CN117633920A - Sensitive data transmission bus architecture, control logic circuit and transmission system - Google Patents
Sensitive data transmission bus architecture, control logic circuit and transmission system Download PDFInfo
- Publication number
- CN117633920A CN117633920A CN202311719310.4A CN202311719310A CN117633920A CN 117633920 A CN117633920 A CN 117633920A CN 202311719310 A CN202311719310 A CN 202311719310A CN 117633920 A CN117633920 A CN 117633920A
- Authority
- CN
- China
- Prior art keywords
- sensitive data
- sensitive
- data
- bit
- address
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000005540 biological transmission Effects 0.000 title claims abstract description 167
- 238000009826 distribution Methods 0.000 claims abstract description 124
- 238000012544 monitoring process Methods 0.000 claims description 21
- 238000012545 processing Methods 0.000 claims description 20
- 238000012546 transfer Methods 0.000 claims description 20
- 238000000034 method Methods 0.000 claims description 15
- 238000004364 calculation method Methods 0.000 claims description 13
- 238000012795 verification Methods 0.000 claims description 13
- 238000013500 data storage Methods 0.000 claims description 11
- 230000007246 mechanism Effects 0.000 claims description 9
- 230000008569 process Effects 0.000 claims description 9
- 238000001514 detection method Methods 0.000 claims description 7
- 238000006243 chemical reaction Methods 0.000 claims description 6
- 230000004044 response Effects 0.000 claims description 6
- 230000003139 buffering effect Effects 0.000 claims description 5
- 125000004122 cyclic group Chemical group 0.000 claims description 5
- 239000004065 semiconductor Substances 0.000 abstract description 9
- 238000013461 design Methods 0.000 abstract description 5
- 235000019580 granularity Nutrition 0.000 description 38
- 238000010586 diagram Methods 0.000 description 10
- 230000002093 peripheral effect Effects 0.000 description 7
- 230000002159 abnormal effect Effects 0.000 description 5
- 230000000873 masking effect Effects 0.000 description 5
- 101150046666 ureG gene Proteins 0.000 description 5
- 230000005856 abnormality Effects 0.000 description 3
- 238000004891 communication Methods 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 2
- 230000003247 decreasing effect Effects 0.000 description 2
- 230000007547 defect Effects 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000002347 injection Methods 0.000 description 2
- 239000007924 injection Substances 0.000 description 2
- 230000010354 integration Effects 0.000 description 2
- 230000001960 triggered effect Effects 0.000 description 2
- LHMQDVIHBXWNII-UHFFFAOYSA-N 3-amino-4-methoxy-n-phenylbenzamide Chemical compound C1=C(N)C(OC)=CC=C1C(=O)NC1=CC=CC=C1 LHMQDVIHBXWNII-UHFFFAOYSA-N 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 239000002131 composite material Substances 0.000 description 1
- 230000001143 conditioned effect Effects 0.000 description 1
- 230000008030 elimination Effects 0.000 description 1
- 238000003379 elimination reaction Methods 0.000 description 1
- 230000005284 excitation Effects 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 238000004321 preservation Methods 0.000 description 1
- 239000000243 solution Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Abstract
The application provides a sensitive data transmission bus architecture, a control logic circuit and a transmission system for the inside of a chip, which are applied to the technical field of semiconductor chip design, wherein the transmission bus architecture is defined with a transmission write enable signal interface, an address data signal interface, a sensitive data signal interface and a feedback waiting signal interface, so that in terms of an input side and an output side of distribution transmission, the distribution transmission has only write enable and no read enable, and therefore the distribution transmission can only be transmitted from a front stage to a rear stage and cannot be transmitted from a rear stage to the front stage, the possibility of reverse leakage of sensitive data can be avoided, and the uniformity and the expandability of the on-chip sensitive data transmission are realized based on the transmission of a new bus architecture, and the transmission safety is improved.
Description
Technical Field
The present disclosure relates to the field of semiconductor chip design technologies, and in particular, to a sensitive data transmission bus architecture, a control logic circuit, and a transmission system for use in a chip.
Background
For the reasons of protecting intellectual property and preventing hacking, modern semiconductor chip design implementations often integrate some more sensitive data (abbreviated as sensitive numbers), such as: tamper-proof but publicable CUID (Chipset Unique Identification, chip unique identification) data for identifying chip manufacturer identity information; root-key data which is not only forbidden to tamper but also needs to be kept secret and is used for an on-chip cryptographic processing engine to work; the input stimulus class data (including but not limited to keys, algorithm parameters, input packets) that are updated on demand and kept secret and required for certain encryption/decryption processing engines on-chip, etc.
The existing scheme does not take special handling consideration on the transmission process of the on-chip data with sensitive attribute, namely, the transmission process from a corresponding on-chip providing source (generating end, also called sensitive number source) to a known on-chip receiving place (namely, receiving end, also called sensitive number end), and the leakage, the tampering and the like of the data are easy to cause in the transmission process.
Disclosure of Invention
In view of this, the present embodiments provide a circuit architecture suitable for accomplishing within a semiconductor chip, at a small implementation cost (e.g., resource/power consumption cost, performance consumption, etc. of the chip), that chip sensitive data from a multitude of sensitive data sources is securely distributed to specified sensitive terminals within the chip.
The embodiment of the specification provides the following technical scheme:
the embodiment of the specification provides a sensitive data transmission bus architecture applied to sensitive data transmission between a sensitive data source and a sensitive data terminal in a chip, the sensitive data transmission bus architecture comprises:
a transmission write enable signal interface, wherein the transmission write enable signal interface is used for transmitting an enable signal of one-pass distribution operation of a group of sensitive data, the bit width of the transmission write enable signal is R and is valid in a single-hot mode, R represents the number of sensitive data terminals, and the sensitive data terminals are receiving terminals of the sensitive data;
The address data signal interface is used for transmitting operation data corresponding to the distribution operation, the operation data comprises an index number of a sensitive number source corresponding to the sensitive data, an address signal of a sensitive number end storage space, a first reference check value of the index number and a second reference check value of the address signal, the bit width of the address data signal interface is n+i+v, and n is the bit width of the address signal; i is the bit width of the index number; v is the bit width of the first reference check value and the second reference check value;
the sensitive data signal interface is used for transmitting sensitive data with the distribution operation corresponding to a preset bit width;
and the feedback waiting signal interface is used for setting a busy feedback signal when the sensitive data end is not ready to receive the sensitive data corresponding to the distribution operation, when the busy feedback signal is valid, the single transmission with the current granularity is not executed, and when the busy feedback signal is invalid, the single transmission is executed again.
Preferably, the bit width of the address data signal interface is a programmable bit width; and/or, the bit width of the sensitive data signal interface is a programmable bit width.
Preferably, the bit width of the sensitive data signal interface is not greater than the minimum value of a single set of sensitive data of all sensitive data sources, so that distribution transmission can be uniformly carried out on a plurality of sensitive data sources with different single sets of sensitive data.
Preferably, the operation data transmitted by the address data signal interface is used for: and when the target sensitive number terminal receives that the corresponding enabling signal bit in the transmission write enabling signal interface is valid, detecting and storing the data according to part or all of the received data in the operation data.
Preferably, the post-detection storage processing according to part or all of the received operation data includes:
detecting the addressing signals with n bits in the operation data and address bit segments corresponding to the storage areas, and shielding and receiving the sensitive data and emptying the sensitive data storage areas when the addressing signals are not in the addressing space corresponding to the sensitive data end;
and/or detecting index numbers with i bit length and index value bit sections of on-chip sensitive number sources in the operation data, and shielding and receiving the sensitive data and emptying a sensitive data storage area of the sensitive data when the index number sensitive number sources are found not to be legal corresponding to the local sensitive number end;
And/or comparing and checking the first reference check value and the second reference check value with v bit length in the operation data with a real-time check value generated by self calculation, and shielding and receiving the transmitted sensitive data and emptying a sensitive data storage area of the self when a check result is inconsistent, wherein the real-time check value is the check value generated by the real-time calculation of the sensitive data end according to the actually received addressing signal and the index number.
Preferably, the address signals transmitted by the address data signal interface are further used for: in the sensitive data source of the distributing operation, a single sensitive data source provides addressing signals of the sensitive data end storage space with the bit width and the full length in a one-time distributing process in a concomitant mode and sequentially changes in each transmission, so that the target sensitive data end stores sensitive data based on valid bits of the transmission write enabling signal interface and 2 bits of data in the addressing signals of the sequentially changing sensitive data end storage space.
Preferably, the first reference check value and/or the second reference check value are check values obtained based on any one of the following check modes: parity checking and cyclic redundancy code checking.
Preferably, the first reference check value and/or the second reference check value is generated when a sensitive data source inputs data to the sensitive data signal interface.
Preferably, the sensitive data transmission bus architecture further comprises a monitoring interface, wherein the monitoring interface is used for transmitting an abnormal configuration signal, so that the target sensitive digital terminal performs a set-up and/or predefined response mechanism based on the abnormal configuration signal, and automatically judges whether to receive or shield the current distribution transmission.
The embodiment of the present disclosure further provides a sensitive data transmission control logic circuit, disposed in a chip and located between a sensitive data source in the chip and a sensitive data transmission bus architecture as described in any one of the present application, where the sensitive data transmission control logic circuit includes: the system comprises a user register sub-module, a security sub-module, an arbitration sub-module and an input port corresponding to the sensitive number source;
the input port is used for connecting a sensitive number source;
the arbitration submodule is used for arbitrating sensitive number sources of a plurality of input ports;
the configuration register comprises at least one pair of register groups, each pair of register groups comprises a security distribution shielding enabling register and a security control register, the security distribution shielding enabling register is used for configuring legal sensitive number sources corresponding to security units of the security units, and the security control register is used for configuring legal sensitive number ends corresponding to the security units; the user register sub-module is connected with a universal bus in the chip so that the chip can configure the register set;
And each security unit of the security sub-module is used for distributing and protecting the transmission process of the sensitive data transmitted by the digital end of the sensitive data source Xiang Min after the arbitration of the arbitration sub-module according to the configuration data corresponding to the register group.
Preferably, the distribution protection comprises:
when determining that the target sensitive number source is distributed and shielded according to the configuration data corresponding to the register group, the security sub-module controls the arbitration sub-module so that the cache of the arbitration sub-module is not written into the sensitive data which is currently input;
and/or when the fact that the target sensitive number source does not need to be distributed and shielded is determined according to the configuration data corresponding to the register group, the security sub-module controls the arbitration sub-module to enable the cache of the arbitration sub-module to input sensitive data from the sensitive number source, and the sensitive data cached by the arbitration sub-module is distributed and transmitted to the sensitive number terminal in a broadcasting mode through the sensitive data transmission bus architecture.
Preferably, the triggering of the distribution protection of the one-pass distribution operation satisfies the following condition: and setting the security enabling bit in the security control register to be 1, setting the bit of the security distribution shielding enabling register corresponding to the appointed sensitive number source to be 1, and setting the sensitive number end storage space address given by the appointed sensitive number source during distribution transmission to be in the protection range of the target security unit.
Preferably, the security control register is further configured to configure a legal sensitive number end corresponding to the security unit, where the legal sensitive number end includes: and configuring protection enabling corresponding to the legal sensitive digital terminal, updating and locking protection of protection configuration and protecting a storage space range, wherein the security control register comprises 1-bit protection enabling, 1-bit protection configuration updating and locking protection and multi-bit storage space protection range setting bit fields.
Preferably, the multi-bit storage space protection range setting bit field includes: a 1-bit address mode configuration bit, a multi-bit base address and a multi-bit extra address; when the address mode configuration bit is set to 0, the protection range of the storage space is an address range from a basic address to an additional address; when the address mode configuration bit is set to 1, the memory space protection range is an address range formed by the logical AND result of the memory space protection address and the additional address and the spatial address of which the logical AND result of the base address and the additional address are equal.
Preferably, each security unit of the security sub-module is further configured to perform validity monitoring of real-time verification during the entire transmission process of one-pass distribution operation according to the configuration data corresponding to the register set, and output fault information.
Preferably, the validity monitoring of the real-time verification comprises any one or more of the following:
determining whether the sensitive number source is legal or not according to the configuration register of each security unit;
determining whether the sensitive number end is legal or not according to the configuration register of each security unit;
determining whether the protection enabling is modified according to the configuration register of each security unit;
and determining whether the protection address range is legal or not according to the configuration register of each security unit.
Preferably, the sensitive data transmission control logic circuit further comprises a data buffer submodule, wherein the data buffer submodule is used for providing a buffer space of sensitive data so as to realize preset granularity conversion processing and/or priority transmission control based on the buffer space.
The embodiment of the specification also provides a sensitive data transmission system, which comprises: a sensitive data source, a sensitive data transmission bus architecture as described in any one of the present application, a sensitive data transmission control logic circuit as described in any one of the present application, a universal bus in a chip, and a sensitive data terminal;
the sensitive data transmission control logic circuit comprises a sensitive data transmission control logic circuit, a universal bus, a user register submodule, a security submodule and a sensitive data terminal, wherein the sensitive data source is connected with an input port of the sensitive data transmission control logic circuit, the universal bus is connected with the user register submodule of the sensitive data transmission control logic circuit, and the security submodule of the sensitive data transmission control logic circuit is connected with the sensitive data terminal through a sensitive data transmission bus architecture.
Compared with the prior art, the beneficial effects that above-mentioned at least one technical scheme that this description embodiment adopted can reach include at least:
by providing a simple bus architecture suitable for use within a semiconductor chip, chip sensitive data from a multitude of on-chip sensitive data sources can be securely distributed to designated sensitive recipients on-chip at a low implementation cost (e.g., chip resource/power consumption penalty, performance consumption, etc.), resulting in sensitive data on-chip transmission with good uniformity, scalability, security, etc.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of the circuit architecture of an SDB proprietary bus and SDCTL controller in the present application;
FIG. 2 is a schematic diagram of the composition of the user register SDCTL_UREG in the present application;
FIG. 3 is a schematic diagram of the bit-domain definition of the PROP registers of a single DPU unit in the present application;
FIG. 4 is a schematic diagram of the bit-domain definition of the CTRL registers of a single DPU unit in the present application;
FIG. 5 is a schematic diagram of the masking conditions of the DPU unit for one pass of a dispatch operation in the present application;
fig. 6 is a schematic diagram of real-time verification for DPU protection configuration in the present application;
FIG. 7 is a schematic diagram of the real-time verification of the SDB_ADDR signal in this application.
Detailed Description
Embodiments of the present application are described in detail below with reference to the accompanying drawings.
Other advantages and effects of the present application will become apparent to those skilled in the art from the present disclosure, when the following description of the embodiments is taken in conjunction with the accompanying drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. The present application may be embodied or carried out in other specific embodiments, and the details of the present application may be modified or changed from various points of view and applications without departing from the spirit of the present application. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present application, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, apparatus may be implemented and/or methods practiced using any number and aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should also be noted that the illustrations provided in the following embodiments merely illustrate the basic concepts of the application by way of illustration, and only the components related to the application are shown in the drawings and are not drawn according to the number, shape and size of the components in actual implementation, and the form, number and proportion of the components in actual implementation may be arbitrarily changed, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided in order to provide a thorough understanding of the examples. However, it will be understood by those skilled in the art that the present invention may be practiced without these specific details.
Common on-chip sensitive data and a data loading process schematic can be as follows:
CUID (Chipset Unique Identification, chip unique identification) data: usually, the chip is programmed in an NVM (Non-Volatile Memory) such as ROM/OTP/Flash (Flash) before leaving the factory, and after the chip is powered up and begins to work, CUID data is usually needed to be loaded out of the NVM and then transferred to a corresponding on-chip and off-chip module for use (for example, the CUID data is read by a CPU core of the chip to be used for checking or participating in function processing);
root-key data: either in plaintext or ciphertext, is programmed into a similar NVM before the chip reaches the user's hand. Wherein, when programmed in plaintext form, its provision is similar to the CUID data; when programmed in ciphertext form, its provision typically involves additional on-chip decryption processes. Whether provided in plaintext or ciphertext form, unlike CUID data, root-key data itself is often required to be secure—its secure object is not only a Master in a System On Chip (SOC) Chip architecture such as a CPU core, DMA host (Direct Memory Access, direct memory access controller), but also logic circuitry including other unrelated peripheral modules On Chip. In other words, sensitive data that needs to be kept secret should only be accessible to the allowed designated on-chip logic;
On-chip sensitive data of the excitation class is dynamically input: their generation, provision, etc. are generally not disposable and often require repeated refreshing of the product as required. Such as based on certain Root-key data and sub-key generator peripheral modules within the chip, and repeatedly updating the working keys or algorithm parameters required to generate certain on-chip cryptographic processing engine peripheral modules at specific time intervals. Unlike Root-key data, on-chip sensitive data of the dynamic input stimulus class is repeatedly transmitted to the allowed designated sensitive receiving end because of refreshing.
In the semiconductor industry, a system bus (such as an AHB bus derived from AMBA standard) in an SOC chip is used to implement an on-chip sensitive data distribution operation, while the uniformity and scalability of the distribution requirements can be considered, for example, a chip may suddenly add several supply sources and/or usage requirements of the on-chip sensitive data in the middle and later stages of the design, but the overall requirements of secure distribution cannot be met or even directly violated, because once the sensitive data can implement read/write access through the system bus, leakage and/or tampering of the sensitive data are most likely caused by objective defects of the chip software/hardware design or effective attacks imposed by external maliciousness.
In order to solve the above-mentioned defect problem in the aspect of security, the existing method is that after the generation end of the sensitive data encrypts it, the sensitive data in the form of ciphertext is distributed and transmitted through the system bus, and after the corresponding decryption processing is performed on the receiving end of the data, the sensitive data can be recovered for use. Obviously, the encryption processing and the decryption processing are added to the generation end and the receiving end of the sensitive data respectively, so that the encryption processing and the decryption processing can be realized only by a special hardware logic circuit (a software program cannot be executed by a CPU) for the safety of the encryption processing and the decryption processing, and a series of cost overheads such as more resources, more power consumption, more performance loss and the like are increased.
In addition, an end-to-end direct communication transmission path is built between a certain sensitive number source and a corresponding sensitive number end, although the safety of the distribution operation is guaranteed to a higher degree, the feasibility of achieving the uniformity and the expandability of the distribution operation is poor, objective faults or active attacks and the like possibly occurring on the data transmission path in the distribution process cannot be achieved, for example, the number of the end-to-end direct communication transmission paths cannot be monitored, and the same number of monitoring logic circuits are needed to be completely covered.
In addition, various on-chip sensitive data have different requirements in aspects of providing modes, using modes, security guarantee and the like, and the existing scheme cannot meet the requirements in addition to non-uniformity and unpredictability of actual types, quantity and the like of on-chip sensitive data integrated by various semiconductor chips.
In view of the foregoing, there is a need for a simple bus and controller circuit architecture for safely distributing chip sensitive data on-chip with relatively low implementation cost, while meeting the requirements of security, uniformity, scalability, etc. of various on-chip sensitive data in distribution operations.
Based on this, the present application aims to provide a bus structure and controller circuit architecture suitable for accomplishing the secure distribution of chip sensitive data from a multitude of on-chip sensitive data sources to an on-chip designated sensitive data receiving end (i.e. sensitive data end) within a semiconductor chip at a small implementation cost (e.g. resource/power consumption cost, performance consumption of the chip, etc.).
As shown in fig. 1, a simple and proprietary sensitive data transmission bus architecture for safely distributing chip sensitive data from a plurality of sensitive data sources to designated sensitive receivers in a chip is implemented by the present invention, and by defining simple protocol interfaces in a bus, a transmission process with good performance can be implemented in the aspects of uniformity, expandability, safety, etc. of sensitive data transmission based on the bus interfaces.
Also, based on the transmission protocol of the bus architecture, the control logic circuit can be utilized to realize the transmission control of sensitive data.
And based on the bus architecture and the logic control circuit, the sensitive digital source, the sensitive digital terminal and other functional modules (such as a general bus) in the chip form an on-chip sensitive data transmission system.
The following is an example of buses, logic, and systems.
As illustrated in fig. 1, from the input side of the distribution transmission, a set of sufficiently simple proprietary SDL (Secure Distribute bus Lite, secure distribution simplified bus) bus protocols is defined whose interfaces are only set with the following 4 classes of interface signals:
sdl_wren (transfer write enable signal interface): a single bit, write enable signal from a single distribution transmission of a given sensitive number source;
sdl_addr (address data signal interface): a bit width programmable multi-bit, distributing the addressing signal of the sensitive digital end storage space of the transmission;
sdl_wdat (sensitive data signal interface): multiple bits with programmable bit width, and single-time distributing and transmitting write data signals;
sdl_wait (feedback WAIT signal interface): the single bit, corresponding post-stage receive logic is not ready to receive the busy indication signal of the single transmission volume data currently being distributed.
Whereas from the output side of the distribution transmission, a set of sufficiently simple proprietary SDB (Secure Distribute Bus, secure distribution bus) bus protocols is defined whose interfaces only set 4 classes of interface signals:
sdb_wren (transfer write enable signal interface): multiple bits, write enable signal for single distribution transmission of multiple sensitive digital terminals;
sdb_addr (address data signal interface): the multi-bit programmable bit comprises addressing signals for distributing and transmitting a sensitive digital end storage space, index value signals of a sensitive digital source and reference check value signals of the first two sections of signals;
sdb_wdat (sensitive data signal interface): multiple bits with programmable bit width, and single-time distributing and transmitting write data signals;
sdb_wait (feedback WAIT signal interface): the single bit, corresponding post-stage receive logic is not ready to receive the busy indication signal of the single transmission volume data currently being distributed.
Thus, the input side and the output side of the integrated distribution transmission are seen:
on the one hand, the distribution transmission has only write enable and no read enable, so the distribution transmission can only be transmitted from the front stage to the rear stage, but not from the rear stage to the front stage, thereby avoiding the possibility of reverse leakage of sensitive data.
In both aspects, the SDx _addr signal (x=l/B, which may be adapted to both simplified and non-simplified buses) may be programmable in bit width to facilitate flexible and scalable setting of the overall mapping boundaries of all sensitive digital storage spaces within a system, starting from the specific practical needs of a particular SOC system.
In three aspects, the SDx _wdat signal (x=l/B) is programmable in bit width and is generally no greater than the minimum value of a single set of sensitive data amounts of all sensitive data sources in the system, so that the distribution transmission processing can be conveniently and uniformly performed for a plurality of sensitive data sources, which may be different from each other in the single set of sensitive data amounts in the system.
In some embodiments, the operation data transmitted by the address data signal interface is for: and when the target sensitive number terminal receives that the corresponding enabling signal bit in the transmission write enabling signal interface is valid, detecting and storing the data according to part or all of the received data in the operation data.
In some implementations, separate storage processes may be performed for different scenarios.
In one example, the addressing signal with n bits long in the operation data and the address bit segment corresponding to the storage area thereof are detected, and when the addressing signal is found not to belong to the addressing space corresponding to the local sensitive digital end, the sensitive data is received in a shielding manner, and the storage area of the sensitive data is emptied.
In one example, the index number with the i bit length and the index value bit section of the on-chip sensitive number source in the operation data are detected, and when the sensitive number source of the index number is found not to be the sensitive number source legal corresponding to the local sensitive number end, the sensitive data is received in a shielding manner, and the sensitive data storage area of the sensitive data is emptied.
In one example, the first reference check value and the second reference check value with v bits in the operation data are compared and checked with a real-time check value generated by self calculation, when the check result is inconsistent, the sensitive data are shielded and received, and a sensitive data storage area of the self is emptied, wherein the real-time check value is the check value generated by the sensitive data end by real-time calculation according to the actually received addressing signal and the index number.
It should be noted that the above examples may be combined to meet the storage processing requirement of the actual scenario, and the combination scheme is not limited herein.
In some embodiments, separate storage may be achieved by using the address signals transmitted by the address data signal interface.
For example, in the sensitive data source of the distributing operation, a single sensitive data source provides addressing signals of the sensitive data end storage space with the bit width and the full length in a one-time distributing process in a concomitant mode and sequentially changes in each transmission, so that the target sensitive data end stores sensitive data based on valid bits of the transmission write enable signal interface and 2 bits of data in the addressing signals of the sequentially changing sensitive data end storage space.
In some embodiments, the first reference calibration value and/or the second reference calibration value are calibration values obtained based on any one of the following calibration methods: parity checking and cyclic redundancy code checking.
In some embodiments, the first reference check value and/or the second reference check value are generated when a sensitive data source inputs data to the sensitive data signal interface.
In some embodiments, the sensitive data transmission bus architecture further includes a monitoring interface, where the monitoring interface is configured to transmit an abnormal configuration signal, so that the target sensitive digital terminal performs a set-up and/or predefined response mechanism based on the abnormal configuration signal, and determines whether to receive or mask the current distribution transmission by itself.
It should be noted that the foregoing has described various examples by way of example only, and those skilled in the art will be able to implement the following description.
As roles for on-chip intermediate security controllers for sensitive data distribution and transmission, SDCTL modules and corresponding logic circuits formally distributed in each sensitive data end meet the requirements of "security, uniformity and scalability of various on-chip sensitive data in distribution operations" by the following logic/mechanisms:
On the one hand, the uniformity requirement: the input side and the output side of the distribution transmission are based on a substantially consistent SDB proprietary bus protocol (the SDL bus on the input side can be considered as a simplified version of the SDB bus). On the input side, whatever there are more or less sensitive sources, they initiate distribution transmissions uniformly in the SDL bus protocol. On the output side, sensitive data is distributed in a broadcast manner. And in each sensitive end, on the premise of receiving the corresponding effective distribution transmission write enable signal, detecting whether the storage space of the sensitive end and the index number of the sensitive source of the received transmission are legal values defined by the sensitive end or not, and monitoring whether the storage space of the sensitive end and the index number of the sensitive source of the received transmission are tampered or not in real time.
Two aspects, scalability requirements: the legal or illegal distribution transmission path is specifically defined by the configuration of the DPU unit. If there is a need to increase or decrease the defined distribution transmission paths in the SOC system, this is more likely to be achieved by increasing or decreasing the number of enabled DPU units, in addition to possibly increasing or decreasing the number of sensitive sources and/or the sensitive ends themselves. Furthermore, if the distribution transmission path needs to be increased much, the expansion implementation can be easily achieved by simply increasing the corresponding configuration registers of the DPU unit. In addition, the bit width of the SDB_WDAT signal is programmable, which can facilitate the implementation of the present invention into SOC systems having different distribution and transmission granularities.
Three aspects, security requirements: (1) Based on the configuration content of each DPU unit when being initially configured by a system bus, performing real-time check fault monitoring at rest time of non-configuration; (2) Fault monitoring is performed during the whole transmission process of one-pass distribution operation based on the bit-width full-length sensitive digital end storage space addressing signal and the sensitive digital source index number value signal. The purpose of both types of fault monitoring is to greatly improve the difficulty of implementing the attack of 'malicious injection fault attack to open an illegal distribution transmission path'.
For the detection of the real-time check, there may be in particular the following example ways:
example 1: the fault monitoring logic circuit correspondingly comprises: configuration register logic of each DPU unit, reference check value calculation generation and preservation logic of the configuration registers when configured by a system bus, and real-time check value calculation generation and comparison logic of the configuration registers when the configuration registers are in the rest.
Wherein the PROP type register of the DPU unit integrates distribution shielding enabling for each sensitive number source, which determines legal sensitive number source set for one DPU unit;
the CTRL type register of the DPU unit integrates the protected storage space range of the DPU unit, so that a legal sensitive number end set for one DPU unit is determined; (two sections correspond to the definition of the configuration of "illegal distribution transmission paths", i.e., any distribution transmission path is considered illegal for a DPU unit, whether it is a transmitting end or a receiving end, as long as either end is illegal).
The CTRL class register of a DPU unit also integrates protection enabling, protection configuration update locking of this DPU unit, which may ensure that the enabling of the protection and the corresponding configuration are not unintentionally or maliciously modified.
Example 2: the fault monitoring logic circuit correspondingly comprises: calculating, generating and storing logic of a base check value of a sensitive number end storage space addressing signal and a sensitive number source index number value signal of the full length of the bit width; and the two types of signals are subjected to calculation generation and comparison logic of real-time check values at the sensitive digital end during the whole transmission process of one-time distribution operation, so that real-time fault monitoring processing is realized.
The above-mentioned corresponding checking logic for the sensitive end storage space addressing signal and the sensitive source index number value signal can continuously monitor whether the target distribution transmission path is tampered in the actual multiple transmission process of one-time distribution operation after passing through the detection of the definition validity for any distribution transmission path, so as to avoid distributing all or part of sensitive data of a certain sensitive source to an unexpected sensitive end (or obtaining all or part of sensitive data from an unexpected sensitive source for a certain sensitive end).
Controller logic: the security distribution of on-chip sensitive data from a sensitive data source to a permitted designated sensitive data end can be managed and controlled uniformly by globally managed manager identities. While the control logic itself acts as one of the peripheral modules on the chip (e.g., SOC system architecture), SOC system masters such as CPU cores/DMA hosts have been made to have only indirect preset control rights for the distribution operation (e.g., for which sensitive source(s), for which sensitive end(s), once set, these configurations can be made unalterable within the current reset period) without read/write access rights to the distributed data itself, based on the integration of their internal security mechanisms/policies.
In addition, based on a proprietary transmission bus protocol, that is, an SDB bus (Secure Distribute Bus, secure distribution bus) that defines only class 4 interface signals, implementation can be achieved with uniformity and scalability that facilitate distribution operations of various on-chip sensitive data.
Referring to the previous example, these 4 types of interface signals may be illustrated as follows:
sdb_wren, a transmission write enable signal (bit width R, one hot active-i.e., at most one bit active at the same time; R represents the number of sensitive peers integrated within the current system) corresponding to a single transmission of a set of sensitive data distribution operations (or one pass distribution) (the amount of data of a single transmission is referred to as the "granularity of the distribution transmission");
SDB_ADDR, the index number of the sensitive number source corresponding to the distribution operation, the addressing signal of the sensitive number end storage space, and the reference check value of the two small signals (the bit width is n+i+v: n, the bit width of the addressing signal of the sensitive data receiving end storage space in the chip; i, the bit width of the index number value of the sensitive data providing source in the chip; v, the bit width of the reference check value of the first two bit segments of SDB_ADDR);
sdb_wdat, the sensitive data signal corresponding to the single transmission (bit width w, i.e. "granularity of distribution transmission" is w bits);
Sdb_wait, feedback indication/WAIT signal corresponding to the single transmission. When it is valid, a single transmission of the previous granularity is not performed, but only until the signal is not valid.
Further, the SDB-specific bus protocol may optionally integrate other interface signals in addition to the interface signals described above, such as:
sdb_verr, an exception indication signal for checking in real time for failure of the relevant configuration of the DPU (Distribute Protection Unit, distribution protection unit; see below) associated with the current distribution path. The destination peer may determine itself whether to receive or mask the distributed transmissions for it based on the set-up of this signal and a predefined response mechanism.
In addition, for a single sensitive number source on the dispatch operation input side, its dispatch transport proprietary bus may be considered a simplified version of the SDB bus, or SDL bus.
Among the main differences between SDL and SDB buses include:
sdl_wren is a single bit distributed transmit write enable signal because it corresponds to a given single sensitive number source;
sdl_addr contains only the addressing signals (bit width also n) of the sensitive end memory space of the distribution operation.
In practice, the specific configuration of the controller logic (hereinafter SDCTL module) includes, but is not limited to, the following implementation components:
Input/output ports corresponding to the SOC system universal bus: system bus access (including reading and writing) to the corresponding user register (SDCTL _ UREG) within the SDCTL module is completed.
Alternatively, if the chip has a need to integrate a sensitive data source (colloquially, simply referred to as a software source) from a system host device such as a CPU core, DMA host, etc., this port is also responsible for accomplishing data input from such a sensitive data source (where the write 'granularity' input over the system bus may be different from the dispatch transfer granularity described). Sensitive data from the sensitive data source is firstly cached in an SDCTL-DBUF caching submodule which is also optional, and then is broadcast-distributed and transmitted to a designated sensitive data end through an SDB bus according to a given distribution transmission granularity under the control of an SDCTL-DPU security submodule;
sdctl_ureg user register submodule: the specific implementation of the SDCTL module-related user register, namely the 'indirect preset control right' of the SOC system to the controller logic circuit is integrated.
In some examples, illustrated with reference to fig. 2-4, the user registers include, but are not limited to:
and a plurality of groups of SDCTL_DPU_PROP and SDCTL_DPU_CTRL registers (one group of registers corresponds to one DPU distribution protection unit, so that the total group number is the number of DPU units actually integrated in a chip), wherein the former is used for controlling the distribution shielding enabling of a single DPU unit for each sensitive number source, and the latter is used for controlling the protection enabling, the protection configuration updating locking and the storage space range of the single DPU unit.
An sdctl_cr register: some of the more common control configurations for SDCTL modules are provided. For example, the monitored DPU configuration is checked in real time whether the fault is to report an interrupt to the CPU core and/or whether a reset enable signal is to be requested to the SOC system, and optionally the distribution target sensitive end storage space address of the software sensitive source.
One sdctl_sr register: some general status indication of SDCTL modules is provided. Such as an indication of the operating state of an integrated DPU unit, the validity of any one of its bits indicates that the "masking condition of the corresponding DPU unit for a certain pass of the distribution operation has been met", i.e. the corresponding DPU unit is considered to have been protected.
Sdctl_dbuf cache submodule: may be an alternative implementation component. In the limit, this cache may only provide a cache space for a set of sensitive data.
The functional characteristics of the cache at least comprise two major items:
atomicity guarantees: the data provision of the sensitive data sources must be implemented at a specified granularity, and a complete set of sensitive data must also be provided in a specified order and traversal, as well as possibly other additional assurance policies;
and (3) granularity conversion treatment: the method can accept the source data providing granularity different from the SDB distribution transmission granularity, and finally distributes a group of sensitive data to a designated sensitive number end at the output side with uniform transmission granularity.
A plurality of sets of input ports corresponding to a plurality of sets of internal sensitive number sources, and an sdctl_arbit arbitration sub-module: they mainly accomplish input arbitration and data caching for different sensitive number sources within the chip.
The functional characteristics of the input port and the arbitration at least comprise two major items:
further atomicity assurance (atomic assurance+): including the "atomic assurance" feature as described above, and assurance that the current set of sensitive data will not respond to receipt of a new set of input data (typically from another input port) until all of it has been received;
priority control: in the scene that a plurality of on-chip sensitive number sources can trigger a distribution operation at the same time, the plurality of sensitive number sources are subjected to one-to-one priority response processing based on a certain priority setting and arbitration algorithm.
Sdctl_dpu security submodule: as already mentioned above, the protection operation (i.e. the distribution mask) is performed on some sensitive number source that may be arbitrated, mainly based on a preset DPU configuration (see sdctl_dpu_pro and sdctl_dpu_ctrl registers).
Wherein the distribution mask is illustrated as follows:
when the protection operation (distribution mask) is effectively implemented, the input data of the distribution transmission is not generally collected and buffered (i.e., the buffer integrated in the sdctl_arbit sub-module is not written to the sensitive data currently being input and is simultaneously fed back to the inactive sdi_wait signal);
If the distribution mask is not triggered to be implemented, the sensitive data input from the sensitive data source and buffered will be broadcast out through the SDB bus on the output side, thereby transmitting the past to the designated sensitive data terminal.
Referring to FIG. 5, a dispatch mask for a one pass dispatch operation whose trigger implementation is conditioned on satisfaction of:
1) The guard enable of a certain DPU unit (hereinafter referred to as target DPU) is activated, i.e. the guard enable bit prot_en of the corresponding user register sdctl_dpu_ctrl of this DPU unit is set to 1, i.e. sdctl_dpu_ctrl.prot_en is set to 1;
2) The sdctl_dpu_prop register of the target DPU unit has been set to 1 for that bit that specifies the source of the nonce. It should be noted that, in the embodiment of the present invention, it is assumed that there are T non-software type sensitive number sources in total in the system, and in addition, the hardware logic is naturally aware of the index number value of Ren Yimin number sources, that is, as long as the corresponding bit of the specified sensitive number source in the sdctl_dpu_pro register is set to 1, the DPU unit is activated for the distribution mask of the specified sensitive number source;
3) The sdl_addr address (i.e., the memory address of the distribution destination) given by the sensitive number source during the distribution transfer is specified to fall within the protection scope of the target DPU unit (see addr_mask, bse_addr, ext_addr bit fields of sdctl_dpu_ctrl register).
In practice, different multiple target DPU units may be mapped with a single specified sensitive number source and their respective distribution protection ranges configured. At this point, their distribution masks are of course each implemented, and the corresponding DPU unit protection state may be set accordingly (see SDCTL_SR register).
A set of output ports corresponding to each on-chip sensitive number end: the physical interface implementation corresponding to the SDB proprietary bus protocol described earlier.
In practice, in the foregoing description of the bit widths of the SDB_WREN and SDB_ADDR interface signals, they are each R, (n+i+v) bits wide. This is a redundant arrangement from a functional point of view. It should be noted that, for a given sensitive digital terminal, the necessary condition for receiving and distributing transmission data is (here, no matter how the WAIT mechanism is used): the received SDB_WREN signal corresponding to a single bit is valid, and a certain bit section of the received SDB_ADDR signal with multiple bits is enough to enable a designated sensitive number end to divide how multiple transmissions corresponding to one-time distribution operation should be stored separately, and is beneficial to fault monitoring in the distribution transmission process. 6-7, the transmitting end index value and the receiving end address value may be updated only in a very small amount in a plurality of transmissions distributed in one pass, and for the portion which is not updated, check value comparison is performed for a plurality of times, so that the effect of fault monitoring is improved more favorably.
The principle of monitoring is briefly described as follows:
on the input side of the distribution operation: a single sensitive digital source will provide a full length (i.e., n bits) bit width during the entire transmission of a single pass distribution, with each transmission varying in sequence of sensitive digital end memory space addressing signals. Such as: distributing 128 bits of sensitive data from a sensitive data source A to a sensitive data terminal B, wherein single distribution transmission only involves 32 bits; again assuming n=16; then the transmission address of the sensitive number source a to the sensitive number terminal B is 1230H, 1231H, 1232H, 1233H (assumed) in that order four times; the system also defines a receiving memory area for the sensitive end B that is only as large as 128 bits (i.e., it only requires so much sensitive data). Thus, from the perspective of the sensitive end B, it suffices to arrange for the separate storage of four 32-bit data, as long as it receives the corresponding valid sdb_wren signal, and only 2 bits (instead of the full length n bits) of address signal. Thus, if only k bits of address signals are needed to arrange separate storage of data with corresponding granularity, only k bits of address signals are needed to be received and sequentially changed to arrange storage, so k can be used to represent the number of separate storage times when sensitive data is stored with preset storage granularity, generally k is not greater than full length n, for example, when 128 bits of data are stored with 32 bits wide granularity in the example, only 2 bits of address signals are needed to complete separate storage of 4 granularity data, and full bit length (i.e. n=16 bits) is not needed. In addition, the full-length receiving end storage addressing signal is used for judging whether the full-length receiving end storage addressing signal falls in the protection range of the target DPU unit or not, and generating a corresponding addressing reference check value, wherein the addressing reference check value and the full-length addressing signal are broadcast and distributed on the SDB bus together;
On the output side of the dispense operation: on the premise that a certain sensitive number end detects that the SDB_WREN signal of a corresponding single bit is valid, detection analysis and verification of the received SDB_ADDR address signal are developed.
Among others, detection and verification includes, but is not limited to:
1) Detecting an address bit segment which is n bits long and corresponds to a self storage area in the received SDB_ADDR signal, and judging whether the address bit segment is an addressing space legally defined by a system for a local sensitive digital terminal; if the address bit segment is found not to belong to the legal addressing space of the local sensitive digital terminal, the local sensitive digital terminal should shield the receiving of the transmitted sensitive data and empty the sensitive data storage area of the local sensitive digital terminal;
2) Detecting an index value bit segment of an i-bit length corresponding to an on-chip sensitive number source in the received SDB_ADDR signal, and judging whether the index value bit segment is a sensitive number source legally defined by a system for a local sensitive number end; if the index value of the sensitive number source is found not to belong to a legal source defined for the sensitive number end, the sensitive number end should shield the receiving of the transmitted sensitive data and empty the sensitive data storage area of the sensitive data;
3) And comparing and checking the reference check value of v bits in the received SDB_ADDR signal, which corresponds to the other two sub-bit sections, namely comparing the received reference check value with the received real-time calculation check value of the other two sub-bit sections, and if the two values are found to be inconsistent, the sensitive digital terminal should shield the receiving of the transmitted sensitive data and empty the sensitive data storage area of the sensitive data.
In the invention, the calculation source objects of the two check values are all sub-bit section signals with the full length of bit width (one n bit and one i bit), and compared with sub-bit section signals with less bit width after redundancy elimination, the attack resistance performance in cryptography is improved;
in addition, if a malicious attacker wants to implement a bypass attack in terms of real-time verification, the two verification values are driven to be always equal simultaneously in the whole transmission process of one-pass distribution operation, which is definitely very difficult based on the current fault injection attack technology.
Referring to FIG. 1, a corresponding output indication signal is provided to the SOC system after some anomalies are detected, including but not limited to:
sdctl_intreq: when the abnormality of 'the DPU configuration has real-time check fault' is detected, an interrupt request signal is sent to the CPU core;
sdctl_rstreq: when the abnormality of 'the DPU configuration has real-time check fault' is detected, a reset request signal is sent to the SOC system;
sdctl_dpusta: a status indication signal of whether each DPU protection unit triggers a protection operation;
sdctl_dpuverr: each DPU protection unit monitors an abnormal status indication signal of "the DPU configuration is checked for faults in real time". Wherein, it is generally considered that the real-time verification failure of the DPU configuration does not directly lead to the distribution shielding of the target, but rather attempts to drive the DPU configuration to return to normal by sending an interrupt to the CPU core or requesting a reset to the SOC;
In practice, specific checking mechanisms for the other two bit segments of SDB_ADDR include, but are not limited to: parity checking and cyclic redundancy code checking. The corresponding reference check value is generated by hardware logic of the SDCTL module when the input data of the sensitive data source is effectively cached; the real-time calculation check value is generated by the hardware logic of the target sensitive number end in real time during the multiple transmission of the distribution and reception.
Specific verification mechanisms for verifying the DPU configuration in real-time include, but are not limited to: parity checking and cyclic redundancy code checking. The corresponding reference check value is generated by the hardware logic of the SDCTL _ UREG sub-module when the configuration registers of the DPU unit are effectively configured via the system bus; while the real-time calculated check value is also repeatedly and continuously generated by the hardware logic of the SDCTL _ UREG sub-module during non-system bus configuration. Once the reference check value generated during bus configuration is found to be inconsistent with the real-time calculated check values repeatedly generated during the rest of the time, a real-time check failure is considered to occur (typically because a malicious attacker successfully deployed an intrusive tamper attack on the register).
In the following, some examples are schematically illustrated as follows:
as shown in fig. 1, a schematic circuit diagram of an SDB-specific bus and SDCTL controller of an embodiment of the invention. The components of the composite material comprise: the system comprises an SOC system general bus 1, sensitive data providing sources 21-23, an SDCTL controller module 3, an SDB special distribution bus 4, sensitive data receiving ends 51-53, other miscellaneous indication signal groups 6 and the like.
In the industry of semiconductor SOC chips, the system bus architecture generally includes two main types of internal components of the chip, namely a bus master and a bus slave. The master device acts as a global regulator, a common example being the CPU processor of each large CPU vendor, such as the Cortex-M3 core of ARM. The slave device is wrapped around the master device and acts as a peripheral function device (hereinafter simply referred to as a peripheral), and common examples are various communication protocol controllers (such as I2C/SPI/UART/USB), various on-chip memory modules (such as SRAM/OTP/eFlash), and various cryptographic processing hardware engines (such as AES/RSA/SM 3). The component of the SOC system universal bus 1 described in the present invention is an on-chip component that connects several bus masters and bus slaves together in a system bus architecture.
The main side of the SOC system universal bus 1 is connected to a bus master, such as a connectable CPU core (a CPU processor may be composed of 1 or more CPU cores of the same structure) or a DMA host. The slave side of the SOC system universal bus 1, in the present invention, is connected to the SDCTL controller module 3. Such a system connection architecture provides feasibility and high efficiency (not explained here in principle) for read-write access by any system master to SDCTL controller module 3.
As shown in SDCTL _ UREG sub-block 30 in fig. 1, which is one of the sub-components of SDCTL controller block 3, logic circuitry is mainly integrated that implements the user registers required for this peripheral of SDCTL controller block 3.
As shown in fig. 2, these user registers include, but are not limited to:
several sets of sdctl_dpu_pro registers 300 and sdctl_dpu_ctrl registers 301, wherein one set of pro+ctrl registers corresponds to one DPU unit, so the total number of sets is the number of integrated DPU units, such as N shown in fig. 2.
Sdctl_dpu_prop register 300: for controlling the distribution mask enable of a single DPU unit for each sensitive number source.
As shown in fig. 3-4, the [ T:1] bit segment (bit field) of sdctl_dpu_pro register 300 is enabled for each distribution mask of T total number of sensitive number sources corresponding to the target DPU unit. Somewhat specifically, the [0] bit field of SDCTL_DPU_PROP register 300 is either defined as a reserved field or as a number 0 sensitive number source (i.e., the optional software sensitive number source) is distribution mask enabled.
Sdctl_dpu_ctrl register 301: protection enable, protection configuration update lock, and protected memory space range for controlling a single DPU unit. In the embodiment of the present invention shown in fig. 3 to 4, the bit width of the SOC system universal bus is assumed to be 32 bits, so the size of the user register is typically 32 bits. If the bit width "n" of the addressing signal of the sensitive digital end memory space according to the present invention is not greater than 14, all sdctl_dpu_ctrl register bit fields associated therewith may be arranged in a standard size (e.g., 32 bits) user register.
An example of a bit width of 32 is shown in fig. 4:
the SDCTL_DPU_CTRL [31] bit field is defined as the protection configuration update lock of the present DPU unit, and is named prot_lock. When the DPU unit is configured as a valid value, a group of PROP+CTRL registers corresponding to the DPU unit can not be configured and updated any more;
the SDCTL_DPU_CTRL [30] bit field is defined as the protection enable of the present DPU unit, named prot_en. When it is configured as a valid value, the protection operation of the present DPU unit is considered to have been activated (it is one of the masking conditions for one pass of the distribution operation);
the three bit distributions SDCTL_DPU_CTRL [29]/[2n-1:n ]/[ n-1:0] are named addr_mask/ext_addr/bse_addr, and are combined to be defined as the storage space protection range setting bit domain of the DPU unit.
Specifically:
when addr_mask is configured to 0, the protection range is SDL_ADDR ε [ bas_addr, (bas_addr+ext_addr) ], referred to as an offset setting;
when addr_mask is configured to be 1, the protection range is
{ (bas_addr & ext_addr) = (sdl_addr & ext_addr) }, referred to as mask-type setting;
for example: if n=12, sdl_addr=423H, bas _addr=1a0h, when add_mask=0, ext_addr=024H, the protection range is sdl_addr e [1a0h,1c4h ]; and when add_mask=1, ext_addr=fc0h, the protection range is sdl_addr e [180H,1bfh ].
Sdctl_cr register 302: some of the more common control configurations for SDCTL modules are provided. Such as checking in real time for monitored DPU configurations whether a fault is to report an interrupt to the CPU core and/or whether a reset enable signal is to be requested to the SOC system, and optionally the distribution target sensitive end memory space address of the software sensitive source.
Sdctl_sr register 303: some general status indication of SDCTL modules is provided. Such as an indication of the operating state of an integrated DPU unit, the validity of any one of its bits indicates that the "masking condition of the corresponding DPU unit for a certain pass of the distribution operation has been met", i.e. the corresponding DPU unit is considered to have been protected.
As shown in sdctl_dbuf data cache sub-block 31 of fig. 1, which is one of the optional sub-components of SDCTL controller block 3, logic circuitry is primarily integrated to implement the caching and associated control of sensitive data originating from SOC system universal bus 1. In the limit, the buffering here may only provide a buffer space for a set of sensitive data.
The control involved includes at least two major items:
atomicity guarantees: the data provision of the sensitive data sources must be implemented at a specified granularity, and a complete set of sensitive data must also be provided in a specified order and traversal, as well as possibly other additional assurance policies.
For example, assuming that the capacity of a set of sensitive data of the sensitive number source is 192 bits and the write granularity of the SOC system universal bus 1 is 32 bits at maximum, at least six write accesses of the system bus are required to complete the data distribution transmission on the input side.
Wherein "data provision of the sensitive number source must be performed at a specified granularity" means that write accesses to the system bus must be at a granularity of 32 bits, and write accesses at other granularities should not be accepted;
"also having to provide a complete set of sensitive data in the specified order and traversably" means that the write accesses of the six system buses must exactly match 6 sequentially varying granularity addresses (1 granularity increment at a time from the lowest address or 1 granularity decrement at a time from the highest address);
"other possible additional assurance policies" refer primarily to some security assurance actions triggered after an anomaly is detected that requires normal distribution transmission actions of the sensitive digital source.
Security assurance actions, which include but are not limited to:
when the distribution transmission write access of the odd sequence granularity of a group of sensitive data, the adjacent even sequence cache space of the corresponding cache is also emptied. Taking this example, the 2/4/6 th granularity cache space is also emptied while the 1/3/5 th granularity data is cached (the 2/4/6 th granularity cache space is generally old content);
And (3) granularity conversion treatment: the method can accept the source data providing granularity different from the SDB distribution transmission granularity, and finally distributes a group of sensitive data to a designated sensitive number end at the output side with uniform transmission granularity. For example, assuming that the capacity of a set of sensitive data of the sensitive number source is 192 bits, the write granularity of the SOC system universal bus 1 is 32 bits, and the distribution transmission granularity of the output side SDB bus is 48 bits, the 32→48 bit conversion can be completed by the granularity conversion process here.
As shown in sdctl_arbit arbitration sub-block 32 in fig. 1, which is one of the sub-components of SDCTL controller block 3, logic circuitry is primarily integrated that implements input arbitration and data caching for different sensitive number sources within the chip.
The sdctl_arbit arbitration sub-module 32 functional characteristics include at least two major items:
atomicity assurance +: the "atomic assurance" feature, as described above, and assurance that the current set of sensitive data will not respond to receipt of a new set of input data (typically from another input port) until all of it has been received;
priority control: in the scene that a plurality of on-chip sensitive number sources can trigger a distribution operation at the same time, the plurality of sensitive number sources are subjected to one-to-one priority response processing based on a certain priority setting and arbitration algorithm.
As shown in sdctl_dpu security sub-module 33 of fig. 1, which is one of the sub-components of SDCTL controller module 3, the main integration implements logic circuitry that implements mask protection for arbitrated passes of dispatch operations based on DPU protection configuration.
As shown in fig. 5, the masking condition of the target DPU unit for one pass of the dispatch operation is the simultaneous satisfaction of three cases:
the protection enable specifying the DPU is activated, i.e., the prot_en bit field of the corresponding SDCTL_DPU_CTRL register is configured to be 1;
the distribution mask of the specified sensitive data source is activated, i.e., the bit (hereinafter abbreviated as pro i) in the corresponding sdctl_dpu_pro register that matches the specified sensitive data source is configured to be 1;
the destination address of the set of distributed transmissions is within the protection range of the specified DPU.
As shown in fig. 1, the circuit signal transmitted from sdctl_ureg sub-module 30 to sdctl_dpu security sub-module 33 mainly includes the register values corresponding to prot_en and prop [ i ] bit fields described in the previous section; if the optional sdctl_dbuf data cache sub-module 31 has an integrated implementation, it also includes the register value of the dispatch target-sensitive-side memory space address of the software-sensitive-source originating from the sdctl_cr register.
As shown in fig. 1, the circuit signals output from sdctl_dbuf data cache sub-module 31 to sdctl_dpu security sub-module 33 consist essentially of SDL proprietary bus interface signals from a software-based sensitive digital source, possibly granularity converted, as described above.
As shown in fig. 1, the circuit signals output from sdctl_arbit arbitration sub-module 32 to sdctl_dpu security sub-module 33 consist essentially of SDL proprietary bus interface signals from a non-software sensitive digital source, possibly processed by priority arbitration, as described previously.
As shown by SDB proprietary distribution bus 4 in fig. 1, which is one of the components of the present invention, the logic circuitry that primarily integrates the distribution and transmission of sensitive data from SDCTL controller module 3 to sensitive data receivers 51/52/53.
The class 4 interface signals contained by the corresponding SDB proprietary distribution bus are referred to in the previous examples and are not expanded.
As the other miscellaneous indication signal group 6 in fig. 1, which is optional as one of the components of the present invention, the logic circuit for giving an indication signal to the SOC system after the detection of the abnormality is mainly integrated. Reference is made to the previous examples for the output indication signal concerned, and no description will be given.
As shown in fig. 6, is a schematic diagram of the real-time verification for the DPU protection configuration. The corresponding reference check value is generated by hardware logic of the sdctl_ureg sub-module when the protection configuration registers of the DPU unit are effectively configured through the system bus; while the real-time calculated check value is also repeatedly and continuously generated by the hardware logic of the SDCTL _ UREG sub-module during non-system bus configuration. Once the reference check value generated during bus configuration is found to be inconsistent with the real-time calculated check values repeatedly generated at the rest of time, a real-time check failure is considered to occur (note: the general cause is that a malicious attacker successfully performs an invasive tamper attack on the register).
As shown in fig. 7, is a schematic diagram of the real-time verification for the sdb_addr signal. The corresponding reference check value is generated by hardware logic of the SDCTL module when the input data of the sensitive data source is effectively cached; the real-time calculation check value is generated by the hardware logic of the target sensitive number end in real time during the multiple transmission of the distribution and reception.
Based on the same inventive concept, the application also provides a sensitive data transmission system.
Referring to fig. 1 for illustration, a sensitive data transmission system includes: a number of sensitive data sources (such as sensitive data sources 21-23 illustrated in fig. 1), a sensitive data transfer bus architecture (such as SDB proprietary distribution bus 4 illustrated in fig. 1) as described in any of the foregoing examples, a sensitive data transfer control logic circuit (such as SDCTL controller module 3 illustrated in fig. 1) as described in any of the foregoing examples, an on-chip universal bus (i.e., SOC system universal bus 1 illustrated in fig. 1), and a number of sensitive data sinks (such as sensitive data sources 51-23 illustrated in fig. 1).
The sensitive data transmission control logic circuit comprises a sensitive data transmission control logic circuit, a universal bus, a user register submodule, a security submodule and a sensitive data terminal, wherein the sensitive data source is connected with an input port of the sensitive data transmission control logic circuit, the universal bus is connected with the user register submodule of the sensitive data transmission control logic circuit, and the security submodule of the sensitive data transmission control logic circuit is connected with the sensitive data terminal through a sensitive data transmission bus architecture.
It should be noted that, each module in the system may refer to the foregoing examples, and will not be further described.
In this specification, identical and similar parts of the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the description is relatively simple for the embodiments described later, and reference is made to the description of the foregoing embodiments for relevant points.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions easily conceivable by those skilled in the art within the technical scope of the present application should be covered in the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (18)
1. A sensitive data transfer bus architecture for use in sensitive data transfer between a sensitive digital source and a sensitive digital side within a chip, the sensitive data transfer bus architecture comprising:
a transmission write enable signal interface, wherein the transmission write enable signal interface is used for transmitting an enable signal of one-pass distribution operation of a group of sensitive data, the bit width of the transmission write enable signal is R and is valid in a single-hot mode, R represents the number of sensitive data terminals, and the sensitive data terminals are receiving terminals of the sensitive data;
The address data signal interface is used for transmitting operation data corresponding to the distribution operation, the operation data comprises an index number of a sensitive number source corresponding to the sensitive data, an address signal of a sensitive number end storage space, a first reference check value of the index number and a second reference check value of the address signal, the bit width of the address data signal interface is n+i+v, and n is the bit width of the address signal; i is the bit width of the index number; v is the bit width of the first reference check value and the second reference check value;
the sensitive data signal interface is used for transmitting sensitive data with the distribution operation corresponding to a preset bit width;
and the feedback waiting signal interface is used for setting a busy feedback signal when the sensitive data end is not ready to receive the sensitive data corresponding to the distribution operation, when the busy feedback signal is valid, the single transmission with the current granularity is not executed, and when the busy feedback signal is invalid, the single transmission is executed again.
2. The sensitive data transfer bus architecture of claim 1, wherein the address data signal interface has a programmable bit width; and/or, the bit width of the sensitive data signal interface is a programmable bit width.
3. The sensitive data transfer bus architecture of claim 2, wherein the bit width of the sensitive data signal interface is no greater than a minimum value of a single set of sensitive data amounts for all sensitive data sources, so as to facilitate uniformly distributing transfers to a plurality of sensitive data sources having different single set of sensitive data amounts.
4. The sensitive data transfer bus architecture of claim 1, wherein the operation data transferred by the address data signal interface is to: and when the target sensitive number terminal receives that the corresponding enabling signal bit in the transmission write enabling signal interface is valid, detecting and storing the data according to part or all of the received data in the operation data.
5. The sensitive data transfer bus architecture of claim 4, wherein performing post-detection storage processing based on some or all of the received data in the operation data comprises:
detecting the addressing signals with n bits in the operation data and address bit segments corresponding to the storage areas, and shielding and receiving the sensitive data and emptying the sensitive data storage areas when the addressing signals are not in the addressing space corresponding to the sensitive data end;
And/or detecting index numbers with i bit length and index value bit sections of on-chip sensitive number sources in the operation data, and shielding and receiving the sensitive data and emptying a sensitive data storage area of the sensitive data when the index number sensitive number sources are found not to be legal corresponding to the local sensitive number end;
and/or comparing and checking the first reference check value and the second reference check value with v bit length in the operation data with a real-time check value generated by self calculation, and shielding and receiving the transmitted sensitive data and emptying a sensitive data storage area of the self when a check result is inconsistent, wherein the real-time check value is the check value generated by the real-time calculation of the sensitive data end according to the actually received addressing signal and the index number.
6. The sensitive data transfer bus architecture of claim 4, wherein the address signals transferred by the address data signal interface are further to: in the sensitive data source of the distribution operation, a single sensitive data source provides addressing signals of the sensitive data end storage space with the bit width and the full length in a one-time distribution process in a concomitant mode and sequentially changes in each transmission, so that the target sensitive data end stores sensitive data based on valid bits of the transmission write enable signal interface and k-bit data in the addressing signals of the sequentially changing sensitive data end storage space, k is used for representing the separated storage times when the sensitive data are stored according to preset storage granularity, and k is not more than n.
7. The sensitive data transmission bus architecture according to claim 1, wherein the first reference check value and/or the second reference check value is a check value based on any one of the following check means: parity checking and cyclic redundancy code checking.
8. The sensitive data transfer bus architecture of claim 7, wherein the first reference check value and/or the second reference check value are generated when a sensitive data source inputs data to the sensitive data signal interface.
9. The sensitive data transmission bus architecture according to any of claims 1-8, further comprising a monitoring interface, wherein the monitoring interface is configured to generate an anomaly indication signal, so that the target sensitive digital terminal can determine whether to receive or mask the current distribution transmission by itself based on whether the anomaly indication signal is set up or not and a predefined response mechanism.
10. A sensitive data transfer control logic circuit, disposed within a chip and between a sensitive data source within the chip and a sensitive data transfer bus architecture as claimed in any one of claims 1 to 9, the sensitive data transfer control logic circuit comprising: the system comprises a user register sub-module, a security sub-module, an arbitration sub-module and an input port corresponding to the sensitive number source;
The input port is used for connecting a sensitive number source;
the arbitration submodule is used for arbitrating sensitive number sources of a plurality of input ports;
the configuration register comprises at least one pair of register groups, each pair of register groups comprises a security distribution shielding enabling register and a security control register, the security distribution shielding enabling register is used for configuring a legal sensitive number source corresponding to the security unit, and the security control register is used for configuring a legal sensitive number end corresponding to the security unit; the user register sub-module is connected with a universal bus in the chip so that the chip can configure the register set;
and each security unit of the security sub-module is used for distributing and protecting the transmission process of the sensitive data transmitted by the digital end of the sensitive data source Xiang Min after the arbitration of the arbitration sub-module according to the configuration data corresponding to the register group.
11. The sensitive data transmission control logic of claim 10, wherein distributing protection comprises:
when determining that the target sensitive number source is distributed and shielded according to the configuration data corresponding to the register group, the security sub-module controls the arbitration sub-module so that the cache of the arbitration sub-module is not written into the sensitive data which is currently input;
And/or when the fact that the target sensitive number source does not need to be distributed and shielded is determined according to the configuration data corresponding to the register group, the security sub-module controls the arbitration sub-module to enable the cache of the arbitration sub-module to input sensitive data from the sensitive number source, and the sensitive data cached by the arbitration sub-module is distributed and transmitted to the sensitive number terminal in a broadcasting mode through the sensitive data transmission bus architecture.
12. The sensitive data transmission control logic of claim 10, wherein the triggering of the distribution protection for one pass of the distribution operation satisfies the following condition: and setting the security enabling bit in the security control register to be 1, setting the bit of the security distribution shielding enabling register corresponding to the appointed sensitive number source to be 1, and setting the sensitive number end storage space address given by the appointed sensitive number source during distribution transmission to be in the protection range of the target security unit.
13. The sensitive data transmission control logic circuit according to claim 10, wherein the security control register is further configured to configure a legal sensitive digital terminal corresponding to the security unit, including: and configuring protection enabling corresponding to the legal sensitive digital terminal, updating and locking protection of protection configuration and protecting a storage space range, wherein the security control register comprises 1-bit protection enabling, 1-bit protection configuration updating and locking protection and multi-bit storage space protection range setting bit fields.
14. The sensitive data transmission control logic of claim 13, wherein the multi-bit memory space protection range setting bit field comprises: a 1-bit address mode configuration bit, a multi-bit base address and a multi-bit extra address; when the address mode configuration bit is set to 0, the protection range of the storage space is an address range from a basic address to an additional address; when the address mode configuration bit is set to 1, the memory space protection range is an address range formed by the logical AND result of the memory space protection address and the additional address and the spatial address of which the logical AND result of the base address and the additional address are equal.
15. The sensitive data transmission control logic of claim 10, wherein each security unit of the security sub-module is further configured to perform validity monitoring of real-time verification during an entire transmission process of a one-pass dispatch operation according to configuration data corresponding to the register set, and output fault information.
16. The sensitive data transmission control logic of claim 15, wherein the real-time check validity monitoring comprises any one or more of:
Determining whether the sensitive number source is legal or not according to the configuration register of each security unit;
determining whether the sensitive number end is legal or not according to the configuration register of each security unit;
determining whether the protection enabling is modified according to the configuration register of each security unit;
and determining whether the protection address range is legal or not according to the configuration register of each security unit.
17. The sensitive data transmission control logic according to any one of claims 10-16, further comprising a data buffering sub-module, wherein the data buffering sub-module is configured to provide a buffering space for sensitive data to implement a pre-set granularity conversion process and/or priority transmission control based on the buffering space.
18. A sensitive data transmission system, comprising:
a sensitive number source;
the sensitive data transfer bus architecture of any of claims 1-9;
the sensitive data transmission control logic of any of claims 10-17;
a universal bus within the chip;
a sensitive number end;
the sensitive data transmission control logic circuit comprises a sensitive data transmission control logic circuit, a universal bus, a user register submodule, a security submodule and a sensitive data terminal, wherein the sensitive data source is connected with an input port of the sensitive data transmission control logic circuit, the universal bus is connected with the user register submodule of the sensitive data transmission control logic circuit, and the security submodule of the sensitive data transmission control logic circuit is connected with the sensitive data terminal through a sensitive data transmission bus architecture.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311719310.4A CN117633920A (en) | 2023-12-13 | 2023-12-13 | Sensitive data transmission bus architecture, control logic circuit and transmission system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311719310.4A CN117633920A (en) | 2023-12-13 | 2023-12-13 | Sensitive data transmission bus architecture, control logic circuit and transmission system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117633920A true CN117633920A (en) | 2024-03-01 |
Family
ID=90016291
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311719310.4A Pending CN117633920A (en) | 2023-12-13 | 2023-12-13 | Sensitive data transmission bus architecture, control logic circuit and transmission system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117633920A (en) |
-
2023
- 2023-12-13 CN CN202311719310.4A patent/CN117633920A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11403014B2 (en) | Managing privileges of different entities for an integrated circuit | |
| US20200125756A1 (en) | Implementing access control by system-on-chip | |
| KR101010801B1 (en) | Method and apparatus for determining access permission | |
| CN210052161U (en) | Processing system, integrated circuit and microcontroller | |
| US20100106954A1 (en) | Multi-Layer Content Protecting Microcontroller | |
| US11256520B2 (en) | Tracing status of a programmable device | |
| CN111295645B (en) | SoC chip and bus access control method | |
| US20150161408A1 (en) | Protecting Information Processing System Secrets From Debug Attacks | |
| US20080072070A1 (en) | Secure virtual RAM | |
| CN109644129B (en) | Thread ownership of keys for hardware accelerated cryptography | |
| JP2022541662A (en) | Non-volatile memory devices with regions having individually programmable secure access features, related methods and systems | |
| US11544413B2 (en) | Cryptographic key distribution | |
| US11886717B2 (en) | Interface for revision-limited memory | |
| US8397081B2 (en) | Device and method for securing software | |
| US10949570B2 (en) | Processing system, related integrated circuit and method | |
| US10169616B1 (en) | Cryptographic processing of data and instructions stored off-chip | |
| CN117633920A (en) | Sensitive data transmission bus architecture, control logic circuit and transmission system | |
| US20230140975A1 (en) | Memory system verification | |
| KR20170138412A (en) | A device for managing a plurality of accesses to a security module of a system on chip of a device | |
| US20230208821A1 (en) | Method and device for protecting and managing keys | |
| JP2004070740A (en) | Data output limiting device, circuit element and data output limiting method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |