CN1711526A - Exception types within a secure processing system - Google Patents


Info

Publication number
CN1711526A
Authority
CN
China
Legal status
Granted
Application number
CN 200380103534
Other languages
Chinese (zh)
Other versions
CN100354829C
Inventor
S·C·瓦特
C·B·多尔南
L·奥里安
N·朝斯萨德
L·贝内特
S·E·S·布罗奇尔
Current Assignee
ARM Ltd
Original Assignee
Advanced Risc Machines Ltd
Legal events
Application filed by Advanced Risc Machines Ltd
Publication of CN1711526A
Application granted
Publication of CN100354829C
Anticipated expiration
Expired - Lifetime

Abstract

Apparatus for processing data is provided, said apparatus comprising: a processor operable in a plurality of modes and in either a secure domain or a non-secure domain, the modes including at least one secure mode, being a mode in said secure domain, and at least one non-secure mode, being a mode in said non-secure domain; wherein when said processor is executing a program in a secure mode said program has access to secure data which is not accessible when said processor is operating in a non-secure mode; and said processor is responsive to one or more exception conditions for triggering exception processing using an exception handler, said processor being operable to select said exception handler from among a plurality of possible exception handlers in dependence upon whether said processor is operating in said secure domain or said non-secure domain.

Description

Exception types within a secure processing system
Technical field
The present invention relates to data processing systems. More particularly, the present invention relates to the exception types provided in a data processing system having a secure domain and a non-secure domain.
Background
A data processing apparatus typically includes a processor for running application programs loaded onto the apparatus. The processor operates under the control of an operating system. The data required to run any particular application program is typically stored in the memory of the data processing apparatus. It will be appreciated that this data may consist of the instructions contained within the application program and/or the actual data values used by the processor during execution of those instructions.
There are many instances where the data used by at least one application program is sensitive data that should not be accessible by other applications that can run on the processor. One example is where the data processing apparatus is a smart card and the application program is a security application that uses sensitive data, such as secure keys, to perform validation, authentication, decryption and the like. In such situations it is clearly important to ensure that this sensitive data is kept secure so that it cannot be accessed by other applications that may be loaded onto the data processing apparatus, for example hacking applications loaded onto the apparatus for the purpose of trying to access that secure data.
In known systems it has typically been the task of the operating system developer to ensure that the operating system provides sufficient security to guarantee that the secure data of one application cannot be accessed by other applications running under the control of the operating system. However, as systems become more complex, the general trend is for operating systems to become larger and more complex, and in such situations it becomes increasingly difficult to ensure sufficient security within the operating system itself.
Examples of systems that seek to provide secure storage of sensitive data and protection against malicious program code are described in U.S. patent application US 2002/0007456 A1 and U.S. patents US 6,282,657 B and US 6,292,874 B.
Accordingly, it would be desirable to provide an improved technique for seeking to retain the security of secure data contained in the memory of a data processing apparatus.
Summary of the invention
Viewed from one aspect, the present invention provides an apparatus for processing data, said apparatus comprising:
a processor operable in a plurality of modes and a plurality of domains, said plurality of domains comprising a secure domain and a non-secure domain, said plurality of modes including:
at least one secure mode, being a mode in said secure domain;
at least one non-secure mode, being a mode in said non-secure domain; and
a monitor mode; characterised in that
when said processor is executing a program in a secure mode, said program has access to secure data which is not accessible when said processor is operating in a non-secure mode; and
said processor is responsive to one or more exception conditions for triggering exception processing using an exception handler, said processor being operable to select said exception handler from among a plurality of possible exception handlers in dependence upon whether said processor is operating in said secure domain or said non-secure domain.
The present invention recognises that exception processing is a potential source of security vulnerability in a secure system. The invention addresses this problem by providing a system in which one or more dedicated exceptions are handled by a secure exception handler, in combination with one or more exceptions that are selectively handled by either a secure or a non-secure exception handler. Providing selectable exceptions allows the flexibility needed in exception handling to meet the requirements of a variety of operating systems, while dedicated exceptions are harder to subvert and give a well-defined response to specific exceptions. For example, a secure watchdog timer can be associated with a dedicated exception handled by the secure exception handler, so that the regular security checks triggered by the watchdog timer cannot be blocked.
The present invention is advantageously combined with the provision of a monitor mode through which all switches between the secure domain and the non-secure domain take place; the monitor mode is responsible for security-critical activities such as flushing register values when switching domains.
Preferred examples of dedicated exceptions are a secure interrupt signal exception, a mode-switching software interrupt signal and a reset exception. Preferred examples of selectable exceptions are an interrupt signal exception, a software interrupt signal, an undefined instruction exception, a prefetch abort exception, a data abort exception and a fast interrupt signal exception.
Viewed from another aspect, the present invention provides a method of processing data, said method comprising the steps of:
executing a program with a processor operable in a plurality of modes and a plurality of domains, said plurality of domains comprising a secure domain and a non-secure domain, said plurality of modes including:
at least one secure mode, being a mode in said secure domain;
at least one non-secure mode, being a mode in said non-secure domain;
characterised in that
when said processor is executing a program in a secure mode, said program has access to secure data which is not accessible when said processor is operating in a non-secure mode; and
in response to one or more exception conditions, triggering exception processing using an exception handler, wherein
at least one of said exceptions is a selectable exception handled by a selected one of a non-secure exception handler operating in a non-secure mode and a secure exception handler operating in a secure mode; and
at least one of said exceptions is a dedicated secure exception handled by a secure exception handler operating in a secure mode rather than by a non-secure exception handler operating in a non-secure mode.
Brief description of the drawings
The present invention will be described further, by way of example only, with reference to preferred embodiments thereof as illustrated in the accompanying drawings, in which:
Figure 1 is a block diagram schematically illustrating a data processing apparatus according to a preferred embodiment of the present invention;
Figure 2 schematically illustrates different programs operating in a non-secure domain and a secure domain;
Figure 3 schematically illustrates a matrix of processing modes associated with different security domains;
Figures 4 and 5 schematically illustrate different relationships between processing modes and security domains;
Figure 6 illustrates a programmer's model of the register bank of a processor, depending upon the processing mode;
Figure 7 illustrates an example of providing separate register banks for a secure domain and a non-secure domain;
Figure 8 schematically illustrates a plurality of processing modes, with switching between security domains taking place via a separate monitor mode;
Figure 9 schematically illustrates a scenario of security domain switching using a mode-switching software interrupt instruction;
Figure 10 schematically illustrates one example of how non-secure interrupt requests and secure interrupt requests may be processed by the system;
Figures 11A and 11B schematically illustrate, in accordance with Figure 10, an example of non-secure interrupt request processing and an example of secure interrupt request processing;
Figure 12 illustrates an alternative scheme, compared with that shown in Figure 10, for handling non-secure interrupt request signals and secure interrupt request signals;
Figures 13A and 13B illustrate example scenarios for handling a non-secure interrupt request and a secure interrupt request in accordance with the scheme shown in Figure 12;
Figure 14 is an example of a vectored interrupt table;
Figure 15 schematically illustrates a plurality of vectored interrupt tables associated with different security domains;
Figure 16 schematically illustrates an exception control register;
Figure 17 is a flow diagram illustrating how an instruction that attempts to modify the processor status register in a way that would alter the security domain setting generates a separate mode change exception, which in turn triggers entry into the monitor mode and running of the monitor program;
Figure 18 schematically illustrates a thread of control of a processor operating in a plurality of modes, in which a task in the monitor mode is interrupted;
Figure 19 schematically illustrates different threads of control of a processor operating in a plurality of modes;
Figure 20 schematically illustrates another thread of control of a processor operating in a plurality of modes, in which interrupts are permitted in the monitor mode;
Figures 21 to 23 illustrate views of the different processing modes and scenarios for switching between the secure and non-secure domains according to another exemplary embodiment;
Figure 24 schematically illustrates the principle of adding a secure processing option to a conventional ARM core;
Figure 25 schematically illustrates a processor having secure and non-secure domains and a reset;
Figure 26 schematically illustrates the use of a software faked interrupt to deliver a processing request to a suspended operating system;
Figure 27 schematically illustrates another example of delivering a processing request to a suspended operating system via a software faked interrupt;
Figure 28 is a flow diagram schematically illustrating the processing performed upon receipt of a software faked interrupt of the type generated in Figures 26 and 27;
Figures 29 and 30 schematically illustrate task following by a secure operating system after a possible task switch performed by the non-secure operating system;
Figure 31 is a flow diagram schematically illustrating the processing performed upon receipt of a call at the secure operating system of Figures 29 and 30;
Figure 32 is a diagram schematically illustrating the problem of interrupt priority inversion that may occur in a system having a plurality of operating systems in which different interrupts may be handled by different operating systems;
Figure 33 is a diagram schematically illustrating the use of stub interrupt handlers to avoid the problem illustrated in Figure 32;
Figure 34 schematically illustrates how different types and priorities of interrupt may be handled depending upon whether they can be interrupted by interrupts handled by a different operating system;
Figure 35 illustrates how processor configuration data is overridden with monitor mode specific processor configuration data when the processor is operating in the monitor mode;
Figure 36 is a flow diagram illustrating how processor configuration data is switched when changing between the secure domain and the non-secure domain in accordance with one embodiment of the present invention;
Figure 37 is a diagram illustrating memory management logic used to control access to memory in one embodiment of the present invention;
Figure 38 is a block diagram illustrating memory management logic used to control access to memory in a second embodiment of the present invention;
Figure 39 is a flow diagram illustrating the process performed within the memory management logic of one embodiment of the present invention to handle a memory access request specifying a virtual address;
Figure 40 is a flow diagram illustrating the process performed within the memory management logic of one embodiment of the present invention to handle a memory access request specifying a physical address;
Figure 41 schematically illustrates how the partition checker of a preferred embodiment operates to prevent access to a physical address when the device issuing the memory access request is operating in a non-secure mode;
Figure 42 is a diagram illustrating the use of non-secure page tables and secure page tables in a preferred embodiment of the present invention;
Figure 43 is a diagram illustrating two forms of flag used within the main translation lookaside buffer (TLB) of a preferred embodiment;
Figure 44 illustrates how memory may be partitioned after the boot stage in one embodiment of the present invention;
Figure 45 illustrates the mapping of non-secure memory by the MMU following the boot partitioning, in accordance with an embodiment of the present invention;
Figure 46 illustrates how the rights of a part of memory may be altered to allow a secure application and a non-secure application to share memory, in accordance with an embodiment of the present invention;
Figure 47 illustrates how devices may be connected to the external bus of the data processing apparatus in accordance with one embodiment of the present invention;
Figure 48 is a block diagram illustrating how devices may be coupled to the external bus in accordance with a second embodiment of the present invention;
Figure 49 illustrates the arrangement of physical memory in an embodiment that uses a single set of page tables;
Figure 50A illustrates an arrangement in which two MMUs are used to perform virtual to physical address translation via an intermediate address;
Figure 50B illustrates, by way of example, an alternative arrangement in which two MMUs are used to perform virtual to physical address translation via an intermediate address;
Figure 51 illustrates, by way of example, the correspondence between the physical address space and the intermediate address space for the secure domain and the non-secure domain;
Figure 52 illustrates the swapping of memory regions between the secure and non-secure domains by manipulation of the page tables associated with the second MMU;
Figure 53 illustrates an embodiment in which a single MMU is used and a miss in the main TLB causes an exception to be invoked in order to determine the virtual to physical address translation;
Figure 54 is a flow diagram illustrating the process performed by the processor core in order to action the exception issued upon a miss in the main TLB of the MMU of Figure 53;
Figure 55 is a block diagram illustrating components provided within a data processing apparatus of one embodiment, in which the cache has information associated with it indicating whether the data stored in individual cache lines is secure data or non-secure data;
Figure 56 illustrates the construction of the MMU shown in Figure 55;
Figure 57 is a flow diagram illustrating the processing performed within the data processing apparatus of Figure 55 to handle a non-secure memory access request;
Figure 58 is a flow diagram illustrating the processing performed within the data processing apparatus of Figure 55 to handle a secure memory access request;
Figure 59 schematically shows possible granularity of the monitoring functions for programs running on the processor in different modes;
Figure 60 shows possible ways of initiating different monitoring functions;
Figure 61 shows a table of control values for controlling the availability of different monitoring functions;
Figure 62 shows a positive-edge triggered flip-flop;
Figure 63 shows a scan chain cell;
Figure 64 shows a plurality of scan chain cells in a scan chain;
Figure 65 shows a debug TAP controller;
Figure 66A shows a debug TAP controller with a JADI input;
Figure 66B shows a scan chain cell with a bypass register;
Figure 67 schematically illustrates a processor comprising a core, scan chains and debug status and control registers;
Figure 68 schematically illustrates the factors controlling debug or trace initiation;
Figures 69A and 69B show a summary of debug granularity;
Figure 70 schematically illustrates debug granularity at run time; and
Figures 71A and 71B illustrate monitor debug when debugging is permitted in the secure world and when it is not, respectively.
Description of the preferred embodiments
Figure 1 is a block diagram illustrating a data processing apparatus according to a preferred embodiment of the present invention. The data processing apparatus comprises a processor core 10, within which is provided an arithmetic logic unit (ALU) 16 arranged to execute sequences of instructions. Data required by the ALU 16 is stored in a register bank 14. The core 10 is provided with various monitoring functions to enable diagnostic data to be captured indicative of the activities of the processor core. As an example, an embedded trace module (ETM) 22 is provided for producing a real-time trace of certain activities of the processor core, in dependence on the contents of certain control registers 26 within the ETM 22 that define which activities are to be traced. The trace signals are typically output to a trace buffer, from where they can subsequently be analysed. A vectored interrupt controller 21 is provided for managing the servicing of a plurality of interrupts that may be raised by various peripherals (not shown).
Further, as shown in Figure 1, another monitoring function that can be provided within the core 10 is a debug function: a debugging application external to the data processing apparatus can communicate with the core 10 via a Joint Test Action Group (JTAG) controller 18, which is coupled to one or more scan chains 12. Information about the status of various parts of the processor core 10 can be output via the scan chains 12 and the JTAG controller 18 to the external debugging application. An in-circuit emulator (ICE) 20 is used to store within registers 24 the conditions identifying when the debug function should be started and stopped, and hence will for example be used to store breakpoints, watchpoints and the like.
The core 10 is coupled to a system bus 40, and memory management logic 30 is provided for managing memory access requests issued by the core 10 for access to locations in the memory of the data processing apparatus. Certain parts of the memory may be embodied by memory units connected directly to the system bus 40, for example the tightly coupled memory (TCM) 36 and the cache 38 shown in Figure 1. Additional devices may also be provided for accessing such memory, for example a direct memory access (DMA) controller 32. Typically, various control registers 34 will be provided for defining certain control parameters of the various elements of the chip; these control registers are also referred to herein as coprocessor 15 (CP15) registers.
The chip containing the core 10 may be coupled via an external bus interface 42 to an external bus 70 (for example a bus operating in accordance with the "Advanced Microcontroller Bus Architecture" (AMBA) specification developed by ARM Limited), and various devices may be connected to the external bus 70. These devices may include master devices such as a digital signal processor (DSP) 50 or a direct memory access (DMA) controller 52, as well as various slave devices such as a boot ROM 44, a screen driver 46, an external memory 56, an input/output (I/O) interface 60 or a key storage unit 64. These various slave devices shown in Figure 1 can all be considered as incorporating parts of the overall memory of the data processing apparatus. For example, the boot ROM 44 will form part of the addressable memory of the data processing apparatus, as will the external memory 56. Further, devices such as the screen driver 46, the I/O interface 60 and the key storage unit 64 each incorporate internal storage elements such as registers or buffers 48, 62, 66 respectively, which are individually addressable as part of the overall memory of the data processing apparatus. As will be discussed in more detail later, a part of the memory, for example part of the external memory 56, will be used to store one or more page tables 58 defining information relevant to the control of memory accesses.
As will be appreciated by those skilled in the art, the external bus 70 will typically be provided with arbiter and decoder logic 54; the arbiter is used to arbitrate between multiple memory access requests issued by multiple master devices, for example the core 10, DMA 32, DSP 50, DMA 52 and so on, while the decoder is used to determine which slave device on the external bus should handle any particular memory access request.
Although in some embodiments the external bus may be provided externally to the chip containing the core 10, in other embodiments the external bus may be provided on the same chip as the core 10. This has the advantage that secure data on the external bus is easier to keep secret than when the external bus is off-chip. When the external bus is off-chip, data encryption techniques may be used to increase the security of the secure data.
Figure 2 schematically illustrates various programs running on a processing system having a secure domain and a non-secure domain. The system is provided with a monitor program 72 which executes at least partially in a monitor mode. In this example embodiment, the security status flag is write-accessible only within the monitor mode and may be written by the monitor program 72. The monitor program 72 is responsible for managing all changes between the secure domain and the non-secure domain in either direction. From a viewpoint external to the core, the monitor mode is always secure and the monitor program resides in secure memory.
Within the non-secure domain there is provided a non-secure operating system 74 and a plurality of non-secure application programs 76, 78 which execute in cooperation with the non-secure operating system 74. In the secure domain, a secure kernel 80 is provided. The secure kernel 80 can be considered to form a secure operating system. Typically such a secure kernel 80 will be designed to provide only those functions which are essential to processing activities that must be provided in the secure domain, so that the secure kernel 80 can be as small and simple as possible, since this will make it more secure. A plurality of secure applications 82, 84 are illustrated as executing in combination with the secure kernel 80.
Figure 3 illustrates a matrix of processing modes associated with different security domains. In this particular example the processing modes are symmetrical with respect to the security domains, and accordingly Mode 1 and Mode 2 each exist in both secure and non-secure forms.
The monitor mode has the highest level of security access in the system and, in this example embodiment, is the only mode entitled to switch the system between the non-secure domain and the secure domain in either direction. Thus, all domain switches take place via a switch to the monitor mode and the execution of the monitor program 72 within the monitor mode.
Figure 4 schematically illustrates another set of non-secure domain processing modes 1, 2, 3, 4 and secure domain processing modes a, b, c. In contrast to the symmetric arrangement of Figure 3, Figure 4 shows that some processing modes may not be present in one or other of the security domains. The monitor mode 86 is again illustrated as straddling the non-secure domain and the secure domain. The monitor mode 86 can be considered a secure processing mode, since the security status flag may be changed in this mode and the monitor program 72 in the monitor mode has the ability to itself set the security status flag; it therefore effectively provides the ultimate level of security within the system as a whole.
Figure 5 schematically illustrates another arrangement of processing modes with respect to security domains. In this arrangement both the secure and non-secure domains are identified, together with a further domain. This further domain may be one that does not need to interact with the secure or non-secure domains shown, being independent of the remainder of the system so that its behaviour is irrelevant to those other parts.
As will be appreciated, processing systems such as microprocessors normally have a register bank 88 in which operand values may be stored. Figure 6 illustrates a programmer's model view of an example register bank, with dedicated registers being provided for certain register numbers in certain of the processing modes. More particularly, the example of Figure 6 is an extension of the known ARM register bank (for example as provided in the ARM processors of ARM Limited, Cambridge, England), which has a dedicated saved program status register, a dedicated stack pointer register and a dedicated link register R14 for each processing mode, but in this case extended by the provision of a monitor mode. As illustrated in Figure 6, the fast interrupt mode has additional dedicated registers provided so that, upon entry into the fast interrupt mode, there is no need to save and later restore the register contents of other modes. In a similar manner to the fast interrupt mode, the monitor mode may in other embodiments be provided with additional dedicated registers in order to speed up the processing of a security domain switch and reduce the system latency associated with such switches.
Figure 7 schematically illustrates another embodiment in which the register bank 88 is provided in the form of two complete and separate register banks for use respectively in the secure domain and the non-secure domain. This is one way of preventing secure data stored in registers operable in the secure domain from being accessed when a switch is made to the non-secure domain. However, such an arrangement hinders the possibility of passing data from the non-secure domain to the secure domain, which may be permitted and desirable, using the fast and efficient mechanism of placing it in registers that are accessible in both the non-secure domain and the secure domain.
An important advantage of having separate secure register banks is that there is no need to flush the contents of the registers before switching from one domain to the other. If latency is not a critical issue, a simpler hardware system with no duplicated registers for the secure domain may be used, for example that of Figure 6. The monitor mode is responsible for switching from one domain to the other. Restoring the context, saving the previous context and flushing the registers are performed by the monitor program executing at least partially in the monitor mode. The system thus behaves like a virtualisation model. This embodiment is discussed further below, with reference to the programmer's model of, for example, an ARM7 on which the security features described herein are built.
Processor modes
Rather than duplicating the modes in the secure domain, the same modes support both the secure and the non-secure domain (see Figure 8). The monitor mode is aware of the current status of the core, whether secure or non-secure (for example as read from the S bit stored in a coprocessor configuration register).
In Figure 8, whenever an SMI (software monitor interrupt instruction) occurs, the core enters the monitor mode in order to switch appropriately from one domain to the other.
Referring to Figure 9, where SMIs are permitted from user mode:
1. The scheduler launches thread 1.
2. Thread 1 needs to perform a secure function => SMI secure call; the core enters monitor mode. Under hardware control, the current PC and CPSR (current processor status register) are stored in R14_mon and SPSR_mon (the saved processor status register for monitor mode), and IRQ/FIQ interrupts are disabled.
3. The monitor program performs the following tasks:
- sets the S bit (security status flag);
- saves at least R14_mon and SPSR_mon on a stack, so that the non-secure context is not lost if an exception occurs while the secure application is running;
- checks whether there is a new thread to launch: secure thread 1. A mechanism (in some embodiments a thread ID table) indicates that thread 1 is active in the secure world;
- re-enables IRQ/FIQ interrupts. The secure application can then start in secure user mode.
4. Secure thread 1 runs until it finishes, then branches (SMI) to the "return from secure" function of the monitor mode (IRQ/FIQ interrupts are disabled when the core enters monitor mode).
5. The "return from secure" function performs the following tasks:
- indicates that secure thread 1 has finished (for example, in the case of a thread ID table, removes thread 1 from the table);
- restores the required registers from the non-secure context on the stack and flushes the others, so that no secure data can be read once back in the non-secure domain;
- then branches back to the non-secure domain with a SUBS instruction (which restores the program counter to the correct point and updates the status flags), restoring the PC (from R14_mon) and the CPSR (from SPSR_mon). The re-entry point in the non-secure domain is therefore the instruction following the previously executed SMI in thread 1.
6. Thread 1 executes until its end, then returns control to the scheduler.
Depending on the particular embodiment, some of the above functionality may be split between the monitor program and the secure operating system.
In other embodiments it may be desirable not to permit SMIs in user mode.
Entering the secure world
Reset
When a hardware reset occurs, the MMU is disabled and the ARM core (processor) branches to the secure supervisor mode with the S bit set. Once the secure boot has finished, an SMI can be executed to enter the monitor mode and, if required, the monitor can switch to the OS in the non-secure world (non-secure svc mode). If a legacy OS is to be used, it can simply boot in the secure supervisor mode and ignore the secure state.
The SMI instruction
This instruction (the mode switching software interrupt instruction) can be called from any non-secure mode in the non-secure world (as mentioned previously, it may be desirable to restrict SMIs to privileged modes), but the target entry point, determined by the associated vector, is always fixed and is in the monitor mode. It is up to the SMI handler to branch to the appropriate secure function that must be run (for example under the control of an operand passed with the instruction).
Passing parameters from the non-secure world to the secure world can be performed using the shared registers of a Figure 6-type register bank.
When an SMI occurs in the non-secure world, the ARM core may perform the following actions in hardware:
- Branch to the SMI vector in the monitor mode (secure memory access is allowed, since the core is now in the monitor mode).
- Save the PC in R14_mon and the CPSR in SPSR_mon.
- Set the S bit, using the monitor program.
- Start executing the secure exception handler in the monitor mode (restore/save context in the case of multi-threading).
- Branch to the secure user mode (or another mode, such as svc mode) in order to execute the appropriate function.
- Disable IRQ and FIQ while the core is in the monitor mode (increased latency).
Exiting the secure world
There are two possibilities for exiting the secure world:
- The secure function finishes and returns to the previous non-secure mode that called the function.
- The secure function is interrupted by a non-secure exception (for example IRQ/FIQ/SMI).
Normal termination of a secure function
The secure function terminates normally and the application in the non-secure world needs to be resumed at the instruction just after the SMI. In the secure user mode, an "SMI" instruction is executed with the appropriate parameter corresponding to the "return from secure world" routine, in order to return to the monitor mode. At this stage, the registers are flushed to avoid any leakage of data between the non-secure and secure worlds, then the non-secure context general registers are restored and the non-secure bank registers are updated with the values they held in the non-secure world. R14_mon and SPSR_mon thus obtain the appropriate values, and the non-secure application is resumed after the SMI by executing a "MOVS PC, R14" instruction.
Exit from a secure function caused by a non-secure exception
In this case, the secure function is not terminated, and the secure context must be saved before entering the non-secure exception handler, regardless of whether those interrupts need to be handled.
Secure interrupts
There are several possibilities for secure interrupts.
Two possible solutions are proposed below, depending on:
- what kind of interrupt it is (secure or non-secure);
- what mode the core is in when the IRQ occurs (in the secure or the non-secure world).
Solution one
In this solution, two distinct pins are required to support secure and non-secure interrupts.
While in the non-secure world, if
- an IRQ occurs, the core enters the IRQ mode to handle this interrupt, as in an ARM core such as the ARM7;
- an SIRQ occurs, the core enters the monitor mode to save the non-secure context, then enters the secure IRQ handler to handle the secure interrupt.
While in the secure world, if
- an SIRQ occurs, the core enters the secure IRQ handler. The core does not leave the secure world;
- an IRQ occurs, the core enters the monitor mode, where the secure context is saved, then enters the non-secure IRQ handler to handle this non-secure interrupt.
In other words, when an interrupt that does not belong to the current world occurs, the core goes directly into the monitor mode; otherwise it stays in the current world (see Figure 10).
IRQ occurring in the secure world
See Figure 11A:
1. The scheduler launches thread 1.
2. Thread 1 needs to perform a secure function => SMI secure call; the core enters the monitor mode. The current PC and CPSR are saved in R14_mon and SPSR_mon, and IRQ/FIQ are disabled.
3. The monitor handler (program) performs the following tasks:
- Sets the S bit.
- Saves at least R14_mon and SPSR_mon on a stack (and possibly pushes other registers), so that the non-secure context is not lost if an exception occurs while the secure application is running.
- Checks that there is a new thread to run: secure thread 1. A mechanism (a thread ID table) indicates that thread 1 is active in the secure world.
- Starts the secure application in the secure user mode. IRQ/FIQ are then re-enabled.
4. An IRQ occurs while secure thread 1 is running. The core jumps directly to the monitor mode (a specific vector), where the current PC is stored in R14_mon and the CPSR in SPSR_mon (IRQ/FIQ are then disabled).
5. The secure context must be saved and the previous non-secure context restored. The monitor handler can switch to the IRQ mode and update R14_irq/SPSR_irq with the appropriate values, then pass control to the non-secure IRQ handler.
6. The IRQ handler services the IRQ, then returns control to thread 1 in the non-secure world by restoring SPSR_irq and R14_irq into the CPSR and the PC. Thread 1 now points at the SMI instruction that was interrupted.
7. The SMI instruction is re-executed (the same instruction as in step 2).
8. The monitor handler notices that this thread was previously interrupted and restores the thread 1 context. It then branches to secure thread 1 in user mode, which points at the interrupted instruction.
9. Secure thread 1 then runs until it finishes, then branches to the "return from secure" function in the monitor mode (a dedicated SMI).
10. The "return from secure" function performs the following tasks:
- Indicates that secure thread 1 has finished (that is, in the case of a thread ID table, removes thread 1 from the table).
- Restores the non-secure context from the stack and flushes the required registers, so that no secure data can be read once the core has returned to the non-secure world.
- Branches back to the non-secure world with a SUBS instruction, restoring the PC (from R14_mon) and the CPSR (from SPSR_mon). The re-entry point in the non-secure world should therefore be the instruction following the SMI previously executed in thread 1.
11. Thread 1 executes until it ends, then returns control to the scheduler.
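The following is an added C model of the world switch described in the SMI entry and "return from secure" sequences above and in the Figure 11A sequence (solution one, IRQ in the secure world). It is not code from the patent; the register names (S bit, R14_mon/SPSR_mon, R14_irq/SPSR_irq), the SMI and SUBS behaviour and the ordering of the monitor's steps follow the text, while the register layout, the addresses, the one-entry thread table and the secret value are assumptions made for the model. The point it makes concrete is the two checks a reviewer of a real monitor would want: the shared registers are scrubbed before the core leaves the secure world, and the non-secure IRQ handler is made to return to the SMI itself so that the monitor re-enters the secure thread at the interrupted instruction.

```c
/* Added example, not from the patent: model of the monitor-mode world switch.
 * Layout, addresses and the SECRET value are assumptions for the model. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum mode { USR, IRQ, MON };

struct cpu {
    int s_bit, irq_enabled;
    enum mode mode;
    uint32_t pc, cpsr;
    uint32_t r[4];                      /* shared registers (figure-6 bank) */
    uint32_t r14_mon, spsr_mon, r14_irq, spsr_irq;
};

struct monitor {                        /* monitor-private (secure) state */
    uint32_t ns_r14, ns_spsr;           /* stacked non-secure return context */
    int thread_interrupted;             /* one-entry "thread id table" */
    uint32_t resume_pc, ctx[4];
};

#define SMI_ADDR     0x1000u            /* SMI inside non-secure thread 1 */
#define SECURE_ENTRY 0x8000u            /* secure thread 1 entry point */
#define NS_IRQ_VEC   0x0018u            /* IRQ vector offset */
#define SECRET       0xC0FFEEu          /* constructed secure value */

/* Hardware trap to monitor mode (SMI or, in solution one, a non-secure IRQ
 * while S=1): bank the return PC and CPSR, mask IRQ/FIQ. */
static void hw_to_monitor(struct cpu *c, uint32_t ret_pc)
{
    c->r14_mon = ret_pc; c->spsr_mon = c->cpsr;
    c->mode = MON; c->irq_enabled = 0;
}

/* Monitor on an SMI from the non-secure world: set S, stack the non-secure
 * context, start secure thread 1 or resume it if it was interrupted. */
static void mon_enter_secure(struct cpu *c, struct monitor *m)
{
    c->s_bit = 1;
    m->ns_r14 = c->r14_mon; m->ns_spsr = c->spsr_mon;
    if (m->thread_interrupted) {
        memcpy(c->r, m->ctx, sizeof c->r);
        c->pc = m->resume_pc;
        m->thread_interrupted = 0;
    } else {
        c->pc = SECURE_ENTRY;
    }
    c->mode = USR; c->irq_enabled = 1;
}

/* Monitor, step 5 of figure 11A: save the secure context, scrub the shared
 * registers, restore the non-secure context into the IRQ-mode registers and
 * point the return at the SMI itself so that it is re-executed afterwards. */
static void mon_forward_irq(struct cpu *c, struct monitor *m)
{
    memcpy(m->ctx, c->r, sizeof c->r);
    m->resume_pc = c->r14_mon;
    m->thread_interrupted = 1;
    memset(c->r, 0, sizeof c->r);       /* nothing secure leaves the world */
    c->s_bit = 0;
    c->r14_irq = m->ns_r14 - 4;         /* the SMI, not the instruction after */
    c->spsr_irq = m->ns_spsr;
    c->mode = IRQ; c->pc = NS_IRQ_VEC;
}

/* Non-secure IRQ handler return (SUBS PC, R14_irq, #4 equivalent). */
static void ns_irq_return(struct cpu *c)
{
    c->pc = c->r14_irq; c->cpsr = c->spsr_irq;
    c->mode = USR; c->irq_enabled = 1;
}

/* Monitor "return from secure": drop the thread, flush the registers,
 * restore the non-secure context and return after the SMI (MOVS PC, R14). */
static void mon_return_from_secure(struct cpu *c, struct monitor *m)
{
    m->thread_interrupted = 0;
    memset(c->r, 0, sizeof c->r);
    c->s_bit = 0;
    c->pc = m->ns_r14; c->cpsr = m->ns_spsr;
    c->mode = USR; c->irq_enabled = 1;
}

/* Run the figure-11A sequence; each bit of the result is one check passed. */
int run_figure_11a(void)
{
    struct cpu c = {0}; struct monitor m = {0};
    int ok = 0;
    c.pc = SMI_ADDR; c.mode = USR; c.irq_enabled = 1;
    hw_to_monitor(&c, c.pc + 4); mon_enter_secure(&c, &m);   /* steps 2-3 */
    c.r[0] = SECRET; c.pc = SECURE_ENTRY + 8;                /* thread working */
    hw_to_monitor(&c, c.pc); mon_forward_irq(&c, &m);        /* steps 4-5 */
    ok |= (c.s_bit == 0 && c.r[0] != SECRET) << 0;           /* no leak to NS */
    ns_irq_return(&c);                                       /* step 6 */
    ok |= (c.pc == SMI_ADDR) << 1;                           /* lands on the SMI */
    hw_to_monitor(&c, c.pc + 4); mon_enter_secure(&c, &m);   /* steps 7-8 */
    ok |= (c.pc == SECURE_ENTRY + 8 && c.r[0] == SECRET) << 2;
    hw_to_monitor(&c, c.pc + 4); mon_return_from_secure(&c, &m); /* 9-10 */
    ok |= (c.pc == SMI_ADDR + 4 && c.s_bit == 0 && c.r[0] == 0) << 3;
    return ok;                                               /* 0xF: all pass */
}

int main(void)
{
    printf("figure 11A checks passed: 0x%x (expect 0xf)\n", run_figure_11a());
    return 0;
}
```

The scrub in mon_forward_irq and mon_return_from_secure is the part worth copying into a real monitor: whatever else the context switch does, every register the non-secure world can read must be cleared or overwritten with non-secure values before the S bit is cleared.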
SIRQ occurring in the non-secure world
See Figure 11B:
1. The scheduler launches thread 1.
2. An SIRQ occurs while thread 1 is running. The core jumps directly to the monitor mode (a specific vector), where the current PC is stored in R14_mon and the CPSR in SPSR_mon, and IRQ/FIQ are then disabled.
3. The non-secure context must be saved; the core then enters the secure IRQ handler.
4. The IRQ handler services the SIRQ, then returns control to the monitor mode handler using an SMI with the appropriate parameter.
5. The monitor handler restores the non-secure context so that a SUBS instruction makes the core return to the non-secure world and resume the interrupted thread 1.
6. Thread 1 executes until it ends, then returns control to the scheduler.
The mechanism of Figure 11A has the advantage of providing a deterministic way of entering the secure world. However, there are some problems associated with interrupt priorities: for example, while an SIRQ is being serviced in the secure interrupt handler, a non-secure IRQ with a higher priority may occur. Once the non-secure IRQ has finished, the SIRQ event needs to be recreated so that the core can resume the secure interrupt.
Solution two
In this mechanism (see Figure 12), either two distinct pins or a single pin may support secure and non-secure interrupts. Having two pins reduces interrupt latency.
While in the non-secure world, if
- an IRQ occurs, the core enters the IRQ mode to handle this interrupt, as in an ARM7 system;
- an SIRQ occurs, the core enters the IRQ handler, where an SMI instruction makes the core branch to the monitor mode in order to save the non-secure context; the core then enters the secure IRQ handler to handle the secure interrupt.
While in the secure world, if
- an SIRQ occurs, the core enters the secure IRQ handler. The core does not leave the secure world;
- an IRQ occurs, the core enters the secure IRQ handler, where an SMI instruction makes the core branch to the monitor mode (where the secure context is saved); the core then enters the non-secure IRQ handler to handle this non-secure interrupt.
IRQ occurring in the secure world
See Figure 13A:
1. The scheduler launches thread 1.
2. Thread 1 needs to perform a secure function => SMI secure call; the core enters the monitor mode. The current PC and CPSR are saved in R14_mon and SPSR_mon, and IRQ/FIQ are disabled.
3. The monitor handler performs the following tasks:
- Sets the S bit.
- Saves at least R14_mon and SPSR_mon on a stack (and possibly other registers), so that the non-secure context is not lost if an exception occurs while the secure application is running.
- Checks that there is a new thread to run: secure thread 1. A mechanism (a thread ID table) indicates that thread 1 is active in the secure world.
- Starts the secure application in the secure user mode. IRQ/FIQ are re-enabled.
4. An IRQ occurs while secure thread 1 is running. The core jumps directly to the secure IRQ mode.
5. The core stores the current PC in R14_irq and the CPSR in SPSR_irq. The IRQ handler detects that this is a non-secure interrupt and executes an SMI with the appropriate parameter to enter the monitor mode.
6. The secure context must be saved and the previous non-secure context restored. The monitor handler knows where the SMI came from by reading the CPSR. It can also enter the IRQ mode and read R14_irq/SPSR_irq in order to save the secure context properly. It can also store in those same registers the non-secure context that must be restored once the non-secure IRQ transaction has finished.
7. The IRQ handler services the IRQ, then returns control to thread 1 in the non-secure world by restoring SPSR_irq and R14_irq into the CPSR and the PC. The core now points at the SMI instruction that was interrupted.
8. The SMI instruction is re-executed (the same instruction as in step 2).
9. The monitor handler notices that this thread was previously interrupted and restores the thread 1 context. It then branches to secure thread 1 in user mode, which points at the interrupted instruction.
10. Secure thread 1 then runs until it finishes, then branches to the "return from secure" function in the monitor mode (a dedicated SMI).
11. The "return from secure" function performs the following tasks:
- Indicates that secure thread 1 has finished (that is, in the case of a thread ID table, removes thread 1 from the table).
- Restores the non-secure context from the stack and flushes the required registers, so that no secure data can be read once the core has returned to the non-secure world.
- Branches back to the non-secure world with a SUBS instruction, restoring the PC (from R14_mon) and the CPSR (from SPSR_mon). The re-entry point in the non-secure world should be the instruction following the SMI previously executed in thread 1.
12. Thread 1 executes until it ends, then returns control to the scheduler.
SIRQ occurring in the non-secure world
See Figure 13B:
1. The scheduler launches thread 1.
2. An SIRQ occurs while thread 1 is running.
3. The core jumps directly to the IRQ mode, stores the current PC in R14_irq and the CPSR in SPSR_irq, and disables IRQ. The IRQ handler detects that this is an SIRQ and executes the SMI instruction with the appropriate parameter.
4. Once in the monitor mode, the non-secure context must be saved; the core then enters the secure IRQ handler.
5. The IRQ handler services the SIRQ, then returns control to the monitor mode handler by an SMI with the appropriate parameter.
6. The monitor handler restores the non-secure context so that a SUBS instruction makes the core return to the non-secure world and resume the interrupted IRQ handler.
7. The IRQ handler then returns to the non-secure thread by executing a SUBS.
8. Thread 1 executes until it ends, then returns control to the scheduler.
With the mechanism of Figure 12, the SIRQ event does not need to be recreated in the case of nested interrupts, but there is no guarantee that the secure interrupt will be serviced.
Exception vectors
At least two physical vector tables are kept (although from a virtual address point of view they may appear to be a single vector table): one in non-secure memory for the non-secure world, and one in secure memory (not accessible from the non-secure world) for the secure world. The different virtual-to-physical memory mappings used in the secure and non-secure worlds effectively allow the same virtual memory addresses to access different vector tables stored in physical memory. The monitor mode may always use a flat memory mapping in order to provide a third vector table in physical memory.
If the interrupt mechanism of Figure 12 is used, each table contains the following vectors, as shown in Figure 14. This set of vectors is duplicated in secure and non-secure memory.
Exception         Vector offset   Corresponding mode
Reset             0x00            Supervisor mode (S bit set)
Undefined         0x04            Monitor mode / Undefined mode
SWI               0x08            Supervisor mode / Monitor mode
Prefetch abort    0x0C            Abort mode / Monitor mode
Data abort        0x10            Abort mode / Monitor mode
IRQ/SIRQ          0x18            IRQ mode
FIQ               0x1C            FIQ mode
SMI               0x20            Undefined mode / Monitor mode
NB. The Reset entry exists only in the secure vector table. When a reset occurs while the core is in the non-secure world, the core hardware forces entry to the supervisor mode and sets the S bit so that the reset vector in secure memory can be accessed.
Figure 15 illustrates three exception vector tables, applicable respectively to the secure mode, the non-secure mode and the monitor mode. Each of these exception vector tables can be programmed with exception vectors that match the requirements and characteristics of the secure and non-secure operating systems. Each exception vector table may have an associated vector table base address register in CP15 that stores a base address pointing to that table in memory. When an exception occurs, the hardware refers to the vector table base address register corresponding to the current state of the system in order to determine the base address of the vector table to be used. Alternatively, the different virtual-to-physical memory mappings applied in the different modes may be used to separate the three vector tables stored at different physical memory addresses. As shown in Figure 16, an exception trap mask register is provided in the system (configuration controlling) coprocessor (CP15) associated with the processor core. This exception trap mask register provides a flag associated with each exception type. These flags indicate whether the hardware should act to handle the exception directly through the vector associated with its current domain, or should force a switch to the monitor mode (which is a type of secure mode) and then follow the vector in the monitor mode vector table. The exception trap mask register (exception control register) is writable only from the monitor mode. Read access to the exception trap mask register may also be prevented when in a non-secure mode. It will be seen that the exception trap mask register of Figure 16 contains no flag for the reset vector, because the system is configured to always jump to the reset vector in the secure supervisor mode as specified in the secure vector table, in order to guarantee secure boot and backwards compatibility. It will be seen in Figure 15 that, for the sake of completeness, a reset vector is shown in the vector tables other than the secure vector table of the secure supervisor mode.
Figure 16 also illustrates that the flags for the different exception types in the exception trap mask register are programmable, for example by the monitor program during secure boot. Alternatively, in some implementations some or all of the flags may be provided by physical input signals; for example, the secure interrupt flag SIRQ may be hard-wired so that, whenever a secure interrupt signal is received, the monitor mode is always entered and the corresponding secure interrupt request vector of the monitor mode is followed. Figure 16 illustrates only the part of the exception trap mask register associated with exceptions in the non-secure domain; a similar set of programmable bits is provided for exceptions in the secure domain.
Although it will be appreciated from the above that, at one level, the hardware either forces interrupt and exception handling to be performed through the current domain's exception vectors or through the monitor mode exception handling, depending on the exception control register flags, this is only the first level of control applied. For example, an exception may occur in the secure mode and the secure mode exception vector may be followed to a secure mode exception handler, but that secure mode exception handler may then decide that the exception is better dealt with by a non-secure exception handler and accordingly use an SMI instruction to switch to the non-secure mode and invoke the non-secure exception handler. The converse is also possible: the hardware may be used to start a non-secure handler that then executes instructions directing processing to a secure exception handler or to a monitor mode exception handler.
Figure 17 schematically illustrates the operation of the system to support a further possible type of switch request, associated with a new type of exception. At step 98, the hardware detects any instruction that attempts to change to the monitor mode as indicated in the current program status register (CPSR). When such an attempt is detected, a new type of exception is triggered, referred to here as a CPSR violation exception. At step 100, this CPSR violation exception is generated and, at step 102, the appropriate exception vector in the monitor mode is referenced and the monitor program is run in order to handle this CPSR violation exception.
It will be appreciated that the mechanism described with reference to Figure 17 may be provided in addition to the SMI instruction described above for initiating a switch between the secure domain and the non-secure domain. Where all authorised attempts to switch are performed through the SMI instruction, this exception mechanism may be provided so as to respond to unauthorised attempts to switch mode. Alternatively, this mechanism may itself be the legitimate way of switching between the secure domain and the non-secure domain, or may be provided in order to give backwards compatibility with existing code which, for example, attempts to clear the processor status register as part of its normal operation even though it is not really making an unauthorised attempt to switch between the secure domain and the non-secure domain.
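The following is an added C model of the first-level exception routing described above; it is not code from the patent. From the text it takes the three vector tables with a CP15 base address register each, the exception trap mask register with one flag per exception type that only the monitor mode may write and that non-secure modes may not read, the reset that is always taken in the secure supervisor mode, the vector offsets of the table above, and the CPSR violation exception of Figure 17. The base addresses, the bit layout of the mask register and the 0x24 offset used for the CPSR violation vector are assumptions made for the model; the page gives none of them.

```c
/* Added example, not from the patent: exception vector selection driven by
 * the S bit, the current mode and the exception trap mask register.
 * Base addresses, mask bit layout and the 0x24 CPSR-violation offset are
 * assumptions for the model. */
#include <stdint.h>
#include <stdio.h>

enum exc  { E_RESET, E_UNDEF, E_SWI, E_PABT, E_DABT, E_IRQ, E_FIQ, E_SMI,
            E_CPSR_VIOL, N_EXC };
enum mode { M_USR, M_SVC, M_IRQ, M_FIQ, M_ABT, M_UND, M_MON };

static const uint32_t offset[N_EXC] = {
    0x00, 0x04, 0x08, 0x0C, 0x10, 0x18, 0x1C, 0x20, 0x24 };

struct cp15 {
    uint32_t base_ns, base_s, base_mon;   /* vector table base registers */
    uint32_t trap_mask_ns, trap_mask_s;   /* bit n set: trap exception n to monitor */
};

struct core { int s_bit; enum mode mode; struct cp15 cp; };

/* The trap mask is writable only from monitor mode; any other write is
 * refused (-1) and leaves the register unchanged. */
int write_trap_mask(struct core *c, int secure_half, uint32_t value)
{
    if (c->mode != M_MON) return -1;
    if (secure_half) c->cp.trap_mask_s = value; else c->cp.trap_mask_ns = value;
    return 0;
}

/* Non-secure modes may not even read the mask (-1). */
int read_trap_mask(const struct core *c, int secure_half, uint32_t *out)
{
    if (!c->s_bit && c->mode != M_MON) return -1;
    *out = secure_half ? c->cp.trap_mask_s : c->cp.trap_mask_ns;
    return 0;
}

/* First-level hardware decision: which table does exception e vector
 * through, and which mode / S-bit state results.  Returns the vector address. */
uint32_t take_exception(struct core *c, enum exc e)
{
    uint32_t mask = c->s_bit ? c->cp.trap_mask_s : c->cp.trap_mask_ns;
    int to_monitor;

    if (e == E_RESET) {                 /* no mask bit: always secure boot */
        c->s_bit = 1; c->mode = M_SVC;
        return c->cp.base_s + offset[E_RESET];
    }
    /* Model simplification: SMI and the CPSR violation always go to the
     * monitor table, as do exceptions raised while already in monitor mode;
     * everything else obeys the mask bit of the current domain. */
    to_monitor = e == E_SMI || e == E_CPSR_VIOL || c->mode == M_MON ||
                 ((mask >> e) & 1u);
    if (to_monitor) {
        c->mode = M_MON;                /* monitor mode is a secure mode */
        return c->cp.base_mon + offset[e];
    }
    switch (e) {                        /* handled within the current domain */
    case E_UNDEF: c->mode = M_UND; break;
    case E_SWI:   c->mode = M_SVC; break;
    case E_PABT: case E_DABT: c->mode = M_ABT; break;
    case E_IRQ:   c->mode = M_IRQ; break;
    case E_FIQ:   c->mode = M_FIQ; break;
    default: break;
    }
    return (c->s_bit ? c->cp.base_s : c->cp.base_ns) + offset[e];
}

/* Figure-17 check: writing the CPSR mode field to "monitor" from any other
 * mode raises the CPSR violation exception instead of switching. */
uint32_t write_cpsr_mode(struct core *c, enum mode requested)
{
    if (requested == M_MON && c->mode != M_MON)
        return take_exception(c, E_CPSR_VIOL);
    c->mode = requested;
    return 0;
}

/* The cases a reviewer would check; each bit of the result is one pass. */
int run_vector_checks(void)
{
    struct core c = { .s_bit = 0, .mode = M_USR,
        .cp = { .base_ns = 0x00000000u, .base_s = 0xFFFF0000u,
                .base_mon = 0xFFFF8000u } };
    int ok = 0;
    ok |= (write_trap_mask(&c, 0, 1u << E_IRQ) == -1) << 0;   /* refused in USR */
    c.mode = M_MON;
    ok |= (write_trap_mask(&c, 0, 1u << E_IRQ) == 0) << 1;    /* allowed in MON */
    c.mode = M_USR;
    ok |= (take_exception(&c, E_IRQ) == 0xFFFF8018u && c.mode == M_MON) << 2;
    c.mode = M_USR;
    ok |= (take_exception(&c, E_SWI) == 0x00000008u && c.mode == M_SVC) << 3;
    c.mode = M_USR;
    ok |= (write_cpsr_mode(&c, M_MON) == 0xFFFF8024u && c.mode == M_MON) << 4;
    c.mode = M_USR; c.s_bit = 0;
    ok |= (take_exception(&c, E_RESET) == 0xFFFF0000u && c.s_bit == 1 &&
           c.mode == M_SVC) << 5;
    return ok;                                                 /* 0x3F: all pass */
}

int main(void)
{
    printf("vector checks passed: 0x%x (expect 0x3f)\n", run_vector_checks());
    return 0;
}
```

The write_trap_mask refusal is the property that matters for the design: if a non-secure privileged mode could clear a trap bit, it could route a secure interrupt through its own IRQ vector and the monitor would never see it.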
As described above, interrupts are generally disabled when the processor is in the monitor mode. The purpose of this is to increase the security of the system. When an interrupt occurs, the current state of the processor is stored in an exception interrupt register, so that when the interrupt function has finished, processing of the interrupted function can be resumed at the point of interruption. If this process were allowed in the monitor mode, it could reduce the security of the monitor mode and provide a possible path for secure data to leak. For this reason, interrupts are normally disabled in the monitor mode. One consequence of disabling interrupts during the monitor mode, however, is an increase in interrupt latency.
Interrupts can be allowed in the monitor mode if the processor state of the function being executed is not stored. This is only possible if the function is not resumed after the interrupt. The problem of interrupt latency in the monitor mode can therefore be solved by allowing only those functions that can safely be restarted to be interrupted in the monitor mode. In this case, after an interrupt in the monitor mode, the data relating to the function being processed is not stored but discarded, and when the interrupt has finished the processor is instructed to process the function again from the beginning. In the example above, this is simply a matter of the processor returning to the point at which it switched to the monitor mode. It should be noted that only some functions can be restarted, namely those that produce repeatable results when they are restarted after having been partly processed. If a function has changed the state of the processor such that restarting it would produce a different result, restarting the function is not a good idea. For this reason, only those functions that can safely be restarted are interrupted in the monitor mode; for other functions, interrupts are disabled.
Figure 18 illustrates a method of handling an interrupt that occurs in the monitor mode according to an embodiment of the invention. An SMI occurs during the processing of task A in the non-secure mode, and this switches the processor to the monitor mode. The SMI instruction makes the core enter the monitor mode through a dedicated non-secure SMI vector. The current state of the PC is saved, the S bit is set and interrupts are disabled. Generally, LR_mon and SPSR_mon are used to save the PC and CPSR of the non-secure mode.
A function, function C, is then started in the monitor mode. The first thing function C does is to enable interrupts; function C is then processed. If an interrupt occurs during the processing of function C, interrupts are not disabled, so the interrupt is accepted and performed. However, the monitor mode indicator instructs the processor that, after the interrupt, the function is not to be resumed but restarted. Alternatively, the processor may be instructed by a separate control parameter. Thus, after the interrupt, the exception interrupt vector is updated with the values of LR_mon and SPSR_mon and the current state of the processor is not saved.
As shown in Figure 18, once the interrupt task, task B, has finished, the processor reads the address of the SMI instruction that was copied to the interrupt register, performs the SMI and starts processing function C again.
The above process can only be performed if function C is re-entrant, that is, if restarting it causes the processing steps to be repeated with the same result. If function C changes any of the state of the processor, for example the stack pointer, in a way that affects its subsequent processing, the situation is quite different. Functions that are repeatable in this way are said to have idempotence. One way of dealing with functions that do not have idempotence is to rearrange the code defining the function so that the first part of the code has idempotence, and to have the rearranged code disable interrupts once it no longer has idempotence. For example, if code C involves a push onto a stack, this operation can be performed without at first updating the stack pointer. Once it is determined that restarting the code is no longer safe, the code of function C can instruct the processor to disable interrupts, and it can then update the stack pointer to the correct position. This is shown in Figure 18 by the disabling of interrupts part way through the processing of function C.
Figure 19 illustrates a slightly different example. In this example, a further control parameter is set part way through the processing of task C. This indicates that the following part of task C is not strictly idempotent, but can safely be restarted provided that a fix-up routine is run first. This fix-up routine returns the state of the processor to the situation it was in when task C started, so that task C can safely be restarted and, at the end of the task, produces the same processor state as if it had not been interrupted. In some embodiments, interrupts may be disabled for a short time at the point at which the further control parameter is set, while some state of the processor, such as the stack pointer being updated, is corrected. This allows the processor to return to an idempotent state later.
Where an interrupt occurs after the further control parameter has been set, there are two possible ways of proceeding. Either the fix-up routine is performed immediately (at F1) and the interrupt is then handled, or the interrupt is handled immediately and, once it has completed, an SMI is performed and the fix-up routine is run (at F2) before task C is restarted. As can be seen, in these embodiments the fix-up routine is performed in the monitor mode, so that execution in the non-secure domain is not affected and the non-secure domain is unaware of the secure domain or the monitor mode.
As can be seen from Figure 19, the first part of code C has idempotence and can be restarted after an interrupt. The second part can be restarted provided the fix-up routine is run first, which is indicated by setting the "further" control parameter. The last part of the code cannot be restarted, so interrupts are disabled before this code is processed.
Figure 20 illustrates a further example. In this case, unlike the other embodiments, interrupts are allowed during the monitor mode. A function running in the monitor mode then disables interrupts as soon as it can no longer safely be restarted. This is possible provided that all functions interrupted in the monitor mode are restarted rather than resumed.
There are several ways of guaranteeing that all functions running in a particular mode are restarted rather than resumed when interrupted. One way is to add a new processor state in which an interrupt saves the start address of the instruction sequence rather than the address of the interrupted instruction. In this case the monitor mode always operates in this state. Another way is to preload the exception interrupt register with the start address of the function at the start of each function, and to disable the writing of the processor state into the exception interrupt register after an interrupt.
In the embodiment illustrated in Figure 20, the function is restarted immediately after the interrupt function has finished, or after a fix-up routine where one is required for the function to be restarted safely.
Although the method of handling interrupt latency has been described with respect to a system having secure and non-secure domains and a monitor mode, it is clearly applicable to any system having functions that, for some particular reason, should not be resumed. Generally, such functions operate with interrupts disabled, which increases interrupt latency. Modifying the functions so that they can be restarted, and controlling the processor to restart them after an interrupt, allows interrupts to be enabled during at least part of the processing of the function and helps to reduce interrupt latency. Standard context switching in an operating system is one example.
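The following added C simulation, not code from the patent, runs the restart-rather-than-resume scheme of Figures 18 to 20 on a small monitor-mode function C with the three-part structure the text describes: an idempotent first part that writes its value into the stack slot without moving the stack pointer, a second part that commits the push and sets the "further" control parameter so that a restart must be preceded by a fix-up routine, and a final part that runs with interrupts disabled. An interrupt is injected at a chosen point; the partial state is discarded and the function is restarted. The function body, the stack layout and the constructed input array are assumptions; the test compares the result of every interrupted run with the uninterrupted one and shows that a restart after the second part is only correct when the fix-up routine is run.

```c
/* Added example, not from the patent: restart-instead-of-resume for a
 * monitor-mode function, with an optional fix-up routine.  The function
 * body, stack layout and input values are assumptions for the model. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum irq_point { IRQ_NONE, IRQ_AFTER_PART1, IRQ_AFTER_PART2, IRQ_IN_PART3 };

struct state {
    uint32_t stack[4];
    int sp;                      /* next free slot */
    uint32_t acc;
    int irq_enabled;
    int fixup_needed;            /* the "further" control parameter */
    int done;
};

static const uint32_t input[4] = { 0x11, 0x22, 0x33, 0x44 };   /* constructed */

/* Fix-up routine: part 2 only moved the stack pointer, so undo that. */
static void fixup(struct state *s)
{
    s->sp -= 1;
    s->fixup_needed = 0;
}

/* Returns 1 if the injected interrupt was taken (partial work is to be
 * discarded and the function restarted), 0 if function C ran to the end. */
static int function_c(struct state *s, enum irq_point at)
{
    uint32_t sum = 0;
    /* Part 1, idempotent: checksum the input and write it into the stack
     * slot without yet updating the stack pointer. */
    s->irq_enabled = 1;
    for (int i = 0; i < 4; i++) sum = sum * 31u + input[i];
    s->acc = sum;
    s->stack[s->sp] = sum;
    if (at == IRQ_AFTER_PART1 && s->irq_enabled) return 1;

    /* Part 2: commit the push.  From here a plain restart would push twice,
     * so set the control parameter that makes the monitor run fixup() first.
     * Interrupts are masked only while the pointer is being updated. */
    s->irq_enabled = 0;
    s->sp += 1;
    s->fixup_needed = 1;
    s->irq_enabled = 1;
    if (at == IRQ_AFTER_PART2 && s->irq_enabled) return 1;

    /* Part 3: not restartable at all, so interrupts stay disabled. */
    s->irq_enabled = 0;
    s->stack[s->sp] = s->acc ^ 0x55u;
    s->sp += 1;
    s->fixup_needed = 0;
    s->done = 1;
    if (at == IRQ_IN_PART3 && s->irq_enabled) return 1;   /* masked: never taken */
    return 0;
}

/* Monitor-side driver: run C; if it was interrupted, nothing was saved, so
 * optionally fix up and restart from the beginning.  Returns restart count. */
int run_task_c(struct state *s, enum irq_point at, int use_fixup)
{
    int restarts = 0;
    memset(s, 0, sizeof *s);
    while (function_c(s, at)) {
        restarts++;
        if (s->fixup_needed && use_fixup) fixup(s);
        at = IRQ_NONE;           /* the interrupt has been serviced */
    }
    return restarts;
}

/* 1 if the final state equals that of an uninterrupted run, else 0. */
static int matches_reference(const struct state *s)
{
    struct state ref;
    run_task_c(&ref, IRQ_NONE, 0);
    return s->sp == ref.sp && s->acc == ref.acc && s->done == 1 &&
           memcmp(s->stack, ref.stack, sizeof ref.stack) == 0;
}

int restarts_for(enum irq_point at, int use_fixup)
{
    struct state s;
    return run_task_c(&s, at, use_fixup);
}

int restart_preserves_state(enum irq_point at, int use_fixup)
{
    struct state s;
    run_task_c(&s, at, use_fixup);
    return matches_reference(&s);
}

int main(void)
{
    printf("after part 1, no fixup:  %d\n", restart_preserves_state(IRQ_AFTER_PART1, 0));
    printf("after part 2, fixup:     %d\n", restart_preserves_state(IRQ_AFTER_PART2, 1));
    printf("after part 2, no fixup:  %d\n", restart_preserves_state(IRQ_AFTER_PART2, 0));
    printf("in part 3 (masked):      %d\n", restart_preserves_state(IRQ_IN_PART3, 1));
    return 0;
}
```

The interrupt injected in part 3 is never taken because the function disabled interrupts before the non-restartable work, which is exactly the trade-off the text describes: latency is paid only for the part that cannot be made idempotent.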
Access security and non-security memory
As described in reference to figure 1, data processing equipment has memory, especially comprises TCM36, high-speed cache 38, ROM44, from memory and the external memory storage 56 of equipment. As with reference to shown in Figure 37, for example, memory partition is become safety and non-security memory. To recognize when making, between the safe storage district of memory and non-security memory areas usually without any substantive difference, but when operate in security domain, these SOSs of distinguishing by data processing equipment define. Therefore, any physical piece of memory devices can be distributed into safe storage, and any physical piece can be distributed into non-security memory.
As referring to figs. 2 to as described in 5, treatment system has security domain and non-security territory. In security domain, secure kernels 80 is provided and in safe mode, carries out. Provide and be across security domain and non-security territory and at least partially in the supervisory programme 72 of carrying out in the monitoring mode. In an embodiment of the present invention, the supervisory programme part is carried out in monitoring mode and is partly carried out in safe mode. As for example shown in Figure 10, a plurality of safe modes are arranged, especially comprise supervision pattern SVC.
Supervisory programme 72 is in charge of in either direction, and the institute between safety and non-security territory changes. In joint " processor mode ", with reference to figure 8 and 9 its some functions are described. Supervisory programme responds the pattern conversion request SMI that sends in order to start the conversion from described non-security mode to described safe mode and respond the pattern switching request SMI that sends safe mode in non-security mode, in order to start the conversion from described safe mode to described non-security mode. As described in the joint " interregional switching ", in monitoring mode, at least some registers switch to occur switch to another from safety and non-security territory one. Relate to the preservation of the state that is present in a register in the territory and new state is write register in another territory (or recovering previous state of preserving in the register). As said, when carrying out this switching, can some registers of disable access. Best, in monitoring mode, forbid described interruption.
Because the monitoring mode that supervisory programme is carried out is across safe and non-security territory, prove that supervisory programme safety is very important: namely, it only realizes the function that those intentions realize. Therefore, if supervisory programme as far as possible simply is favourable. Safe mode allows only implementation in security domain. In this embodiment of the present invention, the special permission safe mode allows access identical safety and non-security memory with monitoring mode. By guaranteeing that speciallyying permit safe mode " sees " identical safety and non-security memory, the function of only realizing is sent to the safe mode that allows to simplify supervisory programme in monitoring mode. In addition, this process that allows to operate in the special permission safe mode is directly switch to monitoring mode or vice versa. Permission switches to monitoring mode and monitoring mode, can carry out the switching in non-security territory from the special permission safe mode. The Non-Patent safe mode must enter monitoring mode with SMI. This system enters the special permission safe mode after resetting. Execution monitoring pattern and special permission between safe mode switching and return so that the state preservation when between the territory, move.
In other embodiments, can specially permit permission access S mark in pattern and the monitoring mode from safety. If allow safe special permission pattern to make processor switch to the control of keeping simultaneously program flow in the monitoring mode, so, these patterns of speciallyying permit have safely had the ability that changes S mark (position) effectively. Therefore, provide the other complexity that only can in monitoring mode, change the S sign unreasonable. On the contrary, the S mark can use the mode identical with other configuration marks that change by one or more safe special permission patterns to store. These embodiment that can change the S mark in of a plurality of safe special permission patterns are included in the current techniques.
Turn back to previously described exemplary embodiment, this device has processor cores 10, the special permission level of defining mode and defining mode, that is, and the collection of functions that any pattern allows. Therefore, with known mode configuration processor kernel 10 in order to allow safe mode and monitoring mode access security and non-security memory and accessed in safe mode monitoring mode to allow all memories of access and the process that allows to operate in the special permission safe mode is directly switch to monitoring mode or vice versa. Processor cores 10 preferably is configured to allow following content.
In an example of this device, memory partition is become safe storage and non-security memory, and only monitor and safe mode in addressable safety and non-security memory. Best, addressable non-security memory in monitoring mode, safe mode and non-security mode.
In another example of this device, in monitoring mode and safe mode one or more, the non-security memory of safe mode denied access, and in non-security mode, safety and the non-security memory of monitoring mode denied access. Therefore, only monitor and safe mode in access secure memory, and only by the non-security mode access non-secure memory, the increase security.
In the example of this device, resetting and guiding of device can be carried out in monitoring mode, and this monitoring mode can be considered to the more privileged pattern of safe mode. Yet, in many examples of this device, being configured in safe mode, provide reset or guide, this is possible, because allow the direct switching between safe mode and monitoring mode.
As described in reference to figure 2, in security domain, and in safe mode, security kernel 80 (severe operating system) function, and one or more security application 82,84 can be in 80 times operations of security kernel. The security kernel that permission moves in safe mode and/or security application or any other program code access security and non-security memory.
Although with reference to have processor unit describe example of the present invention, the present invention can realize by computer program, when when suitable processor moves, makes processor operations, described in this section.
Below, with reference to Figures 21 to 23, further embodiments of the invention considered from the programmer's model are described as follows:
In the following description, in the context of the ARM processors designed by ARM Limited of Cambridge, England, the following terms are used and must be understood.
- S bit: the secure state bit, contained in a dedicated CP15 register.
- "Secure/non-secure state": this state is defined by the value of the S bit. It indicates whether the core can access the secure world (when S=1, i.e. when it is in secure state) or is restricted to the non-secure world (S=0). Note that monitor mode (see below) overrides the S bit state.
- "Non-secure world": the set of all hardware/software accessible to non-secure applications that do not require security.
- "Secure world": the set of all hardware/software (kernel, memory, ...) accessible only when executing secure code.
- Monitor mode: a new mode responsible for switching the core between the secure and non-secure states.
General introduction
- The core can always access the non-secure world.
- The core can access the secure world only when it is in secure state or in monitor mode.
- SMI: Software Monitor Interrupt: a new instruction that makes the core enter monitor mode through a dedicated SMI exception vector.
- "Thread ID": the identifier associated with each thread (controlled by the OS). For some types of OS, where the OS runs in the non-secure world, it is necessary to pass the current thread ID as a parameter each time a secure function is called, in order to link the secure function to the non-secure application that called it. Multithreading can therefore be supported in the secure world.
- Secure interrupt: defines an interrupt generated by a secure peripheral.
Programmer's model
Overview of the Carbon core
Carbon, the term used here for a processor using the present technique, is based on the principle that the architecture comprises two separate worlds, a secure world and a non-secure world. The secure world must never leak any data to the non-secure world.
In the proposed solution the secure and non-secure states share the same (existing) register bank. Consequently, all the modes currently present in the ARM core (abort, undefined, IRQ, user, ...) will exist in each state.
Thanks to a new state bit in a dedicated CP15 register, the S (secure) bit, the core will know whether it is operating in the secure or the non-secure state.
Controlling which instructions or events are allowed to modify the S bit, i.e. to change from one state to the other, is a key feature of the security of this system. The present technique proposes adding a new mode, monitor mode, to "supervise" the switching between the two states. Monitor mode will be the only mode allowed to modify the S bit, by writing the appropriate CP15 register.
Finally, it is proposed to add some flexibility to exception handling. Apart from reset, every exception will either be handled in the state in which it occurs, or be directed to monitor mode. This will be configurable thanks to a dedicated CP15 register.
The details of this solution are discussed in the following paragraphs.
Processor state and modes
New Carbon features
Secure or non-secure state (S bit)
A key feature of the Carbon core is the presence of the S bit, which indicates whether the core is in the secure (S=1) or the non-secure (S=0) state. When in secure state, the core can access any data in the secure or the non-secure world. When in non-secure state, the core is restricted to accessing the non-secure world.
The only exception to this rule concerns monitor mode, which overrides the S bit information. Even when S=0, the core performs secure privileged accesses while it is in monitor mode. See the next paragraph on monitor mode for further information.
The S bit can be read and written only in monitor mode. Whatever the value of S, if any other mode attempts to access it, the attempt will be ignored or will cause an undefined exception.
Apart from reset, no exception has any effect on the secure state bit. At reset the S bit will be set and the core will start in monitor mode. See the boot section for details.
The secure/non-secure state is independent of, and operates independently of, the ARM/Thumb/Java state.
Monitor mode
Another key feature of the Carbon system is the creation of a new mode, monitor mode. It will be used to control the switching of the core between the secure and non-secure states. It will always be regarded as a secure mode, i.e. whatever the value of the S bit, when the core is in monitor mode it always performs secure privileged accesses to the external world.
Any secure privileged mode (i.e. a privileged mode when S=1) can switch to monitor mode simply by writing the CPSR mode bits (MSR, MOVS or an equivalent instruction). This will however be forbidden in the non-secure modes and in secure user mode. If it nevertheless occurs, the instruction will be ignored or will cause an exception.
A dedicated CPSR violation exception is required. It is raised by any attempt to switch to monitor mode by directly writing the CPSR from any non-secure mode or from secure user mode.
When monitor mode is active, in effect all exceptions apart from reset will be disabled:
● all interrupts are masked
● all memory exceptions are either ignored or cause a fatal exception
● undefined/SWI/SMI are either ignored or cause a fatal exception.
Interrupts are disabled automatically on entry to monitor mode, and the system monitor program should be written so that no exception of any other type occurs while the system monitor is running.
Monitor mode needs some private registers. This solution proposes duplicating only a minimal set of registers, namely R13 (sp_mon), R14 (lr_mon) and the SPSR (spsr_mon).
In monitor mode the MMU is disabled (flat address mapping), as is the MPU or partition checker (monitor mode always performs secure privileged external accesses). However, the MPU region attributes that have been programmed (cacheability, ...) will remain in effect. Alternatively, monitor mode may use whatever mapping the secure domain uses.
New instruction
This proposal requires one new instruction to be added to the existing ARM instruction set.
SMI (Software Monitor Interrupt) is used to enter monitor mode, branching to the fixed SMI exception vector. This instruction will mainly be used to indicate to the monitor program that it should swap between the non-secure and the secure state.
Alternatively (or in addition), a new instruction could be added to allow monitor mode to save the state of any other mode onto the monitor stack and to restore the state of any other mode from the monitor stack, in order to improve context switching performance.
Processor modes
As described in the preceding paragraphs, only one new mode, monitor mode, is added to the core. All existing modes remain available and will exist in both the secure and the non-secure state.
In practice, Carbon users will see the structure shown in Figure 21.
Processor registers
This embodiment proposes that the secure and non-secure worlds share the same register bank. This means that when switching from one world to the other through monitor mode, the system monitor will need to save the context of the first world and create (or restore) a context in the second world.
Passing parameters becomes a simple task: once the system monitor has switched the S bit, any data contained in a register in the first world will be available in the same register in the second world.
However, apart from a strictly controlled, limited set of registers dedicated to passing parameters, all other registers need to be flushed when moving from the secure to the non-secure state, to avoid any leakage from the secure world.
It is also possible to implement a hardware mechanism or a new instruction that flushes the registers directly when switching from the secure to the non-secure state.
Another proposed solution involves duplicating all (or most) of the existing register bank, so that there are two physically separate register banks for the secure and non-secure states. This solution has the major advantage of clearly separating the secure and non-secure data held in registers. It also allows fast context switching between the secure and non-secure states. Its drawback, however, is that passing parameters through registers becomes difficult, unless special instructions are created to allow the secure world to access the non-secure registers.
Figure 22 illustrates the registers available according to the processor mode. Note that the processor state has no impact on this.
Exceptions
Secure interrupts
Current solution
It is currently proposed to keep the same interrupt pins as in current cores, i.e. IRQ and FIQ. In association with the exception IMR (defined later in this document), there is enough flexibility for any system to implement and handle the different kinds of interrupts.
VIC enhancement
The VIC (Vectored Interrupt Controller) could be enhanced as follows: the VIC could contain one security information bit associated with each vector address. This bit can be programmed only by monitor mode or by a secure privileged mode. It indicates whether the interrupt in question should be regarded as secure, and therefore be handled on the secure side.
Two new vector address registers are also added, one for all secure interrupts occurring in non-secure state, and another for all non-secure interrupts occurring in secure state.
The S bit information contained in CP15 will be made available to the VIC as a new VIC input.
Depending on the state of the incoming interrupt (secure or non-secure, as indicated by the bit associated with each interrupt line) and the state of the core (S bit in CP15 = S input signal on the VIC), the following table summarises the different possible scenarios.
- Secure interrupt, core in secure state (CP15 S=1): no world switch is needed. The VIC directly provides the core with the secure address associated with the interrupt line. The core only needs to branch to this address, where the associated ISR should be found.
- Secure interrupt, core in non-secure state (CP15 S=0): in the non-secure world the VIC has no vector associated with this interrupt. It therefore provides the core with the address contained in the vector address register dedicated to all secure interrupts occurring in the non-secure world. Still in the non-secure world, the core then branches to this address, where an SMI instruction should be found to switch to the secure world. Once in the secure world, the correct ISR will be accessed.
- Non-secure interrupt, core in secure state (CP15 S=1): in the secure world the VIC has no vector associated with this interrupt. It therefore provides the core with the address contained in the vector address register dedicated to all non-secure interrupts occurring in the secure world. Still in the secure world, the core then branches to this address, where an SMI instruction should be found to switch to the non-secure world. Once in the non-secure world, the correct ISR will be accessed.
- Non-secure interrupt, core in non-secure state (CP15 S=0): no world switch is needed. The VIC directly provides the core with the non-secure address associated with the interrupt line. The core only needs to branch to this address, where the associated non-secure ISR should be found.
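The routing table above, as an added C model that is not part of the patent text: each interrupt line carries a security bit that only monitor mode or a secure privileged mode may program, two extra vector address registers hold the world-crossing stub addresses, and the vector delivered to the core depends on the line's bit and the core's S input. Register and function names, the eight-line configuration and the stub addresses are this model's own assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define VIC_LINES 8

enum core_mode { MODE_USER, MODE_SVC, MODE_IRQ, MODE_FIQ, MODE_MONITOR };

struct vic {
    uint32_t vect_addr[VIC_LINES];    /* ISR address programmed per interrupt line */
    bool     secure_line[VIC_LINES];  /* security information bit per vector address */
    uint32_t ns_entry_for_secure_irq; /* delivered when a secure interrupt arrives with S=0 */
    uint32_t s_entry_for_ns_irq;      /* delivered when a non-secure interrupt arrives with S=1 */
};

/* The security bits may be programmed only from monitor mode or a secure privileged mode. */
static bool may_program_security(enum core_mode mode, bool s_bit)
{
    return mode == MODE_MONITOR || (s_bit && mode != MODE_USER);
}

/* Returns false, leaving the VIC unchanged, when the writer is not allowed. */
bool vic_set_line_secure(struct vic *v, unsigned line, bool secure,
                         enum core_mode mode, bool s_bit)
{
    if (line >= VIC_LINES || !may_program_security(mode, s_bit))
        return false;
    v->secure_line[line] = secure;
    return true;
}

/* Vector selection for an asserted line:
 *  - interrupt and core in the same world: the line's own vector address;
 *  - secure interrupt while S=0: the non-secure stub that issues SMI;
 *  - non-secure interrupt while S=1: the secure stub that issues SMI. */
uint32_t vic_vector_for(const struct vic *v, unsigned line, bool s_bit)
{
    bool secure_irq = v->secure_line[line];
    if (secure_irq == s_bit)
        return v->vect_addr[line];
    return secure_irq ? v->ns_entry_for_secure_irq : v->s_entry_for_ns_irq;
}

/* True when the ISR can only run after an SMI has switched worlds. */
bool vic_needs_world_switch(const struct vic *v, unsigned line, bool s_bit)
{
    return v->secure_line[line] != s_bit;
}

static struct vic sample;

/* Constructed sample configuration: eight lines, ISRs at 0x1000 + 0x20*line,
 * line 1 belongs to a secure peripheral and is marked secure from monitor mode. */
struct vic *vic_sample(void)
{
    memset(&sample, 0, sizeof sample);
    for (unsigned i = 0; i < VIC_LINES; i++)
        sample.vect_addr[i] = 0x1000u + 0x20u * i;
    sample.ns_entry_for_secure_irq = 0x2000;
    sample.s_entry_for_ns_irq      = 0x3000;
    vic_set_line_secure(&sample, 1, true, MODE_MONITOR, false);
    return &sample;
}
```

The model keeps the two stub registers separate from the per-line vectors, so a non-secure ISR address is never handed to the core while a secure interrupt is pending in the non-secure world: the only thing the non-secure side learns is the address of the SMI stub.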
Exception handling configurability
To increase the flexibility of Carbon, a new register, the Exception Interrupt Mask Register, will be added to CP15. This register will contain the following bits:
- Bit 0: undefined exception (non-secure state)
- Bit 1: SWI exception (non-secure state)
- Bit 2: prefetch abort exception (non-secure state)
- Bit 3: data abort exception (non-secure state)
- Bit 4: IRQ exception (non-secure state)
- Bit 5: FIQ exception (non-secure state)
- Bit 6: SMI exception (non-secure/secure state)
- Bit 16: undefined exception (secure state)
- Bit 17: SWI exception (secure state)
- Bit 18: prefetch abort exception (secure state)
- Bit 19: data abort exception (secure state)
- Bit 20: IRQ exception (secure state)
- Bit 21: FIQ exception (secure state)
Reset has no corresponding bit in this register. Reset always makes the core enter secure supervisor mode through its dedicated vector.
If a bit is set, the corresponding exception makes the core enter monitor mode. Otherwise, the exception is handled in the corresponding handler of the world in which it occurred.
This register is visible only in monitor mode. Any instruction attempting to access it in any other mode will be ignored.
This register should be initialised to a system-specific value according to whether or not the system has a monitor program. This functionality could be controlled by the VIC.
Exception vector tables
Since there are separate secure and non-secure worlds, separate secure and non-secure exception vector tables are also needed.
In addition, since the monitor program may also trap some exceptions, a third exception vector table dedicated to the monitor program is also needed.
The following tables summarise the three different exception vector tables:
In non-secure memory:
Address | Exception | Mode | Automatically taken when
0x00 | | |
0x04 | Undefined | Undefined | the core executes an undefined instruction in non-secure state and Exception IMR[non-secure undefined]=0
0x08 | SWI | Supervisor | the core executes a SWI instruction in non-secure state and Exception IMR[non-secure SWI]=0
0x0C | Prefetch abort | Abort | the core is in non-secure state, Exception IMR[non-secure PAbort]=0, and an instruction fetch aborts
0x10 | Data abort | Abort | the core is in non-secure state, Exception IMR[non-secure DAbort]=0, and a data access aborts
0x14 | Reserved | |
0x18 | IRQ | IRQ | the core is in non-secure state, Exception IMR[non-secure IRQ]=0, and the IRQ pin is asserted
0x1C | FIQ | FIQ | the core is in non-secure state, Exception IMR[non-secure FIQ]=0, and the FIQ pin is asserted
In secure memory:
Address | Exception | Mode | Automatically taken when
0x00 | Reset* | Supervisor | the reset pin is asserted
0x04 | Undefined | Undefined | the core executes an undefined instruction in secure state and Exception IMR[secure undefined]=0
0x08 | SWI | Supervisor | the core executes a SWI instruction in secure state and Exception IMR[secure SWI]=0
0x0C | Prefetch abort | Abort | the core is in secure state, Exception IMR[secure PAbort]=0, and an instruction fetch aborts
0x10 | Data abort | Abort | the core is in secure state, Exception IMR[secure DAbort]=0, and a data access aborts
0x14 | Reserved | |
0x18 | IRQ | IRQ | the core is in secure state, Exception IMR[non-secure IRQ]=0, and the IRQ pin is asserted
0x1C | FIQ | FIQ | the core is in secure state, Exception IMR[non-secure FIQ]=0, and the FIQ pin is asserted
* See the "Boot" section for a further description of the reset mechanism.
In monitor memory (flat mapping):
Address | Exception | Mode | Automatically taken when
0x00 | | |
0x04 | Undefined | Monitor | the core executes an undefined instruction in secure state with Exception IMR[secure undefined]=1, or in non-secure state with Exception IMR[non-secure undefined]=1
0x08 | SWI | Monitor | the core executes a SWI instruction in secure state with Exception IMR[secure SWI]=1, or in non-secure state with Exception IMR[non-secure SWI]=1
0x0C | Prefetch abort | Monitor | an instruction fetch aborts while the core is in secure state with Exception IMR[secure IAbort]=1, or in non-secure state with Exception IMR[non-secure IAbort]=1
0x10 | Data abort | Monitor | a data access aborts while the core is in secure state with Exception IMR[secure PAbort]=1, or in non-secure state with Exception IMR[non-secure PAbort]=1
0x14 | SMI | Monitor |
0x18 | IRQ | Monitor | the IRQ pin is asserted while the core is in secure state with Exception IMR[secure IRQ]=1, or in non-secure state with Exception IMR[non-secure IRQ]=1
0x1C | FIQ | Monitor | the FIQ pin is asserted while the core is in secure state with Exception IMR[secure FIQ]=1, or in non-secure state with Exception IMR[non-secure FIQ]=1
In monitor mode the exception vectors could be duplicated, so that each exception has two different associated vectors:
- one for exceptions occurring in non-secure state
- one for exceptions occurring in secure state
This is useful for reducing exception latency, since the monitor core no longer needs to detect the original state in which the exception occurred.
Note that this feature could be limited to some exceptions; SMI is the best candidate for improving the switch between the secure and non-secure states.
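The Exception IMR bit assignment and the three vector tables above, combined in one added C model that is not part of the patent text: given the exception type, the S bit, whether the core is already in monitor mode and the IMR value, it returns which table is used, the vector offset and the target mode. Bit positions and offsets follow the text; the enum names, the static IMR register, and the decision to treat an exception raised inside monitor mode as fatal (the text says "ignored or fatal") are this model's assumptions. SMI is always routed to the monitor table here, because the world tables reserve its 0x14 slot.

```c
#include <stdint.h>
#include <stdbool.h>

enum exc   { EXC_RESET, EXC_UNDEF, EXC_SWI, EXC_PABORT, EXC_DABORT, EXC_IRQ, EXC_FIQ, EXC_SMI };
enum table { TABLE_NONSECURE, TABLE_SECURE, TABLE_MONITOR, TABLE_NONE };
enum mode  { MODE_UNDEF, MODE_SVC, MODE_ABORT, MODE_IRQ, MODE_FIQ, MODE_MONITOR, MODE_NONE };

struct route {
    enum table table;   /* which vector table the core fetches from */
    uint32_t   offset;  /* vector offset within that table */
    enum mode  mode;    /* mode the core enters */
    bool       fatal;   /* exception raised while already in monitor mode */
};

/* Exception IMR bit positions as listed in the text: bits 0-5 for the non-secure
 * copies of undef/SWI/prefetch abort/data abort/IRQ/FIQ, bits 16-21 for the secure
 * copies, bit 6 for SMI. */
static unsigned imr_bit(enum exc e, bool secure)
{
    if (e == EXC_SMI) return 6;
    return (secure ? 16u : 0u) + (unsigned)(e - EXC_UNDEF);
}

/* The IMR lives in CP15 and is visible only in monitor mode; other writers are ignored. */
static uint32_t cp15_imr;

bool imr_write(uint32_t value, bool in_monitor)
{
    if (!in_monitor) return false;
    cp15_imr = value;
    return true;
}

uint32_t imr_value(void) { return cp15_imr; }

/* Mode entered when the exception is handled inside the world it occurred in. */
static enum mode world_mode_for(enum exc e)
{
    switch (e) {
    case EXC_UNDEF:                    return MODE_UNDEF;
    case EXC_SWI:                      return MODE_SVC;
    case EXC_PABORT: case EXC_DABORT:  return MODE_ABORT;
    case EXC_IRQ:                      return MODE_IRQ;
    case EXC_FIQ:                      return MODE_FIQ;
    default:                           return MODE_NONE;
    }
}

/* Offsets 0x00..0x1C are identical in all three tables; SMI uses the 0x14 slot
 * that the secure and non-secure tables keep reserved. */
static uint32_t vector_offset(enum exc e)
{
    static const uint32_t off[] = { 0x00, 0x04, 0x08, 0x0C, 0x10, 0x18, 0x1C, 0x14 };
    return off[e];
}

struct route route_exception(enum exc e, bool s_bit, bool in_monitor, uint32_t imr)
{
    struct route r = { TABLE_NONE, vector_offset(e), MODE_NONE, false };
    if (e == EXC_RESET) {               /* no IMR bit: always secure supervisor via the secure table */
        r.table = TABLE_SECURE; r.mode = MODE_SVC;
        return r;
    }
    if (in_monitor) {                   /* monitor mode: everything but reset is masked or fatal */
        r.fatal = true;
        return r;
    }
    if (e == EXC_SMI || ((imr >> imr_bit(e, s_bit)) & 1u)) {
        r.table = TABLE_MONITOR; r.mode = MODE_MONITOR;   /* trapped by the monitor program */
        return r;
    }
    r.table = s_bit ? TABLE_SECURE : TABLE_NONSECURE;    /* handled in the world it occurred in */
    r.mode  = world_mode_for(e);
    return r;
}
```

Because the non-secure and secure copies of each mask bit are independent, a system can, for instance, route non-secure IRQs to the monitor (so the secure side can decide who handles them) while leaving secure IRQs to the secure OS's own table.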
Switching between worlds
When switching between states, monitor mode must save the context of the first state onto its monitor stack and restore the context of the second state from the monitor stack.
Monitor mode therefore needs access to every register of every other mode, including the private registers (r14, SPSR, ...).
To handle this, the proposed solution consists of giving any privileged mode in secure state the right to switch directly to monitor mode simply by writing the CPSR.
With this system, a switch between worlds is performed as follows:
- enter monitor mode
- set the S bit
- switch to supervisor mode, saving the supervisor registers onto the monitor stack (supervisor mode will of course need access to the monitor stack pointer, but this can easily be achieved, for example by using the common registers R0 to R8)
- switch to system mode, saving the registers (the same as user mode) onto the monitor stack
- IRQ registers onto the monitor stack
- etc. ... for all modes
- once all private registers of all modes have been saved, return to monitor mode by a simple MSR instruction (i.e. simply write the monitor value into the CPSR mode field)
Other solutions are also considered:
- add a new instruction allowing the monitor program to save the private registers of other modes onto its own stack.
- implement the monitor program as a new "state", i.e. one that can be in the monitor state (with the appropriate access rights) and in IRQ (or any other mode) at the same time, in order to see the IRQ (or any other) private registers.
Basic scenario (see Figure 23)
1. Thread 1 is running in the non-secure world (S bit=0).
2. The SMI instruction makes the core enter monitor mode through the non-secure SMI vector.
   The PC and CPSR of the non-secure mode are saved in LR_mon and SPSR_mon.
   At this stage the S bit is still unchanged, although the system is now in a secure state.
   The monitor core saves the non-secure context onto the monitor stack.
   LR_mon and SPSR_mon are also pushed.
   The monitor core then changes the "S" bit by writing the CP15 register.
   In this embodiment the monitor core records (for example by updating the Thread ID table) that "secure thread 1" is to be started in the secure world.
   Finally, it exits monitor mode and switches to secure supervisor mode (MOVS instruction after updating LR_mon and SPSR_mon?).
3. The secure kernel dispatches the application to the correct secure memory location, then switches to user mode (for example using MOVS).
4. The secure function is executed in secure user mode. Once it has finished, it calls the "exit" function by executing the appropriate SWI.
5. The SWI instruction makes the core enter secure svc mode through the dedicated SWI vector, which in turn executes the "exit" function. The "exit" function should finish with an "SMI" in order to switch back to monitor mode.
6. The SMI instruction makes the core enter monitor mode through the dedicated secure SMI vector.
   The PC and CPSR of secure svc mode are saved in LR_mon and SPSR_mon.
   The S bit is still unchanged (secure state).
   The monitor core records the fact that secure thread 1 has ended (removes the secure thread 1 ID from the Thread ID table?).
   It then changes the "S" bit by writing the CP15 register, returning to the non-secure state.
   The monitor core restores the non-secure context from the monitor stack.
   The LR_mon and SPSR_mon previously saved in step 2 are also loaded.
   Finally, it exits monitor mode by a SUBS instruction, which returns the core to non-secure user mode.
7. Thread 1 can resume normally.
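The world switch of the section above and the basic scenario, as an added C model that is not part of the patent text: the S bit can be written only from monitor mode, an SMI saves the leaving world's general and per-mode private registers into the monitor's store, flushes every non-parameter register on a secure-to-non-secure switch, and restores (or creates) the target world's context. The register counts, the choice of R0-R3 as the parameter registers, the use of one saved context per world in place of a literal stack, and the register values in the walk-through are this model's assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define NUM_GP     13   /* R0-R12, shared between the two worlds */
#define NUM_PARAM   4   /* R0-R3 carry parameters and results across a switch (model's choice) */
#define NUM_MODES   5   /* banked SP/LR/SPSR sets: svc, sys/usr, irq, fiq, abt/und */

enum mode { MODE_USER, MODE_SVC, MODE_MONITOR };

struct banked  { uint32_t sp, lr, spsr; };
struct context { uint32_t gp[NUM_GP]; struct banked bank[NUM_MODES]; };

struct core {
    enum mode     mode;
    bool          s_bit;              /* the CP15 S bit */
    uint32_t      gp[NUM_GP];
    struct banked bank[NUM_MODES];    /* every mode's private registers */
    struct context saved[2];          /* monitor's saved context: [0] non-secure, [1] secure */
    bool          saved_valid[2];
};

/* CP15 S-bit write: permitted only in monitor mode, otherwise ignored. */
bool write_s_bit(struct core *c, bool value)
{
    if (c->mode != MODE_MONITOR) return false;
    c->s_bit = value;
    return true;
}

static void save_context(struct core *c, int world)
{
    memcpy(c->saved[world].gp, c->gp, sizeof c->gp);
    memcpy(c->saved[world].bank, c->bank, sizeof c->bank);
    c->saved_valid[world] = true;
}

static void restore_context(struct core *c, int world)
{
    /* R0-R3 are left untouched so parameters and results pass through. */
    memcpy(c->gp + NUM_PARAM, c->saved[world].gp + NUM_PARAM,
           sizeof(uint32_t) * (NUM_GP - NUM_PARAM));
    memcpy(c->bank, c->saved[world].bank, sizeof c->bank);
}

/* SMI from a non-monitor mode: enter monitor, save the current world, flip S,
 * restore or create the other world, and leave into its supervisor mode. */
bool smi_switch_world(struct core *c)
{
    if (c->mode == MODE_MONITOR) return false;
    int from = c->s_bit ? 1 : 0, to = 1 - from;
    c->mode = MODE_MONITOR;                      /* interrupts are masked while here */
    save_context(c, from);
    if (from == 1)                               /* secure -> non-secure: flush non-parameter registers */
        memset(c->gp + NUM_PARAM, 0, sizeof(uint32_t) * (NUM_GP - NUM_PARAM));
    write_s_bit(c, to == 1);
    if (c->saved_valid[to]) restore_context(c, to);
    else memset(c->bank, 0, sizeof c->bank);     /* first entry into this world: empty context */
    c->mode = MODE_SVC;
    return true;
}

static struct core sim;

/* Reset: S bit set, secure supervisor mode, nothing saved yet. */
struct core *sim_reset(void)
{
    memset(&sim, 0, sizeof sim);
    sim.s_bit = true;
    sim.mode  = MODE_SVC;
    return &sim;
}

struct scenario_result { bool params_arrived, result_returned, scratch_leaked, ns_state_restored, back_in_ns; };

/* The basic scenario with constructed register values: non-secure thread 1 passes
 * R0/R1, the secure function works in a scratch register and returns R0. */
struct scenario_result run_basic_scenario(void)
{
    struct scenario_result r = {0};
    struct core *c = sim_reset();
    smi_switch_world(c);                    /* boot finished: hand over to the non-secure world */
    c->mode = MODE_USER;
    c->gp[0] = 0x11; c->gp[1] = 0x22;       /* parameters for the secure function */
    c->gp[7] = 0xAAAA;                      /* unrelated live non-secure value */
    smi_switch_world(c);                    /* step 2: SMI, monitor, secure world */
    r.params_arrived = (c->gp[0] == 0x11 && c->gp[1] == 0x22);
    c->gp[5] = 0x5EC;                       /* step 4: secure scratch data */
    c->gp[0] = 0x42;                        /* result for the caller */
    smi_switch_world(c);                    /* step 6: SMI back to the non-secure world */
    r.result_returned   = (c->gp[0] == 0x42);
    r.scratch_leaked    = (c->gp[5] == 0x5EC);
    r.ns_state_restored = (c->gp[7] == 0xAAAA);
    r.back_in_ns        = !c->s_bit;
    return r;
}
```

The flush before the restore looks redundant when a saved non-secure context exists, but it is what protects the very first entry into a world, where there is nothing to restore and the secure values would otherwise remain visible.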
With reference to Figure 6, all registers are shared between the secure and non-secure domains. In monitor mode, register switching takes place when switching from one of the secure and non-secure domains to the other. This comprises saving the state present in a register in one domain and writing new state into the register for the other domain (or restoring a state previously saved in the register), as described in the section "Switching between worlds" above.
It is desirable to reduce the time taken to perform this switch. To reduce the time taken, shared registers whose stored values remain unchanged across the switch between the secure and non-secure domains are disabled. For example, suppose a switch from the non-secure domain to the secure domain, and suppose that the FIQ registers shown in Figure 6, for instance, are not needed in the secure world. Those registers are therefore disabled: their contents need not be switched into the secure domain, and they need not be saved.
Several methods may be used to disable registers. One method is to lock out the mode that uses those registers. This is done by writing a control bit into a CP15 register indicating that the mode is disabled.
Alternatively, access to the registers may be disabled on an instruction-by-instruction basis by writing a control bit into a CP15 register. The bit written in CP15 is explicitly associated with the register rather than with a mode, so that the mode itself is not disabled, but access to the registers in that mode is.
The FIQ registers store data relating to fast interrupts. If the FIQ registers are disabled and a fast interrupt occurs, the processor signals an exception to the monitor program. In response to the exception, monitor mode may be used to save any data values associated with one domain that are stored in the disabled registers, to load new data values associated with the other domain into those registers, and then to re-enable the FIQ mode registers.
The processor may be configured to disable all registers in a group when in monitor mode and switching domains. Alternatively, the disabling of registers may be selectable, in that some predetermined shared registers are disabled when switching domains and, at the programmer's choice, other registers may be disabled as well.
The processor may be configured, when switching domains in monitor mode, to disable one or more shared registers, while one or more other shared registers hold their data in one domain and are loaded with new data in the other domain. The new data may be null data.
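The lazy switching of the FIQ registers described above, as an added C model that is not part of the patent text: on a world switch the monitor disables the FIQ bank instead of saving and reloading it, the bank keeps the previous world's values tagged with that world, and a fast interrupt arriving while the bank is disabled raises an exception to the monitor, which only then saves the old world's values, loads the other world's (or null data) and re-enables the bank. An eager variant is included for comparison. Register counts, the cost counter and the sample values are this model's assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define FIQ_REGS 7   /* R8-R14 are banked in FIQ mode; the SPSR is left out of this model */

struct fiq_bank {
    uint32_t r[FIQ_REGS];
    bool     disabled;      /* the CP15 control bit from the text: bank locked out */
    int      owner_world;   /* world whose data currently sits in the bank: 0 NS, 1 S */
};

struct lazy_core {
    bool s_bit;
    struct fiq_bank fiq;
    uint32_t saved_fiq[2][FIQ_REGS];  /* monitor's per-world copy of the FIQ bank */
    bool saved_valid[2];
    unsigned words_copied;            /* cost counter: register words moved by the monitor */
};

/* Load the given world's FIQ values, or null data if that world has none yet. */
static void load_world_fiq(struct lazy_core *c, int world)
{
    if (c->saved_valid[world]) memcpy(c->fiq.r, c->saved_fiq[world], sizeof c->fiq.r);
    else memset(c->fiq.r, 0, sizeof c->fiq.r);      /* "the new data may be null data" */
    c->words_copied += FIQ_REGS;
    c->fiq.owner_world = world;
}

static void save_world_fiq(struct lazy_core *c, int world)
{
    memcpy(c->saved_fiq[world], c->fiq.r, sizeof c->fiq.r);
    c->saved_valid[world] = true;
    c->words_copied += FIQ_REGS;
}

/* Monitor-mode world switch, lazy form: flip S and disable the FIQ bank, copying nothing. */
void monitor_switch_world_lazy(struct lazy_core *c)
{
    c->s_bit = !c->s_bit;
    c->fiq.disabled = true;
}

/* Eager form for comparison: always save the bank and reload the other world's copy. */
void monitor_switch_world_eager(struct lazy_core *c)
{
    int from = c->s_bit ? 1 : 0, to = 1 - from;
    save_world_fiq(c, from);
    load_world_fiq(c, to);
    c->s_bit = (to == 1);
}

/* Exception raised to the monitor when an FIQ arrives with the bank disabled.
 * If the bank still belongs to the current world nothing needs to move. */
static void monitor_fiq_bank_fault(struct lazy_core *c)
{
    int cur = c->s_bit ? 1 : 0;
    if (c->fiq.owner_world != cur) {
        save_world_fiq(c, c->fiq.owner_world);
        load_world_fiq(c, cur);
    }
    c->fiq.disabled = false;
}

/* A fast interrupt arrives; returns true when the monitor had to fix up the bank first. */
bool fiq_arrives(struct lazy_core *c)
{
    if (!c->fiq.disabled) return false;
    monitor_fiq_bank_fault(c);
    return true;
}

struct lazy_result { unsigned lazy_words, eager_words; bool secure_saw_null, ns_value_intact; };

/* Constructed walk-through: a round trip with no FIQ in the secure world, then a
 * round trip in which an FIQ fires while secure so the bank really must be switched. */
struct lazy_result run_lazy_scenario(void)
{
    struct lazy_result r = {0};
    struct lazy_core lazy = {0}, eager = {0};
    lazy.fiq.r[0] = 0xF1A0;  eager.fiq.r[0] = 0xF1A0;   /* non-secure FIQ handler state */

    monitor_switch_world_lazy(&lazy);  monitor_switch_world_lazy(&lazy);   /* NS -> S -> NS */
    fiq_arrives(&lazy);                /* bank still owned by NS: re-enabled, nothing copied */
    monitor_switch_world_eager(&eager); monitor_switch_world_eager(&eager);
    r.lazy_words  = lazy.words_copied;
    r.eager_words = eager.words_copied;

    monitor_switch_world_lazy(&lazy);  /* NS -> S */
    fiq_arrives(&lazy);                /* fault: NS values saved, null data loaded */
    r.secure_saw_null = (lazy.fiq.r[0] == 0);
    lazy.fiq.r[0] = 0x5EC0;            /* secure FIQ handler state */
    monitor_switch_world_lazy(&lazy);  /* S -> NS */
    fiq_arrives(&lazy);                /* fault: S values saved, NS values restored */
    r.ns_value_intact = (lazy.fiq.r[0] == 0xF1A0);
    return r;
}
```

The owner-world tag is what makes the scheme safe as well as fast: the secure world never reads non-secure FIQ state by accident, because any access to the disabled bank from a different world goes through the monitor's fixup before the bank is re-enabled.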
Figure 24 schematically illustrates the principle of adding the secure processing option to a traditional ARM core. The figure shows schematically how a processor including the secure processing option can be formed by adding the secure processing option to an existing core. If the system is to be backward compatible with existing legacy operating systems, one would intuitively expect the legacy system to operate in the traditional, non-secure part of the processor. However, as illustrated in the lower half of the figure and described in further detail below, the legacy system in fact operates in the secure part of the system.
Figure 25 illustrates a processor having secure and non-secure domains and illustrates reset; it is similar to Figure 2. Figure 2 illustrates a processor for security-sensitive operation, with a secure OS system controlling processing in the secure domain and a non-secure OS system controlling processing in the non-secure domain. However, this processor is also backward compatible with traditional operating systems, and so the processor may run a traditional operating system and operate in a security-insensitive manner.
As shown in Figure 25, reset takes place in the secure domain, and whatever the type of operation, reset is performed with the S bit, or security status flag, set. In the case of security-insensitive operation, reset takes place in the secure domain and processing then continues in the secure domain. The legacy operating system controlling the processing is, however, unaware of the security aspects of the system.
As shown in Figure 25, reset is performed to set an address, and whether the processing is security-sensitive or in fact security-insensitive, processing at this address starts in secure supervisor mode. Once reset has been performed, the other tasks present in the boot or reboot mechanism are executed. The boot mechanism is described below.
Boot mechanism
The boot mechanism must take the following features into account:
- maintaining compatibility with legacy OSes
- booting in a privileged mode in order to guarantee the security of the system.
The Carbon core will therefore boot in secure supervisor mode.
The different systems will then be:
- a system wishing to run a legacy OS, without regard to the S bit: the core will simply see that it boots in supervisor mode.
- a system wishing to use the Carbon features: the core boots in the secure privileged mode, which should configure all the security protections in the system (possibly after switching to monitor mode).
According to the details of the boot mechanism given above, a processor of embodiments of the invention in all cases begins processing in secure supervisor mode after reset. In the case of security-insensitive operation, the operating system in fact operates in the secure domain, although security is not an issue here, because the S bit is set (even though the operating system is unaware of this). An advantage of this is that parts of memory that would not be accessible from the non-secure domain are accessible in this case.
In a security-sensitive system, booting in secure supervisor mode in all cases is also advantageous because it helps to guarantee the security of the system. In a security-sensitive system, the address of the boot point where the boot program is stored is provided in secure supervisor mode, thereby allowing the system to be configured as a secure system and to switch to monitor mode. Generally, switching from secure supervisor mode to monitor mode is allowed and, at an appropriate time, the secure system is allowed to begin processing in supervisor mode in order to initialise the monitor mode configuration.
Figure 26 illustrates the execution of a non-secure thread NSA by the non-secure operating system in step 1. In step 2, the non-secure thread NSA calls the secure domain via monitor mode, the monitor mode program being executed in step 3. In step 5 the monitor mode program changes the S bit in order to switch domains, and performs any required context saving and context restoring before passing to the secure operating system. The corresponding secure thread SA is then executed in step 6, before being subject to an interrupt irq. In step 7 the interrupt handling hardware triggers a return to monitor mode, where it is determined whether the interrupt is to be handled by the secure operating system or by the non-secure operating system. In this case the interrupt is handled by the non-secure operating system, starting at step 9. When the non-secure operating system has handled the interrupt, the non-secure thread NSA is restored as the current task in the non-secure operating system in step 11, before a normal thread switch operation takes place. This thread switch may be the result of a timing event or the like. In step 12 a different thread NSB is executed in the non-secure domain by the non-secure operating system, and in step 14 it calls the secure domain via the monitor domain/program. The monitor program of step 7 stored a flag, or used some other mechanism, to indicate that the secure operating system was last suspended as a result of an interrupt, rather than being left because the secure thread had finished executing or because of a normal request to leave. Therefore, since the secure operating system was suspended by an interrupt, the monitor program of step 15 re-enters the secure operating system using a software pseudo-interrupt that specifies a return thread ID (for example the identifier of the thread to be started by the secure operating system at the request of the non-secure thread NSB, together with other parameter data). These parameters of the software pseudo-interrupt may be passed as register values.
In step 15 the software pseudo-interrupt triggers the return interrupt handler of the secure operating system. This return interrupt handler examines the return thread ID of the software pseudo-interrupt in order to determine whether it matches the thread ID of the secure thread SA that was executing when the secure operating system was last suspended (interrupted). In this case there is no match, and therefore in step 16 the secure operating system is triggered to save the context of secure thread SA and then switch execution to the return thread specified by the non-secure thread NSB. Secure thread SA can then be restarted from the point of interruption when requested.
Figure 27 schematically illustrates another example of the type of behaviour shown in Figure 26. In this example, although processing is performed under the control of the non-secure operating system in order to handle the irq, there is no non-secure thread switch, and therefore when the return interrupt handler of the secure operating system receives the software pseudo-interrupt, no thread switch needs to be performed and the secure thread SA is simply resumed in step 15.
Figure 28 is a flow diagram schematically illustrating the processing performed by the return thread handler. At step 4002 the return thread handler is started. At step 4004 the return thread identifier from the software pseudo-interrupt is examined and compared with the secure thread that was executing when the secure operating system was suspended. If these match, processing proceeds to step 4006, where the secure thread is resumed. If the comparison at step 4004 finds no match, processing proceeds to step 4008, where the context of the previous secure thread is saved (for subsequent resumption) before the switch to the new secure thread is performed at step 4010. The new thread may have been executed previously, in which case step 4010 is a resumption.
Figure 29 schematically illustrates, from the point of view of the secure operating system, the processing that follows a task switch performed by the main non-secure operating system. The main non-secure operating system may be a legacy operating system that has no mechanisms for communicating with other operating systems and coordinating their activities, and accordingly operates only as the master program. At the initial entry point in Figure 29, the non-secure operating system is executing non-secure thread NSA. This non-secure thread NSA makes a call, using a software interrupt (an SMI call), to a secure thread to be executed by the secure operating system. In step 2 the SMI call enters the monitor program executing in monitor mode, whereupon in step 4 the monitor program performs any necessary context saving and switching before passing the call to the secure operating system. The secure operating system then starts the corresponding secure thread SA. This secure thread may return control to the non-secure operating system via monitor mode, for example as a result of a timer event or the like. When, in step 9, the non-secure thread NSA passes control to the secure operating system again, this is done by re-issuing the original software interrupt. The software interrupt includes a non-secure thread ID identifying NSA, together with the secure thread ID of the target secure thread to be activated, namely the thread ID identifying secure thread SA, and other parameters.
When the call generated at step 9 is passed on by the monitor program and received by the secure operating system in the secure domain at step 12, the non-secure thread ID is checked in order to determine whether a context switch has taken place in the non-secure operating system. The secure thread ID of the target thread may also be checked in order to verify that the correct thread under the secure operating system is being resumed, or that a new thread is being started. In the example of Figure 29, no thread switch is required of the secure operating system in the secure domain.
Figure 30 is similar to Figure 29 except that a switch of thread takes place at step 9 in the non-secure domain, under the control of the non-secure operating system. Thus, at step 11, it is a different non-secure thread NSB that makes the software interrupt call to the secure operating system. At step 14 the secure operating system recognises the different thread ID of non-secure thread NSB and therefore performs a task switch, which comprises saving the context of secure thread SA and starting secure thread SB.
Figure 31 is a flow diagram schematically illustrating the processing performed by the secure operating system when a software interrupt is received as a call to start or resume a thread of the secure operating system. At step 4012 the call is received. At step 4014 the parameters of the call are examined to determine whether they match the currently active secure thread on the secure operating system. If a match occurs, then at step 4016 that secure thread is restarted. If no match occurs, processing proceeds to step 4018, where it is determined whether the newly requested thread is available. The newly requested thread may be unavailable because, for example, it is, or requires, a mutually exclusive resource that is already being used by some other thread executing on the secure operating system. In this case the call is refused at step 4020 by returning an appropriate message to the non-secure operating system. If the new thread is determined to be available at step 4018, processing proceeds to step 4022, where the context of the previous secure thread is saved for possible later resumption. At step 4024 a switch is made to the new secure thread, as specified in the software interrupt call made to the secure operating system.
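The following is an added example, not code from the patent, modelling the checks of Figures 28 and 31 as a secure OS dispatch routine: the call carries the calling non-secure thread ID and the target secure thread ID, a match against the currently active secure thread resumes it, a mismatch saves the previous context and switches, and a thread whose mutually exclusive resource is held by another started thread is refused. Thread IDs, the resource field and the context layout are constructed for the example.

```c
/* Added example (not the patent's code): secure OS call handling of Figures 28 and 31. */
#include <stdbool.h>
#include <stdint.h>

#define MAX_SECURE_THREADS 4
#define NO_THREAD (-1)

typedef struct {
    uint32_t regs[4];     /* constructed stand-in for the saved register state */
    uint32_t pc;
} context_t;

typedef struct {
    int id;               /* secure thread ID carried in the software interrupt */
    int owner_ns_thread;  /* non-secure thread ID on whose behalf it runs */
    int resource;         /* mutually exclusive resource it needs, or -1 for none */
    bool started;
    context_t ctx;
} secure_thread_t;

typedef struct {
    secure_thread_t threads[MAX_SECURE_THREADS];
    int num_threads;
    int current;          /* thread that was running when the secure OS was suspended */
    int context_saves;    /* number of context saves performed (step 4022) */
} secure_os_t;

typedef enum { SEC_RESUMED, SEC_SWITCHED, SEC_REFUSED } sec_result_t;

static int find_thread(const secure_os_t *os, int id)
{
    for (int i = 0; i < os->num_threads; i++)
        if (os->threads[i].id == id)
            return i;
    return NO_THREAD;
}

/* A thread is unavailable when a resource it needs is held by another thread
 * that has already been started on the secure OS (step 4018). */
static bool resource_held_by_other(const secure_os_t *os, int idx)
{
    int res = os->threads[idx].resource;
    if (res < 0)
        return false;
    for (int i = 0; i < os->num_threads; i++)
        if (i != idx && os->threads[i].started && os->threads[i].resource == res)
            return true;
    return false;
}

/* Handle a software interrupt or pseudo-interrupt that names the calling
 * non-secure thread and the target secure thread (step 4012). */
sec_result_t secure_os_dispatch(secure_os_t *os, int ns_thread_id, int target_id)
{
    int idx = find_thread(os, target_id);
    if (idx == NO_THREAD)
        return SEC_REFUSED;

    /* Step 4014: do the parameters match the currently active secure thread?
     * A different non-secure thread ID means the non-secure OS has task-switched. */
    if (idx == os->current && os->threads[idx].owner_ns_thread == ns_thread_id)
        return SEC_RESUMED;                       /* step 4016: restart from interruption point */

    if (resource_held_by_other(os, idx))
        return SEC_REFUSED;                       /* step 4020: refuse the call */

    if (os->current != NO_THREAD)
        os->context_saves++;                      /* step 4022: save previous thread's context */

    os->current = idx;                            /* step 4024: switch to the requested thread */
    os->threads[idx].started = true;
    os->threads[idx].owner_ns_thread = ns_thread_id;
    return SEC_SWITCHED;
}

/* Constructed demo state: SA needs no resource; SB and SC both need resource 7. */
secure_os_t make_demo_os(void)
{
    secure_os_t os = { .num_threads = 3, .current = NO_THREAD, .context_saves = 0 };
    os.threads[0] = (secure_thread_t){ .id = 1, .owner_ns_thread = NO_THREAD, .resource = -1 };
    os.threads[1] = (secure_thread_t){ .id = 2, .owner_ns_thread = NO_THREAD, .resource = 7 };
    os.threads[2] = (secure_thread_t){ .id = 3, .owner_ns_thread = NO_THREAD, .resource = 7 };
    return os;
}
```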
Figure 32 schematically illustrates the handling of interrupts in a system having a plurality of operating systems, in which different interrupts are handled by different operating systems, and in which a priority inversion can occur.
Processing starts with the secure operating system executing secure thread SA. This is then interrupted by a first interrupt Int1. This triggers the monitor program in monitor mode to determine whether this interrupt is to be handled in the secure domain or the non-secure domain. In this case the interrupt is to be handled in the secure domain, and processing returns to the secure operating system, which starts the interrupt handler for interrupt Int1. Part of the way through executing the interrupt handler for Int1, a further interrupt Int2 having a higher priority is received. The interrupt handler for Int1 is therefore stopped, and the monitor program in monitor mode is used to determine where interrupt Int2 is to be handled. In this case interrupt Int2 is to be handled by the non-secure operating system, so control is passed to the non-secure operating system and the interrupt handler for Int2 is started. When the interrupt handler for Int2 has finished, the non-secure operating system has no information indicating that there is a suspended, pending interrupt Int1 being serviced in the secure domain. Accordingly, the non-secure operating system may perform some other processing, such as a task switch or starting a different non-secure thread NSB, while the original interrupt Int1 remains unserviced.
Figure 33 illustrates a technique that can avoid the problem associated with the operation of Figure 32. When interrupt Int1 occurs, the monitor program passes it to the non-secure domain, where a stub interrupt handler is started. This stub interrupt handler is small and quickly returns processing, via monitor mode, to the secure domain, where it triggers the interrupt handler for interrupt Int1. Interrupt Int1 is mainly handled in the secure domain, and the starting of the stub interrupt handler in the non-secure domain can be regarded as a kind of placeholder that indicates to the non-secure domain that this interrupt is pending in the secure domain.
The interrupt handler for interrupt Int1 in the secure domain again encounters the higher priority interrupt Int2. As before, this triggers execution of the interrupt handler for interrupt Int2 in the non-secure domain. In this case, however, when that interrupt handler for Int2 has finished, the non-secure operating system holds data indicating that the stub interrupt handler for interrupt Int1 is still pending, and it therefore resumes that stub interrupt handler. The stub interrupt handler appears to have been suspended at the point at which it makes its call back to the secure domain, so that call is re-executed, thereby switching to the secure domain. Once back in the secure domain, the secure domain can itself restart the interrupt handler for interrupt Int1 at the point at which it was suspended. When the interrupt handler for interrupt Int1 in the secure domain has finished, a call is made back to the non-secure domain in order to close the stub interrupt handler in the non-secure domain before the originally executing secure thread SA is resumed.
Figure 34 schematically illustrates the different types of interrupt, their associated priorities, and how they are handled. High priority interrupts are handled entirely by secure domain interrupt handlers, without being interrupted by higher priority non-secure domain processing. Once there is an interrupt handled in the non-secure domain with a higher priority than a subsequent interrupt, all lower priority interrupts must either be handled entirely in the non-secure domain or must use the stub interrupt handler technique illustrated in Figure 33, so that these interrupts are known to the non-secure domain even though most of their handling takes place in the secure domain.
As mentioned earlier, switching between the secure domain and the non-secure domain is performed using monitor mode. In embodiments in which registers are shared between the two domains, this involves saving the state in those registers to memory, and then loading the new state for the target domain into those registers from memory. For any registers that are not shared between the two domains, no state needs to be saved, since those registers will not be accessed by the other domain; the switch between states is realised as a direct result of the switch between the secure and non-secure domains (that is, the value stored in the S bit in one of the CP15 registers determines which of the non-shared registers is used).
Part of the state that needs to be switched in monitor mode is the processor configuration data that controls the way in which the processor accesses memory. Since each domain has a different view of memory (for example, the secure domain accesses secure memory used for storing secure data, and this secure memory cannot be accessed by the non-secure domain), it is clear that the processor configuration data needs to be changed when switching between domains.
As shown in Figure 35, this processor configuration data is stored in the CP15 registers 34, and in one embodiment these registers are shared between the domains. Thus, when switching between the secure domain and the non-secure domain in monitor mode, the current processor configuration data in the CP15 registers 34 needs to be moved out of the CP15 registers into memory, and the processor configuration data relevant to the target domain needs to be loaded into the CP15 registers 34.
Since the processor configuration data in CP15 generally has an immediate effect on access to memory in the system, it is clear that as the processor updates these settings while operating in monitor mode, they take effect immediately. This is not desirable, however, since it is intended that monitor mode has a static set of processor configuration data controlling access to memory while in monitor mode.
Therefore, as shown in Figure 35, in one embodiment of the invention monitor-mode-specific processor configuration data 2000 is provided, which can be used to override the processor configuration data in the CP15 registers 34 while the processor is operating in monitor mode. In the embodiment shown in Figure 35 this is achieved by providing a multiplexer 2010 that receives at its inputs both the processor configuration data stored in the CP15 registers and the monitor-mode-specific processor configuration data 2000. In addition, the multiplexer 2010 receives over path 2015 a control signal indicating whether the processor is currently operating in monitor mode. If the processor is not operating in monitor mode, the processor configuration data in the CP15 registers 34 is output to the system, but if the processor is operating in monitor mode, the multiplexer 2010 instead outputs the monitor-mode-specific processor configuration data 2000, thereby ensuring that a consistent set of processor configuration data is used while the processor is operating in monitor mode.
The monitor-mode-specific processor configuration data may be hard coded within the system, thereby ensuring that it cannot be manipulated. However, provided that the monitor-mode-specific processor configuration data can only be modified when operating in the secure privileged mode, the monitor-mode-specific processor configuration data 2000 can be made programmable without compromising security. This provides some flexibility regarding the settings of the monitor-mode-specific processor configuration data. If the monitor mode processor configuration data is configured to be programmable, the configuration data may be stored in any appropriate place within the system, for example in a separate set of registers within the CP15 registers 34.
Typically, the monitor-mode-specific processor configuration data will be set so as to provide a very secure environment for operation of the processor in monitor mode. Thus, in the above embodiments, the monitor-mode-specific processor configuration data may specify that the memory management logic 30 is disabled while the processor is operating in monitor mode, thereby disabling any virtual-to-physical address translation applied by the MMU. In this case the processor is always configured to issue physical addresses directly when issuing memory access requests, that is, a flat mapping is adopted. This ensures that the processor can reliably access memory while operating in monitor mode, regardless of whether any virtual-to-physical address mapping has been tampered with.
The monitor-mode-specific processor configuration data will also typically specify that the processor is allowed to access secure data while operating in monitor mode. This is preferably specified by the memory permission data including a domain status bit that has the same value as the corresponding domain status bit (the "S" bit) specified in the secure processor configuration data. Thus, whatever the actual value of the domain status bit stored in the CP15 registers, that value is overridden by the domain status bit specified by the monitor-mode-specific processor configuration data, so as to ensure that monitor mode has access to secure data.
The monitor-mode-specific processor configuration data may also specify other data controlling access to portions of memory. For example, the monitor-mode-specific processor configuration data may specify that the cache 38 is not to be used for accessing data while the processor is operating in monitor mode.
In the above embodiments it has been assumed that all of the CP15 registers containing processor configuration data are shared between the domains. However, in alternative embodiments a number of the CP15 registers may be "banked", so that, for example, two registers are provided for storing a particular item of processor configuration data, one register being accessible in the non-secure domain and containing the value of that processor configuration data for the non-secure domain, and the other register being accessible in the secure domain and containing the value of that processor configuration data for the secure domain.
One CP15 register that would not be banked is the one containing the "S" bit, but in principle any other CP15 register can be banked if desired. In these embodiments, switching of the processor configuration data by monitor mode involves moving the current processor configuration data in any shared CP15 registers from those shared registers into memory, and loading the processor configuration data relevant to the target domain into those shared CP15 registers. For any banked registers, the processor configuration data does not need to be stored out to memory; instead it is switched automatically as a result of changing the S bit value stored in the relevant shared CP15 register.
As mentioned earlier, the monitor mode processor configuration data will include a domain status bit that overrides the domain status bit stored in the relevant CP15 register, and that has the same value as the domain status bit used in the secure domain (that is, in the above embodiments, an S bit value of 1). When a number of the CP15 registers are banked, this means that at least part of the monitor-mode-specific processor configuration data 2000 in Figure 35 can be derived from the secure processor configuration data stored in the banked registers, since the contents of those registers are not written out to memory during the switching process.
Thus, for example, since the monitor-mode-specific processor configuration data specifies a domain status bit that overrides the domain status bit which would otherwise be used in monitor mode, and in preferred embodiments this has the same value as is used in the secure domain, the logic that selects which of the banked CP15 registers to access will allow the secure banked CP15 registers to be accessed. By allowing monitor mode to use the relevant parts of this secure processor configuration data as monitor-mode-specific processor configuration data, a saving in resources can be achieved, since there is no longer a need to provide a separate set of registers for that monitor-mode-specific processor configuration data.
Figure 36 is a flow diagram illustrating the steps performed to switch the processor configuration data when a transition from one domain to another is required. As mentioned earlier, an SMI instruction is issued in order to cause a transition between domains. Thus, at step 2020, the process waits for an SMI instruction to be issued. When an SMI instruction is received, the processor proceeds to step 2030, where it begins running the monitor program in monitor mode, which causes the control signal on path 2015 entering the multiplexer 2010 to switch the multiplexer to the monitor-mode-specific processor configuration data, so that the monitor-mode-specific processor configuration data is used. As mentioned earlier, this may be a separate data set, or may be partly derived from the secure processor configuration data stored in banked registers.
Thereafter, at step 2040, the current state of the domain in which the SMI instruction was issued is saved to memory, which includes saving from any shared CP15 registers the processor configuration data relevant to that domain. Typically, a portion of memory is set aside for the storage of this state. Then, at step 2050, a state pointer is switched to point to the portion of memory containing the corresponding state for the target domain. Thus, typically, two portions of memory are allocated for storing state information, one being used to store the state for the non-secure domain and the other being used to store the state for the secure domain.
Once the state pointer has been switched at step 2050, the state now pointed to by that state pointer is loaded into the relevant shared CP15 registers at step 2060, which includes loading the configuration data for the target domain into the relevant processor registers. Thereafter, at step 2070, the monitor program is exited, as is monitor mode, and the processor switches to the required mode in the target domain.
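The following is an added example, not code from the patent, modelling the multiplexer override of Figure 35 and the SMI-driven state switch of Figure 36: while in monitor mode the effective configuration is the monitor-mode-specific data (S bit set, MMU and cache off, flat mapping) whatever the CP15 registers hold, and an SMI saves the issuing domain's CP15 state to its memory area, loads the target domain's state, and exits monitor mode. The CP15 field set, the two mode enumerations and the offset-based mapping are constructed simplifications.

```c
/* Added example (not the patent's code): monitor-mode override and CP15 state switch. */
#include <stdbool.h>
#include <stdint.h>

typedef enum { MODE_USER, MODE_SUPERVISOR, MODE_MONITOR } cpu_mode_t;

/* Subset of the processor configuration data held in the CP15 registers 34. */
typedef struct {
    bool s_bit;            /* domain status bit: true = secure domain */
    bool mmu_enabled;      /* virtual-to-physical translation applied */
    bool cache_enabled;    /* cache 38 may be used for data accesses */
    uint32_t va_offset;    /* constructed stand-in for a page-table mapping: pa = va + offset */
} cp15_config_t;

/* Monitor-mode-specific processor configuration data 2000: S bit forced on,
 * MMU and cache disabled so that monitor mode always sees a flat mapping. */
static const cp15_config_t MONITOR_CONFIG = { true, false, false, 0 };

typedef struct {
    cpu_mode_t mode;
    cp15_config_t cp15;        /* the shared CP15 registers */
    cp15_config_t saved[2];    /* memory areas holding non-secure (0) and secure (1) state */
} cpu_t;

/* Multiplexer 2010: the control signal on path 2015 (the current mode) selects
 * the override data whenever the processor is in monitor mode. */
const cp15_config_t *effective_config(const cpu_t *cpu)
{
    return cpu->mode == MODE_MONITOR ? &MONITOR_CONFIG : &cpu->cp15;
}

/* Address the core issues to the memory system for a data access. */
uint32_t issue_address(const cpu_t *cpu, uint32_t va)
{
    const cp15_config_t *c = effective_config(cpu);
    return c->mmu_enabled ? va + c->va_offset : va;   /* flat mapping when the MMU is off */
}

/* Whether the effective configuration grants access to secure data. */
bool secure_data_accessible(const cpu_t *cpu)
{
    return effective_config(cpu)->s_bit;
}

/* Figure 36: the SMI enters monitor mode (step 2030); the issuing domain's CP15
 * state is saved (2040); the state pointer moves to the target domain (2050);
 * that state is loaded into CP15 (2060); monitor mode is exited (2070). */
void handle_smi(cpu_t *cpu)
{
    cpu->mode = MODE_MONITOR;
    int from = cpu->cp15.s_bit ? 1 : 0;
    cpu->saved[from] = cpu->cp15;
    int to = 1 - from;
    cpu->cp15 = cpu->saved[to];
    cpu->mode = MODE_SUPERVISOR;
}

/* Constructed starting state: running non-secure, with the secure domain's
 * configuration already held in its memory area. */
cpu_t make_demo_cpu(void)
{
    cpu_t cpu = { .mode = MODE_USER };
    cpu.cp15 = (cp15_config_t){ false, true, true, 0x01000000u };
    cpu.saved[1] = (cp15_config_t){ true, true, false, 0x02000000u };
    return cpu;
}
```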
Figure 37 illustrates in more detail the operation of the memory management logic 30 of one embodiment of the present invention. The memory management logic consists of a memory management unit (MMU) 200 and a memory protection unit (MPU) 220. Any memory access request issued by the core 10 on path 234 that specifies a virtual address is passed to the MMU 200, which is responsible for performing predetermined access control functions, more particularly for determining the physical address corresponding to that virtual address, for determining access permission rights, and for determining region attributes.
The memory system of the data processing apparatus consists of secure memory and non-secure memory, the secure memory being used to store secure data that is intended to be accessed only by the core 10, or by one or more other master devices, when the core or other device is operating in a secure mode of operation and hence in the secure domain.
In the embodiment of the invention illustrated in Figure 37, policing of attempts by applications running on the core 10 in a non-secure mode to access secure data in secure memory is performed by the partition checker 222 within the MPU 220, the MPU 220 being managed by the secure operating system, also referred to herein as the secure kernel.
In accordance with preferred embodiments of the invention, a non-secure page table 58 is provided in non-secure memory, for example in a non-secure memory portion of the external memory 56, and is used to store a corresponding descriptor for each of a number of non-secure memory regions defined within that page table.
The descriptor contains information from which the MMU 200 can derive the control information required to enable the MMU to perform the predetermined access control functions, and so in the embodiment described with reference to Figure 37 will provide information about the virtual-to-physical address mapping, the access permission rights, and any region attributes.
Further, in accordance with preferred embodiments of the invention, at least one secure page table 58 is provided in secure memory of the memory system, for example in a secure portion of the external memory 56, again providing the relevant descriptors for a number of memory regions defined within the table. When the processor is operating in a non-secure mode, the non-secure page table is referenced in order to obtain the relevant descriptors for use in managing memory accesses, whereas when the processor is operating in a secure mode, descriptors from the secure page table are used.
The retrieval of descriptors from the relevant page table by the MMU is as follows. When a memory access request issued by the core 10 specifies a virtual address, a lookup is performed in the micro TLB 206, which stores, for a number of virtual address portions, the corresponding physical address portions obtained from the relevant page table. Thus, the micro TLB 206 compares some portion of the virtual address with the corresponding virtual address portions stored in the micro TLB in order to determine whether there is a match. The portion compared will typically be a predetermined number of most significant bits of the virtual address, the number of bits being dependent on the granularity of the pages in the page table 58. The lookup performed in the micro TLB 206 is typically relatively fast, since the micro TLB 206 contains only a relatively small number of entries, for example eight entries.
If no match is found in the micro TLB 206, the memory access request is passed over path 242 to the main TLB 208, which contains a number of descriptors obtained from the page tables. As will be discussed in more detail later, descriptors from the non-secure page table and the secure page table can co-exist within the main TLB 208, and each entry in the main TLB has a corresponding flag (referred to herein as the domain flag) that can be set to indicate whether the corresponding descriptor in that entry was obtained from the secure page table or the non-secure page table. In any embodiment in which all secure modes of operation specify physical addresses directly in their memory access requests, it will be appreciated that this flag is not needed in the main TLB, since the main TLB will only store non-secure descriptors.
Within the main TLB 208 a similar lookup process is performed to determine whether the relevant portion of the virtual address issued in the memory access request corresponds to any of the virtual address portions associated with descriptors in the main TLB 208 that are relevant to the particular mode of operation. Thus, if the core 10 is operating in a non-secure mode, only those descriptors in the main TLB 208 that were obtained from the non-secure page table are checked, whereas if the core 10 is operating in a secure mode, only those descriptors in the main TLB that were obtained from the secure page table are checked.
If, as a result of that checking process, there is a hit in the main TLB, the access control information is extracted from the relevant descriptor and passed back over path 242. In particular, the virtual address portion and the corresponding physical address portion of the descriptor are passed over path 242 to the micro TLB 206 for storage in an entry of the micro TLB, the access permission rights are loaded into the access permission logic 202, and the region attributes are loaded into the region attribute logic 204. The access permission logic 202 and the region attribute logic 204 may be separate from the micro TLB or may be incorporated within the micro TLB.
At this point the MMU 200 can process the memory access request, since there is now a hit in the micro TLB 206. Thus, the micro TLB 206 generates the physical address, which is then output over path 238 onto the system bus 40 for routing to the relevant memory; this may be on-chip memory such as the TCM 36, the cache 38, etc., or a memory unit external to the chip that is accessible via the external bus interface 42. At the same time, the access permission logic 202 determines whether the memory access is permitted, and if it determines that the core is not allowed to access the specified memory location in the current mode of operation, it issues an abort signal back to the core 10 over path 230. For example, certain portions of memory, whether in secure memory or non-secure memory, may be specified as being accessible only when the core is operating in supervisor mode, so that if the core 10 attempts to access such a memory location while in, for example, user mode, the access permission logic 202 will detect that the core 10 does not currently have the appropriate access rights and will issue the abort signal over path 230. This causes the memory access to be aborted. Finally, the region attribute logic 204 determines the region attributes for the particular memory access, such as whether the access is cacheable, bufferable, etc., and issues such signals over path 232, where they are then used to determine, for example, whether the data that is the subject of the memory access request may be cached in the cache 38, or, in the case of a write access, whether the write data may be buffered, etc.
In the event that there is no hit in the main TLB 208, the translation table walk logic 210 is used to access the relevant page table 58 in order to retrieve the required descriptor over path 248, and then to pass that descriptor over path 246 to the main TLB 208 for storage therein. The base addresses for both the non-secure page table and the secure page table are stored within the registers 34 of CP15, and the current domain in which the processor core 10 is operating, whether the secure domain or the non-secure domain, is also set within a register of CP15; this domain status register is set by monitor mode when a transition takes place from the non-secure domain to the secure domain, or vice versa. The content of the domain status register is referred to herein as the domain bit. Thus, if a translation table walk process needs to be performed, the translation table walk logic 210 knows which domain the core 10 is operating in, and hence which base address to use to access the relevant table. The virtual address is then used as an offset from the base address in order to access the appropriate entry in the appropriate page table, thereby obtaining the required descriptor.
Once the descriptor has been retrieved by the translation table walk logic 210 and placed within the main TLB 208, a hit is obtained within the main TLB, and the process described earlier is invoked to retrieve the access control information and store it within the micro TLB 206, the access permission logic 202, and the region attribute logic 204. The memory access can then be acted upon by the MMU 200.
As mentioned earlier, in preferred embodiments the main TLB 208 can store descriptors from both the secure page table and the non-secure page table, but memory access requests are only processed by the MMU 200 once the relevant information is stored within the micro TLB 206. In preferred embodiments, the transfer of information between the main TLB 208 and the micro TLB 206 is monitored by the partition checker 222 located within the MPU 220, to ensure that, when the core 10 is operating in a non-secure mode, no access control information is transferred to the micro TLB 206 from a descriptor in the main TLB 208 that would cause a physical address in secure memory to be generated.
The memory protection unit is managed by the secure operating system by means of partition information, which may be located within the registers 34 of CP15, defining the partitioning between secure and non-secure memory. The partition checker 222 can then reference that partition information in order to determine whether access control information is being passed to the micro TLB 206 that would allow the core 10 to access secure memory while in a non-secure mode. More particularly, in preferred embodiments, when the core 10 is in a non-secure mode of operation, as indicated by the domain bit set by monitor mode within the CP15 domain status register, the partition checker 222 can monitor over path 244 any physical address portion that is being sought to be returned to the micro TLB 206 from the main TLB 208, and determine on the basis of that physical address portion whether the physical address that would be generated for the virtual address would lie within secure memory. In that event, the partition checker 222 issues an abort signal to the core 10 over path 230 to prevent the memory access from taking place.
It will be appreciated that, in addition, the partition checker 222 may be arranged to actually prevent the physical address portion from being stored within the micro TLB 206; alternatively, the physical address portion may still be stored within the micro TLB 206, but part of the abort process will be to remove that incorrect physical address portion from the micro TLB 206, for example by flushing the micro TLB 206.
Whenever the core 10 transitions, via monitor mode, between a non-secure mode of operation and a secure mode of operation, monitor mode changes the domain bit value within the CP15 domain status register to indicate the domain into which the operation of the processor is changing. As part of the transition process between domains, the micro TLB 206 is flushed, and hence the first memory access following a transition between the secure domain and the non-secure domain produces a miss in the micro TLB 206 and requires the access information to be retrieved from the main TLB 208, either directly or via retrieval of the relevant descriptor from the relevant page table.
By above-mentioned method, will recognize that subregion checker 222 will guarantee when kernel just operates in non-security territory, allow the access control information of access secure memory to return to little TLB206 if attempt making, will produce the memory access termination.
If in any operator scheme of processor cores 10, memory access request is configured to directly specify physical address, so, in that operator scheme, to forbid MMU200, and on path 236, physical address is sent among the MPU220, in secure mode of operation, access permission logic 224 and region attribute logic 226 will based on access permission power and the area attribute to the corresponding district identification in the partition information register 34 in the CP15, be carried out necessary access permission and area attribute analysis. If the secure storage unit of just attempting accessing is positioned at only in some operator scheme, for example in the safe special permission pattern in the addressable Partial security memory, so, at different operation modes, for example in secured user's pattern, the access of kernel is attempted and will be produced in these cases the identical mode of ending so that access permission logic 224 on path 230, is used with the access permission logic 202 of MMU, and inwardly karyogenesis is ended. Similarly, region attribute logic 226 will with the region attribute logic 204 of MMU to produce the identical mode of those signals that is used for by the memory access request of virtual address appointment, generate signal cacheable and that cushion. Suppose to allow access, then, request of access enters on the system bus 40 in path 240, is sent to suitable memory cell from this bus.
Request of access is specified the non-security access of physical address, through the path 236, make request of access be sent to subregion checker 222, the subregion checker will be quoted the partition information in the CP15 register 34, carry out the subregion verification and whether specify the unit in the safe storage in order to determine physical address, in this case, on path 230, will again produce abort signal.
The processing performed by the above memory management logic will now be described in more detail with reference to the flow charts of Figures 39 and 40. Figure 39 illustrates the situation in which the program running on the core 10 generates a virtual address, as indicated by step 300. The relevant domain bit in the CP15 domain status register 34, as set by the monitor mode, indicates whether the core is currently running in the secure domain or the non-secure domain. If the core is running in the secure domain, the process branches to step 302, where a lookup is performed in the micro-TLB 206 to check whether the relevant portion of the virtual address matches a virtual address portion held in the micro-TLB 206. In the event of a hit at step 302, the process branches directly to step 312, where the access permission logic 202 performs the necessary access analysis. At step 314 it is then determined whether there is an access permission violation; if so, the process proceeds to step 316, where the access permission logic 202 issues an abort over path 230. Otherwise, in the absence of such an access permission violation, the process proceeds from step 314 to step 318, where the memory access takes place. In particular, the region attribute logic 204 outputs the necessary cacheable and bufferable attributes over path 232, and the micro-TLB 206 issues the physical address over path 238, as described earlier.
If at step 302 there is a miss in the micro-TLB, then at step 304 a lookup is performed in the main TLB 208 to determine whether the required secure descriptor is present in the main TLB. If not, a page table walk is performed at step 306, whereby the translation table walk logic 210 obtains the required descriptor from the secure page table, as described with reference to Figure 37. The process then proceeds to step 308; if the secure descriptor was already in the main TLB 208, the process proceeds directly from step 304 to step 308.
At step 308 it is determined that the main TLB now contains the validly tagged secure descriptor, and the process therefore proceeds to step 310, where the micro-TLB is loaded with the sub-section of the descriptor that contains the physical address portion. Because the core 10 is currently running in a secure mode, there is no need for the partition checker 222 to perform any partition checking.
The process then proceeds to step 312, where the remainder of the memory access is performed as described earlier.
In the case of a non-secure memory access, the process proceeds from step 300 to step 320, where a lookup is performed in the micro-TLB 206 to determine whether the corresponding physical address portion from a non-secure descriptor is present. If so, the process branches directly to step 336, where the access permission rights are checked by the access permission logic 202. Note that at this point, if the relevant physical address portion is in the micro-TLB, it is assumed that there is no security violation, because the partition checker 222 will have checked the access control information before it was stored in the micro-TLB; information that is in the micro-TLB is therefore assumed to be appropriate non-secure data. Once the access permissions have been checked at step 336, the process proceeds to step 338, where it is determined whether there is any violation, in which case an access permission fault abort is issued at step 316. Otherwise, the process proceeds to step 318, where the remainder of the memory access is performed, as described earlier.
In the event of a miss in the micro-TLB at step 320, the process proceeds to step 322, where a lookup is performed in the main TLB 208 to determine whether the relevant non-secure descriptor is present. If not, a page table walk is performed by the translation table walk logic 210 at step 324 to retrieve the necessary non-secure descriptor from the non-secure page table into the main TLB 208. The process then proceeds to step 326; if the descriptor is found in the main TLB 208 at step 322, the process proceeds directly from step 322 to step 326. At step 326 it is determined that the main TLB now contains the validly tagged non-secure descriptor for the virtual address, and then at step 328 the partition checker 222 checks that the physical address that would be generated from the virtual address of the memory access request (assuming the physical address portion in the descriptor) specifies a location in non-secure memory. If not, that is, if the physical address points to a location in secure memory, a security violation is determined at step 330, and the process proceeds to step 331, where the partition checker 222 issues a secure/non-secure fault abort.
If, however, the partition checker logic 222 determines that there is no security violation, the process proceeds to step 334, where the micro-TLB is loaded with the sub-section of the relevant descriptor that contains the physical address portion, and then at step 336 the memory access is processed in the manner described earlier.
The processing of a memory access request that directly issues a physical address will now be described with reference to Figure 40. As mentioned earlier, in this case the MMU 200 is disabled, which is preferably achieved by setting an MMU enable bit in the relevant register of the CP15 registers, this setting being performed by the monitor mode. At step 350, the core 10 generates the physical address, which is passed over path 236 into the MPU 220. At step 352, the MPU then checks the permissions to verify that the requested memory access can proceed in the current mode of operation, i.e. user, supervisor, etc. In addition, if the core is operating in a non-secure mode, then at step 352 the partition checker 222 also checks whether the physical address lies in non-secure memory. At step 354 it is then determined whether there is a violation, that is, whether the access permission processing has revealed a violation or, if in a non-secure mode, whether the partition check has identified a violation. If either of these violations occurs, the process proceeds to step 356, where an access permission fault abort is generated by the MPU 220. It will be appreciated that in some embodiments no distinction is made between the two kinds of abort, whereas in other embodiments the abort signal may indicate whether it relates to an access permission fault or to a security fault.
If no violation is detected at step 354, the process proceeds to step 358, where the memory access to the location identified by the physical address takes place.
In preferred embodiments, only the monitor mode is arranged to generate physical addresses directly; hence in all other situations the MMU 200 is enabled and the physical address is generated from the virtual address of the memory access request, as described earlier.
Figure 38 illustrates an alternative embodiment of the memory management logic in which all memory access requests specify a virtual address, so that a physical address is never generated directly in any mode of operation. In this case, it will be appreciated that a separate MPU 220 is not required; instead, the partition checker 222 is incorporated within the MMU 200. Apart from this change, the processing proceeds in exactly the same way as described with reference to Figures 37 and 39.
It will be appreciated that various other options are also possible. For example, assuming that both the secure and the non-secure modes issue memory access requests specifying virtual addresses, two MMUs could be provided, one for secure access requests and one for non-secure access requests; that is, the MPU 220 of Figure 37 could be replaced by a complete MMU. In such a case there would be no need to use a flag in the main TLB of each MMU to define whether a descriptor is secure or non-secure, since one MMU would store the non-secure descriptors in its main TLB and the other MMU would store the secure descriptors in its main TLB. Of course, the partition checker would still be needed to check whether the core, while in the non-secure domain, is attempting to access secure memory.
Alternatively, if all memory access requests specify physical addresses directly, an alternative implementation could use two MPUs, one for secure access requests and one for non-secure access requests. The MPU used for non-secure access requests would have its access requests policed by the partition checker, to ensure that accesses to secure memory are not allowed in the non-secure mode.
As a further feature that may be provided with the arrangements of Figure 37 or Figure 38, the partition checker 222 may be arranged to perform some partition checking in order to police the activities of the translation table walk logic 210. In particular, if the core is currently operating in the non-secure domain, the partition checker 222 may be arranged to check, whenever the translation table walk logic 210 attempts to access a page table, that it is accessing the non-secure page table rather than the secure page table. If a violation is detected, an abort signal is preferably generated. Since the translation table walk logic 210 typically performs the page table lookup by combining the page table base address with certain bits of the virtual address issued by the memory access request, this partition check may for example consist of checking that the translation table walk logic 210 is using the base address of the non-secure page table rather than the base address of the secure page table.
Figure 41 schematically illustrates the process performed by the partition checker 222 when the core 10 is operating in a non-secure mode. It will be appreciated that in normal operation a descriptor obtained from the non-secure page table will only describe a page mapped onto non-secure memory. However, in the event of a software attack, the descriptor could be tampered with so that it now describes a section that includes both non-secure and secure regions of memory. Hence, considering the example of Figure 41, a corrupted non-secure descriptor could cover a page that includes the non-secure regions 370, 372, 374 and the secure regions 376, 378 and 380. If the virtual address issued as part of the memory access request corresponds to a physical address in a secure memory region, for example the secure memory region 376 shown in Figure 41, the partition checker 222 is arranged to generate an abort to prevent the access from taking place. Hence, even though the non-secure descriptor has been corrupted in an attempt to access secure memory, the partition checker 222 prevents the access. In contrast, if the physical address derived using that descriptor corresponds to a non-secure memory region, for example the region 374 shown in Figure 41, then the access control information loaded into the micro-TLB 206 identifies only that non-secure region 374. Hence, accesses within the non-secure memory region 374 can take place, but accesses to any of the secure regions 376, 378 or 380 cannot. Thus, even though the main TLB 208 may contain descriptors from a non-secure page table that has been tampered with, the micro-TLB will only contain physical address portions that allow access to non-secure memory regions.
As mentioned earlier, in embodiments where memory access requests specifying a virtual address can be generated in either the non-secure mode or the secure mode, the memory preferably includes a non-secure page table in non-secure memory and a secure page table in secure memory. When in the non-secure mode, the non-secure page table is referenced by the translation table walk logic 210, and when in the secure mode, the secure page table is referenced by the translation table walk logic 210. Figure 42 illustrates these two page tables. As shown in Figure 42, the non-secure memory 390, which may for example be within the external memory 56 of Figure 1, contains a non-secure page table 395 specified by reference to a base address 397 held in a CP15 register 34. Similarly, within the secure memory 400, which may likewise be within the external memory 56 of Figure 1, a corresponding secure page table 405 is provided, specified by a secure page table base address 407 held in a dedicated CP15 register 34. Each descriptor in the non-secure page table 395 points to a corresponding non-secure page in the non-secure memory 390, and each descriptor in the secure page table 405 defines a corresponding secure page in the secure memory 400. In addition, as described in more detail later, certain regions of memory may be shared memory regions 410 that are accessible in both the non-secure mode and the secure mode.
Figure 43 illustrates in more detail the lookup process performed in the main TLB 208 in accordance with preferred embodiments. As mentioned earlier, the main TLB 208 includes a domain flag 425 identifying whether the corresponding descriptor comes from the secure page table or from the non-secure page table. This ensures that, when a lookup is performed, only the descriptors relevant to the particular domain in which the core 10 is operating are checked. Figure 43 illustrates an example in which the core is running in the secure domain, also referred to as the secure world. As can be seen from Figure 43, when the main TLB 208 lookup is performed, the descriptors 440 are ignored, and only the descriptors 445 are identified as candidates for the lookup.
In accordance with preferred embodiments, an additional process ID flag 430, also referred to here as the ASID flag, is provided to identify the descriptors that come from a process-specific page table. Hence, processes P1, P2 and P3 may each have a corresponding page table provided in memory, and there may furthermore be different page tables for non-secure operation and for secure operation. In addition, it will be appreciated that the processes P1, P2 and P3 in the secure domain may be entirely separate processes from the processes P1, P2 and P3 in the non-secure domain. Hence, in addition to checking the domain as shown in Figure 43, the ASID flag is also checked when a main TLB 208 lookup is required.
Therefore, in the example of Figure 43, where process P1 is executing in the secure domain, the lookup identifies exactly the two entries 450 in the main TLB 208, and a hit or a miss is then generated according to whether the virtual address portion in either of those two descriptors matches the corresponding portion of the virtual address issued by the memory access request. If so, the relevant access control information is extracted and passed to the micro-TLB 206, the access permission logic 202 and the region attribute logic 204. Otherwise, a miss occurs, and the translation table walk logic 210 is used to retrieve the required descriptor into the main TLB 208 from the page table provided for the secure process P1. As will be appreciated by those skilled in the art, many techniques exist for managing the contents of a TLB; hence, when a new descriptor is retrieved for storage in the main TLB 208 and the main TLB is already full, any one of a number of known techniques, for example a least recently used approach, may be used to determine which descriptor to evict from the main TLB to make room for the new one.
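The lookup path described above for Figures 37, 39, 41 and 43, written out as an added C model that is not part of the patent or of any ARM implementation: a micro-TLB that is flushed on every domain switch and on every re-partitioning, a main TLB whose entries carry the domain flag and the ASID, a table walk that selects the page table from the domain bit, and a partition checker that vets the physical address of every non-secure fill of the micro-TLB against MPU-style regions in which the most recently programmed overlapping region wins. Table sizes, the round-robin replacement, the treatment of unpartitioned addresses as secure, the address map and the tampered descriptor are constructed for the example, and all structure and function names are the author's, not the patent's.

```c
/* Added model of the Figure 37/39 translation path: micro-TLB, flagged main TLB, table walk
 * selected by the domain bit, and the partition checker that vets non-secure micro-TLB fills. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_MASK ((1u << PAGE_SHIFT) - 1)
#define TABLE_ENTRIES 8
#define MAIN_TLB_SIZE 8
#define MICRO_TLB_SIZE 2
#define MAX_REGIONS 4

enum domain { NON_SECURE = 0, SECURE = 1 };
enum result { ACCESS_OK, ABORT_SECURITY, ABORT_TRANSLATION };

struct descriptor  { uint32_t vpn, ppn; uint8_t asid; bool valid; };      /* page-table entry */
struct main_entry  { struct descriptor d; enum domain dom; bool valid; }; /* with domain flag 425 */
struct micro_entry { uint32_t vpn, ppn; uint8_t asid; bool valid; };      /* physical address portion */
struct region      { uint32_t base, size; bool secure; };                 /* CP15 partition info */

struct mmu {
    enum domain domain_bit;                     /* CP15 domain status register */
    struct descriptor table[2][TABLE_ENTRIES];  /* [NON_SECURE] and [SECURE] page tables */
    struct main_entry main_tlb[MAIN_TLB_SIZE];
    struct micro_entry micro_tlb[MICRO_TLB_SIZE];
    unsigned main_next, micro_next;             /* round-robin replacement (modelling choice) */
    struct region regions[MAX_REGIONS];
    unsigned nregions;
};

/* Partition check: the most recently programmed overlapping region wins; an address covered
 * by no region is treated as secure (modelling choice). */
static bool pa_is_secure(const struct mmu *m, uint32_t pa) {
    bool secure = true;
    for (unsigned i = 0; i < m->nregions; i++)
        if (pa - m->regions[i].base < m->regions[i].size) secure = m->regions[i].secure;
    return secure;
}

static void flush_micro_tlb(struct mmu *m) { memset(m->micro_tlb, 0, sizeof m->micro_tlb); }
/* Monitor mode: change the domain bit and flush the micro-TLB as part of the switch. */
void set_domain(struct mmu *m, enum domain d) { m->domain_bit = d; flush_micro_tlb(m); }
/* Secure kernel re-partitions memory (e.g. makes a page shared); the micro-TLB is flushed. */
void repartition(struct mmu *m, uint32_t base, uint32_t size, bool secure) {
    if (m->nregions < MAX_REGIONS) m->regions[m->nregions++] = (struct region){ base, size, secure };
    flush_micro_tlb(m);
}

/* Translation table walk: the domain bit selects which page-table base is used. */
static const struct descriptor *table_walk(const struct mmu *m, uint8_t asid, uint32_t vpn) {
    const struct descriptor *t = m->table[m->domain_bit];
    for (unsigned i = 0; i < TABLE_ENTRIES; i++)
        if (t[i].valid && t[i].asid == asid && t[i].vpn == vpn) return &t[i];
    return NULL;
}

enum result translate(struct mmu *m, uint8_t asid, uint32_t va, uint32_t *pa) {
    uint32_t vpn = va >> PAGE_SHIFT, off = va & PAGE_MASK;
    const struct descriptor *d = NULL;
    *pa = 0;
    /* steps 302/320: micro-TLB lookup; anything here has already passed the partition checker */
    for (unsigned i = 0; i < MICRO_TLB_SIZE; i++) {
        const struct micro_entry *u = &m->micro_tlb[i];
        if (u->valid && u->asid == asid && u->vpn == vpn) { *pa = (u->ppn << PAGE_SHIFT) | off; return ACCESS_OK; }
    }
    /* steps 304/322: main TLB lookup; only entries with matching domain flag and ASID are candidates */
    for (unsigned i = 0; i < MAIN_TLB_SIZE && !d; i++) {
        const struct main_entry *e = &m->main_tlb[i];
        if (e->valid && e->dom == m->domain_bit && e->d.asid == asid && e->d.vpn == vpn) d = &e->d;
    }
    /* steps 306/324: miss, so walk the current domain's page table and fill the main TLB */
    if (!d) {
        const struct descriptor *w = table_walk(m, asid, vpn);
        if (!w) return ABORT_TRANSLATION;
        struct main_entry *e = &m->main_tlb[m->main_next++ % MAIN_TLB_SIZE];
        *e = (struct main_entry){ *w, m->domain_bit, true };
        d = &e->d;
    }
    uint32_t candidate = (d->ppn << PAGE_SHIFT) | off;
    /* step 328: in the non-secure domain the partition checker vets the physical address before the
     * physical address portion may enter the micro-TLB; a tampered descriptor is stopped here */
    if (m->domain_bit == NON_SECURE && pa_is_secure(m, candidate)) return ABORT_SECURITY;
    /* steps 310/334: load the micro-TLB and proceed with this physical address */
    m->micro_tlb[m->micro_next++ % MICRO_TLB_SIZE] = (struct micro_entry){ vpn, d->ppn, asid, true };
    *pa = candidate;
    return ACCESS_OK;
}

/* Constructed scenario: memory below 0x10000000 is non-secure, above it secure; process P1 (ASID 1)
 * has a table per domain, and the non-secure table holds one tampered descriptor (vpn 0x101) that
 * points into secure memory, as discussed for Figure 41. */
struct mmu *demo_setup(void) {
    static struct mmu m;
    memset(&m, 0, sizeof m);
    m.regions[0] = (struct region){ 0x00000000u, 0x10000000u, false };
    m.regions[1] = (struct region){ 0x10000000u, 0x10000000u, true };
    m.nregions = 2;
    m.table[NON_SECURE][0] = (struct descriptor){ 0x100, 0x00100, 1, true };
    m.table[NON_SECURE][1] = (struct descriptor){ 0x101, 0x10000, 1, true };  /* tampered */
    m.table[SECURE][0]     = (struct descriptor){ 0x100, 0x10000, 1, true };
    m.table[SECURE][1]     = (struct descriptor){ 0x101, 0x10001, 1, true };
    set_domain(&m, NON_SECURE);
    return &m;
}
```

Run against the constructed scenario, the same virtual address 0x100abc translates to non-secure physical memory in the non-secure domain and to secure memory in the secure domain, because the domain flag keeps the two descriptors apart in the main TLB. The tampered non-secure descriptor for vpn 0x101 is retained in the main TLB after the walk, but its physical address portion never reaches the micro-TLB, so every non-secure access through it aborts until the secure kernel re-partitions that page as non-secure and flushes the micro-TLB.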
It will be appreciated that the secure kernel used in the secure modes of operation may be developed entirely separately from the non-secure operating system. In some cases, however, the development of the secure kernel and of the non-secure operating system may be closely linked, and in such cases it may be appropriate to allow secure applications to use non-secure descriptors. Indeed, this allows a secure application to access non-secure data directly (for sharing) merely by knowing its virtual address. Of course, this assumes that, for a given ASID, the secure virtual mapping and the non-secure virtual mapping are mutually exclusive. In such cases the flag introduced earlier to distinguish secure from non-secure descriptors (i.e. the domain flag) is not needed, and the lookup in the TLB is then performed across all available descriptors.
In preferred embodiments, the choice between this main TLB configuration and the configuration described earlier with separate secure and non-secure descriptors can be set by a particular bit provided in the CP15 control register. In preferred embodiments this bit can only be set by the secure kernel.
In embodiments that allow secure applications to use non-secure virtual addresses directly, the non-secure stack pointer can be made available from the secure domain. This can be done by copying the non-secure register value that identifies the non-secure stack pointer into a dedicated register among the CP15 registers 34. This then allows a non-secure application to pass parameters via the stack according to a scheme understood by the secure application.
As mentioned earlier, the memory can be partitioned into non-secure and secure parts, and this partitioning is controlled using CP15 registers 34 dedicated to the partition checker 222. The basic partitioning approach is based on region access permissions as defined in typical MPU devices. The memory is therefore divided into regions, and each region is preferably defined by its base address, its size, its memory attributes and its access permissions. Furthermore, when overlapping regions are programmed, the attributes of the upper region take highest priority. In addition, in accordance with a preferred embodiment of the invention, a new region attribute is provided to define whether the corresponding region lies in secure memory or in non-secure memory. This new region attribute is used by the secure kernel to define the part of memory that is to be protected as secure memory.
At the boot stage, a first partitioning is performed, as shown in Figure 44. This initial partitioning determines the amount of memory 460 allocated to the non-secure world, the non-secure operating system and the non-secure applications. This amount corresponds to the non-secure region defined in the partitioning. This information is then used by the non-secure operating system for its memory management. The non-secure operating system is unaware of the remainder of memory 462, 464, which is defined as secure. To protect the integrity of the non-secure world, the non-secure memory is programmed with access permissions for the secure privileged mode only; hence secure applications cannot corrupt non-secure applications. As can be seen from Figure 44, after this boot stage partitioning the memory 460 is available for use by the non-secure operating system, the memory 462 is available for use by the secure kernel, and the memory 464 is available for use by secure applications.
Once the boot stage partitioning has been performed, the memory mapping of the non-secure memory 460 is handled by the non-secure operating system using the MMU 200, and a series of non-secure pages can therefore be defined in the usual way. This is shown in Figure 45.
If a secure application needs to share memory with a non-secure application, the secure kernel can change the rights of a part of the memory in order to transfer data manually from one domain to the other. Hence, as shown in Figure 46, after checking the integrity of a non-secure page, the secure kernel changes the rights of that page so that it becomes a secure page 466 accessible as shared memory.
When the partitioning of the memory changes, the micro-TLB 206 must be flushed. Hence, in this case, when a non-secure access subsequently takes place, a miss occurs in the micro-TLB 206 and a new descriptor is therefore loaded from the main TLB 208. This new descriptor is checked by the partition checker 222 of the MPU as it is being returned to the micro-TLB 206, and so will be consistent with the new partitioning of the memory.
In a preferred embodiment, the cache 38 is virtually indexed and physically tagged. Hence, when an access is made to the cache 38, a lookup is first performed in the micro-TLB 206, and the access permissions, in particular the secure and non-secure permissions, are therefore checked. Consequently, secure data cannot be stored in the cache 38 by a non-secure application. Accesses to the cache 38 are under the control of the partition check performed by the partition checker 222, and hence no access to secure data can be performed in the non-secure mode.
A problem that can arise, however, is that an application in the non-secure domain may be able to use the cache operation registers to invalidate, clean or flush the cache. It must be ensured that such operations do not affect the security of the system. For example, if the non-secure operating system invalidates the cache 38 rather than cleaning it, any secure dirty data must be written to external memory before it is replaced. It is therefore preferable to tag secure data in the cache so that it can be handled differently where necessary.
In a preferred embodiment, if an "invalidate line by address" operation is performed by a non-secure program, the physical address is checked by the partition checker 222, and if the cache line is a secure cache line, the operation becomes a "clean and invalidate" operation, thereby maintaining the security of the system. Furthermore, in a preferred embodiment, all "invalidate line by index" operations performed by a non-secure program become "clean and invalidate by index" operations. Similarly, all "invalidate all" operations performed by a non-secure program become "clean and invalidate all" operations.
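The three rewrite rules just stated, as an added C model that is not the patent's or ARM's code, over a four-line cache with a backing store. The partition checker's address test is stood in for by a fixed boundary, line size and addresses are constructed, and the secure tagging of lines mentioned above is not modelled separately because the by-address rule is driven by the physical address check; names are the author's.

```c
/* Added model of the cache-maintenance rules for non-secure programs: an "invalidate" that could
 * discard secure dirty data is performed as "clean and invalidate" instead. Sizes are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define LINES 4
#define LINE_SHIFT 5        /* 32-byte lines (constructed) */
#define MEM_WORDS 16

/* Enumeration order matters below: the three clean-and-invalidate variants come last. */
enum cache_op { INVALIDATE_BY_ADDR, INVALIDATE_BY_INDEX, INVALIDATE_ALL,
                CLEAN_INVALIDATE_BY_ADDR, CLEAN_INVALIDATE_BY_INDEX, CLEAN_INVALIDATE_ALL };

struct line  { uint32_t pa, data; bool valid, dirty; };
struct cache { struct line lines[LINES]; };

/* Backing memory, one word per line address (constructed). */
static uint32_t memory[MEM_WORDS];
static uint32_t *backing(uint32_t pa) { return &memory[(pa >> LINE_SHIFT) % MEM_WORDS]; }

/* Stand-in for the partition checker's address test: 0x10000000 and above is secure (constructed). */
static bool pa_is_secure(uint32_t pa) { return pa >= 0x10000000u; }

/* The operation actually performed, given the requesting program's domain. */
enum cache_op effective_op(enum cache_op req, bool requester_secure, uint32_t pa) {
    if (requester_secure) return req;                 /* only non-secure requests are rewritten */
    switch (req) {
    case INVALIDATE_BY_ADDR:  /* partition checker looks at the physical address of the line */
        return pa_is_secure(pa) ? CLEAN_INVALIDATE_BY_ADDR : INVALIDATE_BY_ADDR;
    case INVALIDATE_BY_INDEX: return CLEAN_INVALIDATE_BY_INDEX;  /* always upgraded */
    case INVALIDATE_ALL:      return CLEAN_INVALIDATE_ALL;       /* always upgraded */
    default:                  return req;
    }
}

static void drop_line(struct line *l, bool clean) {
    if (!l->valid) return;
    if (clean && l->dirty) *backing(l->pa) = l->data;   /* write back before discarding */
    l->valid = l->dirty = false;
}

/* Apply a maintenance request; returns the operation that was really carried out. */
enum cache_op cache_maintain(struct cache *c, enum cache_op req, bool requester_secure,
                             uint32_t pa, unsigned index) {
    enum cache_op op = effective_op(req, requester_secure, pa);
    bool clean = op >= CLEAN_INVALIDATE_BY_ADDR;
    switch (op) {
    case INVALIDATE_BY_ADDR: case CLEAN_INVALIDATE_BY_ADDR:
        for (unsigned i = 0; i < LINES; i++)
            if (c->lines[i].valid && c->lines[i].pa == pa) drop_line(&c->lines[i], clean);
        break;
    case INVALIDATE_BY_INDEX: case CLEAN_INVALIDATE_BY_INDEX:
        drop_line(&c->lines[index % LINES], clean);
        break;
    default:                 /* INVALIDATE_ALL or CLEAN_INVALIDATE_ALL */
        for (unsigned i = 0; i < LINES; i++) drop_line(&c->lines[i], clean);
    }
    return op;
}

/* Constructed state: line 0 holds dirty secure data, line 1 dirty non-secure data; memory is clear. */
struct cache *demo_cache(void) {
    static struct cache c;
    memset(&c, 0, sizeof c);
    memset(memory, 0, sizeof memory);
    c.lines[0] = (struct line){ 0x10000020u, 0xC0FFEE01u, true, true };
    c.lines[1] = (struct line){ 0x00000040u, 0x00000AB1u, true, true };
    return &c;
}

uint32_t memory_word(uint32_t pa) { return *backing(pa); }
bool line_valid(const struct cache *c, unsigned i) { return c->lines[i % LINES].valid; }
```

With the constructed state, a non-secure "invalidate by address" aimed at the secure line is carried out as clean-and-invalidate, so the dirty secure word reaches memory instead of being lost, while the same request aimed at the non-secure line stays a plain invalidate and its dirty data is discarded; the by-index and all-lines variants from a non-secure requester are always upgraded, and a secure requester's operations are left unchanged.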
Furthermore, with reference to Figure 1, any access to the TCM 36 by the DMA 32 is controlled through the micro-TLB 206. Hence, when the DMA 32 performs a lookup in the TLB to translate its virtual address into a physical address, the flags added to the main TLB as described earlier allow the required security checks to be performed, just as if the access request had been issued by the core 10. In addition, as described later, a replica partition checker is coupled to the external bus 70, preferably located in the arbiter/decoder block 54, so that if the DMA 32 accesses memory coupled to the external bus 70 directly through the external bus interface 42, the replica partition checker connected to the external bus checks the validity of the access. Furthermore, in some preferred embodiments a bit can be added to the CP15 registers 34 to define whether the DMA controller 32 may be used in the non-secure domain, this bit being settable only by the secure kernel when operating in the privileged mode.
Turning to the TCM 36, if secure data is located in the TCM 36, this must be handled with care. For example, a scenario can be envisaged in which the non-secure operating system programs the physical address range of the TCM memory 36 so that it overlaps a part of external secure memory. If the mode of operation then changes to a secure mode, the secure kernel may cause data to be stored in that overlapping part, and the data will typically be stored in the TCM 36, since the TCM 36 usually has a higher priority than the external memory. If the non-secure operating system then changes the settings of the physical address space of the TCM 36 so that the previously mapped secure region now maps onto a non-secure physical region of memory, it will be appreciated that the non-secure operating system could access the secure data, since the partition checker regards that region as non-secure and will not assert an abort. In summary, therefore, if the TCM is configured to act as ordinary local RAM rather than as a smart cache, the non-secure operating system could read secure world data if it is able to move the TCM base register to a non-secure physical address.
To prevent this scenario, in a preferred embodiment a control bit is provided in the CP15 registers 34 that is accessible only in the secure privileged mode of operation and that provides two possible configurations. In the first configuration, this control bit is set to "1", in which case the TCM can only be controlled by the secure privileged mode. Hence, any non-secure attempt to access the TCM control registers in CP15 34 causes an undefined instruction exception to be entered. Thus, in this first configuration, both secure and non-secure modes can use the TCM, but the TCM is controlled only by the secure privileged mode. In the second configuration, the control bit is set to "0", in which case the TCM is controlled by the non-secure operating system. In this case, the TCM is used only by non-secure applications. No secure data can be stored in or loaded from the TCM. Hence, when a secure access is performed, no lookup is performed in the TCM to check whether the address matches the TCM address range.
By default, it is envisaged that the TCM is used only by the non-secure operating system, since in that case the non-secure operating system does not need to be changed.
As previously mentioned, except subregion checker 222 is provided in MPU220, the preferred embodiments of the present invention also provide the similar subregion verification piece that is coupled to external bus 70, this other subregion checker is used for management by other main equipments, for example digital signal processor (DSP) 50, be directly coupled to the dma controller 52 of external bus, can be connected to dma controller 32 etc. the reference to storage of external bus through external bus interface 42. Really, in certain embodiments, as described later, can only have the subregion verification piece that is coupled on the bus of outside (or equipment), and the subregion checker that is not provided as the part of storage management logic 30. In some this embodiment, can alternatively the subregion checker be provided as the part of storage management logic 30, in these examples, this subregion checker can be considered as except be coupled to the equipment bus another subregion checker of providing.
As previously mentioned, whole accumulator system can be comprised of several memory cells, and a plurality of these memory cells may reside on the external bus 70, for example external memory storage 56, guiding ROM44 or peripheral hardware are on actual buffer or register 48,62,66 in screen drive 46, I/O interface 60, key memory cell 64 etc. In addition, the different piece of accumulator system need to be defined as safe storage, for example can expect that the key buffer 66 in the key memory cell 64 is treated to safe storage. If the equipment that is coupled on the external bus attempts to access this safe storage, so obviously, the previous described storage management logic 30 in the chip in being included in kernel 10 can not be managed this access.
Figure 47 illustrates how a partition checker 492 coupled to the external bus (also referred to here as the device bus) may be used. As is usual, the external bus is arranged so that memory access requests issued onto it by devices such as devices 470, 472 include signals on the external bus that define the mode of operation, for example privileged, user, and so on. In accordance with preferred embodiments of the present invention, the memory access request additionally includes a domain signal issued onto the external bus to identify whether the device is operating in a secure mode or a non-secure mode. This domain signal is preferably issued at the hardware level, and in preferred embodiments a device that can operate in the secure or non-secure domain will have a predetermined pin for outputting the domain signal onto path 490 of the external bus. For illustration purposes, this path 490 is shown separately from the other signal paths 488 on the external bus.
This domain signal, also referred to here as the "S bit", identifies whether the device issuing the memory access request is operating in the secure domain or the non-secure domain, and this information is received by the partition checker 492 coupled to the external bus. The partition checker 492 also has access to partition information identifying which regions of memory are secure or non-secure, and can therefore be arranged to allow a device to access secure parts of memory only if the S bit is asserted, identifying a secure mode of operation.
By default it is envisaged that the S bit will not be asserted, so that pre-existing non-secure devices, such as device 472 shown in Figure 47, will not output an asserted S bit; the partition checker 492 will therefore ensure that such devices never access secure parts of memory, whether in the registers or buffers 482, 486 of the screen driver 480, in the I/O interface 484, or in the external memory 474.
For ease of illustration, the arbiter block 476, which arbitrates between memory access requests issued by master devices such as devices 470, 472, and the decoder 478, which determines the appropriate memory device to service a memory access request, are shown separately from each other and from the partition checker 492. It will be appreciated, however, that one or more of these components could be integrated within the same unit if desired.
Figure 48 illustrates an alternative embodiment in which no partition checker is provided. Instead, each memory device 474, 480, 484 is arranged to police its own memory accesses according to the value of the S bit. Thus, if device 470, while in a non-secure mode, issues a memory access request to a register 482 in the screen driver 480 that is marked as secure memory, the screen driver 480 will determine that the S bit is not asserted and will not process the memory access request. Hence, by suitable design of the various memory devices on the external bus, the need for a separate partition checker 492 can be avoided.
In the above description of Figures 47 and 48, the "S bit" identifies whether the device issuing the memory access request is operating in the secure domain or the non-secure domain. Viewed another way, the S bit can be regarded as indicating whether the memory access request belongs to the secure domain or the non-secure domain.
In the embodiments described with reference to Figures 37 and 38, a single MMU and a single set of page tables are used to translate virtual addresses into physical addresses. With this approach, the physical address space is typically partitioned between non-secure memory and secure memory in the simple manner shown in Figure 49. Here the physical address space comprises, for each memory unit of the memory system, for example the external memory 56, an address space starting at address 0 and extending to address Y. For each memory unit, the addressable memory is typically split into two parts, a first part 2110 allocated as non-secure memory and a second part 2120 allocated as secure memory.
With this approach, it will be appreciated that there are certain physical addresses that cannot be accessed by a particular domain, and this difference is apparent to the operating systems used in those domains. The operating system used in the secure domain will be aware of the non-secure domain and so will not be concerned by this, but the operating system in the non-secure domain in principle need not know that a secure domain exists; instead it should operate as if the secure domain did not exist.
As a further issue, it will be appreciated that the non-secure operating system will see its address space for the external memory as starting at address 0 and extending to address X, and it knows nothing of the secure kernel, in particular that secure memory extends from address X+1 to address Y. Conversely, the secure kernel will see an address space that does not start at address 0, which is not what an operating system usually expects.
Figure 51 schematically illustrates an embodiment that avoids the above problems by allowing secure memory regions to be hidden from the non-secure operating system's view of its physical address space, and by allowing both the secure kernel in the secure domain and the non-secure operating system in the non-secure domain to see their address space for the external memory as starting at address 0. Here the physical address space 2200 can be partitioned at page granularity into secure or non-secure segments. In the example shown in Figure 51, the address space for the external memory is shown divided into four parts 2210, 2220, 2230 and 2240, consisting of two secure memory regions and two non-secure memory regions.
Rather than a single page-table translation between the virtual address space and the physical address space, two separate levels of address translation are performed with reference to a first page table and a second page table, which allows the introduction of an intermediate address space that is configured differently depending on whether the processor is in the secure domain or the non-secure domain. More particularly, as shown in Figure 51, through the descriptors provided in a secure page table within the page table set 2250, the two secure memory regions 2210 and 2230 of the physical address space can be mapped onto a single region 2265 of the intermediate address space for the secure domain. As far as the operating system running on the processor is concerned, the intermediate address space is regarded as the physical address space, and the MMU is used to translate virtual addresses into intermediate addresses within the intermediate address space.
Similarly, for the non-secure domain an intermediate address space 2270 can be configured, in which the corresponding descriptors in a non-secure page table within the page table set 2250 map the two non-secure memory regions 2220 and 2240 of the physical address space onto a non-secure region 2275 of the intermediate address space for the non-secure domain.
In one embodiment, two separate MMUs are used to handle the translation of virtual addresses into physical addresses via intermediate addresses, as shown in Figure 50A. Each of the MMUs 2150 and 2170 of Figure 50A may be regarded as being constructed in a similar manner to the MMU 200 shown in Figure 37, but for ease of illustration some details are omitted from Figure 50A.
The first MMU 2150 comprises a micro TLB 2155, a main TLB 2160 and translation table walk logic 2165, and similarly the second MMU 2170 comprises a micro TLB 2175, a main TLB 2180 and translation table walk logic 2185. The first MMU is controlled by the non-secure operating system when the processor is operating in the non-secure domain, or by the secure kernel when the processor is operating in the secure domain. In preferred embodiments, however, the second MMU can be controlled only by the secure kernel or the monitor program.
When the processor core 10 issues a memory access request, the virtual address is issued on path 2153 to the micro TLB 2155. The micro TLB 2155 stores, for a number of virtual address portions, the corresponding intermediate address portions retrieved from descriptors stored in the main TLB 2160, those descriptors having been retrieved by the main TLB 2160 from the first set of page tables associated with the first MMU 2150. If a hit is detected in the micro TLB 2155, the micro TLB 2155 issues on path 2157 the intermediate address corresponding to the virtual address received on path 2153. If there is no hit in the micro TLB 2155, the main TLB 2160 is referenced to check whether a hit is detected there, and if so the relevant virtual address portion and corresponding intermediate address portion are returned to the micro TLB 2155, after which the intermediate address is issued on path 2157.
If there is no hit in either the micro TLB 2155 or the main TLB 2160, the translation table walk logic 2165 is used to issue a request for the required descriptor from a predetermined page table within the first set of page tables accessible by the MMU 2150. Typically there will be page tables associated with a particular process for the secure domain or the non-secure domain, and intermediate base addresses for those page tables will be accessible by the translation table walk logic 2165, for example from an appropriate register within the CP15 registers 34. Hence the translation table walk logic 2165 can issue an intermediate address on path 2167 to request the descriptor from the appropriate page table.
The second MMU 2170 is arranged to receive any intermediate address output on path 2157 by the micro TLB 2155 or on path 2167 by the translation table walk logic 2165, and if a hit is detected in the micro TLB 2175, the micro TLB issues the required physical address on path 2192 to memory over the data bus 2190 in order to retrieve the required data. Where the intermediate address was issued on path 2157, this causes the required data to be returned to the core 10, whereas for an intermediate address issued on path 2167 it causes the required descriptor to be returned to the first MMU 2150 for storage in the main TLB 2160.
In the event of a miss in the micro TLB 2175, the main TLB 2180 is referenced, and if there is a hit in the main TLB, the required intermediate address portion and corresponding physical address portion are returned to the micro TLB 2175, which then issues the required physical address on path 2192. If, however, there is no hit in either the micro TLB 2175 or the main TLB 2180, the translation table walk logic 2185 is arranged to output on path 2194 a request for the required descriptor from the relevant page table within the second set of page tables associated with the second MMU 2170. This second set of page tables contains descriptors associating intermediate address portions with physical address portions, and typically has at least one page table for the secure domain and one page table for the non-secure domain. When a request is issued on path 2194, the relevant descriptor from the second set of page tables is returned to the second MMU 2170 for storage in the main TLB 2180.
The operation of the embodiment shown in Figure 50A will now be further illustrated by the specific example below, in which the abbreviation VA denotes a virtual address, IA an intermediate address and PA a physical address.
1) Core issues VA=3000 [IA=5000, PA=7000]
2) Miss in micro TLB of MMU1
3) Miss in main TLB of MMU1
Page table 1 base address = 8000 IA [PA=10000]
4) Translation table walk logic in MMU1 performs page table lookup: issues IA=8003
5) Miss in micro TLB of MMU2
6) Miss in main TLB of MMU2
Page table 2 base address = 12000 PA
7) Translation table walk logic in MMU2 performs page table lookup: issues PA=12008; "8000IA=10000PA" returned as page table data
8) Stored in main TLB of MMU2
9) Stored in micro TLB of MMU2
10) Micro TLB in MMU2 now hits: issues PA=10003; "3000VA=5000IA" returned as page table data
11) Stored in main TLB of MMU1
12) Stored in micro TLB of MMU1
13) Micro TLB in MMU1 now hits: issues IA=5000 to perform the data access
14) Miss in micro TLB of MMU2
15) Miss in main TLB of MMU2
16) Translation table walk logic in MMU2 performs page table lookup: issues PA=12005; "5000IA=7000PA" returned as page table data
17) Stored in main TLB of MMU2
18) Stored in micro TLB of MMU2
19) Micro TLB in MMU2 now hits: issues PA=7000 to perform the data access
20) Data at physical address 7000 returned to core
Next time the core issues a memory access request (assume VA 3001..):
1) Core issues VA=3001
2) Hit in micro TLB of MMU1; request for IA 5001 issued to MMU2
3) Hit in micro TLB of MMU2; request for PA 7001 issued to memory
4) Data at PA 7001 returned to core.
It will be appreciated that in the above example misses occurred in both the micro TLB and the main TLB of both MMUs, so the example represents a "worst case" scenario. Typically one would expect a hit in at least one of the micro TLBs or main TLBs, which significantly reduces the time taken to retrieve the data.
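The worst-case walk above, as an added example that is not part of the patent: a small Python model of the Figure 50A arrangement using the same numbers (VA 3000, IA 5000, PA 7000; page table 1 at IA 8000 / PA 10000; page table 2 at PA 12000). A page size of 1000 and one table entry per page are assumed so that the descriptor addresses 8003, 12008 and 12005 come out as in the list.

```python
# Added example (not from the patent): a model of the two-MMU scheme of
# Figure 50A.  MMU1 translates VA->IA using page table 1, which itself lives
# in intermediate address space; MMU2 translates IA->PA using page table 2,
# which lives in physical memory and is owned by the secure kernel/monitor.
# Assumptions: page size 1000 (decimal) and the entry for page N at base + N,
# which reproduces the descriptor addresses of the page's worked example.

PAGE = 1000

# Constructed physical memory: {physical address: content}.
# Page table 2 (IA page -> PA page base) at PA 12000:
#   entry 8 (IA 8000) -> PA 10000, entry 5 (IA 5000) -> PA 7000
# Page table 1 (VA page -> IA page base) at IA 8000 == PA 10000:
#   entry 3 (VA 3000) -> IA 5000
# Data at PA 7000..7001.
PHYSICAL_MEMORY = {
    12008: 10000,
    12005: 7000,
    10003: 5000,
    7000: "data@7000",
    7001: "data@7001",
}


class MMU:
    """One MMU with a micro TLB, a main TLB and table-walk logic.

    `fetch` reads a descriptor: for MMU2 it reads physical memory directly;
    for MMU1 it goes through MMU2 (the patent's path 2167).
    """

    def __init__(self, name, table_base, fetch, trace):
        self.name = name
        self.table_base = table_base
        self.fetch = fetch
        self.trace = trace
        self.micro_tlb = {}   # page number -> target page base
        self.main_tlb = {}

    def translate(self, addr):
        page, offset = divmod(addr, PAGE)
        if page in self.micro_tlb:
            self.trace.append(f"{self.name}: micro TLB hit for page {page}")
            return self.micro_tlb[page] + offset
        self.trace.append(f"{self.name}: micro TLB miss for page {page}")
        if page not in self.main_tlb:
            self.trace.append(f"{self.name}: main TLB miss for page {page}")
            desc_addr = self.table_base + page     # table walk
            self.trace.append(f"{self.name}: walk issues {desc_addr}")
            self.main_tlb[page] = self.fetch(desc_addr)
        else:
            self.trace.append(f"{self.name}: main TLB hit for page {page}")
        self.micro_tlb[page] = self.main_tlb[page]  # refill micro TLB
        return self.micro_tlb[page] + offset


def build_system(trace):
    """Wire MMU1 -> MMU2 -> physical memory as in Figure 50A."""
    def read_physical(pa):
        return PHYSICAL_MEMORY[pa]

    mmu2 = MMU("MMU2", table_base=12000, fetch=read_physical, trace=trace)

    # MMU1's walk logic issues an intermediate address; MMU2 translates it
    # and the descriptor comes back from physical memory.
    def read_via_mmu2(ia):
        return read_physical(mmu2.translate(ia))

    mmu1 = MMU("MMU1", table_base=8000, fetch=read_via_mmu2, trace=trace)
    return mmu1, mmu2


def core_access(mmu1, mmu2, va):
    """Core issues a VA; returns (PA, data) after both translation levels."""
    ia = mmu1.translate(va)   # path 2157
    pa = mmu2.translate(ia)   # path 2192
    return pa, PHYSICAL_MEMORY[pa]


def run_example():
    """First access misses everywhere; second access hits both micro TLBs."""
    trace = []
    mmu1, mmu2 = build_system(trace)
    first = core_access(mmu1, mmu2, 3000)
    first_len = len(trace)
    second = core_access(mmu1, mmu2, 3001)
    return first, second, trace[:first_len], trace[first_len:]


if __name__ == "__main__":
    (pa1, d1), (pa2, d2), t1, t2 = run_example()
    print("VA 3000 ->", pa1, d1)
    print("VA 3001 ->", pa2, d2)
    print("\n".join(t1 + ["--- second access ---"] + t2))
```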
Returning to Figure 51, the second set of page tables 2250 is typically provided in some region of the physical address space, in preferred embodiments within a secure region. The first set of page tables is divided into two kinds, referred to as secure page tables and non-secure page tables. Preferably the secure page tables appear contiguously in the intermediate address space 2265, as do the non-secure page tables in the non-secure intermediate address space 2275. They need not, however, be contiguous in the physical address space; thus, for example, the secure page tables of the first set may be spread across the secure regions 2210, 2230, and in a similar way the non-secure page tables may be spread across the non-secure memory regions 2220 and 2240.
As mentioned earlier, a main benefit of the two-level approach using two sets of page tables is that, for both the operating system of the secure domain and the operating system of the non-secure domain, the physical address space can be arranged to start at 0, which is what operating systems usually expect. Further, the secure memory regions can be hidden completely from the non-secure operating system's view of its "physical address" space, because the intermediate address space it regards as its physical address space can be configured to have a contiguous sequence of intermediate addresses.
In addition, this approach greatly simplifies the process of swapping memory regions between non-secure memory and secure memory. This is illustrated with reference to Figure 52. As seen in Figure 52, a memory region 2300, for example a single page of memory, may reside in the non-secure memory region 2220, and similarly a memory region 2310 may reside in the secure memory region 2210. These two memory regions 2300 and 2310 can, however, be swapped easily merely by exchanging the relevant descriptors in the second set of page tables, so that region 2300 now becomes a secure region mapped into region 2305 of the intermediate address space for the secure domain, and region 2310 becomes a non-secure region mapped into region 2315 of the intermediate address space for the non-secure domain. This happens completely transparently to the operating systems in the secure and non-secure domains, because their view of the physical address space is in fact the intermediate address space of the secure or non-secure domain respectively. The approach therefore avoids having to redefine the physical address space within each operating system.
Another embodiment of the invention using two MMUs, which differs from the arrangement of Figure 50A, will now be described with reference to Figure 50B. As can be seen by comparing Figure 50B with Figure 50A, the arrangement is almost identical, but in this embodiment the first MMU 2150 is arranged to perform virtual address to physical address translation and the second MMU is arranged to perform intermediate address to physical address translation. Hence, instead of the path 2157 from the micro TLB 2155 of the first MMU 2150 to the micro TLB 2175 of the second MMU 2170 that was used in the Figure 50A embodiment, the micro TLB 2155 of the first MMU is arranged to output a physical address directly on path 2192, as shown in Figure 50B. The operation of the embodiment shown in Figure 50B will now be illustrated by the specific example set out below, which details the handling of the same core memory access request as described previously for the Figure 50A embodiment.
1) Core issues VA=3000 [IA=5000, PA=7000]
2) Miss in micro TLB and main TLB of MMU1
Page table 1 base address = 8000 IA [PA=10000]
3) Translation table walk logic in MMU1 performs page table lookup: issues IA=8003
4) Miss in micro TLB and main TLB of MMU2
Page table 2 base address = 12000 PA
5) Translation table walk logic in MMU2 performs page table lookup: issues PA=12008; "8000IA=10000PA" returned as page table data
6) "8000IA=10000PA" mapping stored in micro and main TLB of MMU2
7) Micro TLB in MMU2 can now translate the request from step (3) to PA 10003 and issue it; "3000VA=5000IA" is fetched and returned as page table data
Note: this translation is retained by MMU1 in temporary storage, but is not stored directly in any TLB.
8) Translation table walk logic in MMU1 now issues a request for IA=5000 to MMU2
9) Miss for IA 5000 in uTLB and main TLB of MMU2
10) Translation table walk logic in MMU2 performs page table lookup: issues PA=12005; "5000IA=7000PA" returned as page table data
11) MMU2 stores "5000IA=7000PA" in its uTLB and main TLB. This translation is also sent to MMU1.
12a) MMU2 issues the PA=7000 memory access
12b) MMU1 combines the "3000VA=5000IA" and "5000IA=7000PA" descriptors to give a "3000VA=7000PA" descriptor, which is stored in the main TLB and micro TLB of MMU1.
13) Data at PA 7000 returned to core
Next time the core issues a memory access request (assume VA 3001..):
1) Core issues VA=3001
2) Hit in micro TLB of MMU1; MMU1 issues a PA=7001 request
3) Data at PA 7001 returned to core.
As can be seen by comparing the above example with that given for Figure 50A, the main differences are at step 7, where MMU1 does not directly store the first table descriptor, and at step 12b (12a and 12b may occur simultaneously), where MMU1 also receives the IA->PA translation, performs the combination and stores the combined descriptor in its TLBs.
Thus, although this alternative embodiment still translates virtual addresses into physical addresses using two sets of page tables, the fact that the micro TLB 2155 and main TLB 2160 store direct virtual address to physical address translations avoids the need to perform lookups in two MMUs whenever a hit occurs in the micro TLB 2155 or main TLB 2160. In those cases the first MMU can handle the request from the core directly, without reference to the second MMU.
It will be appreciated that the second MMU 2170 could be arranged without the micro TLB 2175 and main TLB 2180, in which case the page table walk logic 2185 would be used for every request that has to be handled by the second MMU. Assuming the second MMU is not required very often, this may reduce the complexity and cost of the second MMU to an acceptable degree. Since the first MMU is needed for every request, it is generally advantageous to include the micro TLB 2155 and main TLB 2160 in the MMU 2150 to improve the speed of operation of the first MMU.
It should be noted that the pages in the page tables can vary in size, and so the two halves of the descriptor used for a translation may relate to pages of different sizes. Typically the MMU1 pages will be smaller than the MMU2 pages, but this need not necessarily be the case. For example:
Table 1 maps 4Kb at 0x40003000 onto 0x00081000
Table 2 maps 1Mb at 0x00000000 onto 0x02000000
Here the smaller of the two sizes must be used for the combined translation, and so the combined descriptor is
4Kb at 0x400030000 mapped onto 0x02081000.
However, where data is swapped between regions (as described earlier with reference to Figure 52), the reverse arrangement is possible, for example:
Table 1 maps 1Mb at 0xc0003000 onto 0x00000000
Table 2 maps 4Kb at 0x00042000 onto 0x02042000
Now a lookup from the core at address 0xc0042010 gives the mapping:
4Kb at 0xc00420000 mapped onto 0x02042000
That is, the smaller of the two sizes is always used for the combined mapping.
Note that in the second case processing is less efficient, because the (1Mb) descriptor in table 1 will be looked up and discarded repeatedly as different 4Kb regions are accessed. In a typical system, however, the table 2 descriptors will be the larger ones (as in the first example), which is more efficient most of the time (the 1Mb mapping can be reused for other 4Kb pages that point into the appropriate section of the IA space).
As an alternative to using two separate MMUs as shown in Figures 50A and 50B, a single MMU may be used, as shown in Figure 53, in which a miss in the main TLB 2420 causes the MMU to generate an exception, whereupon software run on the core 10 generates the virtual to physical address translation from a combination of entries in the two different sets of page tables. More particularly, as shown in Figure 53, the core 10 is coupled to an MMU 2400 comprising a micro TLB 2410 and a main TLB 2420. When the core 10 issues a memory access request, the virtual address is provided on path 2430, and if a hit is found in the micro TLB, the corresponding physical address is output directly on path 2440, causing the data to be returned to the core 10 on path 2450. If, however, there is a miss in the micro TLB 2410, the main TLB 2420 is referenced, and if the relevant descriptor is contained in the main TLB, the relevant virtual address portion and corresponding physical address portion are returned to the micro TLB 2410, after which the physical address is issued on path 2440. If the main TLB also produces a miss, an exception is generated to the core on path 2422. The process performed within the core on receipt of this exception will now be described further with reference to Figure 54.
As shown in Figure 54, if a TLB miss is detected by the core at step 2500, then at step 2510 the core enters monitor mode via the preset vector for that exception. This causes page table merge code to be run, which performs the remaining steps shown in Figure 54.
More particularly, at step 2520 the virtual address that was issued on path 2430 and caused the miss in the micro TLB 2410 and main TLB 2420 (referred to hereafter as the fault virtual address) is retrieved, after which at step 2530 the intermediate address of the required first descriptor is determined from the intermediate base address of the appropriate table in the first set of tables. Once the intermediate address has been determined (typically by some predetermined combination of the virtual address and the intermediate base address), the relevant table in the second set of tables is referenced in order to obtain the corresponding physical address of the first descriptor. Thereafter, at step 2550, the first descriptor can be fetched from memory so that the intermediate address for the fault virtual address can be determined.
Then, at step 2560, the second table is referenced again to look up the second descriptor, which provides the physical address for the intermediate address of the fault virtual address. Thereafter, at step 2570, the second descriptor is fetched to obtain the physical address for the fault virtual address.
Once the above information has been obtained, the program merges the first and second descriptors to generate a new descriptor providing the required virtual to physical address translation; this is performed at step 2580. The merge is carried out by software in a manner similar to that described earlier with reference to Figure 50B, again using the smaller of the two table sizes for the combined descriptor. Thereafter, at step 2590, the new descriptor is stored in the main TLB 2420, after which at step 2595 the process returns from the exception.
The core 10 will then be arranged to reissue the virtual address for the memory access request on path 2430; this will again miss in the micro TLB 2410, but will now hit in the main TLB 2420. The virtual address portion and corresponding physical address portion are therefore returned to the micro TLB 2410, after which the micro TLB 2410 can issue the physical address on path 2440, causing the required data to be returned to the core 10 on path 2450.
It will be appreciated that the principles described with reference to Figures 53 and 54 can also be applied to the alternative embodiments described earlier with reference to Figures 50A and 50B, so that one or both of the MMUs in those embodiments can be managed by software.
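The merge of a table 1 descriptor with a table 2 descriptor into one combined descriptor, as performed by MMU1 at step 12b of the Figure 50B walk and by the monitor-mode merge code at step 2580 of Figure 54, written out as an added example (not the patent's own code) over the two page-size cases given above. The 1Mb table 1 page of the second case is assumed to be based at 0xc0000000, which is what the stated lookup result for 0xc0042010 implies.

```python
# Added example (not from the patent): merging a first-level descriptor
# (VA -> IA) with a second-level descriptor (IA -> PA) into one VA -> PA
# descriptor.  The combined mapping always takes the smaller of the two page
# sizes, and the merge refuses descriptor pairs that do not chain through the
# faulting address (a mismatch would otherwise silently alias memory).

from dataclasses import dataclass

KB = 1024
MB = 1024 * KB


@dataclass(frozen=True)
class Descriptor:
    """One page-table descriptor: [base, base+size) -> [target, target+size)."""
    base: int      # input address of the page (VA for table 1, IA for table 2)
    target: int    # output address of the page (IA for table 1, PA for table 2)
    size: int      # page size in bytes

    def contains(self, addr):
        return self.base <= addr < self.base + self.size

    def translate(self, addr):
        if not self.contains(addr):
            raise ValueError(f"{addr:#x} not within descriptor {self}")
        return self.target + (addr - self.base)


def merge_descriptors(first, second, fault_addr):
    """Combine a VA->IA descriptor and an IA->PA descriptor for one faulting VA.

    Returns a VA->PA Descriptor whose size is the smaller page size and whose
    base is the faulting address rounded down to that size.
    """
    ia = first.translate(fault_addr)
    if not second.contains(ia):
        raise ValueError(f"IA {ia:#x} not covered by second descriptor {second}")
    size = min(first.size, second.size)
    va_base = fault_addr & ~(size - 1)
    pa_base = second.translate(first.translate(va_base))
    # The whole combined page must lie inside both descriptors.
    last_ia = first.translate(va_base + size - 1)
    if not second.contains(last_ia):
        raise ValueError("combined page straddles the second descriptor")
    return Descriptor(base=va_base, target=pa_base, size=size)


def first_case():
    """Page's first case: 4Kb table 1 page inside a 1Mb table 2 page."""
    t1 = Descriptor(0x40003000, 0x00081000, 4 * KB)
    t2 = Descriptor(0x00000000, 0x02000000, 1 * MB)
    return merge_descriptors(t1, t2, 0x40003000)


def second_case():
    """Page's swapped-region case; table 1 base 0xc0000000 is an assumption."""
    t1 = Descriptor(0xc0000000, 0x00000000, 1 * MB)
    t2 = Descriptor(0x00042000, 0x02042000, 4 * KB)
    return merge_descriptors(t1, t2, 0xc0042010)


if __name__ == "__main__":
    for d in (first_case(), second_case()):
        print(f"{d.size // KB}Kb at {d.base:#010x} -> {d.target:#010x}")
```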
Whether two MMUs are used, as shown in Figure 50A or 50B, or a single MMU, as shown in Figure 53, the fact that the second set of page tables is managed by the processor while operating in monitor mode (or possibly in a privileged secure mode) ensures that those page tables are secure. Hence, when the processor is in the non-secure domain it can see only non-secure memory, because all that the processor can see while in the non-secure domain are the intermediate addresses generated for the non-secure domain through the second set of page tables. There is therefore no need to provide a partition checker as part of the memory management logic 30 as shown in Figure 1. A partition checker is, however, still provided on the external bus in order to police accesses made by other bus masters in the system.
In the earlier embodiments described with reference to Figures 37 and 38, a partition checker 222 associated with the MMU 200 was provided, so that when an access is made to the cache 38 a lookup is first performed in the micro TLB 206, and hence the access permissions, in particular the secure and non-secure permissions, will have been checked. In those embodiments, therefore, secure data cannot be stored in the cache 38 by a non-secure application. Accesses to the cache 38 are performed under the control of the partition checking performed by the partition checker 222, so secure data cannot be accessed in a non-secure mode.
In alternative embodiments of the invention, however, no partition checker 222 is provided to police accesses on the system bus 40; instead the data processing apparatus has only a single partition checker, coupled to the external bus 70, to police accesses to the memory units connected to that external bus. In these embodiments the processor core 10 can therefore access any memory unit coupled directly to the system bus 40, for example the TCM 36 and the cache 38, without those accesses being policed by the external partition checker, so some mechanism is needed to ensure that the processor core 10, when operating in a non-secure mode, cannot access secure data in the cache 38 or the TCM 36.
Figure 55 illustrates a data processing apparatus according to an embodiment of the invention in which a mechanism is provided that allows the cache 38 and/or the TCM 36 to police accesses to themselves, without any partition checking logic being provided in association with the MMU 200. As shown in Figure 55, the core 10 is coupled to the system bus 40 via the MMU 200, and the cache 38 and TCM 36 are also coupled to the system bus 40. Via the external bus interface 42, the core 10, cache 38 and TCM 36 are coupled to the external bus 70, which as shown in Figure 55 is formed by an address bus 2620, a control bus 2630 and a data bus 2640.
The core 10, MMU 200, cache 38, TCM 36 and external bus interface 42 can be regarded as constituting a single device connected to the external bus 70, also referred to as the device bus, and other devices may also be coupled to that device bus, for example the secure peripheral device 470 or the non-secure peripheral device 472. One or more memory units, for example the external memory 56, are also connected to the device bus 70. In addition, a bus controller 2650 is connected to the device bus 70 and typically comprises an arbiter 2652, a decoder 2654 and a partition checker 2656. For a general discussion of the operation of the components connected to the device bus, reference should be made to Figure 47 described earlier. In Figure 47 the arbiter, decoder and partition checker were illustrated as separate blocks, but these elements operate in the same way when located within a single control block 2650.
Figure 56 illustrates the MMU 200 of Figure 55 in more detail. By comparing Figure 56 with Figure 37, it can be seen that the MMU 200 is constructed in exactly the same way as the MMU of Figure 37, the only difference being that no partition checker 222 is provided to police the data passed on path 242 between the main TLB 208 and the micro TLB 206. If the processor core 10 issues a memory access request specifying a virtual address, the memory request is routed through the MMU 200 and handled as described with reference to Figure 37, resulting in a physical address being output from the micro TLB 206 on path 238 onto the system bus 40. If, by contrast, the memory access request directly specifies a physical address, it bypasses the MMU 200 and is routed directly onto the system bus 40 via path 236. In one embodiment, memory access requests that directly specify a physical address are generated only when the processor is operating in monitor mode.
As will be appreciated from the earlier description of the MMU 200, and in particular from the description of Figure 43, the main TLB 208 will contain a number of descriptors, and for each descriptor a domain flag 425 is provided to identify whether the corresponding descriptor came from a secure page table or a non-secure page table. These descriptors 435 and their associated domain flags 425 are illustrated schematically within the MMU 200 of Figure 55.
When the core 10 issues a memory access request, this results in a physical address for that memory access request being output on the system bus 40, and the cache 38 will typically perform a lookup to determine whether the data item specified by that address is stored in the cache. Whenever a miss occurs in the cache, i.e. it is determined that the data item that is the subject of the access request is not stored in the cache, the cache initiates a line fill process in order to retrieve from the external memory 56 a line of data that includes the data item that is the subject of the memory access request. In particular, the cache outputs a line fill request via the EBI 42 onto the control bus 2630 of the device bus 70, with the start address being output on the address bus 2620. In addition, an HPROT signal is output on path 2632 onto the control bus 2630, and this includes a domain signal specifying the mode of operation of the core at the time the memory access request was issued. The line fill process can therefore be regarded as the cache 38 propagating the original memory access request onto the external bus.
This HPROT signal is received by the partition checker 2656, which can therefore identify whether the device requesting data from the external memory 56 (in this case the device comprising the core 10 and the cache 38) was operating in the secure domain or the non-secure domain when the memory access request was issued. The partition checker 2656 also has access to partition information identifying which regions of memory are secure or non-secure, and can therefore determine whether the device is allowed to access the data it is requesting. Hence the partition checker can be arranged to allow the device to access secure parts of memory only if the domain signal within the HPROT signal (also referred to here as the S bit) is asserted, indicating that the device requesting access to the data was operating in a secure mode of operation.
If the partition checker determines that the core 10 is not allowed to access the requested data, for example because the HPROT signal indicates that the core is operating in a non-secure mode of operation while the line fill request is attempting to retrieve data from a secure region of the external memory, the partition checker 2656 issues an abort signal on the control bus 2630; this is passed back on path 2636 to the EBI 42 and from there to the cache 38, resulting in an abort signal being issued to the core 10 on path 2670. If, however, the partition checker 2656 determines that the access is allowed, it outputs an S tag signal indicating whether the data retrieved from the external memory is secure data or non-secure data, and this S tag signal is passed back via path 2634 to the EBI 42 and from there to the cache 38, allowing the flag 2602 associated with the cache line 2600 that is the subject of the line fill process to be set.
At the same time, the bus controller 2650 authorises the external memory 56 to output the requested line fill data on path 2680, and this data is passed back via the EBI 42 to the cache 38 for storage in the relevant cache line 2600. As a result of this process, the selected cache line in the cache 38 is filled with data items from the external memory 56, those data items including the data item that was the subject of the original memory access request from the core 10. The data item that was the subject of the core's memory access request is then returned to the core from the cache 38, or alternatively is provided directly to the core 10 from the EBI on path 2660.
In preferred embodiments, because the data originally stored in the cache will have been placed there by the above line fill process, the flag 2602 associated with that cache line will have been set according to the value provided by the partition checker 2656, and the cache 38 then uses this flag to police directly any subsequent access to the data items in that cache line 2600. Hence, if the core 10 subsequently issues a memory access request that hits in a particular cache line 2600 of the cache 38, the cache 38 reviews the value of the associated flag 2602 and compares it with the current mode of operation of the core 10. In preferred embodiments, the current mode of operation of the core 10 is indicated by the domain bit set by the monitor mode in the domain status register of the CP15 registers. The cache 38 can therefore be arranged so that data items in a cache line whose flag 2602 indicates secure data can be accessed by the processor core 10 only when the processor core 10 is operating in a secure mode of operation. Any attempt by the core to access secure data in the cache 38 while in a non-secure mode will cause the cache 38 to generate an abort signal on path 2670.
The TCM 36 can be set up in a variety of ways. In one embodiment it can be arranged to operate like a cache, in which case it is configured, in the same way as the cache 38, to comprise a plurality of lines 2610 each having an associated tag 2612. Access to the TCM 36 is then managed in the same manner as described with reference to the cache 38: any TCM miss causes a line fill process to be performed, as a result of which data is returned into a particular line 2610, and the partition checker 2656 generates the required S tag value for storage in the tag 2612 associated with that line 2610.
In an alternative embodiment, the TCM 36 can be arranged as an extension of the external memory 56, used to store data that is frequently used by the processor, since access to the TCM via the system bus is typically faster than access to the external memory. In this embodiment the TCM 36 does not use the tags 2612; instead, access to the TCM is controlled by a different mechanism. In particular, as described earlier, in such embodiments a control flag is provided which can be set only when operating in a privileged secure mode, and which indicates whether the tightly coupled memory is controllable by the processor only when executing in a privileged secure mode, or also when executing in at least one non-secure mode. The control flag is set by the secure operating system, and in effect defines whether the TCM is controlled by the privileged secure mode or by the non-secure mode. One arrangement that can thus be defined is that the TCM is controllable only when the processor is operating in a privileged secure mode of operation. In such embodiments, any attempt by non-secure code to access the TCM control register causes an undefined instruction exception to be taken.
In an alternative arrangement, the TCM can be controlled by the processor when operating in a non-secure mode of operation. In such embodiments the TCM is used only by non-secure applications. Secure data is neither stored in the TCM nor loaded from it. Hence, when a secure access is performed, no lookup is made in the TCM to check whether the address matches the TCM address range.
Figure 57 is a flow diagram illustrating the processing performed by the apparatus of Figure 55 when a non-secure program running on the processor core 10 generates a virtual address (step 2700). First, at step 2705, a lookup is performed in the micro TLB 206, and if this results in a hit, the micro TLB checks the access permissions at step 2730. With reference to Figure 56, this process can be viewed as being performed by the access permission logic 202.
If the lookup in the micro TLB at step 2705 results in a miss, a lookup is performed at step 2710 in the main TLB 208, in which the non-secure descriptors are stored. If this also results in a miss, a page table walk process (described with reference to Figure 37) is performed at step 2715, after which, at step 2720, the main TLB is determined to contain a valid tagged non-secure descriptor. If the lookup at step 2710 results in a hit, the process proceeds directly to step 2720.
Thereafter, at step 2725, the micro TLB is loaded with the portion of the descriptor containing the physical address, and then at step 2730 the micro TLB checks the access permissions.
If an access permission violation is determined at step 2730, the process proceeds to step 2740, where an abort signal is issued to the processor core on path 230 (analogous to path 2670 shown in Figure 55). Assuming no violation is detected, it is determined at step 2745 whether the access relates to a cacheable data item. If not, an external access is initiated at step 2790 in order to retrieve the data item from the external memory 56. At step 2795, the partition checker 2656 determines whether there is a security partition violation, i.e. whether the processor core 10, operating in a non-secure mode, is attempting to access a data item in secure memory, and if a violation is detected, the partition checker 2656 generates an abort signal at step 2775. Assuming no security partition violation, the process proceeds to step 2785, where the data access takes place.
If it is determined at step 2745 that the data item being requested is cacheable, a cache lookup is performed in the cache at step 2750, and if a hit is detected, the cache determines at step 2755 whether there is a secure line tag violation. At this stage the cache reviews the value of the tag 2602 associated with the cache line containing the data item, and compares that value with the mode of operation of the core 10 in order to determine whether the core is entitled to access the requested data item. If a secure line tag violation is detected, the process proceeds to step 2760, where a secure violation fault abort signal is generated by the cache 38 and sent to the core 10 over path 2670. Assuming no secure line tag violation is detected at step 2755, the data access is performed at step 2785.
If the cache lookup performed at step 2750 results in a cache miss, a cache line fill is initiated at step 2765. At step 2770, the partition checker 2656 detects whether there is a security partition violation and, if so, issues an abort signal at step 2775. Assuming no security partition violation is detected, the cache line fill proceeds at step 2780, resulting in the data access being completed at step 2785.
As shown in Figure 57, steps 2705, 2710, 2715, 2720, 2725, 2730 and 2735 are performed within the MMU, steps 2745, 2750, 2755, 2765, 2780 and 2790 are performed by the cache, and steps 2770 and 2795 are performed by the partition checker.
Figure 58 is a flow diagram illustrating the analogous process performed when a secure program executing on the core generates a virtual address (step 2800). By comparing Figure 58 with Figure 57, it will be appreciated that steps 2805 to 2835, performed within the MMU, are analogous to steps 2705 to 2735 described earlier with reference to Figure 57. The only difference is that the lookup performed in the main TLB at step 2810 is performed with respect to any secure descriptors stored in the main TLB, and as a result, at step 2820, the main TLB contains a valid tagged secure descriptor.
Within the cache, there is no longer any need to check for a secure line tag violation, since in the embodiment illustrated with reference to Figure 58 it is assumed that a secure program can access both secure data and non-secure data. Hence, if a hit is generated during the cache lookup at step 2850, the process proceeds directly to the data access step 2885.
Similarly, where an external access to the external memory is required (i.e. at step 2865 or step 2890), the partition checker does not need to perform a partition check, again because it is assumed that a secure program can access either secure data or non-secure data.
Steps 2845, 2850, 2865, 2880 and 2890, performed within the cache, are analogous to steps 2745, 2750, 2765, 2780 and 2790 described with reference to Figure 57.
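The following is an added example, not code from the patent or from ARM: a software model of the cache-side and partition-checker decisions described above for Figure 55 and for the flow diagrams of Figures 57 and 58. It assumes the MMU/TLB steps (2705 to 2730) have already passed, and the memory layout, line size, cache geometry and all function names (`partition_check`, `core_access`) are constructed for the example. It shows the two distinct refusals the text describes: a partition abort raised on a line fill when a non-secure requester targets a secure region, and a line tag abort raised on a later cache hit when a non-secure requester touches a line that was filled, and tagged S=1, by a secure requester.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the patent): model of the checks of Figures 55, 57 and 58.
 * Memory layout, line size and cache geometry below are constructed for the example. */

enum domain { NON_SECURE = 0, SECURE = 1 };          /* the S bit carried in HPROT */
enum result { ACCESS_OK, ABORT_PARTITION, ABORT_LINE_TAG };

#define LINE_BYTES 32u
#define NUM_LINES  8u

/* Partition information held by the partition checker 2656 (constructed layout). */
struct region { uint32_t base, size; bool secure; };
static const struct region PARTITION[] = {
    { 0x00000000u, 0x10000000u, false },   /* non-secure RAM */
    { 0x10000000u, 0x00100000u, true  },   /* secure RAM */
};

/* Partition checker (steps 2770/2795): a non-secure requester may not touch a secure
 * region. On success it reports whether the data is secure; that becomes the S tag. */
enum result partition_check(uint32_t paddr, enum domain s_bit, bool *s_tag)
{
    for (size_t i = 0; i < sizeof PARTITION / sizeof PARTITION[0]; i++) {
        const struct region *r = &PARTITION[i];
        if (paddr >= r->base && paddr - r->base < r->size) {
            if (r->secure && s_bit == NON_SECURE)
                return ABORT_PARTITION;
            *s_tag = r->secure;
            return ACCESS_OK;
        }
    }
    return ABORT_PARTITION;                           /* unmapped address: fail closed */
}

struct cache_line { bool valid; bool s_tag; uint32_t line_addr; };   /* s_tag models tag 2602 */
struct cache { struct cache_line lines[NUM_LINES]; };

static struct cache_line *slot_for(struct cache *c, uint32_t paddr)
{
    return &c->lines[(paddr / LINE_BYTES) % NUM_LINES];   /* direct-mapped, for brevity */
}

/* One data access from core 10 at physical address paddr while in domain s_bit. */
enum result core_access(struct cache *c, uint32_t paddr, enum domain s_bit, bool cacheable)
{
    bool s_tag;
    uint32_t line_addr = paddr & ~(LINE_BYTES - 1);

    if (!cacheable)                                   /* step 2790: straight to the bus; a */
        return partition_check(paddr, s_bit, &s_tag); /* secure requester only fails if unmapped */

    struct cache_line *l = slot_for(c, paddr);        /* step 2750: cache lookup */
    if (l->valid && l->line_addr == line_addr) {
        /* step 2755: secure line tag check; a secure program may read either kind (Fig. 58) */
        if (s_bit == NON_SECURE && l->s_tag)
            return ABORT_LINE_TAG;                    /* step 2760: abort on path 2670 */
        return ACCESS_OK;                             /* step 2785 */
    }

    /* step 2765: the line fill propagates the request, with the S bit in HPROT, to the bus */
    enum result r = partition_check(line_addr, s_bit, &s_tag);
    if (r != ACCESS_OK)
        return r;                                     /* step 2775 */
    l->valid = true;                                  /* step 2780: fill and record the S tag */
    l->line_addr = line_addr;
    l->s_tag = s_tag;
    return ACCESS_OK;
}

int main(void)
{
    struct cache c = {0};
    static const char *name[] = { "ok", "partition abort", "line tag abort" };
    printf("NS line fill from secure RAM : %s\n", name[core_access(&c, 0x10000040u, NON_SECURE, true)]);
    printf("S  line fill from secure RAM : %s\n", name[core_access(&c, 0x10000040u, SECURE, true)]);
    printf("NS hit on the S-tagged line  : %s\n", name[core_access(&c, 0x10000044u, NON_SECURE, true)]);
    printf("NS line fill from NS RAM     : %s\n", name[core_access(&c, 0x00000100u, NON_SECURE, true)]);
    printf("S  hit on the NS-tagged line : %s\n", name[core_access(&c, 0x00000104u, SECURE, true)]);
    return 0;
}
```

The point worth noticing is that the partition checker is consulted only on the path to external memory; once a line is resident, the cache enforces the domain on its own using the recorded tag, so the cache must be filled with the correct S tag or a non-secure hit would read secure data without ever reaching the checker.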
Figure 59 illustrates the different modes and applications running on the processor. The dotted lines indicate how, according to embodiments of the invention, the different modes and/or applications can be separated and isolated from one another when the processor is being monitored.
Monitoring a processor in order to locate possible faults and to find out why an application is not executing as expected is extremely useful, and many processors provide such functions. Monitoring can be performed in various ways, including debug and trace functions.
In processors according to the present technique, debug can operate in several modes, including halt debug mode and monitor debug mode. These modes are intrusive and cause the program being executed to be halted. In halt debug mode, when a breakpoint or watchpoint occurs, the core is halted and isolated from the rest of the system, and the core enters debug state. On entry, the core is halted, the pipeline is flushed and no instructions are prefetched. The PC is frozen and any interrupts (IRQ and FIQ) are ignored. The internal state of the core (via the JTAG serial interface) and the state of the memory system can then be examined. This state is intrusive to program execution, since the current mode can be modified, register contents can be changed, and so on. Once debug is finished, the core exits debug state by scanning a restart instruction in through the debug TAP (test access port). Program execution then resumes.
In monitor debug mode, a breakpoint or watchpoint causes the core to enter abort mode, taking the prefetch abort or data abort vector respectively. In this case the core is still in functional mode, and is not halted as it would be in halt debug mode. The abort handler communicates with a debugger application so that the processor and coprocessor state can be accessed or memory dumped. A debug monitor program interfaces between the debug hardware and the software debugger. If bit 11 (see later) of the debug status and control register DSCR is set, interrupts (FIQ and IRQ) can be disabled. In monitor debug mode, vector trapping on data aborts and prefetch aborts is disabled, to avoid the processor being forced into an unrecoverable state as a result of aborts that the monitor debug mode itself generates. It should be noted that monitor debug mode is a kind of debug mode and is unrelated to the monitor mode of the processor, which is the mode that supervises switching between the secure and non-secure worlds.
Debug can provide a snapshot of the state of the processor at a particular moment. This is done by noting the values in the various registers at the time a debug initiation request is received. These values are then recorded and shifted out sequentially on the scan chains (541, 544 of Figure 67) using the JTAG controller (18 of Figure 1).
An alternative way of monitoring the core is by trace. Trace is non-intrusive and records subsequent state while the core continues to operate. Trace operates through the embedded trace macrocell (ETM) 22, 26 of Figure 1. The ETM has a trace port through which trace information is output, and this information is then analysed by an external trace port analyser.
The processor of embodiments of the present technique operates in two separate domains, and in the described embodiments these domains are a secure domain and a non-secure domain. However, for the purposes of the monitoring functions, it will be clear to the skilled person that these domains could be any two domains between which data should not leak. Embodiments of the invention are concerned with preventing leakage of data between the two domains, and monitoring functions such as debug and trace, which are conventionally permitted to access the whole system, are a potential source of data leakage between the domains.
In the example of the secure and non-secure domains or worlds given above, secure data must not be made available to the non-secure world. Furthermore, if debug is permitted in the secure world, it can be advantageous to restrict or hide certain data within the secure world. The dotted lines in Figure 59 represent some examples of possible ways of segmenting data access and providing different levels of granularity. In Figure 59, box 500 represents the monitor mode, which is the most secure of all the modes and controls switching between the secure and non-secure worlds. Beneath the monitor mode 500 are the supervisor modes, comprising the secure supervisor mode 510 and the non-secure supervisor mode 520. Then there are the non-secure user mode with applications 522 and 524, and the secure user mode with applications 512, 514 and 516. The monitoring modes (debug and trace) can be controlled so as to monitor only the non-secure modes (to the left of the dotted line 501). Alternatively, monitoring can be permitted of the non-secure domain or world and of the secure user mode (to the left of 501, and the part to the right of 501 that lies below 502). In a further embodiment, monitoring can be permitted of the non-secure world and of certain applications running in the secure user domain, in which case further segmentation occurs along the dotted line 503. These separations help prevent leakage of secure data between different users running different applications. In certain controlled situations, monitoring of the entire system can be permitted. Depending on the granularity desired, access to the following parts of the core needs to be controlled during the monitoring functions.
On a debug event, four registers may be set: the instruction fault status register (IFSR), the data fault status register (DFSR), the fault address register (FAR) and the instruction fault address register (IFAR). In some embodiments, these registers should be flushed when moving from the secure world to the non-secure world, to avoid any leakage of data.
PC sample register: the debug TAP can access the PC via scan chain 7. When debugging in the secure world, that value may be masked depending on the debug granularity selected for the secure world. It is important that the non-secure world, or the non-secure world plus secure user applications, cannot obtain any value of the PC while the core is operating in the secure world.
TLB entries: using CP15, micro TLB entries can be read, and main TLB entries can be read and written. The loading and matching of the main TLB and the micro TLB can also be controlled. Such operations must be strictly controlled, particularly if secure thread-aware debug needs the assistance of the MMU/MPU.
Performance monitor control register: the performance control register provides information on cache misses, micro TLB misses, external memory requests, branch instructions executed, and so on. This data should not be accessible from the non-secure world, even in debug state. The counters should operate in the secure world even if debug is disabled in the secure world.
Debug in cached systems: in a cached system, debug must be non-intrusive. It is very important to maintain coherency between the cache and the external memory. Using CP15, the cache can be invalidated, or it can be forced to write-through in all regions. In any case, allowing the behaviour of the cache to be modified in debug can be a security weakness and should be controlled.
Endianness: the non-secure world, or secure user applications allowed to access debug, should not be allowed to change the endianness. Changing the endianness could cause the secure kernel to malfunction. Depending on the granularity, access to the endianness can be disabled in debug.
Access by the monitoring functions to parts of the core can be controlled at the point at which a monitoring function is initiated. Debug and trace can be initiated in a variety of ways. By only allowing initiation under certain conditions, embodiments of the present technique control access by the monitoring functions to certain secure parts of the core.
Embodiments of the present technique seek to restrict the monitoring functions by the following levels of granularity:
intrusive debug and observable debug (trace) are controlled separately;
debug entry is allowed either only in secure user mode or in the whole secure world;
debug is allowed only in secure user mode and, in addition, the thread ID (the application running) is taken into account.
In order to control the initiation of the monitoring functions, it is important to know how those functions are initiated. Figure 60 is a table illustrating the possible ways of initiating the monitoring functions, the type of monitoring function initiated, and the manner in which the initiating instruction is programmed.
In general, these monitoring instructions are entered either through software or through hardware, i.e. via the JTAG controller. Control values are used to control the initiation of the monitoring functions. These comprise enable bits that are dependent on conditions, so that initiation of monitoring is allowed only if a particular condition exists and the corresponding enable bit is set. These bits are stored in a secure register CP14 (the debug and status control register, DSCR) located in the ICE 530 (see Figure 67).
In preferred embodiments there are four bits that enable or disable intrusive and observable debug, namely a secure debug enable bit, a secure trace enable bit, a secure user mode enable bit and a secure thread-aware enable bit. These control values serve to provide a controllable granularity for the monitoring functions and likewise help to prevent data leaking from a particular domain. Figure 61 gives an overview of these bits and of how they are accessed.
These control bits are held in a register in the secure domain, and access to this register is limited to three possibilities. Software access is provided via the ARM coprocessor MRC/MCR instructions, and these are allowed only from the secure supervisor mode. In addition, software access from any other mode can be provided by means of an authentication code. A further alternative involves hardware access, and calls for instructions to be written through an input port on the JTAG. Besides being used to enter the control values relating to the availability of the monitoring functions, this input port can also be used to enter control values relating to other functions of the processor.
Further details relating to scan chains and JTAG are given below.
Register logic cells
Each integrated circuit (IC) is made up of two kinds of logic:
● combinational logic cells, such as AND, OR and INV gates. These, or combinations of them, are used to compute Boolean expressions from one or more input signals.
● register logic cells, such as latches and flip-flops. These cells are used to store any signal value. Figure 62 shows a view of a positive edge triggered flip-flop.
When a rising edge occurs on the clock signal (CK), the output (Q) takes the value of the input (D); otherwise the output (Q) holds its stored value.
Scan chain cells
For test or debug purposes, it is desirable to bypass the functional access to the register logic cells and to access the contents of the register logic cells directly. The register cell is integrated into a scan chain cell, as shown in Figure 63.
In functional mode, SE (scan enable) is cleared and the register cell works as a single register cell. In test or debug mode, SE is set and the input data can be taken from the SI (scan in) input rather than from the D input.
Scan chain
All the scan chain cells are chained together in a scan chain, as shown in Figure 64.
In functional mode, SE is cleared and all the register cells can be accessed normally and interact with the other parts of the circuit. In test or debug mode, SE is set and all the registers are chained together into a scan chain. At each clock cycle, data can be shifted in from the first scan chain cell and passed through every other scan chain cell. Data can be shifted out in order to examine the contents of the registers.
TAP controller
The debug TAP controller is used to handle several scan chains. The TAP controller can select a particular scan chain: it connects the "scan in" and "scan out" signals to that particular scan chain. Data can then be scanned into the chain, shifted, or scanned out. The TAP controller is controlled externally through the JTAG port interface. Figure 65 schematically illustrates a TAP controller.
JTAG selectively disableable scan chain cells
For security reasons, some registers must not be accessible via a scan chain, even in debug or test mode. A new input, referred to as JADI (JTAG access disable), allows scan chain cells to be dynamically removed from the overall scan chain without modifying the scan chain structure of the integrated circuit. Figures 66A and 66B schematically illustrate this input.
If JADI is inactive (JADI=0), the scan chain operates normally, whether in functional, test or debug mode. If JADI is active (JADI=1), and the circuit is in test or debug mode, some scan chain cells (selected by the designer) can be removed from the scan chain structure. To keep the same number of scan chain cells, a JTAG selectively disableable scan chain cell uses a bypass register. Note that the scan out (SO) and the scan chain cell output (Q) are then different.
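The following is an added example, not code from the patent: a clock-by-clock model of a scan chain in which designer-selected cells are removed by JADI through a bypass register, as described above. The chain length, which cells are protected, and the function names (`chain_clock`, `chain_scan_out`, `chain_scan_in`) are constructed for the example. It shows both halves of the property the text relies on: with JADI=0 the debugger can shift the whole chain out, so a register holding secure state is readable through the TAP; with JADI=1 the protected cells' values are neither observable on scan out nor overwritable on scan in, while the chain keeps its length so the tooling sees the same number of cells.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the patent): model of a scan chain with JADI bypass cells.
 * Chain length and the choice of protected cells are constructed for the example. */

#define CHAIN_LEN 8

struct scan_cell {
    bool q;          /* the functional register contents (the cell's Q output) */
    bool bypass;     /* bypass register used in place of q when the cell is disabled */
    bool jadi_sel;   /* designer-selected: removed from the chain when JADI=1 */
};

struct scan_chain { struct scan_cell cell[CHAIN_LEN]; };

/* Load q of cell i from bit i of value; cells whose bit is set in protect_mask are JADI-selected. */
void chain_load(struct scan_chain *ch, uint8_t value, uint8_t protect_mask)
{
    for (int i = 0; i < CHAIN_LEN; i++) {
        ch->cell[i].q = (value >> i) & 1;
        ch->cell[i].bypass = false;
        ch->cell[i].jadi_sel = (protect_mask >> i) & 1;
    }
}

/* One clock edge with SE=1 (test/debug mode). Every cell loads its predecessor's SO at the
 * same instant; a disabled cell shifts through its bypass register and leaves q untouched,
 * so the chain keeps the same number of stages. Returns the chain's SO before the edge. */
bool chain_clock(struct scan_chain *ch, bool si, bool jadi)
{
    bool so[CHAIN_LEN];
    for (int i = 0; i < CHAIN_LEN; i++) {
        const struct scan_cell *c = &ch->cell[i];
        so[i] = (jadi && c->jadi_sel) ? c->bypass : c->q;   /* SO differs from Q when bypassed */
    }
    for (int i = 0; i < CHAIN_LEN; i++) {
        struct scan_cell *c = &ch->cell[i];
        bool in = (i == 0) ? si : so[i - 1];
        if (jadi && c->jadi_sel)
            c->bypass = in;
        else
            c->q = in;
    }
    return so[CHAIN_LEN - 1];
}

/* Shift the whole chain out through the TAP, zeros following the data. Bit i of the
 * result is what the debugger observes for cell i. */
uint8_t chain_scan_out(struct scan_chain *ch, bool jadi)
{
    uint8_t seen = 0;
    for (int k = 0; k < CHAIN_LEN; k++)
        seen |= (uint8_t)chain_clock(ch, false, jadi) << (CHAIN_LEN - 1 - k);
    return seen;
}

/* Shift value into the chain, most significant bit first, so bit i ends up at stage i. */
void chain_scan_in(struct scan_chain *ch, uint8_t value, bool jadi)
{
    for (int k = CHAIN_LEN - 1; k >= 0; k--)
        chain_clock(ch, (value >> k) & 1, jadi);
}

/* The functional register contents, bit i for cell i (what the core itself sees). */
uint8_t chain_q(const struct scan_chain *ch)
{
    uint8_t v = 0;
    for (int i = 0; i < CHAIN_LEN; i++)
        v |= (uint8_t)ch->cell[i].q << i;
    return v;
}

int main(void)
{
    struct scan_chain ch;
    /* cells 4..7 hold a constructed "secure" nibble and are JADI-selected */
    chain_load(&ch, 0xA5, 0xF0);
    printf("scan out, JADI=0: 0x%02X (secure nibble exposed)\n", chain_scan_out(&ch, false));
    chain_load(&ch, 0xA5, 0xF0);
    printf("scan out, JADI=1: 0x%02X (bypass zeros in its place)\n", chain_scan_out(&ch, true));
    chain_load(&ch, 0xA5, 0xF0);
    chain_scan_in(&ch, 0xFF, true);
    printf("after scan in of 0xFF with JADI=1, registers hold 0x%02X\n", chain_q(&ch));
    return 0;
}
```

JADI is a hardware control, not a software one: it is only effective if the signal itself cannot be driven low by the party being kept out, which is why the text pairs it with the board-level JSDAEN handling described later.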
Figure 67 schematically illustrates a processor including a JTAG part. In normal operation, the instruction memory 550 communicates with the core and, under certain circumstances, can also communicate with the register CP14 and reset the control values. This is normally permitted only in the secure supervisor mode.
When debug is initiated, instructions are entered through the debug TAP 580, and it is these instructions that control the core. The core in debug operates in a step-by-step fashion. The debug TAP accesses CP14 through the core (subject to an access control signal entered on the JSDAEN pin, shown as the JADI pin, the JTAG access disable input, in Figure 45), and the control values can also be reset in this way.
Access to the CP14 register through the debug TAP 580 is controlled by the access control signal JSDAEN. This is arranged such that for access, and in particular write access, to be allowed, JSDAEN must be set high. At the board stage, when the whole processor is being verified, JSDAEN is set high and debug is allowed across the whole system. Once the system has been verified, the JSDAEN pin can be tied to ground, meaning that access through the debug TAP 580 to the control values that enable debug is no longer available in the secure mode. Processors in production mode typically have JSDAEN tied to ground. Access to the control values is then available only by the software route, through the instruction memory 550. Access by this route is limited to the secure supervisor mode or, potentially, to another mode that supplies an authentication code (see Figure 68).
It should be noted that by default, debug (intrusive and observable, i.e. trace) is available only in the non-secure world. For it to be available in the secure world, the control value enable bits need to be set.
The advantage of this is that debug can always be initiated by the user for operation in the non-secure world. Thus, although access to the secure world in debug is not always available to the user, in many cases this is not a problem, because restricting access to this world is what allows the secure world to be fully verified at the board stage before it is made available. It is therefore anticipated that in many cases debugging of the secure world will be unnecessary. Where it is necessary, the secure supervisor can still initiate debug by writing to CP14 via the software route.
Figure 68 schematically illustrates the control of debug initiation. In this figure, a part of the core 600 comprises a storage element 601 (which may be the CP15 register described earlier) storing a secure state bit S indicating whether the system is in the secure world. The core 600 also comprises a register 602 made up of bits indicating the mode in which the processor is running, for example user mode, and a register 603 providing a context identifier identifying the application or thread currently running on the core.
When a breakpoint is reached, the comparator 610, which compares the breakpoint stored in register 611 with the address of the core held in register 612, sends a signal to the control logic 620. The control logic 620 examines the secure state S, the mode 602 and the thread (context identifier) 603, and compares them with the control values and condition indicators stored in the register CP14. If the system is not operating in the secure world, an "enter debug" signal is output at 630. If, however, the system is operating in the secure world, the control logic 620 checks the mode 602 and, if in user mode, checks whether the user mode enable bit and the debug enable bit are set. If they are, then provided the thread-aware initialisation bit has not been set, debug is initiated. This example illustrates the hierarchical nature of the control values.
Figure 68 also schematically illustrates the thread-aware part of the monitoring control, and how the control values stored in the register CP14 can be changed only from the secure supervisor mode (in this embodiment the processor is at production level and JSDAEN is tied to ground). From the secure user mode, the secure supervisor mode can be entered using an authentication code, after which the control values can be set in CP14.
Assuming the thread comparator 640 indicates that debug is available for the current thread, then when the comparator 610 indicates that the address has reached a breakpoint, the control logic 620 outputs the "enter debug" signal. This assumes that the thread-aware initialisation bit has been set in CP14. If the thread-aware initialisation bit is set, debug or trace can be entered following a breakpoint only if both the address and the context identifier match those indicated in the breakpoint and in the thread-aware indicator as allowed. After the monitoring function has been initiated, capture of diagnostic data continues only while the comparator 640 identifies the context identifier as an allowed thread. When the context identifier indicates that the running application is not an allowed one, capture of diagnostic data is suppressed.
It should be noted that in preferred embodiments there are several levels of granularity. In effect, the secure debug enable bit or secure trace enable bit is at the top, followed by the secure user mode enable bit, and lastly the secure thread-aware enable bit. This is illustrated in Figures 69A and 69B (see below).
Secure debug granularity is controlled, according to the domain, the mode and the executing thread, by the control values held in the "debug and status control" register (CP14). The secure supervisor mode sits above this hierarchy, since it is the mode that programs the register. Once the "debug and status control" register CP14 has been configured, the corresponding breakpoints, watchpoints and so on cause the core to enter debug state, until the secure supervisor mode reprograms the register.
Figure 69A gives an overview of the secure debug granularity for intrusive debug. Default values at reset are shown in grey.
The same applies to the debug granularity for observable debug (trace). Figure 69B gives the overview of the secure debug granularity in that case, again with the default values at reset shown in grey.
Note that the secure user mode debug enable bit and the secure thread-aware debug enable bit are common to intrusive and observable debug.
A thread-aware initialisation bit is stored in the register CP14 and indicates whether granularity by application is required. If the thread-aware initialisation bit is set, the control logic further checks whether the thread identifier 603 is one indicated in the thread-aware control bits, and if so debug is initiated. If the user mode or debug enable bits are not set, or if the thread-aware bit is set and the application is not one indicated in the thread-aware control bits, the breakpoint is ignored and the core continues the processing it was performing without initiating debug.
Except the initialization of control function for monitoring, use similar mode, capture diagnostic data during controlling monitoring mode. For carrying out this operation, kernel must continue to consider controlling value, namely be stored among the CP14 the permission position and during function for monitoring, the condition relevant with them.
The granularity of the function for monitoring when Figure 70 schematically shows operation. In this case, regional A is relevant with the zone that allows to capture diagnostic data, and regional B and controlling value in being stored in CP14 to represent to capture the zone of diagnostic data relevant.
Therefore, when commissioning test and program operate among the regional A, between limber up period, in a step-wise fashion export diagnostic data. When operation switches to regional B, wherein, do not allow to capture diagnostic data, debugging is no longer in a step-wise fashion carried out, and on the contrary, it is processed and capture data not automatically. Then this continuation, again begins to capture diagnostic data and debugging and continues in a step-wise fashion operation until the operation of program enters regional A again.
In the above-described embodiments, if security domain is uncommitted, then always regard the SMI instruction as atomic event and diagnostic data is captured in inhibition.
In addition, if thread identification initialization bit is set, so with respect to application program, the granularity of function for monitoring during operation also occurs.
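The per-application granularity check described above (the user mode and thread-aware enable bits in CP14, and the stepping behaviour of Figure 70), as an added Python model that is not part of the patent: the grouping of the CP14 bits, the CoreState and Step records and the sample instruction trace are assumptions constructed for illustration.

```python
"""Debug-granularity check for the secure domain, as described above.

Added example, not the patent's own code: the CP14 register layout, the field
names and the CoreState/Step records are assumptions used for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class CP14Debug:
    """Debug control bits held in CP14 (assumed grouping of the bits the text names)."""
    secure_debug_enable: bool       # debug permitted in the secure domain at all
    user_mode_debug_enable: bool    # debug permitted while a secure application runs in user mode
    thread_aware_enable: bool       # restrict secure user-mode debug to one application
    thread_id: int = 0              # identifier of that application (thread ID register)


@dataclass
class CoreState:
    """The part of the core state the check looks at."""
    s_bit: bool             # True: secure domain, False: non-secure domain
    user_mode: bool         # True: user mode (an application), False: a privileged secure mode
    current_thread_id: int  # identifier of the application currently running


@dataclass
class Step:
    pc: int
    state: CoreState


def diagnostic_capture_permitted(core: CoreState, cp14: CP14Debug) -> bool:
    """Decide whether a breakpoint or single step at this point may capture diagnostic data.

    Non-secure code is always debuggable.  In the secure domain the global enable
    must be set; for a secure user-mode application the user-mode enable must also
    be set, and when the thread-aware bit is set the running application must be
    the one named in the thread ID register.  Otherwise the breakpoint is ignored
    and the core simply continues executing.
    """
    if not core.s_bit:
        return True
    if not cp14.secure_debug_enable:
        return False
    if not core.user_mode:
        # Assumption: privileged secure code is governed by the global enable alone.
        return True
    if not cp14.user_mode_debug_enable:
        return False
    if cp14.thread_aware_enable and core.current_thread_id != cp14.thread_id:
        return False
    return True


def smi_is_atomic(cp14: CP14Debug) -> bool:
    """With secure debug disabled an SMI is treated as one atomic event: the
    secure function runs to completion and nothing inside it is captured."""
    return not cp14.secure_debug_enable


def single_step(program: List[Step], cp14: CP14Debug) -> List[int]:
    """Simulate single-stepping through `program` (a constructed instruction trace).

    Returns the PCs at which the debugger actually stopped.  As in Figure 70,
    stepping silently runs through regions where capture is not permitted and
    resumes automatically as soon as execution re-enters a debuggable region.
    """
    return [step.pc for step in program if diagnostic_capture_permitted(step.state, cp14)]


# Constructed trace: non-secure code, an SMI into a secure application (thread 7),
# a context switch to another secure application (thread 9), and the return.
NON_SECURE = CoreState(s_bit=False, user_mode=False, current_thread_id=0)
SAMPLE_PROGRAM = [
    Step(0x8000, NON_SECURE),
    Step(0x8004, NON_SECURE),                                                    # the SMI itself
    Step(0x2000, CoreState(s_bit=True, user_mode=True, current_thread_id=7)),
    Step(0x2004, CoreState(s_bit=True, user_mode=True, current_thread_id=7)),
    Step(0x3000, CoreState(s_bit=True, user_mode=True, current_thread_id=9)),
    Step(0x8008, NON_SECURE),
]

if __name__ == "__main__":
    cp14 = CP14Debug(secure_debug_enable=True, user_mode_debug_enable=True,
                     thread_aware_enable=True, thread_id=7)
    print([hex(pc) for pc in single_step(SAMPLE_PROGRAM, cp14)])
```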
As regards observable debug, or trace, this is performed by the ETM and is entirely independent of debug. When trace is enabled the ETM operates normally; when it is disabled, the ETM hides the trace in the secure domain, or in the part of the secure domain determined by the chosen granularity. One way of preventing the ETM from capturing and tracing diagnostic data in the secure domain when this is not permitted is to stall the ETM while the S bit is high. This can be realised by combining the S bit with the ETMPWRDOWN signal, so that when the core enters the secure domain the ETM values remain at their last value. The ETM should therefore trace the SMI instruction and then stall until the core returns to the non-secure domain. The ETM thus sees only non-secure activity.
The following gives an overview of the different monitor functions and their granularity.
Board-level intrusive debug
At board level, when the JSDAEN pin is not tied, it is possible to enable debug everywhere before any boot sequence begins. Similar rights are available in secure supervisor mode.
If debug is initiated in halt debug mode, all registers (the non-secure and secure register banks) are accessible and the whole of memory can be dumped, except the bits dedicated to controlling debug.
Debug halt state can be entered from any mode and from any domain. Breakpoints and watchpoints can be set in secure or non-secure memory. In debug state, the secure domain can be entered simply by changing the S bit through an MCR instruction.
So that debug state is entered when a secure exception occurs, the vector catch register is extended with the following new bits:
● SMI vector catch enable
● secure data abort vector catch enable
● secure prefetch abort vector catch enable
● secure undefined vector catch enable
In monitor debug mode, if debug is enabled everywhere, it is possible to step into the secure domain during debug even when debugging an SMI from the non-secure domain. When a breakpoint occurs in the secure domain, the secure abort handler can be used to dump the secure register bank and secure memory.
The two abort handlers, in the secure and the non-secure domain, supply their information to the debugger application so that the debugger window (on the associated debug controlling PC) can present the register state in both the secure and the non-secure domain.
Figure 71A shows what happens when the core is in monitor debug mode and debug is enabled in the secure domain. Figure 71B shows what happens when the core is in monitor debug mode and debug is disabled in the secure domain. The latter process is described below.
Production-level intrusive debug
At production level, when JSDAEN is tied and debug is thereby restricted to the non-secure domain unless the secure supervisor decides otherwise, the table shown in Figure 71B represents what happens. In this case the SMI should always be regarded as an atomic instruction, so that the secure function always completes before debug state is entered.
Entering debug halt state is subject to the following restrictions:
External or internal debug requests are considered only in the non-secure domain. If EDBGRQ (external debug request) is asserted while in the secure domain, the core enters debug halt state once the secure function has terminated and the core has returned to the non-secure domain.
Programming a breakpoint or watchpoint in secure memory has no effect and does not halt the core when the programmed address matches.
The vector catch register (details are given below) relates only to non-secure domain exceptions. The extended catch enable bits described earlier have no effect.
While in halt debug mode the following restrictions apply:
The S bit must not be changed to force entry into the secure domain unless secure debug is enabled.
If debug is enabled only in secure supervisor mode, the mode bits must not be changed.
The dedicated bits controlling secure debug must not be changed.
If an SMI is loaded and executed (by system-speed access), the core re-enters debug state only once the secure function has executed completely.
In monitor debug mode, since there is no monitoring in the secure domain, the secure abort handler need not support the debug monitor program. In the non-secure domain, stepping is possible, but whenever an SMI is executed the secure function is executed in its entirety; in other words, whereas both stepping into and stepping over are possible on every other instruction, only a single step over the whole SMI is allowed. The SMI is therefore regarded as an atomic instruction.
Once secure debug is disabled, the following restrictions apply:
Before entering monitor mode:
Breakpoints and watchpoints are considered only in the non-secure domain. If the S bit is set, breakpoints and watchpoints are ignored. Note that the watchpoint unit can also be accessed through MCR/MRC (CP14); since breakpoints and watchpoints have no effect in secure memory, this is not a security issue.
BKPT is commonly used to replace the instruction on which a breakpoint is set. This assumes that the instruction is overlaid in memory by the BKPT instruction, which is possible only in non-secure mode.
The vector catch register relates only to non-secure exceptions. The extended catch enable bits described earlier have no effect. Data abort and prefetch abort catch should be disabled, to avoid forcing the processor into an unrecoverable state.
Through JTAG, the same restrictions apply as for halt mode (the S bit cannot be modified, etc.).
Once in monitor mode (non-secure abort mode):
The non-secure abort handler can dump the non-secure domain but has no visibility of the secure banked registers or of secure memory.
Secure functions are executed by way of the atomic SMI instruction.
The S bit can be changed to force entry into the secure domain.
The mode bits cannot be changed, since debug is allowed only in secure supervisor mode.
Note that if an external debug request (EDBGRQ) occurs:
in the non-secure domain, the core terminates the current instruction and then immediately enters debug state (in halt mode);
in the secure domain, the core terminates the current function and enters debug state on returning to the non-secure domain.
The new debug requirements imply improvements to the core hardware. The S bit must be carefully controlled and, for security reasons, the S bit must not be inserted in the scan chain.
In general, the mode bits can be modified in debug only if debug is enabled in secure supervisor mode. This is to prevent anyone who enters debug in the secure domain from gaining access to the whole secure domain by modifying the system (modifying TLB entries, etc.). In this way each thread can debug its own code, and only its own code. The secure kernel must be kept secure. Hence, when the core enters debug while running in the non-secure domain, the mode bits may be changed as before.
The embodiment of this technique uses a new vector catch register. If a bit in this register is set high and the corresponding vector is taken, the processor enters debug state as though a breakpoint had been set on the instruction fetched from the associated exception vector. The behaviour of these bits can differ according to the value of the secure domain debug enable bit in the debug control register.
The new vector catch register comprises the following bits: D_s_abort, P_s_abort, S_undef, SMI, FIQ, IRQ, Unaligned, D_abort, P_abort, SWI and Undef.
● D_s_abort bit: set only when debug is enabled in the secure domain and debug is configured in halt debug mode. In monitor debug mode this bit should never be set. If debug is disabled in the secure domain, this bit has no effect whatever its value.
● P_s_abort bit: the same as the D_s_abort bit.
● S_undef bit: set only when debug is enabled in the secure domain. If debug is disabled in the secure domain, this bit has no effect whatever its value.
● SMI bit: should be set only when debug is enabled in the secure domain. If debug is disabled in the secure domain, this bit has no effect whatever its value.
● FIQ, IRQ, Unaligned, D_abort, P_abort, SWI and Undef bits: these correspond to non-secure exceptions and are therefore effective even when debug is disabled in the secure domain. Note that in monitor mode, D_abort and P_abort should not be asserted high.
● Reset bit: when a reset occurs while entering the secure domain, this is effective only when debug is enabled in the secure domain; otherwise it has no effect.
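The gating rules for these bits, as an added Python model that is not part of the patent: it decides which catch bits are honoured given the secure debug enable bit and the debug mode, and flags the configurations the text warns against. The dictionary-of-bits representation, the DebugMode enum and the reset_enters_secure flag are assumptions.

```python
"""Model of the extended vector catch register described above.

Added example, not the patent's own code: the dictionary-of-bits representation,
the DebugMode enum and the reset_enters_secure flag are assumptions.
"""
from enum import Enum
from typing import Dict, List


class DebugMode(Enum):
    HALT = "halt"        # halt debug mode: the core stops and the external debugger takes over
    MONITOR = "monitor"  # monitor debug mode: a debug monitor runs inside an abort handler


# Bits catching vectors taken in the secure domain: effective only when secure debug is enabled.
SECURE_CATCH_BITS = {"D_s_abort", "P_s_abort", "S_undef", "SMI"}
# Bits for non-secure exceptions: effective even when secure debug is disabled.
NON_SECURE_CATCH_BITS = {"FIQ", "IRQ", "Unaligned", "D_abort", "P_abort", "SWI", "Undef"}
ALL_BITS = SECURE_CATCH_BITS | NON_SECURE_CATCH_BITS | {"Reset"}


def vector_catch_enters_debug(vector: str, vcr: Dict[str, bool], secure_debug_enabled: bool,
                              debug_mode: DebugMode, reset_enters_secure: bool = True) -> bool:
    """Return True if taking `vector` makes the core enter debug state, i.e. behaves as
    if a breakpoint sat on the instruction fetched from that exception vector.

    `vcr` maps bit names to their values (unset bits may be omitted).
    """
    if vector not in ALL_BITS:
        raise ValueError(f"unknown vector catch bit: {vector}")
    if not vcr.get(vector, False):
        return False
    if vector in NON_SECURE_CATCH_BITS:
        return True                                   # non-secure exceptions: always effective
    if vector == "Reset":
        # Only meaningful when reset lands in the secure domain and secure debug is enabled.
        return secure_debug_enabled and reset_enters_secure
    if not secure_debug_enabled:
        return False                                  # secure bits ignored whatever their value
    if debug_mode is DebugMode.MONITOR and vector in {"D_s_abort", "P_s_abort"}:
        # The secure abort handler is itself the debug monitor in this mode; catching
        # its own vector would recurse, so these bits are never honoured here.
        return False
    return True


def vcr_configuration_warnings(vcr: Dict[str, bool], debug_mode: DebugMode) -> List[str]:
    """Flag catch bits the text says should not be set in monitor debug mode: catching
    a data or prefetch abort there can force the processor into an unrecoverable state."""
    if debug_mode is not DebugMode.MONITOR:
        return []
    return [f"{bit} catch enabled in monitor debug mode"
            for bit in ("D_s_abort", "P_s_abort", "D_abort", "P_abort") if vcr.get(bit, False)]


def caught_vectors(vcr: Dict[str, bool], secure_debug_enabled: bool, debug_mode: DebugMode) -> List[str]:
    """All vectors that would enter debug state under this configuration."""
    return sorted(v for v in ALL_BITS
                  if vector_catch_enters_debug(v, vcr, secure_debug_enabled, debug_mode))


if __name__ == "__main__":
    everything = {bit: True for bit in ALL_BITS}      # constructed: every catch bit set
    print("production (secure debug disabled):", caught_vectors(everything, False, DebugMode.HALT))
    print("board level (secure debug enabled): ", caught_vectors(everything, True, DebugMode.HALT))
    print(vcr_configuration_warnings(everything, DebugMode.MONITOR))
```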
Although particular embodiments of the invention have been described here, the invention is obviously not limited to these, and many modifications and additions may be made within the scope of the invention. For example, various combinations of the features of the following dependent claims may be made with the features of the independent claims without departing from the scope of the invention.

Claims (47)

1. An apparatus for processing data, said apparatus comprising:
a processor operable in a plurality of modes and a plurality of domains, said plurality of domains including a secure domain and a non-secure domain, said plurality of modes including:
at least one secure mode, being a mode in said secure domain;
at least one non-secure mode, being a mode in said non-secure domain;
characterised in that
when said processor is executing a program in a secure mode, said program has access to secure data which is not accessible when said processor is operating in a non-secure mode;
said processor is responsive to one or more exception conditions to trigger exception processing using an exception handler, said processor being operable to select said exception handler from among a plurality of possible exception handlers in dependence upon whether said processor is operating in said secure domain or in said non-secure domain.
2. An apparatus as claimed in claim 1, characterised in that at least one of said exceptions is a selectable exception handled by a selected one of a non-secure exception handler operating in a non-secure mode and a secure exception handler operating in a secure mode; and
at least one of said exceptions is a dedicated secure exception handled by a secure exception handler operating in a secure mode.
3. An apparatus as claimed in claim 1, characterised in that said one or more exception conditions are programmably configurable, as required and regardless of the domain in which they are triggered, to trigger a non-secure exception handler operating in a non-secure mode or a secure exception handler operating in a secure mode.
4. An apparatus as claimed in any one of the preceding claims, having a secure exception triggered by a signal on one of a dedicated secure exception signal input and a non-secure exception signal input.
5. An apparatus as claimed in any one of claims 1, 2 and 3, having an exception signal input shared between secure and non-secure exceptions and a further input signal cooperating with said exception signal input so as to control whether a secure exception handler or a non-secure exception handler is triggered.
6. An apparatus as claimed in any one of the preceding claims, characterised in that said secure exception handler is part of a secure operating system operable in said secure mode.
7. An apparatus as claimed in any one of the preceding claims, characterised in that said non-secure exception handler is part of a non-secure operating system operable in said non-secure mode.
8. An apparatus as claimed in any one of the preceding claims, characterised in that said processor is also operable in a monitor mode, any switching between said secure mode and said non-secure mode required for handling an exception takes place via said monitor mode, and said processor is operable at least partially in said monitor mode so as to execute a monitor program managing the switching between said secure mode and said non-secure mode.
9. An apparatus as claimed in claim 8, characterised in that said monitor program is operable, when switching between said secure mode and said non-secure mode in order to handle an exception, to save and restore context data defining the processor state.
10. An apparatus as claimed in any one of claims 8 and 9, characterised in that said processor comprises a register bank and said monitor program is operable, when switching from said secure mode to said non-secure mode, to flush at least that part of said register bank which is shared between said secure mode and said non-secure mode, so that, except as permitted by said monitor program, secure data held in said register bank cannot be passed from said secure mode to said non-secure mode.
11. An apparatus as claimed in any one of the preceding claims, characterised in that said exception conditions comprise one or more of:
a secure interrupt signal exception;
a mode switching software interrupt signal;
a reset exception;
an interrupt signal exception;
a software interrupt signal;
an undefined instruction exception;
a prefetch abort exception;
a data abort exception; and
a fast interrupt signal exception.
12. An apparatus as claimed in claim 1, characterised in that said processor is responsive to an exception condition to select an exception handler in dependence upon an exception vector value associated with said exception condition and stored in an active exception vector table for said exception condition; and
said active exception vector table is one of a plurality of exception vector tables.
13. An apparatus as claimed in claim 12, characterised in that said plurality of exception vector tables comprises a secure exception vector table selectable in said secure mode and a non-secure exception vector table selectable in said non-secure mode.
14. An apparatus as claimed in any one of claims 12 and 13, characterised in that said processor is also operable in a monitor mode, any switching between said secure mode and said non-secure mode takes place via said monitor mode, and said plurality of exception vectors are executed via said monitor mode.
15. An apparatus as claimed in claim 14, characterised in that said plurality of exception vector tables comprises a monitor mode exception vector table.
16. An apparatus as claimed in claim 15, characterised in that said processor is responsive to one or more parameters specifying which of said exceptions should be handled by said monitor mode exception vector table.
17. An apparatus as claimed in claims 13 and 16, characterised in that said secure vector table is said active vector table in said secure mode and said non-secure vector table is said active vector table in said non-secure mode, unless said one or more parameters specify said monitor mode vector table as said active vector table for said exception condition.
18. An apparatus as claimed in claim 16, characterised in that at least one of said parameters is stored in an exception trap mask register.
19. An apparatus as claimed in claim 18, characterised in that when said processor is in said monitor mode said exception control register is writable, and when said processor is not in said non-secure domain said exception trap mask register is not writable.
20. An apparatus as claimed in claim 13, characterised in that when said processor is in a secure mode said secure exception vector table is writable, and when said processor is in a non-secure mode said secure exception vector table is not writable.
21. An apparatus as claimed in claim 13, characterised in that a secure exception handler forming part of a secure operating system uses said secure mode.
22. An apparatus as claimed in claim 13, characterised in that a non-secure exception handler forming part of a non-secure operating system uses said non-secure mode.
23. An apparatus as claimed in any one of claims 12 to 22, comprising a plurality of vector table base address pointer registers, each storing a base address value for a respective one of said plurality of exception vector tables.
24. A method of processing data, said method comprising the steps of:
executing a program with a processor operable in a plurality of modes and a plurality of domains, said plurality of domains including a secure domain and a non-secure domain, said plurality of modes including:
at least one secure mode, being a mode in said secure domain;
at least one non-secure mode, being a mode in said non-secure domain;
characterised in that
when said processor is executing a program in a secure mode, said program has access to secure data which is not accessible when said processor is operating in a non-secure mode;
in response to one or more exception conditions, triggering exception processing using an exception handler, said processor being operable to select said exception handler from among a plurality of possible exception handlers in dependence upon whether said processor is operating in said secure domain or in said non-secure domain.
25. A method as claimed in claim 24, characterised in that at least one of said exceptions is a selectable exception handled by a selected one of a non-secure exception handler operating in a non-secure mode and a secure exception handler operating in a secure mode; and
at least one of said exceptions is a dedicated secure exception handled by a secure exception handler operating in a secure mode.
26. A method as claimed in claim 24, characterised in that said one or more exception conditions are programmably configurable, as required and regardless of the domain in which they are triggered, to trigger a non-secure exception handler operating in a non-secure mode or a secure exception handler operating in a secure mode.
27. A method as claimed in any one of claims 24, 25 and 26, having a secure exception signal input and a non-secure exception signal input.
28. A method as claimed in any one of claims 24, 25 and 26, having an exception signal input shared between secure and non-secure exceptions and a further input signal cooperating with said exception signal input so as to control whether a secure exception handler or a non-secure exception handler is triggered.
29. A method as claimed in any one of claims 24 and 28, characterised in that said secure exception handler is part of a secure operating system operable in said secure mode.
30. A method as claimed in any one of claims 24 to 29, characterised in that said non-secure exception handler is part of a non-secure operating system operable in said non-secure mode.
31. A method as claimed in any one of claims 24 to 30, characterised in that said processor is also operable in a monitor mode, any switching between said secure mode and said non-secure mode required for handling an exception takes place via said monitor mode, and said processor is operable at least partially in said monitor mode so as to execute a monitor program managing the switching between said secure mode and said non-secure mode.
32. A method as claimed in claim 31, characterised in that said monitor program is operable, when switching between said secure mode and said non-secure mode in order to handle an exception, to save and restore context data defining the processor state.
33. A method as claimed in any one of claims 31 and 32, characterised in that said processor comprises a register bank and said monitor program is operable, when switching from said secure mode to said non-secure mode, to flush at least that part of said register bank which is shared between said secure mode and said non-secure mode, so that, except as permitted by said monitor program, secure data held in said register bank cannot be passed from said secure mode to said non-secure mode.
34. A method as claimed in any one of claims 24 to 33, characterised in that said at least one exception condition comprises one or more of:
a secure interrupt signal exception;
a mode switching software interrupt signal;
a reset exception;
an interrupt signal exception;
a software interrupt signal;
an undefined instruction exception;
a prefetch abort exception;
a data abort exception; and
a fast interrupt signal exception.
35. A method as claimed in claim 24, characterised in that said processor is responsive to an exception condition to select an exception handler in dependence upon an exception vector value associated with said exception condition and stored in an active exception vector table for said exception condition; and
said active exception vector table is one of a plurality of exception vector tables.
36. A method as claimed in claim 35, characterised in that said plurality of exception vector tables comprises a secure exception vector table selectable in said secure mode and a non-secure exception vector table selectable in said non-secure mode.
37. A method as claimed in any one of claims 35 and 36, characterised in that said processor is also operable in a monitor mode, any switching between said secure mode and said non-secure mode takes place via said monitor mode, and said plurality of exception vectors are executed via said monitor mode.
38. A method as claimed in claim 37, characterised in that said plurality of exception vector tables comprises a monitor mode exception vector table.
39. A method as claimed in claim 37, characterised in that said processor is responsive to one or more parameters specifying which of said exceptions should be handled by said monitor mode exception vector table.
40. A method as claimed in claims 36 and 39, characterised in that said secure vector table is said active vector table in said secure mode and said non-secure vector table is said active vector table in said non-secure mode, unless said one or more parameters specify said monitor mode vector table as said active vector table for said exception condition.
41. A method as claimed in claim 39, characterised in that at least one of said parameters is stored in an exception trap mask register.
42. A method as claimed in claim 41, characterised in that when said processor is in said monitor mode said exception control register is writable, and when said processor is not in said monitor mode said exception trap mask register is not writable.
43. A method as claimed in claim 36, characterised in that when said processor is in a secure mode said secure exception vector table is writable, and when said processor is in a non-secure mode said secure exception vector table is not writable.
44. A method as claimed in claim 36, characterised in that a secure exception handler forming part of a secure operating system uses said secure mode.
45. A method as claimed in claim 36, characterised in that a non-secure exception handler forming part of a non-secure operating system uses said non-secure mode.
46. A method as claimed in any one of claims 35 to 45, comprising storing a respective base address value for each of said plurality of exception vector tables in a plurality of vector table base address registers.
47. A computer program product having a computer program operable to control a data processing apparatus in accordance with the method of any one of claims 24 to 46.
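Claims 12 to 23 (and the corresponding method claims 35 to 46) describe the vector table machinery; the following added Python model, which is neither the patent's nor ARM's code, works through handler selection from the active table, the exception trap mask and the register write restrictions. The exception names, the 4-byte vector slots, the base addresses and the rule that SMI always routes to the monitor table are assumptions.

```python
"""Exception vector table selection as laid out in claims 12 to 23 (and 35 to 46).

Added example, not the patent's own code: the exception names, the 4-byte vector
slots, the concrete base addresses and the mode labels are assumptions.
"""
from typing import Dict, Set, Tuple

# Exception conditions named in claim 11; SMI is the mode switching software interrupt.
EXCEPTIONS = ["Reset", "Undef", "SWI", "PrefetchAbort", "DataAbort", "IRQ", "FIQ", "SMI"]
SLOT = {name: 4 * i for i, name in enumerate(EXCEPTIONS)}   # assumed 4-byte vector slots

SECURE, NON_SECURE, MONITOR = "secure", "non_secure", "monitor"   # tables, and the modes accessing them

# Which modes may write each vector table.  Claim 20: the secure table is writable in
# secure mode and not in non-secure mode.  Assumption: the monitor table is writable
# only from monitor mode, and the non-secure table from any mode.
TABLE_WRITERS = {
    SECURE: {SECURE, MONITOR},
    MONITOR: {MONITOR},
    NON_SECURE: {SECURE, NON_SECURE, MONITOR},
}


class AccessViolation(Exception):
    """Raised when a mode writes a register it is not permitted to write."""


class ExceptionUnit:
    def __init__(self, bases: Dict[str, int]):
        # Vector table base address pointer registers, one per table (claim 23).
        self.base = dict(bases)
        # Vector slot contents of each table: offset -> handler address.
        self.tables: Dict[str, Dict[int, int]] = {table: {} for table in bases}
        # Exception trap mask register (claim 18).  Assumption: the mode switching SMI is
        # always routed to the monitor table, since the monitor manages domain switches (claim 8).
        self.trap_mask: Set[str] = {"SMI"}

    @staticmethod
    def can_write_trap_mask(current_mode: str) -> bool:
        """Claim 19: the exception trap mask register is writable only in monitor mode."""
        return current_mode == MONITOR

    @staticmethod
    def can_write_vector(current_mode: str, table: str) -> bool:
        return current_mode in TABLE_WRITERS[table]

    def write_trap_mask(self, current_mode: str, exceptions: Set[str]) -> None:
        if not self.can_write_trap_mask(current_mode):
            raise AccessViolation("exception trap mask register is writable only in monitor mode")
        self.trap_mask = set(exceptions) | {"SMI"}

    def write_vector(self, current_mode: str, table: str, exc: str, handler: int) -> None:
        if not self.can_write_vector(current_mode, table):
            raise AccessViolation(f"{table} vector table is not writable from {current_mode} mode")
        self.tables[table][SLOT[exc]] = handler

    def active_table(self, exc: str, s_bit: bool) -> str:
        """Claim 17: the secure table is active in the secure domain and the non-secure
        table in the non-secure domain, unless the trap mask names this exception, in
        which case the monitor mode table is active."""
        if exc in self.trap_mask:
            return MONITOR
        return SECURE if s_bit else NON_SECURE

    def dispatch(self, exc: str, s_bit: bool) -> Tuple[str, int, int]:
        """Claim 12: select the handler from the vector value held in the active table.
        Returns (table, vector address, handler address); handler 0 means never programmed."""
        table = self.active_table(exc, s_bit)
        offset = SLOT[exc]
        return table, self.base[table] + offset, self.tables[table].get(offset, 0)


def build_demo_unit() -> ExceptionUnit:
    """Constructed configuration: each world fills its own table from its own mode and
    the monitor claims FIQ as a secure interrupt via the trap mask."""
    unit = ExceptionUnit({SECURE: 0x1000_0000, NON_SECURE: 0x0000_0000, MONITOR: 0x2000_0000})
    for exc in EXCEPTIONS:
        unit.write_vector(SECURE, SECURE, exc, 0x1000_1000 + SLOT[exc] * 0x10)
        unit.write_vector(NON_SECURE, NON_SECURE, exc, 0x0000_1000 + SLOT[exc] * 0x10)
        unit.write_vector(MONITOR, MONITOR, exc, 0x2000_1000 + SLOT[exc] * 0x10)
    unit.write_trap_mask(MONITOR, {"FIQ"})
    return unit


if __name__ == "__main__":
    unit = build_demo_unit()
    for exc, s_bit in (("IRQ", False), ("IRQ", True), ("FIQ", False), ("SMI", False)):
        table, vector, handler = unit.dispatch(exc, s_bit)
        print(f"{exc:4} S={int(s_bit)} -> {table:10} vector {vector:#010x} handler {handler:#010x}")
```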

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
GB0226902.5 2002-11-18
GB0226905A GB0226905D0 (en) 2002-11-18 2002-11-18 Exception types within a secure processing system
GB0226905.8 2002-11-18
GB0303449.3 2003-02-14

Publications (2)

Publication Number Publication Date
CN1711526A true CN1711526A (en) 2005-12-21
CN100354829C CN100354829C (en) 2007-12-12

Family

ID=9948069

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2003801035347A Expired - Lifetime CN100354829C (en) 2002-11-18 2003-10-27 Exception types within a secure processing system

Country Status (2)

Country Link
CN (1) CN100354829C (en)
GB (1) GB0226905D0 (en)


Also Published As

Publication number Publication date
CN100354829C (en) 2007-12-12
GB0226905D0 (en) 2002-12-24


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term
