processor to access at least one address range of the integrated circuit during runtime control of the integrated circuit. With respect to the third example, the circuitry of this example permits an external processor (e.g., executing driver software) to access an address range of the integrated circuit during runtime, thereby granting the external processor runtime control of the functions of the integrated circuit and/or output component. The prior art integrated circuits do not provide such runtime access to the space of the integrated circuit. The interface may comprise a control interface.
In any of the above examples, the integrated circuit may be configured to allow the processor to access each of the one or more address ranges during boot/startup of the integrated circuit. The integrated circuit may further comprise another interface or control interface, wherein the other interface is configured to allow the processor to control access to, or to allow the processor to controllably access, each of one or more address ranges of the integrated circuit during boot/startup of the integrated circuit.
According to another example, which will be explained below, an integrated circuit may include two interfaces and may be capable of adopting the configuration described with respect to the above example. In these examples, the integrated circuit can take a configuration or state in which one of the two interfaces is permitted to access a subset of the addressable space (as described above) or prevented from accessing a subset of the addressable space (as described above), and thus is configured as a "restricted" interface and the other interface is configured as an "unrestricted" interface.
In any of the examples, the integrated circuit may be configured to set/designate access privileges for one or more address ranges to designate a subset of the one or more address ranges as an authorized subset, or designate a particular one or more of the address ranges as accessible during runtime of the integrated circuit. For example, the integrated circuit may include a control unit configured to set access privileges for one or more address ranges to designate a subset of the one or more address ranges as an authorized subset.
According to another example, an integrated circuit is provided that includes one or more address ranges, wherein the integrated circuit is configured to set access permissions to at least one of the one or more address ranges. With respect to the above example, the integrated circuit in this example may designate a subset of its address ranges as accessible, which the external processor may then access, for example via an interface, during runtime of the integrated circuit. The integrated circuit may comprise a control unit configured to set the access permissions to the at least one address range. The integrated circuit may include a control interface, wherein the interface is configured to provide access to an authorized or restricted subset of the one or more address ranges, the authorized subset including a set of address ranges determined by the integrated circuit. The integrated circuit may further comprise a further interface or control interface, wherein the further interface is configured to provide access, e.g. unrestricted access, to each of the one or more address ranges, e.g. at boot-up/start-up.
In any of the examples, the one or more address ranges may include a set of addressable control spaces and a set of addressable memory spaces, and the authorized subset may include at least one addressable control space and at least one addressable memory space. The one or more address ranges may include any one or more of an internal addressable space of an IC, electronic registers, programmable data storage, and/or programmable data structures. Each of the address ranges may be configured to store a respective bit of a binary word, e.g., a data byte.
An integrated circuit according to any of the above examples may include a circuit processor or an on-chip processor, such as a Digital Signal Processor (DSP). The circuit processor may control the output components in conjunction with one of the addressable control and/or data spaces of the circuit and may thus also protect the output components. The output component may include a transducer that converts energy from one form to another. The transducer may comprise: an active transducer; a passive transducer; an electrical (resistive, inductive, and/or capacitive) transducer; an analog transducer; a digital transducer; a heat transducer; a pressure transducer; a displacement transducer; an oscillator transducer; a flow transducer; a piezoelectric transducer; a chemical transducer; a mutual inductance transducer; a magnetic transducer; a hall effect transducer; an electrochemical transducer; mass-based transducers and/or optical transducers.
The integrated circuit may include a data interface. Thus, the data interface together with the above-mentioned two interfaces, e.g. the control interface, may define a third interface of the circuit. The data interface may be configured to receive data, such as an input signal. In some examples, the data interface may be configured to receive an audio signal, such as a digital signal, e.g., a Pulse Code Modulation (PCM) signal.
The integrated circuit may include a bus (e.g., on-chip) optionally, wherein the bus is coupled to at least one of: one or more interfaces, at least one addressable space, and/or a circuit processor. The (external) processor may be configured to access at least one of the address ranges in the addressable space of the circuit by communicating with the space via the bus (and via one of the interfaces). In examples where the integrated circuit includes a control unit (e.g., a programmable access control or PAC unit), the control unit is configured to set access privileges for one or more address ranges to designate a subset of the one or more address ranges as an authorized subset. The PAC unit may be coupled to the unrestricted interface and the bus. Through the bus, the PAC unit may be configured to access one or more address ranges to change permissions for the address ranges and designate a subset as an authorized subset to be accessible via the restricted interface. A processor (e.g., DSP) may also be coupled to the on-chip bus and may receive data via a codec (external to the integrated circuit).
The control unit (e.g., PAC unit) may be implemented in hardware and/or software in the integrated circuit. The control unit may be configured to send a signal to the filter or gate indicating whether a particular access request (e.g. read or write) from the interface is allowed or blocked. The integrated circuit may comprise a filter, e.g. an address filter, which may be connected to the restricted interface and the control unit. The filter may be configured to block and/or allow access to at least one address range of the integrated circuit. The control unit may comprise a policy table. The policy table or comparison table may comprise a data structure, such as a look-up table (LUT) with one or more access policy entries. Each entry may define a block or region within the addressable space of the integrated circuit together with an associated access grant for at least one address range in the addressable space. For example, the policy table may define a set of address ranges associated with access permissions. The access permissions may include permissions to read, write or read/write at least one address range in the addressable space. Access permissions may be stored for a set of address ranges, and each address range may be defined either by a start address and an end address or by a start address and a length (from which the end address is derived). In this way, the subset of address ranges designated as authorized may be so designated by the associated access permissions stored in the policy table. The control unit may further comprise an auditing unit or module, which may comprise hardware and/or software (e.g., comparators and/or combinational logic) configured to compare incoming information regarding an access request received via an interface with the entries in the policy table, and configured to determine whether to block or allow the request on the basis of that access information.
The auditing unit may also be configured to provide an "allow access" signal to the filter or gate (e.g., address gate) to grant the interface access to the space related to the request that would otherwise be denied or blocked. "Access information" means the details of an incoming request from an external entity (e.g., an external processor) to addressable space within the integrated circuit. The access information or request may include one or more of an address (or location) of a space, the nature of the request (e.g., read or write), and data to be written into the space. More specifically, according to an example, a request to read, write, or read and write at least one address range of the addressable space may be received via an interface (e.g., a restricted interface as described above). An auditing unit or module of the control unit compares the at least one address range contained in the incoming information with the associated access permission (e.g., stored in the policy table) to determine whether to block or allow the request. For example, it may be determined whether the at least one address range is within the set of address ranges associated with write or read/write access permissions. For example, if the request is to read a given address range, it may be determined whether the given address range is associated with a read permission, and if so, the access request is allowed. In examples where access permissions for multiple sets of address ranges are stored, it may be determined whether the at least one address range is contained within one of the sets of address ranges associated with the required access permission (e.g., whether the address range lies between the start address and the end address of a set; or, in examples where a set of address ranges is defined by a start address and a length, whether the address lies between the start address and "start address + length - 1" for a set associated with the required access permission).
The control unit may specify the authorized subset of the address ranges via access permissions stored in a policy table. Thus, the subset may be designated as authorized by programming the policy table. The access permissions stored in the policy table may be modifiable, but may also be lockable, such that any further writing of the policy table (and thus modification of the policy table) is prevented. The authorized subset may include at least one address range associated with an access permission that grants permission to read, write, or read and write the at least one range. The authorized subset may thus include at least one of a read subset, a write subset, and a read-write subset. In examples where the policy table is lockable, the access permissions of the policy table may be set such that none of the access permissions can be changed unless the policy table is effectively cleared by resetting the integrated circuit.
In another example, the integrated circuit may include a plurality of interfaces, wherein each interface may be configured as a restricted interface or an unrestricted interface. In one example, an integrated circuit may include N interfaces (N is an integer of 1 or greater), each of which may be configured as a restricted interface or an unrestricted interface, and according to one configuration, one interface is configured as an unrestricted interface and N-1 interfaces are configured as restricted interfaces. In a two-interface example, each of the two interfaces is connected to the control unit (which may include a policy table and audit module as described above) and each of the two interfaces is connected to a respective associated filter. To this end, the integrated circuit may include a dedicated address range configured to open one filter and close the other filter: the interface associated with the open filter is a restricted interface, because incoming access requests will be checked by the mechanism described above, whereas no such checks are performed on the other interface (whose filter is closed), which is thus an unrestricted interface with access to all of the space. As an alternative to a dedicated address range, the IC may be configured to designate one interface as unrestricted and the remaining interface(s) as restricted by other means (e.g., by non-volatile memory, such as one-time programmable (OTP) memory). In this way, the IC enables the user to select which interface is unrestricted and which of the remaining interface(s) are restricted interfaces.
In another example, the integrated circuit may include one unrestricted interface and multiple (e.g., more than one, such as M, where M is an integer) restricted interfaces as described above. In this example, each restricted interface may be associated with its own policy table, such that each restricted interface has its own unique access permissions, because each restricted interface may be granted access to a unique subset of the addressable space.
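The following is an added behavioural model, written for this page and not code from the patent or from Cirrus Logic, of the mechanism described in the two passages above: a policy table of (start address, length, permission) entries, an auditing module that checks whether every byte of a request lies inside an entry with the required permission, a per-interface gate that is open (audited) for the restricted interface and closed (bypassed) for the unrestricted one, a lock that only a reset clears, and a boot sequence in which the unrestricted interface programs the table before the host driver gets runtime access. The class names, the address map and the boot sequence are constructed for the example; denied requests are recorded so a defender can see what was blocked.

```python
"""Behavioural model of a programmable access control (PAC) unit with a
policy table, audit module and per-interface gates. Added illustration;
not the patent's or Cirrus Logic's code. Names and address map are assumed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PolicyEntry:
    start: int   # first address of the region
    length: int  # region length; the last address is start + length - 1
    perms: str   # "r", "w" or "rw"

    def covers(self, addr, size):
        """True only if every byte of [addr, addr + size) lies in this region."""
        return self.start <= addr and addr + size - 1 <= self.start + self.length - 1


@dataclass
class PolicyTable:
    entries: list = field(default_factory=list)
    locked: bool = False

    def add(self, start, length, perms):
        if self.locked:
            raise PermissionError("policy table locked; only a reset clears it")
        self.entries.append(PolicyEntry(start, length, perms))

    def lock(self):
        self.locked = True


class AccessControlUnit:
    """One policy table and one gate per interface. An open gate means the
    interface is restricted and every request is audited; a closed gate means
    the interface is unrestricted and bypasses the filter entirely."""

    def __init__(self, interfaces, unrestricted):
        self.table = PolicyTable()
        # Which interface is unrestricted would be fixed by OTP or a dedicated
        # register on silicon; here it is a constructor argument.
        self.gate_open = {name: name != unrestricted for name in interfaces}
        self.denied = []  # audit trail of blocked requests: (iface, op, addr, size)

    def request(self, iface, op, addr, size=1):
        """Audit module: returns True when the access is allowed."""
        if not self.gate_open[iface]:
            return True
        ok = any(e.covers(addr, size) and op in e.perms for e in self.table.entries)
        if not ok:
            self.denied.append((iface, op, addr, size))
        return ok

    def program(self, iface, start, length, perms):
        """Policy entries may only be written through the unrestricted interface."""
        if self.gate_open[iface]:
            self.denied.append((iface, "policy", start, length))
            return False
        self.table.add(start, length, perms)
        return True

    def reset(self):
        self.table = PolicyTable()  # a reset clears both the entries and the lock
        self.denied.clear()


# Constructed address map (not the patent's): read-only status registers,
# runtime control registers the host may tune, and firmware RAM that must
# stay out of the host's reach after boot.
STATUS_REGS = (0x0000, 0x40)    # (start, length)
RUNTIME_REGS = (0x0040, 0x10)
FIRMWARE_RAM = (0x1000, 0x1000)


def boot_and_run():
    """Boot-time programming by the MCU (first, unrestricted interface), then
    runtime requests from the host driver (second, restricted interface).
    Returns a dict of outcomes so the behaviour can be checked."""
    pac = AccessControlUnit(interfaces=("first", "second"), unrestricted="first")
    out = {}
    # Boot: the MCU loads firmware, programs the authorized subset, then locks.
    out["mcu_fw_load"] = pac.request("first", "w", FIRMWARE_RAM[0], 256)
    pac.program("first", *STATUS_REGS, "r")
    pac.program("first", *RUNTIME_REGS, "rw")
    pac.table.lock()
    # Runtime: the host reaches the IC only through the restricted interface.
    out["host_read_status"] = pac.request("second", "r", 0x0010)
    out["host_write_status"] = pac.request("second", "w", 0x0010)      # read-only
    out["host_write_runtime"] = pac.request("second", "w", 0x0044, 4)  # inside 0x40..0x4F
    out["host_write_fw"] = pac.request("second", "w", FIRMWARE_RAM[0])  # not authorized
    out["host_straddle"] = pac.request("second", "w", 0x004E, 4)       # last byte 0x51
    out["host_reprogram"] = pac.program("second", *FIRMWARE_RAM, "rw")
    try:
        pac.program("first", 0x2000, 0x40, "rw")
        out["mcu_post_lock"] = True
    except PermissionError:
        out["mcu_post_lock"] = False
    out["denied_count"] = len(pac.denied)
    pac.reset()
    out["unlocked_after_reset"] = not pac.table.locked
    return out


if __name__ == "__main__":
    for name, value in boot_and_run().items():
        print(f"{name}: {value}")
```

The straddling write is the case worth noting: a four-byte access starting at the last bytes of an authorized region is rejected because the check is applied to the whole span, not just the first address, which is what "start address + length - 1" as an inclusive upper bound implies. After the lock, even the unrestricted interface cannot add entries until a reset, matching the passage on lockable policy tables.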
Thus, in one example, an integrated circuit is provided that includes an interface, an internal addressable space comprising a plurality of address ranges, wherein the interface is coupled to the internal addressable space, wherein the integrated circuit is configurable in a first state to allow or deny the interface access to a subset of the plurality of address ranges of the internal addressable space.
Thus, in one example, an integrated circuit is provided that includes an interface, a plurality of memory locations, wherein the interface is coupled to the plurality of memory locations, wherein the integrated circuit is configurable in a first state to allow or deny access by the interface to a subset of the plurality of memory locations.
In another example, an integrated circuit is provided that includes an interface, an internal addressable space comprising a plurality of address ranges, wherein the interface is coupled to the internal addressable space, and wherein access to a first subset of the plurality of address ranges is granted via the interface and access to a second subset of the plurality of address ranges is blocked via the interface.
In another example, an integrated circuit is provided that includes an interface and a plurality of memory locations, wherein the interface is coupled to the plurality of memory locations, and wherein access to a first subset of the plurality of memory locations is granted via the interface and access to a second subset of the plurality of memory locations is blocked via the interface.
In another example, an integrated circuit is provided that includes a first interface and a second interface, an internally addressable space that includes one or more address ranges, and a control unit. Each of the first interface and the second interface is coupled to the internal addressable space via the control unit, and the control unit is configurable to be in a first state in which the control unit is configured to allow or deny the second interface access to a subset of the one or more address ranges of the internal addressable space.
The configuration of the control unit may be set via the first interface.
The control unit may include a gate having an open state and a closed state. The second interface may be coupled to the internal addressable space via the gate. The control unit being configured to be in the first state may correspond to the gate being configured to be in the open state. The state of the gate may be lockable, for example by the control unit, such that the state of the gate is prevented from being changed. It may be possible to change the state of the gate (e.g., from open back to closed) only by resetting the integrated circuit, which effectively resets the gate to its default closed configuration.
The control unit may comprise a policy table storing access permissions for the internally addressable space. The access permissions may define the subset of address ranges that the control unit allows or denies access to when in the first state. The gate may be coupled to the policy table such that in the open state the gate is configured to allow or deny access to the subset of the internally addressable space according to the policy table.
The control unit may further comprise an auditing module configured to, for an incoming request received via the second interface to access at least one address in the one or more address ranges, access the policy table to determine an access permission associated with the at least one address and send a signal to the gate. The gate in the open state may be configured to adopt a configuration, upon receipt of the signal from the auditing module, that depends on the access permission associated with the at least one address, the received access request being allowed or denied in accordance with that configuration.
The open/close state of the gate may be configured to be controllable via a nonvolatile memory. The non-volatile memory may include one-time programmable (OTP) memory.
The auditing module includes a comparator or combinational logic.
The incoming access request received via the second interface may comprise a request to read, write, or read and write the at least one address. The associated access permissions may include permissions to read, write or read/write the at least one address.
The policy table may be configured to store access permissions for a set of address ranges in the internal addressable space. The access permissions in the policy table may be configured to be set via the first interface.
The integrated circuit may be configured such that after booting of the integrated circuit, modification of the access permissions stored in the policy table is prevented.
In the first state, the control unit may be configured to store an access grant defining the subset of address ranges for which access is allowed or denied via the second interface. The access permissions may be configured to be set via the first interface.
When in the first state, the control unit may be configured to allow the first interface to access the one or more address ranges of the internal addressable space.
The control unit may include a gate having an open state and a closed state. The first interface may be coupled to the internal addressable space via the gate. The control unit being configured to be in the first state may correspond to the gate being configured to be in the closed state.
According to an example, an integrated circuit may be provided in which the control unit is configured to be in the first state.
The integrated circuit may include a plurality of second interfaces. Each of the plurality of second interfaces may be coupled to the internal addressable space via the control unit. The control unit may be configurable in a state in which the control unit is configured to allow or deny access to the subset of address ranges to a subset of the plurality of second interfaces.
The integrated circuit may include a plurality of second interfaces and a plurality of control units. Each of the plurality of second interfaces may be coupled to the internal addressable space via a respective control unit. Each control unit may be configurable to be in a first state in which the control unit is configured to allow or deny the respective second interface access to at least a respective subset of the plurality of address ranges.
The configuration of each of the plurality of control units is set via the first interface.
According to another example, an integrated circuit is provided that includes a first interface and a second interface and an internally addressable space that includes one or more address ranges. Each of the first interface and the second interface is coupled to the internal addressable space, and the integrated circuit grants access to a first subset of the one or more address ranges via the second interface and prevents access to a second subset of the one or more address ranges via the second interface.
Access to the one or more address ranges may be granted via the first interface.
The integrated circuit may include a policy table configured to store access permissions for at least a subset of the one or more address ranges such that the first subset and the second subset are defined according to associated access permissions of the first subset and the second subset stored in the policy table.
The access permissions may be configured to be set via the first interface.
The integrated circuit may also include a gate and an auditing module. The auditing module may be coupled to the policy table and the gate. The auditing module may be configured to, for an incoming request received via the second interface to access at least one address in the one or more address ranges, access the policy table to determine the access permissions associated with the at least one address and signal the gate. The gate may be configured to adopt a configuration upon receipt of the signal from the auditing module in dependence on the access permissions associated with the at least one address, the received access request being allowed or denied in accordance with that configuration.
According to an example, a system is provided that includes an integrated circuit as described above, a secure microcontroller coupled to the addressable space via the first interface, and a processor coupled to the addressable space via at least one second interface.
The processor may be configured to trigger the secure microcontroller to initialize the integrated circuit.
The processor may be configured to initialize an operating system. The secure microcontroller may be configured to initialize the integrated circuit before the processor completes initializing the operating system.
According to another example, an integrated circuit is provided that includes a first interface and a second interface and an internally addressable space that includes one or more address ranges. The integrated circuit is configurable such that access to the one or more address ranges is granted via one of the first interface and the second interface, and access to a first subset of the one or more address ranges is denied via the other of the first interface and the second interface.
Other examples provide a system comprising an integrated circuit as described above. In addition to the integrated circuit, the system may also include an external processor configured to access the integrated circuit, for example via an interface (e.g., a control interface) of the integrated circuit. This processor may be referred to as a "host processor" or an "application processor" to distinguish it from other processors in the system, such as processors of the integrated circuit. The system may further comprise a motherboard, and the host processor may communicate with the integrated circuit via the motherboard, which may further comprise a chipset (or platform control hub), a microcontroller (MCU) (or microprocessor; the two terms are used synonymously hereinafter), and/or a codec. The host processor may be configured to execute driver software and application software, for example to access the integrated circuit via the motherboard.
The codec may be coupled to the integrated circuit via a data interface and may send signals to a processor (e.g., DSP) of the integrated circuit via that data interface. An on-chip processor (e.g., DSP) of the integrated circuit may thus be configured to receive data from the codec via the data interface. The host processor may be coupled to both the chipset/PCH and the MCU. For example, the chipset/PCH may be coupled to the host processor and to the second or restricted interface, and the MCU may be coupled to the host processor and to the first or unrestricted interface. The host processor may then be configured to access the addressable space of the circuit via the chipset/PCH and the second interface.
As described above, the (authorized) subset of address ranges accessible to the host processor through the second interface is a restricted set (because it is a subset of the one or more address ranges), and this subset may allow the host processor executing driver software to access at least one control space (or register) of the integrated circuit during runtime of the circuit (or of an output component coupled to the circuit). In this way, the host processor has runtime control of the circuit through the second interface but cannot access the full set of address ranges of the circuit. On the other hand, the first interface allows unrestricted access to each of the address ranges of the circuit, and the processor is therefore connected to the first interface via the secure MCU so as to access the address ranges during start-up or boot of the integrated circuit. Runtime control may include real-time control or reactive control, and may include control of the integrated circuit and/or output components at times other than the booting or starting of the circuit.
As understood by those skilled in the art, the secure MCU is configured to be immune to malware. In this way, while the host processor (via the first interface) may access all addressable space of the integrated circuit, malware cannot access the addressable space via the first interface since such access is via the secure MCU. Via the secure MCU, the host processor may be configured to execute application software, download and/or load firmware and/or any other security critical settings into at least one address space of the integrated circuit in a secure manner that is not affected by malware.
Access to the addressable space via the second interface is not via the secure MCU. The authorized subset of the address ranges accessible to the processor via the second interface may therefore include only those address ranges that do not jeopardize or compromise security. In this way, if any malware were to access any of the authorized subset of address ranges via the second interface, the risk of circuit damage and/or failure would be low or non-existent, because those address ranges that could cause circuit damage or failure are not part of the authorized subset and are therefore accessible only via the secure MCU, which is not affected by malware.
In one specific (but non-limiting) example, the system is an audio system. The codec is an audio codec (e.g., a High Definition Audio (HDA) codec) that sends digital (e.g., PCM) audio signals to a DSP of the circuit. The output component is an amplifier transducer that amplifies the signal received at the DSP and outputs it to a speaker, which outputs the audio in the form of sound waves. In this example, the integrated circuit may be an amplifier integrated circuit.
According to an example, an integrated circuit is provided that includes an interface and a gate, wherein the interface is coupled to the gate, and wherein the gate is configurable to be in one of two states, the state of the gate being based on data associated with an access request received via the interface. In another example, an integrated circuit is provided that includes an interface and a gate, wherein the interface is coupled to the gate and is configured to receive an access request, and wherein the gate is configured to allow or deny access to the interface based on data associated with the access request. The two states of the gate may include an ALLOW state, in which the gate is configured to allow the access request, and a DENY state, in which the gate is configured to deny the access request. The access request may describe a register, e.g. an address range, of the circuit to be accessed, and in the ALLOW state the gate may be configured to allow access via the interface to the register of the circuit described by the access request. The integrated circuit may include a control module and/or policy table as described above to set the state of the gate in the manner described above.
According to another example, there is provided an integrated circuit comprising: an internally addressable space comprising a plurality of address ranges; a control unit configurable to be in a first state and a second state; and an interface coupled to the internal addressable space via the control unit, wherein the interface accesses the plurality of address ranges unrestricted via the control unit when the control unit is configured in the first state, and accesses a restricted subset of the plurality of address ranges via the control unit when the control unit is configured in the second state.
In this example, the integrated circuit may be provided with a single interface (as opposed to the two interfaces in some of the examples listed above), and the configuration of the control unit, and thus of the integrated circuit, is set via that single interface. When the control unit is configured to be in the first state, it is configurable via the interface to be in the second state. In other words, the default configuration of the control unit (and thus of the circuit) is a first state in which access to the internal space is not restricted, but this default configuration is configurable via the interface into a second state in which access becomes restricted. One advantage of this configuration is that a single processor (e.g., an application processor) can securely cause the integrated circuit to load firmware and configure the integrated circuit (when in the first state) and have runtime control over the integrated circuit (when in the second state). A separate security controller is therefore not required. The separation within a processor between a system boot loader (e.g., a Unified Extensible Firmware Interface (UEFI) boot, which is considered secure) and a host operating system (which is considered non-secure) may be used to complete secure loading and configuration of the integrated circuit via a single external processor. In the unrestricted first state, the integrated circuit permits a UEFI boot loader on the processor to load the integrated circuit and configure address range access for the host operating system. The external processor may then transition the control unit to the restricted second state in a manner described below. This transition from the first state to the second state may be irreversible without resetting the control unit, in a manner described below. Once in the second state, the host operating system may be initialized and the external processor may have runtime control of the integrated circuit.
Thus, the restricted subset of the plurality of address ranges may not include a configuration register for the control unit.
The control unit may include a policy table as described above with respect to other examples. The policy table is configured to store access permissions for the internally addressable space, the access permissions defining the restricted subset of the plurality of address ranges accessed by the interface when the control unit is configured to be in its second state. The access permissions may be written to the policy table via the interface when the control unit is configured to be in the first state. In this way, configuring the control unit to be in its second state may correspond to configuring the policy table and defining a subset of the address ranges for which access is restricted, for example by writing policies and/or access permissions to the policy table.
When the control unit is configured to be in its second state, the access permissions of the policy table may be prevented from being modified via the interface. In this way, the control unit may be locked in its second state and may only be returned to its first state by resetting the access permissions of the policy table. In some examples, this may only be possible through a full reset of the integrated circuit.
The control unit may comprise a gate as described above in relation to other examples. The gate may have an open state and a closed state, and the interface may be coupled to the internal addressable space via the gate. The gate may be configured to be in the closed state when the control unit is configured to be in the first state, and the gate may be configured to be in the open state when the control unit is configured to be in the second state. In this way, configuring the control unit to be in its second state may correspond to configuring the gate to be in its open state. The internal addressable space is accessed via the gate, so configuring the gate in the open state may limit the range of addresses that may be accessed via the interface.
When the control unit is configured to be in the first state, the state of the gate may be settable via the interface. When the control unit is configured to be in the second state, the state of the gate may be prevented from being changed via the interface. When the control unit is configured to be in the second state, the control unit may only be placed back in the first state by resetting the integrated circuit.
The integrated circuit may also include an auditing module as described above with respect to other examples. The auditing module may be configured to, for an incoming access request received from an external processor via the interface to access at least one address of the plurality of address ranges, access the policy table to determine the access permission associated with the at least one address and signal the gate. The gate, when in the open state, may be configured to adopt a configuration upon receipt of the signal from the auditing module, depending on the access permissions associated with the at least one address stored in the policy table, in accordance with which the received access request is allowed or denied.
In summary, configuring the control unit to be in the second state may comprise defining access permissions stored in a policy table and/or configuring the gate to be in an open state such that access to the address range is according to the policy.
The interface may be a first interface and the integrated circuit may include a plurality of interfaces including the first interface. For example, the integrated circuit may include other interfaces, such as those described above with respect to other examples.
According to another example, there is provided a system comprising an integrated circuit as described above and a processor connected to the interface of the integrated circuit, wherein the processor has a first state and a second state such that, when configured in the first state, the processor is configured to execute bootloader firmware and, when configured in the second state, the processor is configured to initialize and execute an operating system, wherein the processor being in its first state corresponds to the control unit being in its first state and the processor being in its second state corresponds to the control unit being in its second state.
When configured to be in the first state, the processor may be configured to cause the control unit to transition from its first state to its second state. In other words, the processor may be configured to restrict access via the interface (to a subset of the complete set of address ranges), as discussed above. When configured to be in the first state, the processor may be configured to write the access permissions defining the restricted subset of the plurality of address ranges to the policy table. When configured to be in the first state, the processor may be configured to cause the gate to transition from its closed state to its open state. As discussed above, any of these actions may cause the control unit to transition from its first state to its second state. When configured to be in its second state, the processor may be configured such that it cannot cause the control unit to transition from its second state to its first state without first transitioning itself back to its first state (e.g., by rebooting the processor).
According to another example, an integrated circuit is provided, the integrated circuit comprising a first interface and a second interface, an internal addressable space comprising a plurality of address ranges, and a control unit, wherein each of the first interface and the second interface is coupled to the internal addressable space via the control unit, wherein the control unit is configurable to be in a first state, a second state, and a third state, wherein the first interface has unrestricted access to the plurality of address ranges via the control unit when the control unit is configured to be in the first state, and wherein the first interface has access to a restricted subset of the plurality of address ranges via the control unit when the control unit is configured to be in the second state, and wherein the control unit is configured to allow or deny the second interface access to the subset of the plurality of address ranges of the internal addressable space when the control unit is configured to be in the third state.
In this example, a dual-interface integrated circuit is provided, and access to the plurality of address ranges may be restricted via either interface. Via one interface, the control unit may be placed in a state in which access to the internal addressable space is restricted via that interface or via the other interface. From the preceding paragraphs, it will be appreciated that some examples herein relate to a dual-interface solution for an integrated circuit (in which one unrestricted interface may configure the circuit such that the other interface becomes restricted), while other examples relate to a single-interface solution (in which an initially unrestricted interface may configure the circuit such that that interface becomes restricted).
With respect to the previous examples, when the control unit is configured to be in the first state, the control unit may be configurable to be in the second state via the first interface, and/or the configuration of the control unit may be set via the first interface.
According to another example, there is provided an integrated circuit comprising: an internally addressable space comprising a plurality of address ranges; a control unit storing policies; and an interface coupled to the internal addressable space via the control unit, wherein the control unit is configurable via the interface to be in a lockable state in which the interface accesses a restricted subset of the plurality of address ranges via the control unit as defined by the policy stored in the control unit.
The policy stored in the control unit may be set via the interface, as described above, and configuring the control unit to be in the lockable state may include setting the policy via the interface. The integrated circuit may further comprise a gate as described above, wherein the interface is coupled to the internal addressable space via the gate, and wherein the gate has an open state and a closed state such that, when in its open state, the gate allows or denies access to a given address via the interface according to the entry corresponding to the given address in the policy stored in the control unit, and configuring the control unit to be in the lockable state comprises configuring the gate to be in the open state.
According to another example, an integrated circuit is provided that includes a first interface and a second interface coupled to an internal addressable space, the integrated circuit being configurable in a first mode and a second mode such that in the first mode the first interface has unrestricted access to the plurality of address ranges and the integrated circuit is configurable such that the first interface has restricted access, the restricted access being limited to a subset of the plurality of address ranges, and in the second mode the first interface has unrestricted access to the plurality of address ranges of the internal addressable space and the restricted access is limited to the subset of the plurality of address ranges. In an example, an integrated circuit configured to be in the first mode is provided. In another example, a device configured to be in the second mode is provided.
In another example, an integrated circuit is provided that includes a first interface and a second interface coupled to an internally addressable space having a plurality of address ranges. The first interface has unrestricted access to the plurality of address ranges, and the integrated circuit is configurable such that the first interface or the second interface has restricted access to the plurality of address ranges, the restricted access being limited to a subset of the plurality of address ranges.
Each of the first interface and the second interface may be associated with a respective gate having an open state and a closed state such that each gate, when in its open state, grants access to the internal addressable space according to policies stored in the integrated circuit. Unrestricted access by the first interface to the plurality of address ranges corresponds to the gate associated with the first interface being closed. Configuring the integrated circuit such that the first interface or the second interface has restricted access to the plurality of address ranges, the restricted access being limited to a subset of the plurality of address ranges, includes changing the gate associated with the first interface or the second interface from closed to open. In one example, the gate associated with the first interface is closed and the gate associated with the second interface is closed. In another example, the gate associated with the first interface is closed and the gate associated with the second interface is open. In yet another example, the gate associated with the first interface is open and the gate associated with the second interface is closed.
In any of the above examples, a processor (e.g., an external processor) may load firmware into the IC that, when executed, causes the IC (or its control unit) to adopt a particular configuration (e.g., set a gate to its open or closed state, program a policy table, etc.), but in other examples firmware may be preloaded onto the IC. In these latter examples, the IC includes the firmware. The firmware may be stored on the IC in non-volatile memory. For example, the gate configuration and/or policy table configuration may be stored on the IC in non-volatile memory. Thus, any given IC may be configured at the time of its manufacture (e.g., preloaded before the IC is delivered to the customer), configured by the customer (e.g., through OTP programming), and/or configured by executing firmware stored on the IC in non-volatile memory.
In the remainder of this document, the following abbreviations introduced in the previous section will be used: "IC" means integrated circuit, "MCU" means microcontroller, "OTP" means one-time programmable, "PAC" means programmable access control, "PCM" means pulse code modulation, "HDA" means high definition audio, "PCH" means platform control hub, "DSP" means digital signal processor, "OS" means operating system, and "UEFI" means unified extensible firmware interface.
Drawings
The disclosure may be understood with reference to the accompanying drawings, in which:
FIG. 1 shows a prior art system;
FIGS. 2A-2E each illustrate a simplified schematic diagram of an integrated circuit according to five examples of the present disclosure;
FIG. 3 is a simplified schematic diagram of an example integrated circuit;
FIG. 4 shows a table illustrating a processor's access to and control of an integrated circuit according to the present disclosure, compared with prior art integrated circuits;
FIG. 5 is a simplified schematic diagram of an example system including an integrated circuit according to the present disclosure;
FIG. 6 is a simplified schematic diagram of an example control module of an integrated circuit;
FIG. 7 is a simplified schematic diagram of an example integrated circuit;
FIG. 8 is a simplified schematic diagram of an example integrated circuit;
FIG. 9 is a simplified schematic block diagram of an example integrated circuit;
FIG. 10 is a sequence diagram showing an example boot sequence for the integrated circuit of any of the examples of FIGS. 1-9;
FIG. 11 is a simplified schematic block diagram of an example integrated circuit;
FIG. 12 is a simplified schematic block diagram of an example integrated circuit;
FIG. 13 is a simplified schematic diagram of an example system including an integrated circuit according to the present disclosure;
FIG. 14 is a sequence diagram showing an example boot sequence for the integrated circuit of any of the examples of FIGS. 11-13;
FIG. 15a is a substantially simplified schematic block diagram of an example integrated circuit; and
FIGS. 16a-16c are simplified schematic block diagrams of the example integrated circuit illustrated in FIGS. 15a and 15b.
Detailed Description
FIGS. 2A-2E each show a simplified schematic diagram of an example IC 150a-150e. Each IC includes one or more address ranges, which may include any one or more of an internal addressable space of the IC, electronic registers, programmable data storage, and/or programmable data structures. In this document, the terms "address range" and "addressable space" may be used interchangeably. Furthermore, the terms "address range" and "memory location" may be used interchangeably.
In each of these figures, an open padlock represents an unrestricted/unprotected address range, while a locked padlock represents a restricted/protected address range. As will be explained further below, according to some examples access is granted only to those ranges marked with an open padlock; those ranges form a subset of the address ranges and may be referred to as the "authorized", "secure", "designated", "open", or "restricted" subset of address ranges (restricted in the sense that they are a subset of the plurality of address ranges).
FIG. 2A illustrates an IC 250a that includes a plurality of address ranges 255₁ to 255ₙ. IC 250a is configured to allow processor 101 (not shown) to access an authorized subset 255 of the plurality of address ranges, i.e., the "authorized address ranges" (indicated in the figure by an open padlock). This allows the host processor 101 to access a subset of the plurality of address ranges 255 of IC 250a during the runtime of IC 250a, because processor 101 may access only those address ranges designated as authorized (open padlock), whereas prior art ICs did not allow the processor to access any addresses during the runtime of the IC, nor did they allow access to any subset of the address ranges, authorized or not. Those address ranges designated as authorized may thus be considered "secure" for the processor to access during the runtime of IC 250a, and therefore may not include any address ranges holding security-critical controls for IC 250a and/or output component 190. Authorized address ranges may also be referred to as accessible, secure, reliable, protected, designated or open address ranges. As will be explained below, IC 250a may include an interface to grant access to the authorized subset 255 of the address ranges.
FIG. 2B illustrates an IC 250b that includes a plurality of address ranges 256₁ to 256ₙ. IC 250b is configured to allow processor 101 (not shown) to access the plurality of address ranges 256 during runtime control of IC 250b, as indicated by the dashed lines. In the example of FIG. 2A, a subset of the IC's address ranges is designated as authorized and therefore accessible during runtime, while in the example of FIG. 2B each of the plurality of address ranges 256 of IC 250b is designated as accessible during runtime. In this way, all of the plurality of address ranges 256 of IC 250b may form the "authorized" set of address ranges and be designated for secure access by processor 101 during runtime of IC 250b, and therefore may not include any address ranges that have security-critical control over IC 250b. Thus, in the example of FIG. 2A the set of address ranges is divided into address ranges that are accessible during runtime and address ranges that are not, while IC 250b of the example of FIG. 2B includes a set of address ranges that are all accessible during runtime of IC 250b. As will be explained below, IC 250b may include an interface to grant access to the authorized set 256 of address ranges.
FIG. 2C shows an IC 250c that includes an interface 202a (which may be a control interface). The interface 202a is configured to provide access to an authorized subset (indicated by an open padlock) of the plurality of address ranges 257 of the integrated circuit 250c. As described above with respect to FIG. 2A, this allows processor 101 (not shown) to access a subset of the plurality of address ranges 257 of IC 250c via interface 202a, for example during the runtime of IC 250c, because processor 101 may access only those address ranges that are designated as authorized and thus may be considered "secure" for the processor to access during the runtime of IC 250c, and which therefore may not include any address ranges that have security-critical control over IC 250c.
Fig. 2c illustrates an example IC 250c including an interface 202a, an internal addressable space including a plurality of address ranges 257, wherein the interface 202a is coupled to the internal addressable space, wherein the IC 250c is configurable in a first state to allow or deny the interface 202a access to a subset of the plurality of address ranges 257 of the internal addressable space, as will be described in more detail below.
Fig. 2c also shows an example IC 250c that includes an interface 202a, a plurality of memory locations 257, wherein the interface 202a is coupled to the plurality of memory locations 257, wherein the IC 250c is configurable in a first state to allow or deny the interface access to a subset of the plurality of memory locations 257, as will be described in more detail below.
Fig. 2c also shows an example IC 250c that includes an interface 202a, an internal addressable space that includes a plurality of address ranges 257, wherein the interface 202a is coupled to the internal addressable space, and wherein access to a first subset of the plurality of address ranges 257 is granted via the interface 202a, and access to a second subset of the plurality of address ranges 257 is blocked via the interface 202a, as will be described in more detail below.
Fig. 2c also shows an example IC 250c that includes an interface 202a and a plurality of memory locations 257, wherein the interface 202a is coupled to the plurality of memory locations 257, and wherein access to a first subset of the plurality of memory locations 257 is granted via the interface 202a and access to a second subset of the plurality of memory locations 257 is blocked via the interface 202a, as will be described in more detail below.
Although fig. 2C shows IC 250c including a single interface 202a, in some examples IC 250c may include two interfaces, e.g., a first interface and a second interface. IC 250c may also include a control unit. In these examples, each of the first interface and the second interface is coupled to the internal addressable space (and/or address ranges and/or memory locations, etc.) and, in examples where IC 250c includes a control unit, is coupled via the control unit. IC 250c may be configurable (or, in examples where IC 250c includes a control unit, the control unit may be configurable) to be in a first state in which the second interface is allowed or denied access to a subset of the plurality of address ranges or memory locations of IC 250c (e.g., the control unit may be configured to allow or deny the second interface access to a subset of the address ranges or memory locations).
In examples where IC 250c includes two interfaces (e.g., a first interface and a second interface), each of the first interface and the second interface is coupled to the internal addressable space and/or address range and/or memory location, and may grant access to a first subset of the plurality of address ranges or memory locations via the second interface and block access to a second subset of the plurality of address ranges via the second interface. In these examples, the second interface may include the depicted interface 202a.
In examples where the IC 250c includes two interfaces (e.g., a first interface and a second interface), the IC 250c may be configurable such that access to the plurality of address ranges or memory locations is granted via one of the first interface and the second interface, while access to a first subset of the plurality of address ranges or memory locations is permitted via the other of the first interface and the second interface and access to a second subset of the plurality of address ranges or memory locations is denied. IC 250c may include a control unit. The configuration of the IC 250c and/or the control unit may be set via the "one" of the first interface and the second interface (through which the plurality of address ranges or memory locations may be accessed). The "other" of the first interface and the second interface may include the depicted interface 202a of fig. 2C.
Referring to fig. 2c, those address ranges or memory locations 257 illustrated with an unlocked padlock may include a subset of the address ranges or memory locations for which access is allowed or granted, and those address ranges or memory locations illustrated with a locked padlock may include a subset of the address ranges or memory locations for which access is denied or blocked, as described above.
Fig. 2D shows an IC 250d that includes an interface 202b (which may include a control interface). Interface 202b is configured to allow processor 101 (not shown) to access at least one address range 258_1 to 258_n of IC 250d during runtime control of IC 250d, as shown by the dashed line. Whereas, as described above with respect to fig. 2B and illustrated in fig. 2C, a subset of the IC address ranges is designated as authorized and therefore accessible during runtime, in the example of fig. 2D all of the plurality of address ranges 258 of IC 250d are designated as accessible during runtime. In this manner, all or each of the plurality of address ranges 258 of IC 250d may form the set of "authorized" address ranges and be designated as securely accessible to the processor during the runtime of IC 250d, and thus may not include any address ranges that have security-critical control over IC 250d.
Fig. 2E illustrates an IC 250e including a plurality of address ranges 259_1 to 259_n. IC 250e is configured to set access permissions for at least one address range of the plurality of address ranges 259_1 to 259_n, which is schematically indicated in fig. 2E by each address range comprising a locked or unlocked padlock. IC 250e may be configured to designate at least one address range of the plurality of address ranges 259_1 to 259_n as "authorized", "secure", "designated", "open" or "restricted" (restricted in the sense that it belongs to a subset of the plurality of address ranges), etc., and in this manner IC 250e may be configured to create, from the plurality of address ranges, a subset of address ranges that are accessible, for example, by processor 101 (not shown) during runtime of IC 250e. IC 250e may also be configured to set access permissions such that each of the plurality of address ranges 259 is accessible, for example, by processor 101 (not shown) at boot-up or start-up. As will be described below, IC 250e may include a control unit (e.g., a PAC unit) configured to set the access permissions of at least one address range of the plurality of address ranges 259_1 to 259_n.
The term "runtime" is intended to include the time after the boot or initialization process of the IC is complete and/or after the processor operating system is fully initialized and executing an application program, and/or any time other than the boot or initialization of the IC.
The integrated circuit of any of the above examples may thus be described as: an integrated circuit comprising a plurality of address ranges, each address range configurable to be in a first state or a second state, each state associated with an access permission (e.g., a read, write, or read-write access permission), wherein the integrated circuit is configured to provide run-time control of the address ranges to an external processor based on the access permission for each state. The access permission associated with an address range may be an allow permission, and the set of address ranges associated with allow permissions may constitute the authorized set of address ranges. The allow state may include allowing read requests (e.g., read only), allowing write requests (e.g., write only), or allowing read and write requests. This will be described further below.
The address range of any of the ICs as discussed above with respect to fig. 2A-2E may include a set of registers, such as an addressable "control" memory space (hereinafter "addressable control space"), and a set of memories for data storage, such as an addressable "data" memory space (hereinafter "addressable data space"), such as a RAM block.
Fig. 3 shows an IC 300. IC 300 may include any of ICs 250a to 250e described above with reference to figs. 2A to 2E. Fig. 3 is intended to illustrate an example IC 300 that includes multiple elements, each performing a specified function, and although the multiple elements are shown in combination in fig. 3, it will be understood that ICs 250a to 250e shown in figs. 2A to 2E may include any one or more, or any combination, of these elements if the function provided by an element is desired in one of ICs 250a to 250e. Accordingly, the combination of features shown in fig. 3 should not be construed as limiting.
The IC 300 includes a first interface 351 (e.g., a first control interface), a second interface 302 (e.g., a second control interface), a data interface 352, a bus 353 (e.g., an on-chip bus or an internal bus, such as a communication bus), an on-chip processor 354, a control module 340, a filter or gate 341, an output component 390, and an addressable space including a plurality of address ranges 355, 356. The plurality of address ranges 355, 356 may include a set of addressable 'control' memory spaces (e.g., registers or register spaces) or addressable control spaces 355 and a set of addressable 'data' memory spaces or addressable data spaces 356 (e.g., RAM blocks), as discussed above with respect to fig. 2A-2E and described in more detail below.
IC 300 is configured to be coupled to an external processor 101 (not shown). The external processor 101 may be configured to be coupled to one or more of the interfaces 302, 351, 352 of the IC 300, which is schematically indicated in fig. 3 by an arrow into the interface. The external processor may be configured to access the IC 300 (e.g., components of the IC) via one or more of the interfaces 302, 351, 352. Bus 353 may be a communication network that couples the various components of IC 300 to one another, as shown for example in fig. 3. As shown in fig. 3, bus 353 couples first and second interfaces 351, 302 and IC processor 354 to at least address ranges 355, 356 of IC 300.
The data interface 352 may receive data from a data source, for example, via a codec. For example, the data interface 352 may include, for example, an audio data interface to receive audio data, such as digital signals (e.g., PCM signals). The internal processor 354 may process any data received at the data interface 352 and send the processed signal to the output component 390 via a signal path from the data interface 352 to an output terminal to which the output component 390 is coupled. The data received at the interface 352 to be processed by the on-chip processor 354 and transmitted to the output component 390 may include, for example, any digital data such as audio data, ultrasound data, haptic data, and the like. The output component 390 may include a transducer, such as an audio transducer (e.g., a speaker), a haptic transducer, and/or an ultrasound transducer, in some examples.
The plurality of address ranges includes a set of addressable control spaces 355 (m are shown) and a set of addressable data spaces (n are shown) (n and m may be equal or unequal such that IC 300 may include the same or different numbers of addressable control spaces 355 and addressable data spaces 356). At least one or each of the addressable data spaces 356 may comprise one or more units of memory. The addressable data space 356 may include volatile or nonvolatile memory such as RAM (e.g., DRAM or SRAM), ROM, flash memory, and the like. Addressable data space 356 may be configured to store, for example, code upon which IC 300 operates. For example (and as will be explained later with reference to fig. 6), addressable data space 356 may be configured to store firmware, for example, to be executed by an on-chip processor 354. At least one or each of the addressable control spaces 355 may be configured to control and/or monitor the function of the IC 300 and/or the output component 390 controlled by the IC 300. Specific examples will be described later with reference to IC 300 controlling an audio transducer.
Each addressable control space 355 may include one or more units of memory that store information that may control and configure the functions of IC 300. Each addressable control space 355 may also store control state data regarding the current state of functions within IC 300. These functions may include, but are not limited to, certain features of IC 300 that are considered necessary for functional operation of IC 300 and/or other external components associated with IC 300 (e.g., output component 390 or any and all external transducers). Rather, each addressable data space 356 may comprise one or more units of memory that contain programs and/or data required for operation of the on-chip processor 354. These locations may also include data outputs and/or temporary variables of the processor 354.
For example, the addressable control space may be configured to store a plurality of bits that may be configured to control and/or configure functions within IC 300, and/or to provide status information regarding IC 300 that may be read via interfaces 302 and/or 351. Additionally and/or alternatively, addressable data space 356 may be configured to store a plurality of bits, which may be configured to function as firmware for proper operation of on-chip processor 354 and/or to store run-time control and/or to store data, such as temporary data (e.g., temporary data required by addressable data space 356) and/or to store data from interface 352 (e.g., PCM data) and/or to temporarily store processed data to be transferred to output component 390 via a DAC.
Fig. 3 shows that each of the addressable spaces (control and data) may be designated as being in one of two states, or as having one of two access privileges. The two states are indicated in fig. 3 by an open padlock (state 1) and a locked padlock (state 2), respectively, which may correspond to an authorized state (i.e., an allowed state) and an unauthorized state (i.e., a denied state), respectively. The set of spaces marked with the unlocked padlock may be considered an authorized subset or a designated subset. The allowed state may include allowing reads from and/or writes to the space. As shown in fig. 3, for illustrative purposes, every second one of the control spaces 355 (355_2 to 355_m) is designated as authorized, and every second one of the data spaces 356 (356_2 to 356_n) is designated as authorized. Those spaces other than the authorized spaces constitute the unauthorized spaces. The plurality of addressable spaces 355, 356 may thus be divided into authorized spaces and unauthorized spaces. The two groups may be complementary to each other (such that the set of authorized spaces includes every addressable space that is not unauthorized, and the set of unauthorized spaces includes every addressable space that is not authorized). As shown in fig. 3, for illustrative purposes, every first one of the control spaces 355 (355_1 to 355_m-1) is designated as unauthorized, and every first one of the data spaces 356 (356_1 to 356_n-1) is designated as unauthorized.
As described above, authorized spaces may include those spaces that have control over the runtime functions of IC 300 (and/or of output component 390 coupled to the IC), while unauthorized spaces may include those spaces that have security functions (e.g., security-critical functions) or are capable of accessing security-critical content. Thus, unrestricted reading from and/or writing to spaces outside the authorized subset may be prevented by designating only the "authorized" spaces as part of the authorized subset. Unauthorized spaces may include those spaces that, in the event of a configuration error (e.g., if accessed by malware), may cause irreversible damage to and/or failure of IC 300 and/or output component 390 and/or any other components (e.g., any peripheral components) to which IC 300 is later coupled. Additionally and/or alternatively, unauthorized spaces may include those spaces that, if accessed by malware, may enable some other type of security vulnerability of the system, such as persistently compromising a coupled processor, or performing unauthorized modification or disclosure of data passing through interface 352. Specific but non-limiting examples relating to audio will be given below. Thus, the authorized subset of spaces may include those spaces that do not have security-critical functionality and cannot access security-critical content. In this way, if any malware were to access the authorized spaces during the runtime of IC 300, this would not cause any damage to or failure of IC 300, whether irreversible or otherwise. Thus, the division of the set of spaces into authorized and unauthorized subsets may be based on which spaces would cause damage to or failure of IC 300 and/or output component 390 and/or any other component if malware accessed them (e.g., during runtime) and which would not.
The second interface 302 may provide access during runtime to an authorized subset of the address ranges (in fig. 3, every second control space 355_2 to 355_m and every second data space 356_2 to 356_n), i.e., those marked with an unlocked padlock. Thus, during runtime, IC 300 provides access (via second interface 302) to the 'secure' set of address ranges, thereby giving the processor runtime control of IC 300 (and thus of output component 390); and since malware that gains access to those address ranges cannot cause damage to or failure of IC 300, IC 300 can provide the processor with runtime control in a secure and predictable manner. On the other hand, the first interface 351 may access each of the addressable spaces, i.e., both the authorized subset and the unauthorized subset. Thus, while the second interface 302 only grants access to the subset of spaces designated as secure, the first interface 351 provides access to all spaces, including those unauthorized spaces that have security-critical functionality. Whereas the second interface 302 may be used to permit the host processor to access IC 300 during runtime, the first interface 351 may be used to permit a secure MCU or embedded controller to access IC 300 during boot-up or start-up (e.g., to load firmware into the data space of IC 300 during secure boot). This will be explained further below. IC 300 thus provides a second signal path between second interface 302 and the authorized subset of the addressable spaces, and a first signal path between first interface 351 and each of the plurality of addressable spaces. The second interface 302 therefore confers the ability to read from and/or write to the authorized subset of the address ranges, while the first interface 351 confers the ability to read from and/or write to all address ranges (e.g., the first interface 351 grants full read and write access).
The setting of the address ranges, such as dividing or designating the address ranges into an authorized subset and an unauthorized subset, may be accomplished by or via the control module 340 (which may include a PAC unit). For example, the control module 340 may be configured to set, for each of the address ranges, access permissions that designate a particular address range or set of address ranges as authorized or unauthorized and determine via which interface the address range is accessible, as described below. Thus, the authorized subset of the address ranges may be specified by the control module 340 by specifying the subset of address ranges (the unauthorized subset) that is accessible only via the first interface 351; the authorized spaces are then the remainder (i.e., those spaces not specified as unauthorized), since the authorized spaces are accessible via both interfaces 302, 351. In summary, the control module 340 may configure the unauthorized spaces (accessible only via the first interface 351) such that the authorized spaces are designated as the remainder of the spaces.
The second interface 302 may be considered a restricted interface in that the interface grants access to only a restricted subset of the address range, while the first interface 351 may be considered an unrestricted interface in that the interface grants access to all space (e.g., the entire set). Via the first interface 351, the processor may thus be configured to gain low-level access to the IC 300 hardware itself (e.g., for redirecting, controlling any status lights, recalibrating inputs, etc.), such functions being controlled by unauthorized control space and/or data space that is accessible only to the first interface 351.
In one example, the IC 300 (e.g., its control module 340) may be configured to block a subset of the plurality of address ranges 355, 356. In this example, the IC 300 (or its control module 340) may create a blocking list of spaces, which may include those spaces that are not accessible via the second interface 302, so that the second interface 302 may access all address ranges except those on the blocking list. In this example, the address ranges on the blocking list include the unauthorized spaces of fig. 3 (those with locked padlocks). Additionally or alternatively, the IC 300 (e.g., its control module 340) may be configured to allow a subset of the plurality of address ranges 355, 356, thereby creating an allow list of those address ranges that are accessible via the second interface 302, so that the second interface 302 may access only those spaces on the allow list; the spaces on the allow list are the authorized spaces (those with unlocked padlocks), which are also accessible via the first interface 351. In each case, the allow list or blocking list may include those address ranges for which read accesses and/or write accesses are permitted or blocked, respectively.
Details of PAC module 340 will be set forth with reference to fig. 6; in outline, filter or gate 341 is configured to grant or deny second interface 302 access to the addressable space in the following manner. Filter 341 may include a security filter. PAC unit 340 may define the address ranges 355, 356 and their corresponding access permissions. When a request (e.g., a read request or a write request) to access (e.g., read from and/or write to) a given address range 355, 356 of IC 300 is sent through second interface 302, PAC module 340 examines the associated access permissions to determine whether the address range 355, 356 associated with the request is authorized (e.g., authorized to be read from and/or written to). If the given space is designated as authorized (e.g., associated with read and/or write access permissions), PAC module 340 outputs an allow-access signal to filter 341 to allow interface 302 to access the space (e.g., read from or write to the space); if not, PAC module 340 may send no such signal or may send a deny-access signal. In this manner, access through the second interface 302 is allowed and/or denied by controlling the state of the gate (or filter or portal) 341, which is controlled by PAC module 340 upon receiving a read or write request through the second interface 302. Thus, filter 341 includes a gate configured to block and/or allow access to addressable locations of IC 300 via second interface 302. This will be further explained with reference to fig. 6.
An address range may also be referred to as a register or register space, e.g., an (addressable) control register or control register space, an (addressable) data register or data register space, etc. Thus, a set of control registers within a particular subspace or set of address ranges that is available only through the first interface 351 (e.g., the registers of the programmable access control module of IC 300) may determine whether driver software executed by an external processor connected to IC 300 via the second interface 302 will be able to access a given subspace of IC 300.
Fig. 4 shows a table illustrating the access permissions possible with ICs according to the present disclosure compared to prior-art ICs; the IC of the bottom row of the table is according to the present disclosure and may include an IC as depicted in figs. 2A to 2E or fig. 3 above, or in the following figures.
Fig. 5 illustrates an example system 500 that includes a host processor 501, a set of motherboard components 510, and an IC 550. Fig. 5 provides one illustrative and non-limiting example of how an IC according to the present disclosure may be used as part of a broader system. IC 550 may include any of ICs 250a through 250e or 300 as described above. With respect to IC 550 (and elsewhere in this document), like features/elements will be denoted by like reference numerals, and thus a description of the above features will be omitted for brevity.
Processor 501 is the main processor and is external to IC 550. As indicated by blocks 505 and 507, the processor is configured to execute driver software 505 and application software 507. Motherboard 510 includes a chipset or PCH 511, a secure MCU or embedded controller 503, and a codec 512; data interface 552 may include an I2S interface or the like. In some examples system 500 may not include codec 512, in which case there may be a link from chipset 511 directly to data interface 552, and data interface 552 may include a Soundwire(TM) interface. As shown in fig. 5, processor 501 communicates with IC 550 via chipset 511 and second interface 502, and via chipset 511, codec 512, and data interface 552. The processor 501 may also be configured to send a signal to trigger the secure MCU (or embedded controller) 503. According to this example, there is thus a signal path between the processor 501, the chipset 511 and the second interface 502; a signal path between the processor 501, the chipset 511, the codec 512 and the data interface 552; and a signal path between the secure MCU 503 and the first interface 551.
In one example, the secure MCU 503 or embedded controller is configured to load the IC 550 at a very early stage of system boot, for example, before the device driver 505 has begun execution, and possibly before the processor 501 has begun booting. The trigger to cause the secure MCU or embedded controller 503 to start initializing the system (initialization may include loading and configuring the IC 550) may be a signal from early boot firmware running on the processor (which may start executing earlier than the operating system, device drivers, and/or application software), and/or may be a trigger from some other component in the system (e.g., power management), and/or the trigger may be inferred from the reset circuit of the secure MCU 503 or embedded controller sensing that it has been powered on and not reset (i.e., the secure MCU or embedded controller automatically initializes the system once powered on and not reset).
In another example, processor 501, once fully booted and at runtime, is configured to reinitialize the circuitry within IC 550, e.g., if firmware running on on-chip processor 554 encounters an unrecoverable error. In that case, the device driver 505 may be configured to send a signal to the embedded controller 503 via the chipset 511 to reinitialize the IC 550 (although this is not part of a normal boot). Since the MCU 503 is not affected by malware, any malware running on the processor cannot access the (unauthorized subset of the) address ranges (access to which could, for example, permanently damage the IC 550), and therefore booting is secure. During runtime, processor 501 has control over the authorized subset of the address ranges of IC 550 via second interface 502 and chipset 511. During boot or start-up, the processor 501 does not execute the driver software 505, because the driver software is not yet active, and therefore cannot access the IC 550 via the second interface 502. This may be enforced by the system boot hardware and software. For example, a setting of IC 550 under which processor 501 has access via the second interface 502 only to the authorized address ranges and/or not to the unauthorized address ranges may be programmed into IC 550 at boot/start-up, e.g., by firmware running on the secure MCU 503 or embedded controller. Alternatively or additionally, executing the firmware may cause an access restriction to be imposed on the address ranges of IC 550 (e.g., designating a subset as the authorized subset). For example, firmware running on the secure MCU 503 or embedded controller may instruct the PAC unit 540 (or the control unit 540) how the address ranges and/or their respective access permissions are to be set, such that a predetermined subset of the address ranges of IC 550 is designated as the authorized subset. The authorized subset may thus be set or specified at boot/start-up, and may be set by the MCU 503.
After booting/starting, control of the IC 550 is then passed to driver software 505 (e.g., the processor 501 executes the driver software 505) (e.g., during runtime) which has free access to those authorized address ranges that may have been set early. In this way, the first interface 551, which may access all address ranges of the IC 550, may be configured to set access privileges for the space and define the authorized subset (e.g., the secure MCU 503 or the embedded controller may configure the authorized subset via the first interface 551). It will be appreciated that PAC unit 540 cannot be configured by the second interface.
The chipset 511 may be configured to manage the flow of data between the processor 501 and the IC 550. The codec 512 may include any codec (e.g., an HDA codec), and the processor 501 may be connected to the codec 512 via, for example, an HDA connection or connector. The codec 512 may be configured to encode and/or decode signals (e.g., audio signals). In other examples (as described above) system 500 may not include codec 512, in which case there may be a link from chipset 511 directly to data interface 552, and data interface 552 may include a Soundwire(TM) interface.
Fig. 6 illustrates an example control module 640, which may include a PAC module 640. Fig. 6 shows only a simplified arrangement of an IC 600, in which only the elements necessary for the following explanation are presented, and it should be understood that other elements shown in ICs 300 and 550 have been omitted from fig. 6 for clarity and brevity. Either of the control modules 340, 540 described above may include a module 640 according to the example of fig. 6. PAC module 640 is shown in combination with a filter/gate/portal 641 (which may include filter 341 of the example of fig. 3 above), a bus 653 (which may include either of buses 353, 553 described above) and a restricted interface 602 (the same type of interface is referred to as the second interface in the examples described above), all of which are components of IC 600. The filter 641 may be configured to block or allow access paths from the restricted interface of the IC 600 to the address ranges. Thus, the filter 641 is configured to gate (allow/block) access to addressable locations within the IC via the restricted interface 602.
PAC module 640 in this example may include hardware and/or software and may be configured to signal to filter 641 whether to block or allow a particular access request (see an "incoming request" tag in the figures), as will be described below. The module 640 may be configured to send an "allow access" signal to the filter 641. The filter 641 may thus be referred to as a security filter/gate/portal 641 and may be used to control access to and also protect the address range of the IC.
PAC module 640 includes policy table 643 and audit module 642. Policy table 643 may include hardware and/or software and may include a data structure storing one or more access policy entries. In particular, table 643 may store access permissions for each space of the IC and/or table 643 may store definitions of address ranges and corresponding access permissions. For example, each entry may be a logical block/region corresponding to one of an address range/location/register within an addressable location of the IC and an associated access permission for that address range. In this way, a subset of authorized address ranges may be set, specified, or programmed by setting associated access permissions for those address ranges in the policy table. In other words, the policy table may specify address ranges as authorized or unauthorized, and the authorized subset of address ranges may be those address ranges for which access permissions are authorized. The authorization specification may include read-only, write-only, and/or read-write access permissions to a particular address range.
An incoming request via the restricted interface 602 includes information describing the request from an external entity (e.g., an external processor) to an address range within the integrated circuit 600. The access information or request may include one or more addresses (e.g., discrete addresses), the type of request (e.g., read-only, write-only, or read-write), the data to be read from the address in the case of a read request or written to the address in the case of a write request, and so forth. An access request containing the address to be accessed (read or written) is received via the restricted interface 602. The audit module 642 may include hardware and/or software (e.g., comparators and/or combinational logic and/or validators and/or validation mechanisms/logic, and/or any hardware and/or software configured to validate transactions against the policy table) and may be configured to compare the incoming access information (e.g., the address or addresses) to the information in the policy table (e.g., the address ranges) and determine whether to allow or block the request. In particular, the audit module 642 may be configured to compare the address that an external entity is attempting to access via the restricted interface 602 with the policy table entry for the address range in which the requested address lies, in order to check the access permissions. If the access permissions for the address range are specified as authorized (the space thus forming part of the authorized subset), e.g., authorized for read/write, the audit module 642 is configured to send an "allow access" signal to the filter 641, which causes the filter to allow the access request (read/write). If the address range does not have the required access permission, no such signal is sent to the filter 641 and the request is denied. Referring back to fig. 5, a read or write access request may be created by the chipset and sent to the IC via the restricted interface 602. The audit module 642 is thus configured to validate transactions against the policy table.
In the example of fig. 6, it will be appreciated that a first (unrestricted) interface (not shown) may access bus 653.
The configuration of IC 600 and/or its PAC module 640 may be lockable. For example, IC 600 and/or its module 640 may include logic (e.g., gating logic in the form of logic circuitry) such that, when activated, further writing to policy table 643 is prevented and/or changing the state of gate 641 is prevented. To activate the logic circuitry, a signal may be received via interface 602 (and via bus 653, etc., e.g., via lines from bus 653 to policy table 643). When activated, the logic circuitry prevents write access to the policy table 643 and prevents write access to the enable portion of the gate 641 (the enable portion being what switches the gate 641 open).
Fig. 7 illustrates another example IC 750. Again, fig. 7 shows only a simplified arrangement of IC 750, in which only the elements necessary for the following explanation are presented; it should be understood that other elements, such as those shown in ICs 300 and 550, have been omitted from fig. 7 for clarity and brevity. The IC 750 of this example includes a PAC module 740, which includes a policy table 743 and an audit module 742. These components are as described above with respect to fig. 6. However, in the fig. 7 example, each interface 702, 751 is associated with its own gate, such that IC 750 includes a first gate 747 associated with the first interface 751 and a second gate 741 associated with the second interface 702 (each gate, e.g., address gate, may include a security filter, e.g., a security address filter). Each of the gates 741, 747 may be as described above with respect to the filter 641 of fig. 6. In this way, via the mechanism described above, with both gates 741, 747 in the on state, each interface 702, 751 functions as a second (restricted) interface, as described above in the example of fig. 6. However, by switching a gate to the off state, the interface associated with that gate may be designated as a first (unrestricted) interface: when its gate is closed, the interface has no restrictions on its access to the addressable locations of the IC, because the access permissions in the policy table are not enforced while the gate is closed. Thus, IC 750 of fig. 7 is an example that includes configurable interfaces, each of which may be configured (or specified) as either a second (restricted) interface or a first (unrestricted) interface. The MCU may designate each interface of the IC 750 as either a restricted or an unrestricted interface, and may do so by closing the filter associated with the interface that is to be unrestricted.
To this end, the IC 750 includes an addressable control register 759 that can control the on/off state of each of the filters 741, 747. Thus, by accessing the addressable control register 759 (e.g., via the MCU), the IC 750 may be configured by designating one of the interfaces 702, 751 as unrestricted, i.e., by switching its associated gate 741, 747 off. In one example, IC 750 (and more specifically its interfaces) may have a default configuration in which each filter is open and each interface is thus a second (restricted) interface, or a default configuration in which each filter is closed and each interface is thus a first (unrestricted) interface. In this example, IC 750 may be configured by (standard) register access to register 759. In another example, IC 750 may have a default configuration in which one or more interfaces have their filter closed and one or more interfaces have their filter open; such a configuration may be advantageous. IC 750 may be configured with a non-volatile memory, such as an OTP memory, to specify which interface is restricted and which interface is unrestricted. Thus, in practice, the OTP may define the configuration of IC 750 that applies when it is not otherwise set, so that the OTP effectively provides a flexible way to establish the desired default configuration of IC 750 (e.g., any of the default configurations described above).
One advantage of being able to configure which interfaces are restricted and which are unrestricted is that it allows the end user to select the interface configuration that best suits their system layout requirements, so that the placement and signal routing of components external to IC 750 can be optimized.
Fig. 8 illustrates an example IC 850 including a plurality of second (restricted) interfaces 802a and 802b (two are shown in fig. 8). Fig. 8 likewise shows only a simplified arrangement of IC 850, in which only the elements necessary for the following explanation are presented; it should be understood that other elements shown in ICs 300 and 550 have been omitted from fig. 8 for clarity and brevity. Each second interface 802a, 802b is shown associated with its own filter/gate/portal 841a, 841b and PAC module 840a, 840b (each including a respective policy table 843a, 843b and audit module 842a, 842b). Each filter 841a, 841b may be configurable to be in an on state or an off state, such that either of the interfaces 802a, 802b may be configured as a restricted interface or an unrestricted interface (although in the example of fig. 8 these interfaces are all depicted as second, restricted interfaces, with one unrestricted interface 851 shown). Since each of the second interfaces 802a, 802b is associated with its own policy table 843a, 843b, this provides an example in which each restricted interface grants access to a different authorized subset of the address ranges of the IC 850. For example, the second interface 802a may grant access to a first authorized subset of the address ranges and the second interface 802b may grant access to a second authorized subset of the address ranges. The first subset and the second subset may be different, but one subset may be contained in the other (e.g., the first subset may be a subset of the second subset), in which case the interfaces 802a, 802b grant access to nested authorized subsets of the address ranges. Of course, in some examples, multiple second interfaces may be associated with the same policy table and thus may grant access to the same authorized subset of the address ranges.
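The policy table, audit module, gate and lock described for figs. 6 to 8 can be modelled in a few dozen lines. The following Python model is an added example and not code from the patent or from Cirrus Logic; the address map (control registers at 0x0000-0x00FF, run-time parameters at 0x1000-0x10FF, read-only status at 0x2000-0x20FF), the interface names and the method names are all constructed for the illustration. It shows the allow/deny decision for read-only, write-only and read-write entries, the gate's off (pass-through) and on (enforcing) states, the control register that designates an interface as unrestricted, nested authorized subsets for two restricted interfaces, and the lock that refuses further table and gate writes until reset.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed address map for the model (the patent gives no addresses).
CTRL = (0x0000, 0x00FF)    # firmware/policy/gate/lock registers (security critical)
PARAMS = (0x1000, 0x10FF)  # run-time parameters a host may adjust
STATUS = (0x2000, 0x20FF)  # read-only status


@dataclass
class PolicyEntry:
    start: int
    end: int    # inclusive
    perm: str   # "r" (read-only), "w" (write-only) or "rw" (read-write)


@dataclass
class Port:
    """One interface with its own gate (address filter) and PAC module."""
    gate_on: bool                                   # True: enforce table; False: pass-through
    table: List[PolicyEntry] = field(default_factory=list)

    def audit(self, addr: int, op: str) -> bool:
        """Audit module: look the address up and return the 'allow access' signal.
        An address covered by no entry is not part of the authorized subset."""
        for e in self.table:
            if e.start <= addr <= e.end:
                return op in e.perm
        return False

    def allows(self, addr: int, op: str) -> bool:
        """Gate: off (closed) passes every request; on (open) passes only audited ones."""
        return True if not self.gate_on else self.audit(addr, op)


class IC:
    def __init__(self, otp_default: Dict[str, bool]):
        self.otp_default = dict(otp_default)  # OTP: which gates start in the on state
        self.reset()

    def reset(self) -> None:
        self.ports = {n: Port(on) for n, on in self.otp_default.items()}
        self.locked = False

    def _unrestricted(self, via: str) -> bool:
        return not self.ports[via].gate_on

    def program_table(self, via: str, target: str, entries: List[PolicyEntry]) -> bool:
        """Policy-table write: honoured only from an unrestricted interface while unlocked."""
        if self.locked or not self._unrestricted(via):
            return False
        self.ports[target].table = list(entries)
        return True

    def set_gate(self, via: str, target: str, on: bool) -> bool:
        """Control register: switch a gate on/off, i.e. designate restricted/unrestricted."""
        if self.locked or not self._unrestricted(via):
            return False
        self.ports[target].gate_on = on
        return True

    def lock(self, via: str) -> bool:
        """Gating logic: once set, table and gate-enable writes are refused until reset."""
        if not self._unrestricted(via):
            return False
        self.locked = True
        return True

    def request(self, via: str, addr: int, op: str) -> bool:
        return self.ports[via].allows(addr, op)


def demo() -> Dict[str, bool]:
    """Constructed scenario: 'host' is the unrestricted (first) interface,
    'ap1' and 'ap2' are restricted (second) interfaces with nested subsets."""
    ic = IC({"host": False, "ap1": True, "ap2": True})
    r = {}
    r["empty_denied"] = ic.request("ap1", 0x1000, "w")   # blank table denies everything
    r["host_ctrl"] = ic.request("host", 0x0010, "w")     # unrestricted: control regs reachable
    ic.program_table("host", "ap1", [PolicyEntry(*STATUS, "r")])
    ic.program_table("host", "ap2", [PolicyEntry(*STATUS, "r"), PolicyEntry(*PARAMS, "rw")])
    r["ap1_status_r"] = ic.request("ap1", 0x2004, "r")
    r["ap1_status_w"] = ic.request("ap1", 0x2004, "w")   # read-only entry
    r["ap1_params"] = ic.request("ap1", 0x1000, "w")     # outside ap1's subset
    r["ap2_params"] = ic.request("ap2", 0x1000, "w")     # ap1's subset is nested in ap2's
    r["ap2_ctrl"] = ic.request("ap2", 0x0010, "w")       # control regs never in a subset
    r["ap2_reprogram"] = ic.program_table("ap2", "ap2", [PolicyEntry(*CTRL, "rw")])
    ic.lock("host")
    r["host_after_lock"] = ic.set_gate("host", "ap1", False)  # lock refuses even the host
    r["locked"] = ic.locked
    ic.reset()
    r["after_reset"] = ic.locked                          # lock cleared only by reset
    return r
```

The point worth noting in the model is that a restricted interface cannot widen its own subset (`ap2_reprogram`), and that after the lock is set even the unrestricted interface can no longer change gates or tables, which is the property that keeps a compromised host from re-opening the control registers at run time.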
The advantages of the present disclosure may be summarized as follows. Prior art ICs either provide the processor with only basic on/off functionality during the runtime of the IC, or may be unsafe because malware on the host has unrestricted access, which may jeopardize the integrity or security of the IC and the system. By contrast, the IC of the present disclosure includes at least two interfaces (e.g., control interfaces) that provide asymmetric access permissions to any entity (e.g., processor) coupled to the IC via those interfaces. In the prior art, a processor cannot access the address ranges of the IC and therefore cannot control the IC (and/or hence the output components connected to the IC) other than by turning the IC on and off, whereas an IC of the present disclosure has a specified subset of its address ranges that is considered safe for the processor to access during the runtime of the IC. Thus, the processor has run-time control over the IC and can control those functions of the IC or output device that do not pose a security threat, because even if malware can access those authorized address ranges of the IC, doing so does not damage the IC or the output components. Thus, an IC according to the present disclosure provides a processor with run-time control of the IC in a safe and reliable manner without significantly increasing the footprint or manufacturing cost of the IC.
By way of summary of the disclosed examples presented so far, fig. 9 shows a schematic diagram of an example integrated circuit comprising a first interface 951 and a second interface 902, an internally addressable space 959 comprising a plurality of address ranges, and a control unit 940. Each of the first and second interfaces 951, 902 is coupled to the internally addressable space 959 via a control unit 940. The control unit 940 may be configured to be in a first state in which the control unit 940 is configured to allow or deny the second interface 902 access to a subset of the plurality of address ranges of the internal addressable space. The control unit 940 may include any of the features described above with reference to other figures. For example, the control unit 940 may include a gate and audit module and store a policy table or the like such that allowing or denying access to the subset by the second interface 902 may be accomplished via use of the audit module and gate, allowing/denying access according to the policy table.
Fig. 10 is a sequence diagram illustrating the flow of an example boot sequence for an integrated circuit. As shown in fig. 10, the processor 1001 (e.g., the processor 501 in the example of fig. 5) is in an inactive or reset state (S1010), and the integrated circuit 1003 (e.g., any of the integrated circuits described above) is configured to be in a state (S1012) in which one interface of the integrated circuit is restricted (e.g., the "first state" described above with respect to other examples). For example, at S1012, the integrated circuit 1003 (e.g., its control unit) may be placed in this state by an OTP operation (e.g., an operation that sets a gate of the control unit to the open state, as described above). Thus, an interface is restricted in that it can access only a subset of the plurality of address ranges of the IC 1003 rather than the entire set. As shown at S1013, the processor 1001 cannot access the internal addressable space of the IC 1003. At S1014, a system initialization operation begins with the controller 1002 (e.g., the controller 503 of the example of fig. 5), in which the IC is securely loaded with firmware and configured for run-time control by the processor 1001, the processor 1001 being inactive at this stage of the sequence. Operation S1014 includes the controller 1002 loading (S1016) firmware into a control register of the IC 1003 and executing (S1018) the loaded firmware. The controller 1002 loads the firmware via the first interface of the IC 1003, as the first interface has unrestricted access to the internal addressable space of the IC 1003 (including the control registers of the IC) at this stage. At S1020, the IC 1003 initializes the firmware, which may include configuring the policy table (S1022). Configuring the policy table may include writing at least one access permission for at least one address range of the IC 1003. Writing access permissions may include defining a range of addresses for which access is permitted or defining a range of addresses for which access is prevented. Thus, the policy table may include at least one permission associated with at least one address range, the permission defining whether access via the second interface is granted or blocked. Thus, the subset of address ranges accessible by the second interface, as defined by the corresponding access permissions stored in the policy table, may be configured at S1022, and thus may be configured after the firmware is initialized. Thus, after S1022, at S1024 the processor 1001 has limited (restricted) access, i.e., access only to the subset of address ranges defined by the policy table configured at S1022. Optionally, the configuration of the IC 1003 may be locked (S1026). This may include preventing further writing of the policy table (e.g., write locking) and may be implemented via logic in the IC 1003 that prevents any request to write the policy table from being completed. In any case, the IC may be configured such that the policy table locks irreversibly until the IC is reset. Thus, the IC may include a write lock that prevents modification of the policy table, and the write lock may be irreversible until the IC is reset. The process is then complete (S1028) and the system initialization is complete (S1030). Thereafter, the processor 1001 controls the IC 1003 via the second interface (S1032).
The examples so far have disclosed an integrated circuit comprising two interfaces, one of which is granted restricted access to the address ranges of the integrated circuit (e.g., access to a subset of the address ranges) and via which a processor can have run-time control over the IC, while the other interface has unrestricted access for configuring the IC. Examples will now be described involving an integrated circuit comprising an interface that is initially unrestricted but through which the integrated circuit is configured such that access via that interface becomes limited to, for example, a subset of the plurality of address ranges. In these examples, a single interface thus has an unrestricted state and a restricted state.
Fig. 11 schematically shows an example integrated circuit 1150. The IC 1150 includes: an internal addressable space 1159 including a plurality of address ranges, a control unit 1140 configurable in a first state and a second state, and an interface 1151 coupled to the internal addressable space 1159 via the control unit 1140. When the control unit 1140 is configured in the first state, the interface 1151 has unrestricted access to the plurality of address ranges via the control unit 1140, and when the control unit 1140 is configured in the second state, the interface 1151 has access to a restricted subset of the plurality of address ranges via the control unit 1140. When the control unit 1140 is configured in the first state, the control unit 1140 is configurable into the second state via the interface 1151. In other words, with the IC illustrated in fig. 11, a processor (e.g., processor 1001) is initially allowed unrestricted access to the address ranges and thereafter restricted access to the address ranges. For example, while the control unit 1140 is in the first state and access is not restricted, the external processor may load firmware into the control registers of the IC 1150 and may then specify a subset of the address ranges, defining the restricted subset that the processor is allowed to access during runtime (i.e., when the main operating system begins to initialize) and while the control unit 1140 is in the second state. The transition from the first state to the second state may be unidirectional in that the transition is irreversible prior to resetting the IC, and the transition from the second state to the first state is not possible (without resetting the IC). This will be explained in more detail below.
To illustrate the principle of an example where an external processor may configure an IC through a "single interface" (interface 1151) and may perform run-time control of the IC, fig. 11 shows only a single interface 1151. However, it will be appreciated that in the example of fig. 11 and also for subsequent examples (e.g., fig. 12 and 13) where only one interface is shown, the IC may include other interfaces (e.g., as shown in fig. 9). In these examples, any "other" interface (e.g., the second interface) may be turned off or unconnected. In other examples, any "other" interface (e.g., a second interface) may be configured in the same manner as interface 1151, and thus may be unrestricted or limited, etc. Thus, even in examples where only a single interface is depicted, this is for illustration purposes only; other interfaces than the one/those shown may be present in an IC.
Fig. 12 illustrates an example IC 1250, similar to IC 1150, in which like features/elements are indicated by like reference numerals; the description of such features is omitted for brevity. As with IC 1150, IC 1250 includes a control unit 1240; in this example, the control unit 1240 includes a gate 1241 (which may also be referred to as a filter), an audit module 1242, and a policy table 1243. IC 1250 also includes a bus 1253 and an addressable space 1259 that includes a plurality of address ranges. These components 1241, 1242, 1243, 1253 and 1259 may be as described above with respect to the earlier figures. Further, although not shown for simplicity, IC 1250 may also include other components, such as internal processors, data interfaces, DACs, and/or output components (see, e.g., fig. 5), depending on the example.
Policy table 1243 is configured to store access permissions for internal addressable space 1259, the access permissions defining a restricted subset of a plurality of address ranges that interface 1251 is able to access when control unit 1240 is configured to be in its second state. Thus, when the control unit 1240 is configured in the first state, access permissions may be written to the policy table 1243 via the interface 1251 (see lines from the bus 1253 indicated by 1261).
The gate 1241 has an open state and a closed state. The interface 1251 is coupled to the internal addressable space 1259 via the gate 1241 (and via the bus 1253). When the control unit 1240 is configured in the first state, the gate 1241 is in the off (closed) state, and when the control unit 1240 is configured in the second state, the gate 1241 is in the on (open) state. When the control unit 1240 is configured in the first state, the state of the gate 1241 may be set via the interface 1251. Changing the state of the gate from closed to open causes the control unit 1240 to transition from its first state to its second state.
For an incoming access request from a processor (not shown) via interface 1251 to access at least one address in the plurality of address ranges, the audit module 1242 is configured to access the policy table 1243 to determine the access permission associated with the at least one address and to signal the gate 1241. The gate 1241, when in the on state, is configured, upon receipt of the signal from the audit module 1242, to assume a configuration according to the access permission associated with the at least one address, under which the received access request is allowed or denied.
As described above with respect to fig. 5, policy table 1243 may designate an address range as either authorized or unauthorized, and the restricted subset of address ranges may include an authorized or approved subset of address ranges. The subset of address ranges may be those address ranges for which access permissions are granted. The authorization specification may include read-only, write-only, and/or read-write access permissions to a particular address range.
The incoming request via interface 1251 includes information that may include details of the incoming request from an external entity (e.g., an external processor) to an address range within the integrated circuit 1250. The access information or request may include one or more addresses (e.g., discrete addresses), the type of request (e.g., read or write), and the data to be read from the address in the case of a read request or written to the address in the case of a write request, etc. An access request containing an address to be accessed (read or write) is received via the interface 1251. The audit module 1242 may include hardware and/or software (e.g., comparators and/or combinational logic and/or validators and/or validation mechanisms/logic, and/or any hardware and/or software configured to validate transactions against the policy table) and may be configured to compare incoming access information (e.g., the address or addresses) with information in the policy table (e.g., address ranges) and determine whether to allow or block the request. In particular, the audit module 1242 may be configured to compare the address that the external entity is attempting to access via the interface 1251 with the corresponding policy table entry for the address range in which the requested address is located, in order to check the access permissions. If the access permissions for the address range are specified as authorized (the space thus being part of the authorized subset), e.g., authorized for read/write, the audit module 1242 is configured to send an "allow access" signal to the gate 1241, which causes the gate 1241 to allow the access request (read and/or write) when the control unit 1240 is in the second state and thus when the gate 1241 is open. If the address range does not have the correct access permission, no such signal is sent to the gate 1241 and the request is denied. When the control unit 1240 is in the second state, the audit module 1242 is thus configured to validate transactions against the policy table 1243.
In other words, the first state of IC 1250 may be an unrestricted state in which the plurality of address ranges are accessible via the single interface 1251. While in this state, however, IC 1250 may be configured into another (restricted) state in which access to the plurality of address ranges is restricted (limited to a permissible or authorized subset). Once in this restricted state, IC 1250 may be prevented from transitioning back to the unrestricted state. Configuring the control unit 1240 (and thus IC 1250) to be in such a second (or restricted) state may include, in a first example, configuring the policy table 1243; in a second example, opening the gate 1241; or, in a third example, configuring the policy table 1243 and opening the gate 1241. These examples will now be described in more detail.
In a first example, configuring policy table 1243 may place the control unit 1240 in its second (restricted) state. In its default state, policy table 1243 may provide no access to the address ranges of the IC, and once configured, policy table 1243 may define access permissions specifying a subset of accessible address ranges (e.g., permitted address ranges). Thus, policy table 1243 in this example comprises an allow list, and the second state of control unit 1240 may correspond to access according to the allow list. Alternatively, the policy table 1243 may comprise a block list, and the second state of the control unit 1240 may correspond to access according to the block list. In the block-list example, the 'default' policy in the policy table may impose no restrictions or constraints on the address ranges accessible via interface 1251. Placing control unit 1240 in the second state then includes writing to policy table 1243 a policy that specifies a subset of the address ranges as inaccessible (e.g., the control registers of IC 1250), the complement of which is the restricted subset that may be accessed via interface 1251 when control unit 1240 is in its second state. In some examples, policy table 1243 may define a mix of access permissions such that a first subset of the address ranges is granted access while a second subset of the address ranges is denied access, and so on.
In a second example, opening the gate 1241 may place the control unit 1240 in its second (restricted) state, because once the gate 1241 is open, access to the internal addressable space is governed by the policies stored in the table 1243, which may already have been written to the table 1243. Alternatively, the policy table may comprise a block list, in which case opening the gate 1241 would block all access to the IC's address ranges. Thus, by opening the gate 1241, the audit module 1242 will block and allow access to the address ranges according to the policy table 1243, regardless of the gate's earlier configuration.
In a third example, placing the control unit 1240 in its second (restricted) state includes both configuring the policy table 1243 and opening the gate 1241, as described above.
Thus, in one example, in the first state the gate 1241 is closed, and the closed state of the gate 1241 is its default state. In this example, policy table 1243 may be blank. However, from the first state, the control unit 1240 may be configured into the second state. This may involve an initialization process performed by an external processor that configures the policy table 1243 and/or sets the gate 1241 open. The control unit 1240 may remain in this state until IC 1250 is reset, at which point the registers may return to their default value of 0.
Writing access permissions to the policy table may be performed directly by an external processor (e.g., an application processor), because the interface 1251 is not restricted while the gate 1241 is closed (i.e., while the control unit 1240 is in the first state), and thus the processor may directly write the policy table 1243 entries itself. Further, while the control unit 1240 is in the first state, the processor is able to open the gate (e.g., by a register write). When control unit 1240 is in its first state, the external processor may access those registers of IC 1250 that are needed to write policy table 1243 and/or change the state of gate 1241. When control unit 1240 is in its second state, however, the subset of address ranges accessible via interface 1251 does not include those registers. In this manner, once the processor has configured the control unit 1240 into the second state, the processor is substantially prevented from subsequently modifying the policy table 1243 and/or changing the state of the gate 1241. That is why, in some examples, a transition back to the first state is only possible by resetting the control unit 1240 and/or the IC 1250 and/or the processor (the processor will be discussed with reference to figs. 13 and 14).
As described above, in the first state, unrestricted access to the address ranges allows the external processor to load firmware into the processor within the IC, start the firmware executing, and, during the firmware's initialization stage, write access permissions to policy table 1243 and/or set gate 1241 open. Further, in the first state, IC 1250 may be lockable to prevent further writing to policy table 1243 and/or changing of the state of gate 1241, so that neither can change until reset, as discussed above. To lock in this manner, IC 1250 (e.g., its control unit 1240) may include logic (e.g., gating logic in the form of logic circuitry) such that, when activated, further writing to policy table 1243 is prevented and/or the state of gate 1241 is prevented from being changed. To activate the logic circuitry, a signal may be received via the interface 1251 (and via the bus 1253, etc., e.g., via the lines identified at 1261). The logic circuitry, when activated, prevents write access to the policy table 1243 and prevents write access to the enable portion of the gate 1241 (the enable portion being what opens the gate 1241). The lock is irreversible until the IC is reset: once the logic circuitry is configured such that write access to the policy table 1243 and/or the enable portion of the gate 1241 is prevented, it can only be configured to grant write access again after the IC is reset. In other examples, the lock may be non-volatile.
In these examples, policy table 1243 and gate 1241 include volatile memory because the states of policy table 1243 and gate 1241 may be cleared/changed at reset. However, in other examples, policy table 1243 and gate 1241 may include non-volatile memory, in which case they are not changeable after reset once programmed. The lock may also be a non-volatile lock.
The restricted subset of the plurality of address ranges (e.g., those on the allow list, etc.) does not include the configuration registers of the control unit 1240, such that, while the control unit 1240 is in its first state, the processor has unrestricted access to the address ranges (e.g., so that the processor may load firmware into the IC 1250), whereas in the second state the processor cannot access those registers that could reconfigure the policy table 1243, change the state of the gate 1241, and/or cause damage if accessed by malware. For this reason, the external processor is permitted to have run-time control over IC 1250 when control unit 1240 is in the second state.
IC 1250 may include additional interfaces, for example as depicted in fig. 8. In these examples, IC 1250 includes multiple interfaces, and interface 1251 is the first interface. Each of the plurality of interfaces may be associated with a respective control unit in the manner described above, or the plurality of interfaces may be associated with the same control unit. In either case, each interface may configure the control unit to be in its second state (e.g., by configuring a policy table and/or opening a gate, as described above), so that via multiple interfaces of the IC it may be possible to access the address ranges unrestricted (when the control unit is in its first state), followed by restricted access to the address ranges (when the control unit is configured to be in its second state).
Fig. 13 shows a system 1300 including a processor 1303 associated with an IC 1250 to illustrate some of the advantages of the example of fig. 12. In this example, processor 1303 has a first state and a second state, which correspond to the first state and the second state, respectively, of the control unit of IC 1250.
Processor 1303 is connected to interface 1251 and thus accesses the address ranges of IC 1250 via interface 1251. As described above, such access is initially unrestricted (e.g., access to all of the plurality of address ranges) while the control unit of IC 1250 is in its first state, but is then restricted (e.g., limited to a subset) by configuring the control unit of IC 1250 into its second state. Processor 1303 has a first state and a second state that define how processor 1303 interacts with IC 1250 according to the state of the control unit. When the processor 1303 is in the first state, it is configured to execute boot loader firmware. Thus, the first state of processor 1303 corresponds to the first state of the control unit, because processor 1303 needs unrestricted access to all address ranges of IC 1250, including the control registers, in order to execute the boot loader firmware. In other words, executing the boot loader firmware on processor 1303 includes loading firmware into IC 1250 and starting its execution, which is why access to IC 1250 is not limited at this stage. When the processor is in the second state, it is configured to initialize and execute an operating system. Thus, the second state of processor 1303 corresponds to the second state of the control unit, because during execution of the operating system any malware could pose a hazard if it were able to access the address ranges of IC 1250; the processor's access to IC 1250 in the second state is therefore limited to those address ranges that are not security critical. Thus, the subset of address ranges that may be accessed while processor 1303 is in its second state (and the control unit is in its second state) does not include the security-critical control registers of IC 1250. In other words, processor 1303 may access those control registers of IC 1250 that are not security critical, but not the control registers for the host interface security features (e.g., those relating to the policy table, gate activation, etc.).
When the processor 1303 is in its first state, it is configured to cause the control unit 1240 to transition from its first state to its second state. As described above, this may include the processor 1303 causing access permissions to be written to the policy table, defining a policy under which access to the address ranges is restricted, and/or the processor 1303 causing the gate to switch to its open configuration. Thus, when the processor 1303 is in its first state, it may be configured to write to the policy table access permissions defining a restricted subset of the plurality of address ranges and/or to transition the gate from its off state to its on state. Also as described above, the processor 1303 may set a lock bit of the logic circuitry to prevent any writing to the policy table 1243 and/or to prevent the state of the gate 1241 from being changed.
In an example, when the processor 1303 is configured to be in its second state, the processor cannot cause the control unit to transition from its second state to its first state without causing itself to transition to its first state. Thus, the system 1300 may be considered to have a first system state and a second system state. In the first system state, both the processor 1303 and the control unit are in their first states, and in the second system state, both the processor 1303 and the control unit are in their second states. Thus, according to these examples, in addition to having runtime control over IC 1250, a single external processor 1303 may also be used to load firmware onto IC 1250 via a single interface 1251.
Fig. 14 is a sequence diagram illustrating the flow of an example boot sequence for an integrated circuit. As shown in fig. 14, an integrated circuit 1403 (e.g., IC 1150 or 1250 as described above) and a processor 1401 (e.g., processor 1303 as described above) are initially in their respective first states (S1402 and S1404), as described above. IC 1403 is thus configured such that access to its address ranges is not restricted, and processor 1401 may therefore access all address ranges in order to configure IC 1403. This proceeds as follows. The boot driver of processor 1401 is started and initialized (S1406 and S1407). Processor 1401 then loads firmware onto IC 1403 and starts its execution (S1410). The firmware is initialized by IC 1403 (S1412). The control unit of IC 1403 is then configured to be in its second state (S1414). As described above, this may be accomplished by processor 1401, via an interface of IC 1403 (e.g., interface 1151 or 1251), configuring the state of the policy table and/or the gate (shown in dashed lines). At S1416 the control unit (and thus IC 1403) is in its second state, so after S1416 access to the address ranges of IC 1403 is restricted (limited to a subset). IC 1403 signals to processor 1401 that the IC has completed its boot process (S1420), after which the boot process of processor 1401 ends (S1422). Processor 1401 may then exercise run-time control of IC 1403, e.g. on behalf of the host operating system once it has been booted (S1426).
Optionally, at S1418, the configuration of the control unit (and thus of IC 1403) may be locked in its second state as described above, preventing further writes to the policy table and/or preventing the state of the gate from being changed (e.g., from open back to closed).
Fig. 15 illustrates another example integrated circuit 1550 including first and second interfaces 1551, 1552. The IC 1550 further includes an internal addressable space 1559 and a control unit 1540. Each of these components may be as described above with respect to fig. 11-14. Each interface 1551, 1552 is coupled to an internally addressable space via a control unit 1540.
As will now be described, the control unit 1540 of fig. 15 may be configured to be in a first state, a second state, or a third state. When the control unit 1540 is configured in the first state, the first interface 1551 accesses the plurality of address ranges unrestricted via the control unit 1540, and when the control unit 1540 is configured in the second state, the first interface 1551 accesses a restricted subset of the plurality of address ranges via the control unit 1540. In other words, the control unit 1540 can be configured such that a processor may access the IC 1550 via only one of the interfaces (interface 1551) to load and execute firmware and then exercise run-time control, as described with reference to figs. 11-14. However, the control unit 1540 may also be configured to be in a third state in which it allows or denies the second interface 1552 access to a subset of the plurality of address ranges of the internal addressable space 1559, while the first interface 1551 accesses the plurality of address ranges without limitation. In other words, the control unit 1540 may also be configured via one interface such that the other interface is a restricted interface (able to access only a subset of the address ranges), as described with reference to figs. 1-10.
The control unit 1540 may include any of the policy tables and/or gates and/or auditing modules described above with reference to other figures, and configuring the control unit 1540 to be in any of the first to third states may include configuring the policy tables and/or changing the states of the gates in the manner described above. The configuration of the control unit 1540 may be set via the first interface 1551, and when the control unit 1540 is configured to be in the first state, the control unit 1540 may be configured to be in the second state via the first interface 1551. The IC 1550 may include any of the components discussed above with reference to other ICs.
It will be appreciated that the IC 1550 of fig. 15, having first and second interfaces 1551, 1552, may be configured in a first mode and a second mode, shown in figs. 15a and 15b respectively. In the first mode, the first interface 1551 initially has unrestricted access to the plurality of address ranges, but the IC 1550 is configurable (e.g., as described above) such that the first interface 1551 then has restricted access to the plurality of address ranges, limited to a subset of them. In the second mode, the first interface 1551 has unrestricted access to the plurality of address ranges of the internal addressable space, while the second interface 1552 has restricted access to the plurality of address ranges, limited to a subset of them.
In other words, in the first mode, the IC 1550 is configured as discussed above with respect to fig. 11-14, and in the second mode, the IC 1550 is configured as discussed above with respect to fig. 1-10.
The following table summarizes the modes:

                  First interface 1551                  Second interface 1552
First mode        Initially unrestricted, then          X
                  restricted
Second mode       Unrestricted                          Restricted

The 'X' in the table indicates that the state of the second interface 1552 may be restricted, unrestricted, or even closed or unconnected. In other words, the second interface 1552 need not be used when the IC 1550 is configured in the first mode.
The mode of the IC 1550 may correspond to an association mode of the control unit 1540.
Also as described above, to configure one of the two interfaces as restricted, the associated gate may be opened and/or the associated policy table or the like may be configured.
In another example, the IC 1550 of fig. 15 has an initial configuration in which the first interface has unrestricted access to the plurality of address ranges. The IC 1550 is configurable into a subsequent configuration in which either the first interface or the second interface has restricted access to the plurality of address ranges, the restricted access being limited to a subset of the plurality of address ranges. In other words, starting from the initial configuration in which the first interface is unrestricted, the IC 1550 may enter a first further configuration in which the first interface becomes restricted, or a second further configuration in which the second interface becomes restricted, the restricted access in each case being limited to a subset of the plurality of address ranges. More specifically, each of the first and second interfaces 1551, 1552 is associated with a respective gate having an open state and a closed state, such that each gate, when in its open state, grants access to the internal addressable space 1559 according to policies stored in the integrated circuit. In this example, unrestricted access to the internal addressable space by the first interface 1551 corresponds to the gate associated with the first interface being closed, and configuring the integrated circuit 1550 such that the first or second interface 1551, 1552 has restricted access to the plurality of address ranges (limited to a subset of them) comprises changing the gate associated with that interface from closed to open.
The following table summarizes this: an initial configuration in which the first interface is unrestricted, and two possible subsequent configurations depending on which of the first interface and the second interface becomes restricted.

                                  First interface    Second interface
Initial configuration             Unrestricted       X
First subsequent configuration    Restricted         X
Second subsequent configuration   Unrestricted       Restricted

As before, 'X' indicates that the state of the second interface 1552 may be restricted, unrestricted, or even closed or unconnected.
The above table is depicted in fig. 16 a-16 c, where fig. 16a depicts "initial configuration", fig. 16b depicts "first subsequent configuration", and fig. 16c depicts "second subsequent configuration".
Thus, the IC 1550 may exist in a variety of states. In one such state, the gate associated with the first interface 1551 is closed and the gate associated with the second interface 1552 is closed. In another, the gate associated with the first interface 1551 is closed and the gate associated with the second interface 1552 is open. In another, the gate associated with the first interface 1551 is open and the gate associated with the second interface 1552 is closed.
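The gate, policy table, auditing module and lock bit described for figs. 11 to 16 can be exercised in a small software model. The following C program is an added example written for this page; it is not code from the patent or from Cirrus Logic. Its address map (a firmware window, a window of run-time audio registers, and a window of control-unit registers holding the policy table, gates and lock), its default-deny lookup for addresses absent from the policy table, and its write-once lock bit that any interface may set but only a reset clears are assumptions of the model, not details the patent specifies. It walks the fig. 14 boot sequence (first mode: the host configures the policy through the still-unrestricted first interface, opens its own gate, then locks) and the second mode of fig. 15b (first interface unrestricted, second interface gated), and shows why an interface cannot close its own gate once the control registers lie outside its policy, so that, as in claim 38, only a reset returns the control unit to its first state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed address map for the model (not taken from the patent). */
#define ADDR_FW_BASE    0x0000u  /* firmware image loaded at boot */
#define ADDR_FW_END     0x0FFFu
#define ADDR_AUDIO_BASE 0x1000u  /* run-time, non security critical registers */
#define ADDR_AUDIO_END  0x10FFu
#define ADDR_CTRL_BASE  0x2000u  /* control unit: policy table, gate and lock registers */
#define ADDR_CTRL_END   0x20FFu

enum access    { ACC_READ = 1, ACC_WRITE = 2 };
enum interface { IF_FIRST = 0, IF_SECOND = 1, IF_COUNT = 2 };

struct policy_entry { uint32_t base, end; uint8_t perms; };

#define POLICY_MAX 8
struct control_unit {
    bool gate_open[IF_COUNT];  /* closed gate = that interface is unrestricted */
    bool locked;               /* lock bit: policy table and gates frozen until reset */
    struct policy_entry policy[POLICY_MAX];
    size_t policy_len;
};

/* Reset = first state: both gates closed, unlocked, empty policy table. */
static void cu_reset(struct control_unit *cu) { memset(cu, 0, sizeof *cu); }

/* Auditing module: permission for an address; unlisted addresses are denied (assumption). */
static uint8_t audit_lookup(const struct control_unit *cu, uint32_t addr) {
    for (size_t i = 0; i < cu->policy_len; i++)
        if (addr >= cu->policy[i].base && addr <= cu->policy[i].end)
            return cu->policy[i].perms;
    return 0;
}

/* Gate decision for a request arriving on interface ifc. */
static bool cu_allows(const struct control_unit *cu, enum interface ifc,
                      uint32_t addr, enum access kind) {
    if (!cu->gate_open[ifc]) return true;             /* closed gate: unrestricted */
    return (audit_lookup(cu, addr) & kind) != 0;      /* open gate: consult policy */
}

/* Control-register writes are themselves subject to the writer's gate, so an
 * interface whose policy omits ADDR_CTRL_* cannot reconfigure the unit. */
static bool cu_add_policy(struct control_unit *cu, enum interface via,
                          uint32_t base, uint32_t end, uint8_t perms) {
    if (cu->locked || cu->policy_len == POLICY_MAX) return false;
    if (!cu_allows(cu, via, ADDR_CTRL_BASE, ACC_WRITE)) return false;
    cu->policy[cu->policy_len++] = (struct policy_entry){ base, end, perms };
    return true;
}

static bool cu_set_gate(struct control_unit *cu, enum interface via,
                        enum interface which, bool open) {
    if (cu->locked || !cu_allows(cu, via, ADDR_CTRL_BASE, ACC_WRITE)) return false;
    cu->gate_open[which] = open;
    return true;
}

/* Lock bit: write-once from any interface, cleared only by cu_reset (assumption). */
static void cu_lock(struct control_unit *cu) { cu->locked = true; }

/* Fig. 14 / first mode: the host configures the unit while its own interface is
 * unrestricted, then opens its own gate (S1414-S1416) and locks (S1418). */
static void boot_first_mode(struct control_unit *cu) {
    cu_reset(cu);
    cu_add_policy(cu, IF_FIRST, ADDR_AUDIO_BASE, ADDR_AUDIO_END, ACC_READ | ACC_WRITE);
    cu_set_gate(cu, IF_FIRST, IF_FIRST, true);
    cu_lock(cu);
}

/* Fig. 15b / second mode: the first interface stays unrestricted and gates the
 * second interface, here to read-only access to the run-time registers. */
static void configure_second_mode(struct control_unit *cu) {
    cu_reset(cu);
    cu_add_policy(cu, IF_FIRST, ADDR_AUDIO_BASE, ADDR_AUDIO_END, ACC_READ);
    cu_set_gate(cu, IF_FIRST, IF_SECOND, true);
    cu_lock(cu);
}

static const char *verdict(bool ok) { return ok ? "allowed" : "denied"; }

int main(void) {
    struct control_unit cu;
    boot_first_mode(&cu);
    printf("first mode, first interface: audio write %s, policy write %s, fw read %s\n",
           verdict(cu_allows(&cu, IF_FIRST, ADDR_AUDIO_BASE, ACC_WRITE)),
           verdict(cu_allows(&cu, IF_FIRST, ADDR_CTRL_BASE, ACC_WRITE)),
           verdict(cu_allows(&cu, IF_FIRST, ADDR_FW_BASE, ACC_READ)));
    printf("first mode, host tries to close its own gate: %s\n",
           verdict(cu_set_gate(&cu, IF_FIRST, IF_FIRST, false)));
    configure_second_mode(&cu);
    printf("second mode, second interface: audio read %s, audio write %s, ctrl read %s\n",
           verdict(cu_allows(&cu, IF_SECOND, ADDR_AUDIO_BASE, ACC_READ)),
           verdict(cu_allows(&cu, IF_SECOND, ADDR_AUDIO_BASE, ACC_WRITE)),
           verdict(cu_allows(&cu, IF_SECOND, ADDR_CTRL_BASE, ACC_READ)));
    return 0;
}
```

Two properties of the model are worth noting when reading the claims. First, the lock bit is not what stops the host from reopening its own path: once the first interface's gate is open and the policy table omits the control registers (claim 39), a write to the gate or policy registers from that interface is refused by the same audit check that guards every other address, with or without the lock. The lock additionally freezes the table against the unrestricted path. Second, in the first mode the second interface is simply unconnected in the model (its gate is closed), which is the 'X' in the tables above; a real design would also want that interface physically disabled or separately gated.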
Features of any given aspect or example may be combined with features of any other aspect or example, and various features described herein may be implemented in any combination in the given example.
The skilled person will appreciate that the above-described apparatus and methods may be embodied as processor control code, for example on a carrier medium such as a magnetic disk, CD- or DVD-ROM, programmed memory (firmware) such as read only memory, or on a data carrier such as an optical or electrical signal carrier, where appropriate. For many applications, embodiments of the present invention will be implemented on a DSP (digital signal processor), an ASIC (application specific integrated circuit) or an FPGA (field programmable gate array). Thus the code may comprise conventional program code or microcode, or, for example, code to set up or control an ASIC or FPGA. The code may also comprise code for dynamically configuring a reconfigurable device such as a reconfigurable array of logic gates. Similarly, the code may comprise code for a hardware description language such as Verilog (TM) or VHDL (very high speed integrated circuit hardware description language). The skilled person will appreciate that the code may be distributed among a plurality of coupled components in communication with each other. Where appropriate, implementations may also use code running on a field (re)programmable analog array or similar device to configure analog hardware.
It should be noted that the above-mentioned examples illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim, "a" or "an" does not exclude a plurality, and a single feature or other unit may fulfill the functions of several units recited in the claims. Any reference sign in a claim should not be construed as limiting the scope of the claim.

Claims (60)

1. An integrated circuit, the integrated circuit comprising:
a first interface and a second interface;
an internally addressable space comprising a plurality of address ranges; and
a control unit;
wherein each of the first interface and the second interface is coupled to the internal addressable space via the control unit, wherein the control unit is configurable to be in a first state in which the control unit is configured to allow or deny the second interface access to a subset of the plurality of address ranges of the internal addressable space.
2. The integrated circuit of claim 1, wherein a configuration of the control unit is set via the first interface.
3. The integrated circuit of claim 1 or 2, wherein the control unit comprises a gate having an open state and a closed state, wherein the second interface is coupled to the internally addressable space via the gate, and wherein the control unit being configured in the first state corresponds to the gate being configured in the open state.
4. An integrated circuit as claimed in any preceding claim, wherein said control unit comprises a policy table storing access permissions for said internally addressable space, said access permissions defining said subset of address ranges for which said control unit allows or denies access when in said first state.
5. The integrated circuit of claim 3, wherein the control unit includes a policy table storing access permissions for the internally addressable space, the access permissions defining the subset of address ranges that the control unit allows or denies access to when in the first state, and wherein the gate is coupled to the policy table such that in the open state the gate is configured to allow or deny access to the subset of the internally addressable space according to the policy table.
6. The integrated circuit of claim 3, wherein the control unit further comprises an auditing module configured to, for an incoming request received via the second interface to access at least one address of the plurality of address ranges, access the policy table to determine an access permission associated with the at least one address and send a signal to the gate, wherein the gate, when in the open state, is configured to take, upon receiving the signal from the auditing module, a configuration depending on the access permission associated with the at least one address, and to permit or deny the received access request in accordance with that configuration.
7. The integrated circuit of any of claims 3 to 6, wherein the open or closed state of the gate is configured to be controllable via a non-volatile memory.
8. The integrated circuit of claim 7, wherein the non-volatile memory comprises a one-time programmable (OTP) memory.
9. An integrated circuit as claimed in any one of claims 6 to 8, wherein the auditing module comprises a comparator.
10. The integrated circuit of any of claims 6 to 9, wherein the incoming access request received via the second interface comprises a request to read from, write to, or both read from and write to the at least one address, and wherein the associated access permission comprises a permission to read from, write to, or both read from and write to the at least one address.
11. The integrated circuit of any one of claims 4 to 10, wherein the policy table is configured to store access permissions for a set of address ranges in the internally addressable space.
12. The integrated circuit of any one of claims 4 to 11, wherein the access permissions in the policy table are configured to be set via the first interface.
13. The integrated circuit of any one of claims 4 to 12, wherein the integrated circuit is configured such that, following booting of the integrated circuit, modification of the access permissions stored in the policy table is prevented.
14. The integrated circuit of claim 1, wherein the control unit, when in the first state, is configured to store access permissions defining the subset of address ranges that are allowed or denied access via the second interface.
15. The integrated circuit of claim 14, wherein the access permissions are configured to be set via the first interface.
16. An integrated circuit as claimed in any preceding claim, wherein, when in the first state, the control unit is configured to allow the first interface to access the plurality of address ranges of the internal addressable space.
17. The integrated circuit of claim 1 or 16, wherein the control unit comprises a gate having an open state and a closed state, wherein the first interface is coupled to the internally addressable space via the gate, and wherein the control unit being configured in the first state corresponds to the gate being configured in the closed state.
18. An integrated circuit as claimed in any preceding claim, wherein the control unit is configured to be in the first state.
19. An integrated circuit as claimed in any preceding claim, comprising a plurality of second interfaces, wherein each of the plurality of second interfaces is coupled to the internal addressable space via the control unit, and wherein the control unit is configurable to be in a state in which the control unit is configured to allow or deny access to a subset of the plurality of second interfaces to the subset of the address range.
20. The integrated circuit of claim 1, further comprising a plurality of second interfaces and a plurality of control units, wherein each of the plurality of second interfaces is coupled to the internal addressable space via a respective control unit, wherein each control unit is configurable to be in a first state in which the control unit is configured to allow or deny access to at least a respective subset of the address range by the respective second interface.
21. The integrated circuit of claim 20, wherein a configuration of each of the plurality of control units is set via the first interface.
22. An integrated circuit, the integrated circuit comprising:
a first interface and a second interface;
an internally addressable space comprising a plurality of address ranges;
wherein each of the first interface and the second interface is coupled to the internal addressable space, and wherein access to a first subset of the plurality of address ranges is granted via the second interface and access to a second subset of the plurality of address ranges is blocked via the second interface.
23. The integrated circuit of claim 22, wherein access to the plurality of address ranges is granted via the first interface.
24. The integrated circuit of claim 22 or 23, wherein the integrated circuit comprises a policy table configured to store access permissions for at least a subset of the plurality of address ranges such that the first subset and the second subset are defined according to associated access permissions of the first subset and the second subset stored in the policy table.
25. The integrated circuit of claim 24, wherein the access permissions are configured to be set via the first interface.
26. The integrated circuit of claim 24 or 25, further comprising a gate and an auditing module, wherein the auditing module is coupled to the policy table and the gate, and wherein the auditing module is configured to, for an incoming request received via the second interface to access at least one address in the plurality of address ranges, access the policy table to determine the access permission associated with the at least one address and send a signal to the gate, wherein the gate is configured to take, upon receipt of the signal from the auditing module, a configuration depending on the access permission associated with the at least one address, and to permit or deny the received access request according to that configuration.
27. A system comprising the integrated circuit of any preceding claim, the system comprising:
a secure microcontroller coupled to the addressable space via the first interface; and
a processor coupled to the addressable space via at least one second interface.
28. The system of claim 27, wherein the processor is configured to initialize an operating system, and wherein the secure microcontroller is configured to initialize the integrated circuit before the processor completes initializing the operating system.
29. The system of claim 27 or 28, wherein the processor is configured to trigger the secure microcontroller to initialize the integrated circuit.
30. An integrated circuit, the integrated circuit comprising:
a first interface and a second interface;
an internally addressable space comprising a plurality of address ranges;
wherein the integrated circuit is configurable such that access to the plurality of address ranges is granted via one of the first interface and the second interface, and access to the first subset of the plurality of address ranges is denied via the other of the first interface and the second interface.
31. An integrated circuit, the integrated circuit comprising:
an internally addressable space comprising a plurality of address ranges;
a control unit configurable to be in a first state and a second state; and
an interface coupled to the internal addressable space via the control unit;
wherein the interface accesses the plurality of address ranges unrestricted via the control unit when the control unit is configured in the first state, and wherein the interface accesses a restricted subset of the plurality of address ranges via the control unit when the control unit is configured in the second state.
32. The integrated circuit of claim 31, wherein the control unit is configurable to be in the second state via the interface when the control unit is configured to be in the first state.
33. The integrated circuit of claim 31 or 32, wherein the control unit comprises a policy table configured to store access permissions for the internally addressable space, the access permissions defining the restricted subset of the plurality of address ranges accessed by the interface when the control unit is configured in its second state, and wherein the access permissions are writable to the policy table via the interface when the control unit is configured in the first state.
34. The integrated circuit of claim 33, wherein, when the control unit is configured in its second state, the control unit is configured such that the access permissions of the policy table are blocked from being modified via the interface.
35. The integrated circuit of any of claims 31 to 34, wherein the control unit comprises a gate having an open state and a closed state, wherein the interface is coupled to the internal addressable space via the gate, and wherein the gate is configured to be in the closed state when the control unit is configured to be in the first state and the gate is configured to be in the open state when the control unit is configured to be in the second state.
36. The integrated circuit of claim 35, wherein the state of the gate is settable via the interface when the control unit is configured to be in the first state.
37. An integrated circuit as claimed in claim 35 or 36, wherein the state of the gate is prevented from being changed via the interface when the control unit is configured to be in the second state.
38. An integrated circuit as claimed in any one of claims 31 to 37, wherein, when the control unit is configured to be in the second state, the control unit can only be returned to the first state by resetting the integrated circuit.
39. The integrated circuit of any of claims 31 to 38, wherein the restricted subset of the plurality of address ranges does not include a configuration register for the control unit.
40. The integrated circuit of any one of claims 33 to 39, further comprising an auditing module configured to, for an incoming access request received from a processor via the interface to access at least one address in the plurality of address ranges, access the policy table to determine an access permission associated with the at least one address and send a signal to the gate, wherein the gate, when in the open state, is configured to take, upon receiving the signal from the auditing module, a configuration depending on the access permission associated with the at least one address, and to permit or deny the received access request in accordance with that configuration.
41. An integrated circuit as claimed in any one of claims 31 to 40, wherein the interface is a first interface, and wherein the integrated circuit comprises a plurality of interfaces including the first interface.
42. A system comprising the integrated circuit of any of claims 31 to 41 and a processor connected to the interface of the integrated circuit, wherein the processor comprises a first state and a second state such that when configured in the first state, the processor is configured to execute boot loader firmware and when configured in the second state, the processor is configured to initialize and execute an operating system, wherein the processor is in its first state corresponds to the control unit being in its first state and wherein the processor is in its second state corresponds to the control unit being in its second state.
43. A system as defined in claim 42, wherein when configured in the first state, the processor is configured to load firmware onto the IC, the firmware, when executed by the IC, causing the control unit to transition from its first state to its second state.
44. The system of claim 42 or 43, wherein when configured in the first state, the processor is configured to load firmware onto the IC, the firmware, when executed by the IC, writing the access permissions defining the restricted subset of the plurality of address ranges to the policy table.
45. A system as claimed in any one of claims 42 to 44, wherein when configured in the first state, the processor is configured to load firmware onto the IC, the firmware, when executed by the IC, causing the gate to transition from its closed state to its open state.
46. A system as claimed in any one of claims 42 to 45, wherein when configured in its second state, the processor is configured such that the processor cannot cause the control unit to transition from its second state to its first state without causing itself to transition to its first state.
47. An integrated circuit, the integrated circuit comprising:
a first interface and a second interface;
an internally addressable space comprising a plurality of address ranges; and
a control unit;
wherein each of the first interface and the second interface is coupled to the internal addressable space via the control unit,
wherein the control unit is configurable in a first state, a second state and a third state,
wherein when the control unit is configured in the first state, the first interface accesses the plurality of address ranges unrestricted via the control unit, and wherein when the control unit is configured in the second state, the first interface accesses a restricted subset of the plurality of address ranges via the control unit, and when the control unit is configured in the third state, the control unit is configured to allow or deny the second interface access to a subset of the plurality of address ranges of the internal addressable space.
48. The integrated circuit of claim 47, wherein the control unit is configurable to be in the second state via the first interface when the control unit is configured to be in the first state.
49. An integrated circuit as claimed in claim 47 or 48, wherein the configuration of the control unit is set via the first interface.
50. An integrated circuit, the integrated circuit comprising:
an internally addressable space comprising a plurality of address ranges;
a control unit storing a policy; and
an interface coupled to the internal addressable space via the control unit;
wherein the control unit is configurable via the interface to be in a lockable state in which the interface is capable of accessing a restricted subset of the plurality of address ranges via the control unit as defined by the policy stored in the control unit.
51. The integrated circuit of claim 50, wherein the policy stored in the control unit is settable via the interface, and wherein configuring the control unit to be in the lockable state comprises setting the policy via the interface.
52. The integrated circuit of claim 50 or 51, further comprising a gate, wherein the interface is coupled to the internal addressable space via the gate, and wherein the gate has an open state and a closed state such that, when in its open state, the gate allows or denies access to a given address via the interface according to the entry corresponding to the given address in the policy stored in the control unit, and wherein configuring the control unit to be in the lockable state comprises configuring the gate to be in the open state.
53. An integrated circuit, the integrated circuit comprising:
a first interface and a second interface, the first interface and the second interface coupled to an internal addressable space;
wherein the integrated circuit is configurable in a first mode and a second mode such that in the first mode the first interface has unrestricted access to a plurality of address ranges and the integrated circuit is configurable such that the first interface has restricted access to the plurality of address ranges, the restricted access being limited to a subset of the plurality of address ranges, and in the second mode the first interface has unrestricted access to the plurality of address ranges of the internal addressable space and the second interface has restricted access to the plurality of address ranges, the restricted access being limited to a subset of the plurality of address ranges.
54. The integrated circuit of claim 53, wherein the integrated circuit is configured to be in the first mode.
55. The integrated circuit of claim 53, wherein the integrated circuit is configured to be in the second mode.
56. An integrated circuit, the integrated circuit comprising:
a first interface and a second interface, the first interface and the second interface coupled to an internally addressable space having a plurality of address ranges;
wherein the first interface has unrestricted access to the plurality of address ranges, and wherein the integrated circuit is configurable such that the first interface or the second interface has restricted access to the plurality of address ranges, the restricted access being limited to a subset of the plurality of address ranges.
57. The integrated circuit of claim 56, wherein each of the first interface and the second interface is associated with a respective gate having an open state and a closed state, such that each gate, when in its open state, grants access to the internal addressable space in accordance with policies stored in the integrated circuit;
wherein unrestricted access by the first interface to the plurality of address ranges corresponds to the gate associated with the first interface being closed;
wherein configuring the integrated circuit such that the first interface or the second interface has restricted access to the plurality of address ranges, the restricted access being limited to a subset of the plurality of address ranges, comprises changing the gate associated with the first interface or the second interface from closed to open.
58. The integrated circuit of claim 57, wherein the gate associated with the first interface is closed and the gate associated with the second interface is closed.
59. The integrated circuit of claim 57, wherein the gate associated with the first interface is closed and the gate associated with the second interface is open.
60. The integrated circuit of claim 57, wherein the gate associated with the first interface is open and the gate associated with the second interface is closed.
Application CN202180088763.4A (priority date 2021-01-19, filing date 2021-08-04): Integrated circuit with asymmetric access privileges, pending, published as CN116710915A.

Applications Claiming Priority (5)

Application number   Publication      Priority date   Filing date   Title
US63/138,950                          2021-01-19
US17/232,514         US11809334B2     2021-01-19      2021-04-16    Integrated circuit with asymmetric access privileges
US17/232,514                          2021-04-16
GB2106226.0                           2021-04-30
PCT/GB2021/052016    WO2022157467A1   2021-01-19      2021-08-04    Integrated circuit with asymmetric access privileges

Publications (1)

Publication Number Publication Date
CN116710915A true CN116710915A (en) 2023-09-05

Family

ID=87826227

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202180088763.4A Pending CN116710915A (en) 2021-01-19 2021-08-04 Integrated circuit with asymmetric access privileges

Country Status (1)

Country Link
CN (1) CN116710915A (en)

Similar Documents

Publication Publication Date Title
TWI402682B (en) Memory protection for embedded controllers
CN101238473B (en) A secure terminal and a method of protecting a secret key
AU771129B2 (en) Partitioned memory device having characteristics of different memory technologies
US9389793B2 (en) Trusted execution and access protection for embedded memory
JP5975629B2 (en) Memory protection unit and storage element access control method
US20100131729A1 (en) Integrated circuit with improved device security
US9015437B2 (en) Extensible hardware device configuration using memory
EP1927065B1 (en) Method for computing platform data protection
KR20150033695A (en) Memory protection
WO2018104711A1 (en) Memory protection logic
JPH05324951A (en) Pc card for microcomputer capable of executing inner program
KR102432451B1 (en) Semiconductor device and method for operating semiconductor device
CN103366814A (en) Flash data security protection circuit and method
CN116710915A (en) Integrated circuit with asymmetric access privileges
US11809334B2 (en) Integrated circuit with asymmetric access privileges
US20220229937A1 (en) Integrated circuit with asymmetric access privileges
WO2022157467A1 (en) Integrated circuit with asymmetric access privileges
WO2018132477A1 (en) A security architecture and method
US20210200876A1 (en) Computer apparatus and authority management method based on trust chain
US8924672B2 (en) Device with processing unit and information storage
US20020166036A1 (en) Multiple memory block disable function
CN117472808A (en) Data protection method, device and system
JP2003223362A (en) Memory protecting circuit

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination