CN117980907A - Secure programming of one-time programmable (OTP) memory - Google Patents
Secure programming of one-time programmable (OTP) memory Download PDFInfo
- Publication number
- CN117980907A CN117980907A CN202380013573.5A CN202380013573A CN117980907A CN 117980907 A CN117980907 A CN 117980907A CN 202380013573 A CN202380013573 A CN 202380013573A CN 117980907 A CN117980907 A CN 117980907A
- Authority
- CN
- China
- Prior art keywords
- lifecycle
- electronic device
- life cycle
- phases
- otp
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000007704 transition Effects 0.000 claims abstract description 63
- 230000004044 response Effects 0.000 claims abstract description 15
- 238000000034 method Methods 0.000 claims description 92
- 230000006870 function Effects 0.000 claims description 61
- 230000008569 process Effects 0.000 description 12
- 238000004519 manufacturing process Methods 0.000 description 6
- 238000012795 verification Methods 0.000 description 6
- 229910052710 silicon Inorganic materials 0.000 description 4
- 239000010703 silicon Substances 0.000 description 4
- 238000004891 communication Methods 0.000 description 3
- 238000011161 development Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 2
- 230000002427 irreversible effect Effects 0.000 description 2
- 230000002093 peripheral effect Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 101150051405 MFG1 gene Proteins 0.000 description 1
- 230000009471 action Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 239000002184 metal Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Landscapes
- Techniques For Improving Reliability Of Storages (AREA)
Abstract
An electronic device may have a plurality of defined lifecycle phases and a one-time programmable (OTP) memory including a plurality of lifecycle bits, wherein respective bit patterns of the lifecycle bits may correspond to respective lifecycle phases of the defined lifecycle phases. The electronic device may also have a boot code stored in the read-only memory and executable by the processor to receive a request to transition from a current life cycle stage to a next life cycle stage, and in response to the received request, automatically generate a bit pattern corresponding to the next life cycle stage of the plurality of defined life cycle stages, and program the bit pattern corresponding to the next life cycle stage of the plurality of defined life cycle stages in the OTP memory during a time when the OTP memory is not accessible by the user.
Description
Priority
The present application claims priority from U.S. provisional patent application No. 63/311,331, filed 2/17 at 2022, the contents of which are hereby incorporated by reference in their entirety.
Technical Field
The present disclosure relates to electronic device pre-configuration (provisioning), and more particularly to a system and method for managing a lifecycle of an electronic device through secure programming of one-time programmable (OTP) memory of the electronic device.
Background
Conventional techniques for OTP memory programming of information during configuration of a device (e.g., chip) typically provide visibility of the entire configuration memory map, thus opening the OTP memory to attacks, e.g., to change the device configuration. Different steps in a typical device life cycle (including, for example, manufacturing, development, and customer programming by third parties) may require access to OTP memory. Thus, without controlled measures, all OTP areas may be accessible and vulnerable. For example, the factory mode configuration area may be changed at a later stage in the equipment life cycle, which may lock or unlock features that are not intended for a particular production line.
The present disclosure provides an irreversible lifecycle system for secure one-time programming of an electronic device over a plurality of defined lifecycle phases, wherein access to various resources of the electronic device may be restricted based on a current lifecycle.
Disclosure of Invention
According to one example, a system may include an electronic device. The electronic device may be a server, a device associated with a server, or a computing platform, and the system may be a secure boot controller for the server, the device associated with a server, or the computing platform. An electronic device may have a plurality of defined lifecycle stages and may include a one-time programmable (OTP) memory having a plurality of lifecycle bits. The respective bit patterns of the plurality of life cycle bits may correspond to respective life cycle phases of the plurality of defined life cycle phases. The electronic device may also have a boot code stored in a Read Only Memory (ROM). The boot code is executable by the processor to receive a request to transition from a current life cycle stage of the plurality of defined life cycle stages to a next life cycle stage of the plurality of defined life cycle stages. A request to transition from a current life cycle stage of the plurality of defined life cycle stages to a next life cycle stage of the plurality of defined life cycle stages may be received via a physical port of the electronic device or via firmware loaded onto the electronic device. According to one example, the request to transition from a current life cycle phase of the plurality of defined life cycle phases to a next life cycle phase of the plurality of defined life cycle phases may be a signed command. The boot code may be further executable to automatically generate a bit pattern corresponding to a next one of the plurality of defined lifecycle phases in response to the received request and program the bit pattern corresponding to the next one of the plurality of defined lifecycle phases in the OTP memory during a time when the OTP memory is not accessible by the user. In one example, the time that the OTP memory is not accessible by the user may be during a subsequent reset of the electronic device, which may be a device reset, reboot, or power cycle of the electronic device. According to one example, a boot code in the OTP memory that programs a bit pattern corresponding to a next life cycle phase of the plurality of defined life cycle states causes a transition from a current life cycle phase of the plurality of defined life cycle phases to the next life cycle phase of the plurality of defined life cycle phases.
In one example, the boot code may automatically generate the device unique information in response to the received request and program the device unique information in the OTP memory during a time when the OTP memory is not accessible to the user.
In one example, for a respective life cycle stage of the plurality of defined life cycle stages, the boot code makes available to the user a corresponding respective set of available functions that may be executable during the respective life cycle stage of the plurality of defined life cycle stages. According to one example, a respective set of available functions that may be executable during a first life cycle phase of the plurality of defined life cycle phases includes a first function; and a respective set of available functions that may be executable during a second life cycle phase of the plurality of defined life cycle phases may exclude the first function.
Another example provides a system that may include an electronic device having an OTP memory, where the OTP memory may include a plurality of life cycle OTP bits. The life cycle bitmap may be associated with a plurality of defined life cycle phases of the electronic device. The life cycle bitmap may specify a plurality of life cycle OTP bit patterns, wherein respective life cycle OTP bit patterns may correspond to respective life cycle phases of the electronic device. The life cycle function data may specify a set of available functions for a respective life cycle stage. The specified set of available functions for the respective lifecycle stage defines functions that may be executable during the respective lifecycle stage of the electronic device. The specified set of available functions for the respective first lifecycle stage may be different from the specified set of available functions for the respective second lifecycle stage. The example system may include boot code that may be stored in read-only memory. The boot code is executable by the processor to manage the pre-configuration of the electronic device through a series of lifecycle stages. The boot code may be executable by the processor to selectively program the plurality of life cycle OTP bits over time during times when the OTP memory is not accessible to the user to advance the electronic device through the series of life cycle phases. The boot code may be executable by the processor to allow access to only the set of available functions specified by the lifecycle function data for the respective first lifecycle stage when the electronic device is operating in the respective first lifecycle stage.
In one example, the boot code may be executable by the processor to automatically generate the device unique information and program the device unique information in the OTP memory during a time when the OTP memory is not accessible to the user.
According to one example, the boot code may be executable by the processor to selectively program the plurality of lifecycle OTP bits over time to advance the electronic device through the series of lifecycle stages in response to the signed command.
Another example provides a method for an electronic device having an OTP memory, a plurality of defined lifecycle stages, and a plurality of defined functions. The method may include: access to the first set of the plurality of defined functions is provided when the electronic device is in a first one of the plurality of defined lifecycle phases. The method may include: a request to transition an electronic device from a first life cycle phase of the plurality of defined life cycle phases to a second life cycle phase of the plurality of defined life cycle phases is received. In one example, a request to transition an electronic device from a first life cycle phase of the plurality of defined life cycle phases to a second life cycle phase of the plurality of defined life cycle phases may be received via a physical port of the electronic device or via firmware loaded onto the electronic device. In one example, the request to transition the electronic device from a first life cycle phase of the plurality of defined life cycle phases to a second life cycle phase of the plurality of defined life cycle phases may be a signed command. The method may include: in response to a received request to transition the electronic device from a first one of the plurality of defined lifecycle phases to a second one of the plurality of defined lifecycle phases, the electronic device is transitioned to the second one of the plurality of defined lifecycle phases by programming the OTP memory with information corresponding to the second one of the plurality of defined lifecycle phases during a first time period in which the OTP memory is not accessible to a user. In one example, the time that the OTP memory is not accessible by the user may be during a subsequent reset of the electronic device, which may be a device reset, reboot, or power cycle of the electronic device. The method may include: access to a second set of the plurality of defined functions is provided when the electronic device is in a second one of the plurality of defined lifecycle phases. In one example, the first set of the plurality of defined functions may include a first function and the second set of the plurality of defined functions may exclude the first function.
According to one example, the method may include: in response to a received request to transition an electronic device from a first life cycle stage of the plurality of defined life cycle stages to a second life cycle stage of the plurality of defined life cycle stages, device unique information is automatically generated and programmed in the OTP memory during a time when the OTP memory is not accessible to a user.
In one example, the method may include: after transitioning the electronic device to a second one of the plurality of defined lifecycle phases, disabling the electronic device from transitioning to the first one of the plurality of defined lifecycle phases.
In one example, the method may include: a request to transition an electronic device from a second life cycle phase of the plurality of defined life cycle phases to a third life cycle phase of the plurality of defined life cycle phases is received. The method may include: in response to a received request to transition the electronic device from a second one of the plurality of defined lifecycle phases to a third one of the plurality of defined lifecycle phases, the electronic device is transitioned to the third one of the plurality of defined lifecycle phases by programming the OTP memory with information corresponding to the third one of the plurality of defined lifecycle phases during a second time when the OTP memory is not accessible by the user. The method may include: access to a third set of the plurality of defined functions is provided when the electronic device is in a third one of the plurality of defined lifecycle phases. In one example, the method may include: after transitioning the electronic device to a third one of the plurality of defined lifecycle phases, disabling the electronic device from transitioning to a second one of the plurality of defined lifecycle phases.
Drawings
The figures illustrate example methods and systems for managing a lifecycle of an electronic device through secure programming of a one-time programmable (OTP) memory of the electronic device.
FIG. 1 illustrates a block diagram of an example system for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device.
FIG. 2 illustrates an example OTP memory that may be used to manage a lifecycle of an electronic device.
Fig. 3 illustrates an example of an effective transition from one lifecycle stage to another lifecycle stage in an electronic device.
Fig. 4 shows an example of a life cycle bitmap for an example set of nine (9) life cycle OTP bits.
Fig. 5 shows an example of using a manufacturer OTP configuration bit for a sub-phase of a lifecycle phase defined for an electronic device.
FIG. 6 illustrates an example command memory.
FIG. 7 illustrates a flow chart of an example method for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device.
FIG. 8 illustrates a flow chart of an example method for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device.
Fig. 9 a-9 f illustrate a flowchart of an example method for managing a life cycle of an electronic device through secure programming of an OTP memory of the electronic device.
FIG. 10 illustrates a flowchart of additional example operations for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device.
FIG. 11 illustrates a flowchart of additional example operations for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device.
FIG. 12 illustrates a flowchart of additional example operations for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device.
Fig. 13 shows a flowchart of an example method for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device.
The reference numerals for any illustrated element appearing in a plurality of different figures have the same meaning in the plurality of figures, and the references or discussion herein to any illustrated element in the context of any particular figure also apply to every other figure (if any) in which the same illustrated element is shown.
Detailed Description
When an electronic device (e.g., a microcontroller) is booted (e.g., powered on or after a hardware or software reset), the boot code may be loaded and executed by a processor on the device. The boot code may perform functions related to device initiation, such as initializing hardware, which may include disabling interrupts, initializing buses, setting the processor to a particular state, and initializing memory. After performing the hardware initialization, the boot code may then load the system software, for example, from the application image. The function performed by the boot code may be referred to as a boot process.
The electronic device may be capable of transitioning over time through various lifecycle stages. Various features or functions of the electronic device may be available during some lifecycle phases and may not be available during other lifecycle phases. Features and functions available during a particular lifecycle stage may relate to the security of the device. For example, a cryptographic key that may be used to verify a code running on an electronic device may be accessible during one or more lifecycle phases, but may not be accessible during other lifecycle phases. In another example, functionality that may establish or allow establishing security information for an electronic device may be available during one or more lifecycle phases, but may not be available during other lifecycle phases. In this way, the security level of the electronic device at a given time may correspond to the lifecycle phase of the electronic device at that time.
The electronic device may contain a security mechanism to prevent malicious attacks on the device. For example, because the security level of an electronic device may correspond to the lifecycle phase of the electronic device, it may contain features that prevent an attacker from changing the lifecycle phase of the electronic device.
The security features of the electronic device may be implemented using a boot code on the electronic device. In one example, the security feature may be implemented using immutable boot code. Immutable boot code, which may be referred to as a hardware trust root, may be built into the electronic device during manufacture and thus may be implicitly trusted because it cannot be modified.
For purposes of this disclosure, an electronic device may include any tool or set of tools operable to calculate, classify, process, transmit, receive, retrieve, originate, switch, store, display, manifest, detect, record, reproduce, handle, or utilize any form of information, intelligence, or data for business, scientific, control, entertainment, or other purposes. For example, the electronic device may be a personal computer, a PDA, a consumer electronics device, a network storage device, or any other suitable device, and may vary in size, shape, performance, functionality, and price. The electronic device may include memory, one or more processing resources, such as a Central Processing Unit (CPU), or hardware or software control logic. Additional components of the electronic device may include one or more storage devices, one or more communication ports for communicating with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, and a video display. The electronic device may also include one or more buses operable to transmit communications between the various hardware components.
Fig. 1 shows a block diagram of an example system 100 for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device 101. As depicted in fig. 1, system 100 may include an electronic device 101. The components of electronic device 101 may include, but are not limited to, one or more processors 160 and a system bus 121 that communicatively couples various system components including, for example, OTP memory 110, ROM 130, memory 170, I/O and port control 190, and network interface 150 to the processor 160. The system bus 121 may be any suitable type of bus structure including a memory bus, a peripheral bus, or a local bus using any of a variety of bus architectures.
Processor 160 may include any system, device, or means operable to interpret or execute program instructions or process data, and may include, but is not limited to, microprocessors, microcontrollers, digital Signal Processors (DSPs), application Specific Integrated Circuits (ASICs), or any other digital or analog circuitry for interpreting or executing program instructions or process data. In some examples, processor 160 may interpret or execute program instructions or process data stored locally (e.g., in memory 170, ROM 130, OTP memory 110, or another component of electronic device 101). In the same or alternative examples, processor 160 may interpret or execute remotely stored program instructions or process data.
OTP memory 110 (one-time programmable memory) may comprise any system, apparatus, or device that can be programmed only once and thereafter retains the programmed data. OTP memory 110 may include one-time programmable bits 120a, 120b, among others. In one example, bits 120a and 120b of OTP memory 110 may include conventional logic gates connected to metal wiring, and these connections may be paired with fuses. During programming, fuses may be blown to make these connections permanent. In this way, once programmed, OTP memory 110 may be unmodified. In one example, an unprogrammed bit (e.g., 120a, 120 b) may return a value of 0 when read by the processor 160, and a programmed bit may return a value of 1 when read by the processor 160. According to this example, once the bits 120a, 120b have been programmed with a1 value, they cannot be reprogrammed to a 0 value.
ROM 130 may include any system, device or apparatus (e.g., non-volatile memory) operable to retain program instructions or data after power to electronic device 101 is turned off. ROM 130 (e.g., boot ROM) may include boot code 140, which may be used by processor 160 during a boot process (or boot-up) of electronic device 101. According to one example, the boot code 140 may be immutable, i.e., built into the electronic device during manufacture, and thus may be implicitly trusted (e.g., a hardware trust root) because it cannot be modified. Boot code 140 may include code that performs functions including, but not limited to, functions F1 (145 a) and F2 (145 b), among others.
Memory 170 may comprise any system, device, or apparatus operable to retain program instructions or data for a period of time. Memory 170 may include random access memory (RAM, SRAM, DRAM), electrically erasable programmable read-only memory (EEPROM), PCMCIA cards, flash memory, magnetic storage, magneto-optical storage, hardware registers, or any suitable selection or array of volatile or non-volatile memory. In the illustrated example, memory 170 includes, but is not limited to, command memory 171, flash memory 172, and SRAM173.
I/O and port control 190 may comprise any system, device, or apparatus that is generally operable to receive data from/transmit data to/within electronic device 101. I/O and port control 190 may include, for example, any number of communication interfaces, graphical interfaces, video interfaces, user input interfaces, or peripheral interfaces (e.g., without limitation, JTAG, I2C, UART, test access ports). I/O and port control 190 may be communicatively coupled to external ports/pins 180-1, 180-2, …, 180-N (and other ports/pins not depicted).
Network interface 150 may be any suitable system, apparatus, or device operable to serve as an interface between electronic device 101 and network 155. Network interface 150 may enable electronic device 101 to communicate over network 155 using any suitable transmission protocol or standard. The network 155 and its various components may be implemented using hardware, software, or any combination thereof.
Although fig. 1 illustrates various components of electronic device 101, other example systems may include electronic devices having more or fewer components. In one example, an electronic device 101 according to the present disclosure may not include one or all of the components depicted in dashed lines without departing from the spirit and scope of these disclosed examples.
FIG. 2 illustrates an example OTP memory 110 that may be used to manage a lifecycle of an electronic device. As depicted in fig. 2, OTP memory 110 may include various defined regions including life cycle bit 203, manufacturer configuration information 213, customer information 223, and secret device unique information 233. In one example, the lifecycle bit 203 may be programmed (melted) by the boot code 140 and may cause transitions between different lifecycle phases in a defined series of lifecycle phases of the electronic device 101. In the same or another example, manufacturer configuration information 213 may be programmed (melted), for example, by a tester or other device used by the manufacturer to program OTP memory 110 during pre-configuration of electronic apparatus 101. Manufacturer configuration information 213 may include bits to enable, disable, or configure features on electronic device 101 (e.g., availability of GPIO pins, clock rate, and availability of security features); a public key of a public key crypto key pair; device identification information. In one example, the customer information 223 may include bits programmed (melted) by a customer of the electronic device 101.
In one example, the secret device unique information 233 may include: (a) A device identity key ("DevIK") (e.g., the private key of a public key cryptographic key pair) or information from which DevIK may be generated; (b) Critical device configurations, e.g., mirror authenticity and key authenticity; (c) other cryptographic keys used by the electronic device 101; or (d) other device unique information. In some examples, the secret device unique information 233 may include (a) a Unique Device Secret (UDS) or an encrypted UDS, or (b) a ROM seed (e.g., a random number generated by the boot code 140), where the boot code 140 may use such UDS and ROM seed as source data to generate DevIK or other device unique information.
Life cycle phase of electronic device 101
The electronic device 101 may be capable of transitioning over time through various lifecycle stages. In one example, the lifecycle phases may be defined by a manufacturer of the electronic device 101 and may include, but are not limited to, the lifecycle phases shown in table 1.
TABLE 1
| Stage(s) | Description of the invention |
| 1 | Initial stage of RAW-electronic device |
| 2 | MFG-manufacturing mode |
| 3 | DEV-development mode |
| 4 | PROD-production mode |
| 5 | FA-failure analysis mode |
| 6 | EOL-end of life |
In one example, six lifecycle phases may have the characteristics listed in tables 2-7. As disclosed in tables 2-7, different functions, features, and operations may be available in different lifecycle stages. An example method for making the functionality available is shown in fig. 13 and related text.
TABLE 2
TABLE 3 Table 3
TABLE 4 Table 4
TABLE 5
TABLE 6
TABLE 7
The transition between lifecycle stages may be linear (e.g., from stage 1 to stage 6), the lifecycle stages may be skipped, or a combination of linear transitions while skipping one or more lifecycle stages. In one example, a manufacturer of the electronic device 101 may define allowable transitions. The boot code 140 may implement manufacturer defined allowable transitions by managing transitions of the electronic device 101 through a series of lifecycle stages. Fig. 3 shows an example of an effective transition from one life cycle phase to another (manufacturer defined allowable transitions) by arrows between different life cycle phases in a series of life cycle phases 308. For example, from the RAW phase, the device may be limited to transitioning to the MFG phase. From the MFG phase, the device may transition to the DEV phase, or alternatively to the PROD phase. In some examples, the transition from one lifecycle phase to another lifecycle phase is staged and requires a reset of the electronic device 101 (e.g., a device reset, reboot, or power cycle) to effect the transition to the new lifecycle phase. According to one example, the RAW lifecycle phase may correspond to the time that silicon is shipped from the foundry where it is manufactured to the manufacturer (OEM). The MFG lifecycle phase may correspond to a time when silicon is dominated by a manufacturer, e.g., during manufacturer pre-configuration of the device. The remaining life cycle phase (DEV, PROD, FA, EOL) may correspond to the time that the silicon is dominated by the customer.
Fig. 4 shows an example of a life cycle bitmap, e.g., a set of example nine (9) life cycle bits (bits 0-8), where the corresponding life cycle bitmaps 203a-203f may correspond to the life cycle bits 203 in the OTP memory 110 of fig. 2. The life cycle bitmaps 203a-203f may specify six (6) life cycle OTP bit patterns (404 a-404 f) for nine (9) life cycle bits, with the respective OTP bit patterns corresponding to respective defined life cycle phases in the series of life cycle phases 408. As shown in this example, the life cycle OTP bit pattern 404a in the life cycle bitmap 203a may correspond to the life cycle phase RAW shown directly below the life cycle bitmap 203 a. Similarly, the life cycle OTP bit pattern 404b in the life cycle bitmap 203b may correspond to the life cycle phase MFG shown directly below the life cycle bitmap 203 b. Other illustrated life cycle OTP bit patterns (e.g., 404c-404f in life cycle bitmaps 203c-203 f) may correspond to the life cycle phases illustrated immediately below them.
As shown in fig. 4, the life cycle bitmap 203a may correspond to a life cycle OTP bit pattern 404a of a RAW life cycle phase (i.e., bits 0-8 are not programmed). Life cycle bitmap 203b may correspond to life cycle OTP bit pattern 404b for the MFG life cycle phase (i.e., bits 0 and 2 are programmed; bits 1 and 3-8 are unprogrammed). The life cycle bitmap 203c may correspond to a life cycle OTP bit pattern 404c of the DEV life cycle phase (i.e., bits 0 and 2-4 are programmed; bits 1 and 5-8 are unprogrammed). The life cycle bitmap 203d may correspond to a life cycle OTP bit pattern 404d for the PROD life cycle phase (i.e., bits 0,2, and 4-5 are programmed; bits 1,3, and 6-8 are unprogrammed). The life cycle bitmap 203e may correspond to the life cycle OTP bit pattern 404e of the FA life cycle phase (i.e., bits 0, 2-6, and 8 are programmed; bits 1 and 7 are unprogrammed). The life cycle bitmap 203f may correspond to the life cycle OTP bit pattern 404f of the EOL life cycle phase (i.e., bits 0-8 are programmed).
In one example, the electronic device 101 may be designed such that the boot code 140 may have exclusive write access to the lifecycle bits 203. In this way, the boot code 140 may selectively program the lifecycle bits over time, such as in response to a command, to advance the electronic device through a series of lifecycle stages in a unidirectional manner. For example, after boot code 140 programs lifecycle bit 203 in lifecycle OTP bit pattern 404b corresponding to the MFG lifecycle phase, transition 410 from the MFG lifecycle phase back to the RAW lifecycle phase may be disabled because it is not possible to "un-program" the lifecycle bits 0 and 2 (OTP memory may be permanently programmed). Thus, as shown by the example lifecycle OTP bit patterns 404a-404f in the lifecycle bitmaps 203c-203f, the electronic device 101 can be limited to advancing through the lifecycle phases in a unidirectional manner, i.e., left to right in FIG. 4.
Fig. 5 shows an example 101 of using a manufacturer OTP configuration bit for a sub-phase of a lifecycle phase defined for an electronic device. For example, a manufacturer may wish to pre-configure an electronic device in a phased manner to limit access to certain features or functions of the electronic device during pre-configuration. In the example shown, the manufacturer may define sub-phases 515 (MFG 0, MFG1, and MFG 3), which may correspond to unique states of the manufacturer OTP configuration bits in 513a-513c, respectively. In this example, the life cycle OTP bit patterns 404a-404f in the life cycle bitmaps 203a-203f may correspond to the life cycle OTP bit patterns depicted in FIG. 4. Similarly, a lifecycle stage defined in a series of lifecycle stages 508 may correspond to a lifecycle stage defined in 408, except that sub-stage 515 corresponds to an MFG stage in 408. Thus, when the electronic device is in the MFG lifecycle phase (lifecycle OTP bit pattern 404b, lifecycle bitmap 203 b), sub-phase 515 can be defined by programming the manufacturer OTP configuration bits stored in manufacturer configuration information 213 (fig. 2) of OTP memory 110. In one example, electronic device 101 may be designed such that boot code 140 may have exclusive write access to manufacturer OTP configuration bits in manufacturer configuration information 213. In another example, electronic device 101 may be designed such that other codes (manufacturer codes) may have write access to manufacturer OTP configuration bits in manufacturer configuration information 213. In yet another example, the manufacturer may program the manufacturer OTP configuration bit in manufacturer configuration information 213 via external hardware (e.g., JTAG debug interface). As illustrated, sub-stage 515 may be limited to proceeding in a unidirectional manner because it is not possible to "un-program" the manufacturer OTP configuration bit (the OTP memory may be permanently programmed).
Although fig. 5 shows an example of sub-phases defining MFG lifecycle phases, similar methods may be used to define sub-phases of other lifecycle phases of an electronic device. For example, a customer may desire sub-phases during development (DEV lifecycle phases) to limit access to certain features or functions of an electronic device. To achieve this, the customer may define customer configuration bits in customer information 223 of OTP memory 110 to define sub-phases (e.g., similar to sub-phase 515). The client configuration bits may be used by the client code to restrict access to certain features or functions of the electronic device.
Fig. 6 shows an example command memory 171. The command memory 171 may include a rewritable memory (e.g., a register) and may contain a lifecycle request bit 682, a command area 684, and a command parameter area 686. In one example, the lifecycle request bit 682, the command field 684, and the command parameter field 686 may be used (alone or in any combination) to initiate a request to be processed by the boot code 140. In one example, command memory 171 may be user accessible such that code other than boot code 140 (e.g., manufacturer code, customer code) may initiate a request to be processed by boot code 140. In another example, command memory 171 may be accessed via external hardware (e.g., JTAG debug interface, UART interface, I2C interface).
In one example, the lifecycle request bit 682, when set, may correspond to a request to transition the electronic device 101 from a current lifecycle stage to a next lifecycle stage. In the same or another example, the command area 684 may be programmed with commands corresponding to functions executable by the boot code 140 (e.g., functions F1, F2 shown as 145a and 145b in FIG. 1). The command parameters field 686 may be programmed with parameters corresponding to commands programmed into the field 684.
Fig. 7 illustrates a flow chart of an example method 700 for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device. According to one example, the method 700 may begin at block 710. In particular, method 700 may be performed by boot code 140. In some examples, start block 710 may represent a time at which electronic device 101 is first powered on or a time after an electronic device reset (e.g., device reset, reboot, or power cycle). Thus, method 700 may be performed by boot code 140 at a time when OTP memory 110 is not accessible to the user (e.g., because the user code has not yet been loaded). The teachings of the present disclosure may be implemented in a variety of configurations of system 100. Thus, the point of initialization of method 700 and the order of 710-760 that make up method 700 may depend on the particular implementation chosen.
At block 720, the boot code may determine a current life cycle phase (LCS) of the electronic device 101 by reading the life cycle bit 203 from the OTP memory 110. At block 730, the boot code may determine whether there is a pending (pending) lifecycle request, for example, by checking whether the lifecycle request bit 682 in the command memory 171 is set. If there is no life cycle request to process, the boot code may proceed to block 740 to take any action appropriate for the current life cycle stage. If the boot code determines at block 730 that the lifecycle request is pending, the boot code may proceed to block 750. At block 750, the boot code may program the lifecycle bit 203 with a lifecycle OTP bit pattern (e.g., 404a-404f in FIG. 4) corresponding to the next lifecycle stage. After programming, the boot code may proceed to block 760 and transition to the next life cycle phase.
Although fig. 7 discloses a particular number of operations related to method 700, method 700 may be performed with more or fewer operations than those depicted in fig. 7. For example, prior to block 750, the boot code may determine a next lifecycle stage based on, for example, the OTP configuration bit. Also prior to block 750, the boot code may generate a life cycle bit pattern corresponding to the next life cycle phase. In another example, at block 760, the boot code may cause a transition to the next lifecycle stage by forcing a reset of the electronic device 101. Further, although FIG. 7 discloses a certain order of operations to be performed with respect to method 700, the operations comprising method 700 may be performed in any suitable order.
Fig. 8 illustrates a flow chart of an example method 800 for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device. According to one example, the method 800 may begin at block 810. In particular, the method 800 may be performed by the boot code 140. In some examples, start block 810 may represent a time at which electronic device 101 is first powered on or a time after an electronic device reset (e.g., device reset, reboot, or power cycle). Thus, method 800 may be performed by boot code 140 at a time when OTP memory 110 is not accessible to the user (e.g., because the user code has not yet been loaded). The teachings of the present disclosure may be implemented in a variety of configurations of system 100. Thus, the point of initialization of method 800 and the order of 810-850 constituting method 800 may depend on the particular implementation chosen.
In method 800, blocks 810, 815, and 820 may correspond to blocks 710, 720, and 730, respectively, except when the boot code determines in block 820 that there is a pending lifecycle request, it may proceed to block 830 where the boot code determines whether a secure lifecycle request is needed. In some examples, the manufacturer may wish to securely program OTP life cycle bit 203 so that a malicious user cannot cause an irreversible life cycle transition. According to these examples, the boot code may require the user to provide a signed lifecycle request command, which may be signed with the cryptographic key of the public key pair. The boot code may have access to the other half of the key pair to verify the signed command. If the boot code determines that a secure lifecycle request is not needed at block 830, it may proceed to blocks 835 and 850, which may correspond to blocks 750 and 760, respectively, of method 700.
If the boot code determines in block 830 that a secure lifecycle request is needed, it may proceed to block 840 where it may receive a signed lifecycle request from the user. Commands may be received from command area 684 from command memory 171 shown in fig. 6. The command may include parameters from command parameters area 686. As discussed with respect to fig. 6, the user may write the secure lifecycle request command into the command memory 171 via firmware (e.g., customer code) or via a physical interface (e.g., JTAG debug interface, UART interface, I2C interface). After receiving the signed lifecycle request at block 840, the boot code may proceed to block 845. At block 845, the boot code may verify the signed lifecycle request, for example, by using a secret cryptographic key, which is the second half of the key pair used by the user to sign the request. If the boot code verifies the request, it may proceed to block 835 (then 850), as described above. If the signed lifecycle request is not verified, the boot code may proceed to block 825 where the current lifecycle phase resumes without transitioning to the next lifecycle phase.
Although fig. 8 discloses a particular number of operations related to method 800, method 800 may be performed with more or fewer operations than those depicted in fig. 8. For example, if the signed lifecycle request is not verified in block 845, the boot code may return to block 840 so that the user may attempt to submit the signed lifecycle request command a second time. In another example, the boot code may allow a limited number of attempts (e.g., for a predefined amount of time) before locking the command memory. In some examples, additional operations described with respect to method 700 may be similarly performed in method 800. Further, although FIG. 8 discloses a certain order of operations to be performed with respect to method 800, operations comprising method 800 may be performed in any suitable order.
Fig. 9 a-9 f illustrate a flowchart of an example method 900 for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device. According to one example, the method 900 may begin at block 902 in fig. 9 a. In particular, method 900 may be performed by boot code 140. In some examples, start block 902 may represent a time at which electronic device 101 is first powered on or a time after an electronic device reset (e.g., device reset, reboot, or power cycle). Thus, method 900 may be performed by boot code 140 at a time when OTP memory 110 is not accessible to the user (e.g., because the user code has not yet been loaded). The teachings of the present disclosure may be implemented in a variety of configurations of system 100. Thus, the initialization point of method 900 and the order of 902-984 comprising method 900 may depend on the particular implementation chosen.
At block 904, the boot code may determine a current life cycle phase (LCS) of the electronic device 101. At block 906, the boot code may determine whether the LCS is a RAW lifecycle phase. If so, the boot code may proceed to block 908 and stop executing code. For example, by stopping execution of the code, the boot code may not load any code image such that no feature or capability on the electronic device is enabled. This feature may prevent theft of silicon during transportation from the foundry to the manufacturer (e.g., the RAW life cycle stage in fig. 3). If the boot code determines in block 906 that the current LCS is not a RAW lifecycle stage, it may proceed to block 910 (continue in fig. 9 b). In this example, the boot code may not be able to cause a transition from the RAW LCS to the MFG LCS. The manufacturer may use an external tester to cause a transition from the RAW LCS to the MFG LCS to program a life cycle OTP bit pattern (e.g., 404b in fig. 4) corresponding to the MFG LCS into the life cycle bit 203 in the OTP memory 110. In other examples, the boot code 104 may program a life cycle OTP bit pattern (e.g., 404 b) corresponding to the MFG LCS into the life cycle bit 203, for example, in response to determining that one or more external pins (e.g., 180-1, 180-2, …, 180-N in fig. 1) are in a predefined state.
Fig. 9b may begin at block 910 and proceed to block 912. At block 912, the boot code may determine whether the LCS is a MFG lifecycle phase. If so, the boot code may proceed to block 914 where it may determine if there is a pending lifecycle request (e.g., as described with respect to FIGS. 7 and 8). If no lifecycle request is pending, the boot code may proceed to block 916 where the current MFG lifecycle phase resumes without transitioning to another lifecycle phase. If at block 914, the boot code determines that there is a life cycle request to process, the boot code may proceed to block 918. At block 918, the boot code may determine whether the JTAG capability of the electronic device 101 has been disabled. In one example, the boot code makes this determination by reading the configuration information from the manufacturer configuration information area 213 of the OTP memory 110. In this example, if JTAG is disabled, the manufacturer may determine that the transition from MFG LCS to PROD LCS is allowable. Thus, the boot code may enforce the limit at block 918.
If it is determined that JTAG is disabled, the boot code may proceed to block 920. At block 920, the boot code may generate a PROD lifecycle OTP bit pattern (e.g., 404d in fig. 4). Thereafter, the boot code may proceed to block 922 and program the OTP life cycle bit 203 in the OTP memory 110 with a PROD life cycle OTP bit pattern (e.g., 404 d). The boot code may then proceed to block 924 and transition to PROD LCS. In one example, at block 924, the boot code may cause a transition to the PROD lifecycle stage by forcing a reset of the electronic device 101. At block 924, the boot code may perform other operations corresponding to the transition to the PROD lifecycle stage (e.g., as shown in fig. 12).
If it is determined at block 918 that JTAG is not disabled, the boot code may proceed to block 926. At block 926, the boot code may generate a DEV lifecycle OTP bit pattern (e.g., 404c in fig. 4). Thereafter, the boot code may proceed to block 928 and program the OTP life cycle bit 203 in the OTP memory 110 with a DEV life cycle OTP bit pattern (e.g., 404 c). The boot code may then proceed to block 930 and transition to the DEV LCS. In one example, at block 930, the boot code may cause a transition to the DEV lifecycle stage by forcing a reset of the electronic device 101. At block 930, the boot code may perform other operations corresponding to the transition to the DEV lifecycle stage.
If the boot code determines that the LCS is not the MFG lifecycle phase, at block 912, the boot code may proceed to block 932 (continuing at fig. 9 c).
Fig. 9c may begin at block 932 and proceed to block 934. In block 934, the boot code may determine whether the LCS is a DEV lifecycle stage. If so, the boot code may proceed to block 936 where it may determine whether there is a pending lifecycle request (e.g., as described with respect to FIGS. 7 and 8). If no lifecycle request is pending, the boot code may proceed to block 938 where the current DEV lifecycle phase resumes without transitioning to another lifecycle phase. If at block 936, the boot code determines that there is a life cycle request pending, the boot code may proceed to block 940. Blocks 940 and 942 may operate like blocks 840 and 845 in fig. 8. In this example, the transition from the DEV LCS to the FA or EOL LCS may require a secure lifecycle request, which may be a signed lifecycle FA/EOL command. In one example, verification of the received request/command may proceed as described with respect to block 845 in fig. 8. In other examples, verification of the received request/command may be performed as shown in fig. 10 and 11. If verification of the received request/command fails (in block 942), the boot code may proceed to block 938. In other examples (not shown), the boot code may proceed to block 940 to receive an attempt to append the signed lifecycle FA/EOL command.
If verification of the received request/command is successful (in block 942), the boot code may proceed to block 944. At block 944, the boot code may determine whether the signed lifecycle FA/EOL command indicates a transition to FA LCS or EOL. For example, the signed lifecycle FA/EOL command may originate from the command memory 171 and may include a command parameter 686, which may indicate which transition is desired. In other examples, configuration information in OTP memory 110 (e.g., in manufacturer configuration information area 213 or customer information area 223) may indicate which transition is desired.
If the boot code determines in block 944 to make a transition to FA LCS, the boot code may proceed to block 952. At block 952, the boot code may generate the FA lifecycle OTP bit pattern (e.g., 404e in fig. 4). Thereafter, the boot code may proceed to block 954 and program the OTP life cycle bit 203 in the OTP memory 110 with the FA life cycle OTP bit pattern (e.g., 404 e). The boot code may then proceed to block 956 and transition to the FA LCS. In one example, at block 956, the boot code may cause a transition to the FA lifecycle phase by forcing a reset of the electronic device 101. At block 956, the boot code may perform other operations (not shown) corresponding to transitions to the FA lifecycle stage. In one example, the boot code may effectively erase all secrets stored in the OTP memory (e.g., by programming all bits in the OTP memory) and erase all memory. In this example, the customer may return the component to the manufacturer for failure analysis, and does not wish the manufacturer to access the customer's secret.
If the boot code determines to transition to EOL LCS in block 944, the boot code may proceed to block 946. At block 946, the boot code may generate an EOL lifecycle OTP bit pattern (e.g., 404f in fig. 4). Thereafter, the boot code may proceed to block 948 and program the OTP life cycle bit 203 in the OTP memory 110 with an EOL life cycle OTP bit pattern (e.g., 404 f). The boot code may then proceed to block 950 and transition to EOL LCS. In one example, at block 950, the boot code may cause a transition to the EOL lifecycle stage by forcing a reset of the electronic device 101. At block 950, the boot code may perform other operations (not shown) corresponding to transitions to EOL lifecycle phases. In one example, the boot code may effectively erase all secrets stored in the OTP memory (e.g., by programming all bits in the OTP memory) and erase all memory so that the component does not need to be physically destroyed to protect manufacturer and customer secrets.
If the boot code determines that the LCS is not a DEV lifecycle stage in block 934, the boot code may proceed to block 958 (continuing at fig. 9 d).
Fig. 9d may begin at block 958 and proceed to block 960. In block 960, the boot code may determine whether the LCS is a PROD lifecycle stage. If so, the boot code may proceed to block 962 where it may determine whether there is a pending lifecycle request (e.g., as described with respect to FIGS. 7 and 8). If no life cycle request is pending, the boot code may proceed to block 964 where the current PROD life cycle phase resumes without transitioning to another life cycle phase. If at block 962 the boot code determines that there is a life cycle request to process, the boot code may proceed to block 966. Blocks 966 and 968 may operate as blocks 840, 940 and 845, 942 (in fig. 8 and 9c, respectively), except that if verification fails in block 968, the boot code may proceed to block 964. Blocks 944, 946, 948, 950, 952, 954, and 956 in fig. 9d are described with identically numbered blocks in fig. 9 c.
If the boot code determines that the LCS is not a PROD lifecycle stage, at block 960, the boot code may proceed to block 970 (continuing at fig. 9 e).
Fig. 9e may begin at block 970 and proceed to block 972. At block 972, the boot code may determine whether the LCS is an FA lifecycle phase. If so, the boot code may proceed to block 974 where it may determine whether there is a pending lifecycle request (e.g., as described with respect to fig. 7 and 8). If no lifecycle request is pending, the boot code may proceed to block 976 where the current FA lifecycle phase resumes without transitioning to another lifecycle phase. If at block 974 the boot code determines that there is a life cycle request pending, the boot code may proceed to block 978. Blocks 978 and 980 may operate as blocks 840, 940, 966 and 845, 942, 968 (in fig. 8, 9c and 9d, respectively), except that if verification fails in block 980, the boot code may proceed to block 976. Blocks 946, 948, and 950 in fig. 9e are described with identically numbered blocks in fig. 9 c.
If the boot code determines that the LCS is not the FA lifecycle phase, at block 972, the boot code may proceed to block 978 (continuing at fig. 9 f).
Fig. 9f may begin at block 978 and proceed to block 980. At block 980, the boot code may determine whether the LCS is an EOL lifecycle stage. If so, the boot code may proceed to block 982 and stop executing code. For example, by stopping execution of the code, the boot code may not load any code patterns such that no features or capabilities on the electronic device are enabled. This may be a desirable result of components that have reached end of life (EOL). If in block 980 the boot code determines that the LCS is not an EOL lifecycle stage, the boot code may proceed to block 984. As shown, block 984 may be an LCS error state because the LCS does not match any of, for example, six (6) defined lifecycle phases of the electronic device 101. Alternatively, because an error condition is not expected, the boot code may transition from block 984 back to block 902 in fig. 9a and re-run the method 900.
Although fig. 9 a-9 f disclose a particular number of operations related to method 900, method 900 may be performed with more or fewer operations than those depicted in fig. 9 a-9 f (e.g., the operations described above or other operations). Fig. 10-12 provide additional examples of a method 900 having more operations than those depicted in fig. 9 a-9 f. Further, although fig. 9 a-9 f disclose a certain order of operations to be performed with respect to method 900, operations comprising method 900 may be performed in any suitable order.
Fig. 10 illustrates a flowchart of additional example operations of a method 900 for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device. Fig. 10 illustrates an example of additional operations that the boot code 140 may perform when receiving and verifying signed lifecycle FA/EOL commands as described with respect to blocks 940, 966, 978 and 942, 968, 980 of fig. 9c, 9d, 9 e. In this example, the manufacturer may enhance security related to transitioning to the FA or EOL lifecycle stage. Thus, blocks 940, 966, 978 and 942, 968, 980 of fig. 9c, 9d, 9e may be replaced with blocks 986-994 and 942, 968, 980 of fig. 10.
At block 986, the boot code may receive a request for Device Unique Data (DUD). In block 988, the boot code may obtain or generate the requested DUD. In one example, the DUD may include a random number. In another example, the DUD may include a serial number or other secret device unique information 233 (see fig. 2) that may be stored in the OTP memory 110. At block 990, the boot code may communicate the DUD to the user, for example, via a physical interface (e.g., JTAG debug interface, UART interface, I2C interface). At block 992, the boot code may receive a signed lifecycle FA/EOL command including the DUD previously transmitted in block 990. At block 994, the boot code may verify the signed lifecycle FA/EOL command including the DUD. In one example, the life cycle FA/EOL commands, which do not include a DUD, may not be verified, thereby enhancing the security of the electronic device.
Although fig. 10 discloses a particular number of operations related to method 900, method 900 may be performed with more or fewer operations than those depicted in fig. 10 (e.g., as shown in fig. 11). Further, although FIG. 10 discloses a certain order of operations to be performed with respect to method 900, operations comprising method 900 may be performed in any suitable order.
Fig. 11 illustrates a flowchart of additional example operations of a method 900 for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device. Fig. 11 shows the same operation as fig. 10 with the addition of block 996. At block 996, the boot code may implement a timeout period and determine whether the period has elapsed. The timeout period may begin running after the boot code transmits the DUD in block 990. If the timeout period elapses before the boot code receives the signed lifecycle FA/EOL command (block 992) including the DUD, the boot code may proceed as if the signed command was not verified. Thus, a user desiring to cause a transition to the FA or EOL lifecycle stage may be required to begin the process again, including requesting a DUD at block 986.
Fig. 12 illustrates a flowchart of additional example operations of a method 900 for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device. Fig. 12 illustrates an example of additional operations that the boot code 140 may perform between blocks 922 and 924 of fig. 9 b. In this example, the boot code may proceed from block 922 to block 923. In block 923, the boot code may generate device unique information. At block 925, the boot code may program OTP memory 110 with the device unique information generated in block 923. In one example, the device unique information may be a public cryptographic key, a ROM seed, or other device unique information. Although shown as operating between blocks 922 and 924, in one example, blocks 923 and 925 may operate between blocks 928 and 930 (fig. 9 b).
Fig. 13 illustrates a flow chart of an example method 1300 for managing a lifecycle of an electronic device through secure programming of an OTP memory of the electronic device. In one example, the electronic device 101 may include life cycle function data that specifies a set of available functions for a respective life cycle stage. The specified set of available functions for the respective lifecycle stage defines functions that can be performed during the respective lifecycle stage of the electronic device. In fig. 13, the boot code may receive a command at block 1302. In one example, the command may be received from a command memory 171 (e.g., FIG. 6). At block 1304, the boot code may determine whether the received command is a signed lifecycle FA/EOL command. If so, the boot code may proceed to block 1306 where the boot code determines whether the current lifecycle phase is a DEV LCS or a PROD LCS. If so, the boot code may proceed to block 1310 and process the received command. If the current lifecycle phase is neither DEV nor PROD, the boot code may proceed to block 1308 and ignore the received command. In this way, the boot code may specify a set of available functions for the respective lifecycle stage. In this example, the signed lifecycle FA/EOL command is not available in RAW, MFG, FA or EOL lifecycle stages. Thus, when the electronic device is operating in a respective lifecycle stage, the boot code may limit the available functions for the respective lifecycle stage as defined by the lifecycle function data.
Methods 700-1300 may be implemented using system 100 or any other system operable to implement methods 700-1300. Although examples have been described above, other modifications and examples can be made in accordance with this disclosure without departing from the spirit and scope of these disclosed examples.
Claims (23)
1. A system, the system comprising:
An electronic device having a plurality of defined lifecycle phases, the electronic device comprising a one-time programmable (OTP) memory comprising a plurality of lifecycle bits, wherein respective bit patterns of the plurality of lifecycle bits correspond to respective ones of the plurality of defined lifecycle phases;
boot code stored in read-only memory and executable by a processor to:
receiving a request to transition from a current life cycle phase of the plurality of defined life cycle phases to a next life cycle phase of the plurality of defined life cycle phases; and
In response to the received request, automatically generating a bit pattern corresponding to the next one of the plurality of defined lifecycle phases and programming the bit pattern corresponding to the next one of the plurality of defined lifecycle phases in the OTP memory during a time that the OTP memory is not accessible by a user.
2. The system of claim 1, wherein the boot code executable by the processor to automatically generate and program the bit pattern in the OTP memory corresponding to the next one of the plurality of defined lifecycle phases during a time the OTP memory is not accessible by a user comprises: a boot code executable by the processor to automatically generate and program the bit pattern in the OTP memory corresponding to the next one of the plurality of defined lifecycle phases during a subsequent reset of the electronic device.
3. The system of claim 2, wherein the subsequent reset of the electronic device comprises a device reset, reboot, or power cycle of the electronic device.
4. The system of any of claims 1-3, wherein the boot code programming the bit pattern in the OTP memory corresponding to the next life cycle stage of the plurality of defined life cycle states causes a transition from the current life cycle stage of the plurality of defined life cycle stages to the next life cycle stage of the plurality of defined life cycle stages.
5. The system of any of claims 1 to 4, wherein the boot code is executable by the processor to automatically generate device unique information in response to the received request and program the device unique information in the OTP memory during a time that the OTP memory is not accessible by a user.
6. The system of any of claims 1-5, wherein for a respective lifecycle stage of the plurality of defined lifecycle stages, the boot code makes available to a user a corresponding respective set of available functions executable during the respective lifecycle stage of the plurality of defined lifecycle stages.
7. The system of claim 6, wherein:
The respective set of available functions executable during a first life cycle phase of the plurality of defined life cycle phases includes a first function; and
The respective set of available functions executable during a second life cycle phase of the plurality of defined life cycle phases excludes the first function.
8. The system of any of claims 1-7, wherein the request to transition from a current life cycle stage of the plurality of defined life cycle stages to a next life cycle stage of the plurality of defined life cycle stages is received via a physical port of the electronic device or via firmware loaded onto the electronic device.
9. The system of any of claims 1-8, wherein the request to transition from a current life cycle phase of the plurality of defined life cycle phases to a next life cycle phase of the plurality of defined life cycle phases comprises a signed command.
10. The system of any of claims 1-9, wherein the electronic device comprises a server, a device associated with a server, or a computing platform, and wherein the system comprises a secure boot controller for the server, the device associated with the server, or the computing platform.
11. A system, the system comprising:
an electronic device having a one-time programmable (OTP) memory, the OTP memory including a plurality of life cycle OTP bits;
A life cycle bitmap associated with a plurality of defined life cycle phases of the electronic device, the life cycle bitmap specifying a plurality of life cycle OTP bit patterns, respective life cycle OTP bit patterns corresponding to respective life cycle phases of the electronic device;
life cycle function data specifying a set of available functions for a respective life cycle phase, wherein:
The specified set of available functions for a respective lifecycle stage defines functions that can be performed during the respective lifecycle stage of the electronic device; and
The specified set of available functions for the respective first lifecycle stage is different from the specified set of available functions for the respective second lifecycle stage; and
Boot code stored in read-only memory and executable by a processor to manage pre-configuration of the electronic device through a series of lifecycle stages, comprising:
Selectively programming the plurality of life cycle OTP bits over time during a time when the OTP memory is not accessible by a user to advance the electronic device through the series of life cycle phases; and
When the electronic device is operating in the respective first lifecycle stage, access is allowed to only the set of available functions specified by the lifecycle function data for the respective first lifecycle stage.
12. The system of claim 11, the system comprising:
The boot code executable by the processor to automatically generate device unique information and program the device unique information in the OTP memory during a time that the OTP memory is not accessible by a user.
13. The system of any of claims 11-12, wherein the boot code executable by the processor to selectively program the plurality of lifecycle OTP bits over time to advance the electronic device through the series of lifecycle phases comprises: boot code executable by the processor to selectively program the plurality of life cycle OTP bits over time to advance the electronic device through the series of life cycle phases in response to a signed command.
14. A method, the method comprising:
For an electronic device having a one-time programmable (OTP) memory, a plurality of defined lifecycle phases, and a plurality of defined functions, providing access to a first set of the plurality of defined functions when the electronic device is in a first lifecycle phase of the plurality of defined lifecycle phases;
receiving a request to transition the electronic device from the first one of the plurality of defined lifecycle phases to a second one of the plurality of defined lifecycle phases;
In response to a received request to transition the electronic device from the first one of the plurality of defined lifecycle phases to the second one of the plurality of defined lifecycle phases, transitioning the electronic device to the second one of the plurality of defined lifecycle phases by programming an OTP memory with information corresponding to the second one of the plurality of defined lifecycle phases during a first time period in which the OTP memory is not accessible to a user; and
Providing access to a second set of the plurality of defined functions when the electronic device is in the second one of the plurality of defined lifecycle phases.
15. The method of claim 14, wherein programming the OTP memory during the first time that the OTP memory is not accessible by a user comprises: the OTP memory is programmed during a subsequent reset of the electronic device.
16. The method of any of claims 14-15, wherein the subsequent reset of the electronic device comprises a device reset, a reboot, or a power cycle of the electronic device.
17. The method according to any one of claims 14 to 16, the method comprising:
In response to a received request to transition the electronic device from the first one of the plurality of defined lifecycle phases to the second one of the plurality of defined lifecycle phases, device unique information is automatically generated and programmed in the OTP memory during a time that the OTP memory is not accessible by a user.
18. The method of any one of claims 14 to 17, wherein:
The first set of the plurality of defined functions includes a first function; and
The second set of the plurality of defined functions excludes the first function.
19. The method according to any one of claims 14 to 18, the method comprising:
After transitioning the electronic device to the second one of the plurality of defined lifecycle phases, disabling the transitioning of the electronic device to the first one of the plurality of defined lifecycle phases.
20. The method of any of claims 14-19, wherein the request to transition the electronic device from the first one of the plurality of defined lifecycle stages to the second one of the plurality of defined lifecycle stages is received via a physical port of the electronic device or via firmware loaded onto the electronic device.
21. The method of any of claims 14-20, wherein the request to transition the electronic device from the first one of the plurality of defined lifecycle phases to the second one of the plurality of defined lifecycle phases comprises a signed command.
22. The method according to any one of claims 14 to 21, the method comprising:
Receiving a request to transition the electronic device from the second one of the plurality of defined lifecycle phases to a third one of the plurality of defined lifecycle phases;
In response to a received request to transition the electronic device from the second one of the plurality of defined lifecycle stages to the third one of the plurality of defined lifecycle stages, transitioning the electronic device to the third one of the plurality of defined lifecycle stages by programming the OTP memory with information corresponding to the third one of the plurality of defined lifecycle stages during a second time that the OTP memory is not accessible by a user; and
Providing access to a third set of the plurality of defined functions when the electronic device is in the third one of the plurality of defined lifecycle phases.
23. The method of claim 22, the method comprising:
after transitioning the electronic device to the third one of the plurality of defined lifecycle phases, disabling the electronic device from transitioning to the second one of the plurality of defined lifecycle phases.
Applications Claiming Priority (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US63/311,331 | 2022-02-17 | ||
| US18/110,434 | 2023-02-16 | ||
| US18/110,434 US20230259629A1 (en) | 2022-02-17 | 2023-02-16 | Secure programming of one-time-programmable (otp) memory |
| PCT/US2023/013271 WO2023158773A1 (en) | 2022-02-17 | 2023-02-17 | Secure programming of one-time-programmable (otp) memory |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117980907A true CN117980907A (en) | 2024-05-03 |
Family
ID=90863677
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202380013573.5A Pending CN117980907A (en) | 2022-02-17 | 2023-02-17 | Secure programming of one-time programmable (OTP) memory |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117980907A (en) |
-
2023
- 2023-02-17 CN CN202380013573.5A patent/CN117980907A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8478973B2 (en) | System and method for providing a secure application fragmentation environment | |
| CN102298529B (en) | Providing silicon integrated code for a system | |
| US10657260B2 (en) | Electronic devices and methods supporting unsecured system-on-chip secure boot functionalities | |
| US11354417B2 (en) | Enhanced secure boot | |
| CN101221509B (en) | Bus arbitration starting method of reliable embedded system | |
| US10489612B2 (en) | Memory controller to verify authenticity of data | |
| US8028165B2 (en) | Trusted platform field upgrade system and method | |
| CN103927490A (en) | OS secure startup method and device | |
| US8386763B1 (en) | System and method for locking down a capability of a computer system | |
| US11468171B2 (en) | Secure boot via system and power management microcontroller | |
| CN110781532B (en) | Card opening device and method for verifying and enabling data storage device by using card opening device | |
| KR102227263B1 (en) | System and Method for Changing of Secure Boot and Electronic Apparatus Equipped the System Thereof | |
| US11068599B2 (en) | Secure initialization using embedded controller (EC) root of trust | |
| US20230259629A1 (en) | Secure programming of one-time-programmable (otp) memory | |
| US20230083979A1 (en) | Method and system for secure boot and rma intervention | |
| US11416618B2 (en) | Bidirectional trust chaining for trusted boot | |
| CN117980907A (en) | Secure programming of one-time programmable (OTP) memory | |
| CN113642050B (en) | Self-configuration encrypted hard disk, configuration method and system thereof, and starting method of system | |
| CN115454517A (en) | Multi-medium secure startup method, system, storage medium, device and chip | |
| WO2023158773A1 (en) | Secure programming of one-time-programmable (otp) memory | |
| US11734457B2 (en) | Technology for controlling access to processor debug features | |
| CN113935011A (en) | Method for executing a secure boot sequence of a control device | |
| US11757646B2 (en) | Methods for generating an encrypted signal simulation with a cryptographic interface card (GCIC) and devices thereof | |
| TW202343231A (en) | Managing ownership of an electronic device | |
| CN115146306A (en) | Secure debug |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |