EP1544820B1 - Electronic data processing device - Google Patents

Publication number
EP1544820B1
Authority
EP
European Patent Office
Prior art keywords
memory
processing units
processing
data
units
Legal status
Active
Application number
EP20040106441
Other languages
German (de)
French (fr)
Other versions
EP1544820A1 (en
Inventor
Peter Timmermans
Carl Van Himbeeck
Mark Vanophalvens
Current Assignee
Atos Worldline SA
Original Assignee
Atos Worldline SA
Priority claimed from EP03078879A (external priority, patent EP1542181A1)
Application filed by Atos Worldline SA
Priority to EP20040106441
Publication of EP1544820A1
Application granted
Publication of EP1544820B1

Classifications

    • G: PHYSICS
    • G07: CHECKING-DEVICES
    • G07F: COIN-FREED OR LIKE APPARATUS
    • G07F19/00: Complete banking systems; Coded card-freed arrangements adapted for dispensing or receiving monies or the like and posting such transactions to existing accounts, e.g. automatic teller machines
    • G07F19/20: Automatic teller machines [ATMs]

Definitions

  • the electronic data processing device comprises a multi-port memory access controller 10, as illustrated in figure 2.
  • the multi-port memory access controller is formed by an interface, which is shared by each of the N processing units (MP1, MP2, ...MPN) 11, 12, 14 as well as by other units such as for example an Ethernet Media Access Controller 13.
  • Each processing unit (MP1, MP2, ...MPN) 11, 12, 14 and the Ethernet Media Access Controller 13 is connected to the multi-port memory access controller 10 by its own internal bus 31-1, 31-2, 31-N and 31-E.
  • the multi-port memory access controller acts as a slave vis-a-vis the master, formed by the processing units and the Ethernet MAC.
  • the multi-port memory access controller further comprises a number of slave interfaces 15, 16, 17, 18 and 19 in such a manner that each of the N processing units and the Ethernet MAC has a dedicated slave interface to which it is connected via its internal bus.
  • the slave interfaces enable the programming of the memory access controller. They contain most of the registers and perform a large part of the register address decoding.
  • the slave interfaces are prioritised with interface 15 having the highest priority.
  • the presence of a plurality of slave interfaces enables high bandwidth peripherals to have direct access to the dynamic memories without data having to pass over the main system bus.
  • the interface 19 forms the programmable type register mentioned here before.
  • the memory access controller is provided with logic circuitry (20, 21, 22, 23) as well as with an interface 24.
  • This logic circuitry comprises data buffers 20 for improving the memory bandwidth and reducing transaction latency.
  • the buffers are not tied to a particular one of the slave interfaces and are used as read buffers, write buffers or a combination of both.
  • the buffers are designed in such a manner that they are always coherent for read and write operations.
  • the logic circuitry also comprises a memory controller 21 for storing properties of the annexed memory such as for example the access speed, the type of memory, the memory bus speed.
  • Circuitry 23 is formed by an Endian and Packing logic and is provided for applying little-endian and big-endian conversion and data packing. Circuitry 23 is formed by a test interface controller used for testing the controller after manufacturing.
  • this multi-port memory access controller is realised by one of the N-M (MP1;14) processing units provided for processing application data. In such a manner, a large flexibility is obtained.
  • the memory access controller controls the access to dynamic memory interfaces and asynchronous static memories. It is also designed to operate with cached and non cached processors and is equipped with read and write buffers 20 to reduce latency and improve performances, in particular for non cached processors.
  • the memory access controller comprises a plurality of advanced high speed busses for accessing the second memory.
  • the memory access controller supports a boot device enabling a configuration of the whole memory and which has the ability to access the second memory in read mode.
  • This part of the second memory comprises preferably a NOR-flash memory 25, for example a 4Mbit memory organised as a 512Kx16 bits.
  • a global random access read/write part of the second memory is provided for storing code and data which should be accessed quickly, and offers a high density for a moderate cost.
  • This part is preferably formed by an SDRAM 26 (typical SDRAM of 128 or 256Mbit, organized as 8Mx16 or 16Mx16).
  • the memory comprises a high density non-volatile part provided for building a reliable file system. This part is preferably formed by a NAND-Flash 27 of for example 128Mbits.
  • the memory part 26 (SDRAM) is accessible to all N processing units.
  • the multi-port memory access controller makes no distinction between memory access requested by the different processing units.
  • a dedicated area of the common SDRAM 26 is reserved for use by the M processing units, which deal with secured data.
  • codes and data necessary for the secure operations, handled by the M processing units are stored.
  • This dedicated area must be protected against access by the N-M processing units and the Ethernet MAC.
  • the multi-port memory access controller comprises a memory access control member 30 provided for storing the address ranges assigned to the M processing units as illustrated in figure 3.
  • the memory access control member 30 initiates a mechanism for preventing access by the N-M processing units or the Ethernet MAC to a configurable number of contiguous segments of the memory. This allows delimiting of the memory range whose access can be reserved to the M secure processing units.
  • the restricted area may be locked for read, write or both from the N-M point of view.
  • the restricted area can be mirrored throughout the memory space when using memory devices that don't use all available address bits.
  • the memory access control member 30 comprises a memory protection member formed for example by a set of N - M memory protection units 32-1, 32-2, 32-3 in such a manner that to each of said N - M processing units and to the Ethernet MAC, there is assigned one of said memory protection units.
  • Each of the N - M processing units and the Ethernet MAC is connected to its memory protection unit by means of its dedicated internal bus 31.
  • each of the memory protection units 32 is controlled by a selected one of the M secure processors, for example processor 11 as illustrated in figure 3.
  • the memory access control member 30 comprises a configuration element 33, which is connected to the internal bus 31-1 of the secure processor 11. There is no connection between this configuration element and the other internal buses, so that there is no direct physical access to this configuration element by means of the other processors. Consequently the set configuration can be neither changed nor reset by any of the N-M non-protected processors, as they have no access to this configuration element, not even with full knowledge of the internal architecture of the device. Only an external or power-on reset may reset the set configuration.
  • the first 4Mbyte of SDRAM is free for both read and write, the next 4Mbyte is locked for read and write.
  • This sequence is repeated for the whole physical range of the first SDRAM device (64Mbyte).
  • 64Mbyte e.g. a 16Mbyte SDRAM device (128Mbit)
  • this can be divided into 4 blocks of 4Mbyte, the 1st and the 3rd will be available for MP2, the 2nd and the 4th will be locked.
  • this configuration is supplied via an output of the configuration element to the memory protection units 32 in order to inform the latter of the set configuration.
  • the memory protection unit 32-3 will recognise the address assigned to the MP1 processing unit 11 and will overrule the access request. This is realised by using the start address and the block size stored in the start address register and the length register. Depending on the type of protection as set in the protection type register, the access will be enabled or the memory protection unit will overrule the access, for example by converting the presented address to a predetermined address corresponding to no location in SDRAM.
  • a flag signal FIQ is generated by a flag generator, which is part of the memory control member.
  • the flag signal is supplied to the processing unit to which the detected address had been assigned as well as to the processing unit, which tried to access the protected memory part.
  • the processing unit MP1 which received the flag signal could treat this as a tamper source and initiate a tamper routine. This condition should normally not occur unless an attempt is made to retrieve some secure information; a software buffer overflow or bad pointer usage should be trapped by the memory management unit of the processor and cause a 'Data Abort' exception.
  • the configuration of all the memory protection units is preferably common: they share the same configuration information. Because there are multiple buses and there is no physical connection between the internal buses, multiple instantiations of the same function are needed.

Description

    ELECTRONIC DATA PROCESSING DEVICE
  • The invention relates to an electronic data processing device, comprising a data processing member, provided for processing first encoded data, obtained by encoding first data, input by a user and second encoded data, read from a carrier comprising a first memory for storing identification data, said data processing member being provided for controlling, based on said first and second data, a secured operation initiated by said user, said device further comprising a second memory accessible by said processing member, said second memory being configurable in order to delimit at least one secured memory part within said second memory, to each of said secured memory parts there being assigned a dedicated address range, said data processing member comprises N≥2 processing units of which M≤ N-1 processing units are provided to process said secured operation and at least one of the remaining N-M processing units is provided for processing application data related to said operation, to each of said M processing units there is assigned at least one of said secured memory parts, each of said processing units being each time connected to a memory access control member, said second memory being also connected to said memory access control member, which is provided for controlling accesses to said second memory, said memory access control member being provided for storing said memory address ranges assigned to said M processing units and for detecting an access request to said protected memory address, belonging to said ranges, when issued by one of said N-M processing units and for overruling the detected access request to said protected memory address.
  • Such an electronic data processing device is known from US-A-2003/0018860 and for example used as a transfer terminal for electronic payment placed at a point of sales. The first data is generally input by the user by means of keys or a touch screen and comprises for example the user's PIN code. The second data is stored in the first memory of the carrier, for example a bankcard and identifies the user, for example by his bank account number. Since the PIN code as well as the bank account number are secured data, they should only be processed by a secured operation, which is initiated by the user upon introducing the carrier with his first memory into the terminal. For the execution of the transaction requested by the user, and in particular for the secured operation, the data processing member needs the second memory, where the necessary routines and data, as well as encoding and decoding keys are stored.
  • As secured operations are executed by the processing member, it is of the utmost importance that the data involved in such an operation are well protected against any attempt to read or retrieve them. For that purpose it is well known to encrypt or encode the data involved in the secured operation and avoid in such a manner that "clear" data could be retrieved from the terminal.
  • Unfortunately, it is not excluded that persons with bad intentions could reach the keys stored in the second memory and could thus be able to decode the data encoded by means of those keys. Still higher levels of protection are thus required in order to provide the user with an efficient and reliable protection of the secured operation initiated on such electronic data processing devices.
  • In the device known from US-A-2003/0018860 a plurality of processing units are present and only a restricted number of them is entitled to process secure data. In order to avoid that processing units, which are not entitled to access secure data, could reach this secure data, a memory access control member is used. This memory access control member is provided with an SPM (System Protection Member), which is connected to a traffic control unit. The SPM controls the traffic towards the second memory and prevents that secure data is accessed by non-authorised processing units.
  • A drawback of the known device is that the SPM monitors a common bus, which is accessible by all processing units. This signifies that one could, via this common bus, get access to the SPM and reconfigure the latter, in order to get access to the secure data.
  • It is an object of the present invention to increase the protection of such an electronic data processing device, while preventing access to the security tools.
  • For this purpose an electronic data processing device according to the present invention is characterised in that each of said processing units is connected each time to said memory access control member by means of a dedicated internal bus and in that said memory access control member comprises a configuration element connected to a selected one of said M processing units by means of the internal bus dedicated to said selected processing unit, said configuration element being provided for generating, under control of said selected processing unit, said address ranges indicating said secured memory parts assigned to each of said M processing units, said memory access control member comprises a memory protection member connected via their dedicated internal bus to each of said N-M processing units, said configuration element having an output connected to said memory protection member for supplying said generated address ranges. The fact that the configuration element is connected to the selected processing unit by means of its dedicated internal bus, implies that only that selected processing unit can access the configuration element. In such a manner there is prevented that the set configuration could be changed by another processing unit than the selected one. Since the secured memory address ranges are determined under control of the selected processing unit, only the latter can change the set configuration. Furthermore the fact that the memory protection member is connected to the N-M processing units by means of their internal bus, implies that no access to the configuration element is possible by means of this N-M processing units, as there is no bus link to this configuration element.
  • A first preferred embodiment of an electronic data processing device according to the invention is characterised in that said memory protection member comprises a set of N-M memory protection units, to each of said N-M processing units there being assigned one of said memory protection units. In such a manner, each of the N-M processing units has its own memory protection units and the protected parts are efficiently protected.
  • A second preferred embodiment of an electronic data processing device according to the invention is characterised in that said memory protection member comprises a flag generator provided for generating a flag signal upon said detection, said flag generator being provided for supplying said flag to the processing unit to which the detected memory address is assigned. The use of a flag enables the secured processor to be alerted of an unauthorised access and to take appropriate measures.
  • The invention will now be described in more detail with reference to the annexed drawings illustrating a preferred embodiment of a data processing device according to the present invention. In particular the invention will be described with reference to a data transfer terminal. However the invention is not limited to such terminals and can be applied on any data processing device. In the drawings:
    • fig. 1 shows an overall view of the architecture and data flow of an electronic data processing device according to the present invention;
    • fig. 2 shows a multi-port memory controller which is part of the device according to the present invention; and
    • fig. 3 illustrates the memory access mechanism.
  • In the drawings a same reference sign has been assigned to a same or an analogous element.
  • It is of the utmost importance that an electronic data processing device, such as an ATM (Automatic Teller Machines) or a POS (Point of Sales Terminal), is very well protected against any unauthorised access to the data processed by the terminal. Therefore measures are taken to protect and isolate not only the processing member but also the memory and the bus connecting the memory, the processing member and the access peripherals. For this purpose, the electronic data processing device according to the present invention comprises a data processing member having N ≥ 2 processing units. In the example illustrated in figure 1, the processing member comprises two processing units (N = 2) MP1 and MP2. Preferably, all N processing units are embedded in a single semiconductor element, thereby avoiding the need to physically isolate them as discrete physical components. Indeed, if all N processing units are embedded in a same semiconductor element, a majority of the data transfer remains within the semiconductor element and is not easily accessible from outside.
  • Among those N processing units, M ≤ N - 1 processing units are provided to process secured operations and at least one of the remaining N-M processing units is provided for processing application data such as the generation of messages addressed to a user of a point-of-sales terminal. Secured operations are understood to be operations dealing with secured data such as the PIN code of a user, his bank account number, which is generally present in a first memory incorporated in a carrier such as a bank card, the encoding and decoding keys, etc. Application data is understood to be data such as the user guidance, choice of language, information such as "do you want a ticket?" etc., which is not vulnerable and generally of no interest to an unauthorised user.
  • The presence of more than one processing unit makes it not only possible to split the processing power over more than one processing unit, but also to make a separation between the treatment of secured and non-secured data. In such a manner, the secured data is not mixed up, during processing, with the non-secured data, thereby avoiding that an unauthorised user could get access to the secured data via the application data. As shown in figure 1, each processing unit MP1 and MP2 has its own operating system OS enabling the respective processing unit to operate on its own.
  • It is however not enough to provide N distinct processing units and attribute the secure operations to M of the N processing units. It is also necessary to secure the second memory to which the processing units have access in order to avoid that an unauthorised user could retrieve secured data from the second memory. Data, such as encoding and decoding keys, transfer protocols, user data, processing algorithms etc. which are necessary for enabling an electronic data transfer operation, comprising secured data are stored in this second memory. In particular the secured data such as the encoding and decoding keys should not be accessible to an unauthorised user. One possibility would be to physically attribute a separate memory to each processor unit in order to avoid that one processor could read or write data in the memory attributed to another of the M processing units. Although this solution could be used, it is not a practical one as it does not offer a possibility to the N processing units to share at least a part of the memory in common thereby enhancing the efficiency. The solution to use a memory, which is shared by all N processing units, is therefore preferred, thereby making it possible to configure this second memory in such a manner as to delimit at least one secured memory part within this second memory.
  • In order to realise such a delimitation, there is assigned to each secured memory part a dedicated address range. The configuration of each address range is preferably realised by using a number of registers, which are part of the memory access controller. The memory itself is divided in blocks, each block having a fixed predetermined size of for example 4 kbytes. To each of the M processing units there is thus each time assigned one or more memory blocks. In order to recognise at which address the assigned block or blocks start(s), a start address (SA) register is provided for storing the start addresses of each of the M processing units. The start address is the reference initial address, which configures the memory block or blocks to be protected.
  • It should be noted that the effective available physical memory space could be smaller than the total addressing capacity of the address generator and the start register so that virtual addressing can be used. In such a manner the logical address range (LS) of the memory blocks, which have to be protected, and the physical size of the memory storage area should not be necessarily the same. If the physical memory storage area (DS) is smaller than the logical address range (LS) of the start address register, then a same physical memory cell can be addressed n times with a same logical address, where n = LS/DS. If n ≠ 1, care should be taken that the protected blocks cannot be reached by a multiple of the start address. For this purpose the memory address controller comprises also a mask register, which enables to configure the bits in the start address, which are not relevant.
  • In order to determine how many memory blocks there have been assigned to each of the processing units, the memory access controller is provided with a length register, which stores the number (NB) of blocks attributed to each of the M processing units. If, as set out here before n ≠ 1, this should be taken into account when assigning the number of blocks. So, for example if n = 2, then each attributed block in fact corresponds to half of the effective available memory space.
  • The memory access controller further comprises a programmable type register, which enables the configuration of the type of protection to be applied, as well as other features such as access speed and connected devices. Those types are read/write, read only, write only or no protection at all. The reset value is preferably always read/write protected.
  • A protected address range can thus be expressed as follows (SA + m x DS) ≤ address to be protected ≤ (SA + m x DS + NB x BS) where BS is the block size and 1 ≤ m ≤ n-1 (SA being the start address, DS the storage area size and NB the number of blocks attributed to each of the M processing units). It is furthermore of importance to provide a set of reset values in such a manner as to enable a restart in case of erasure. The following reset values could for example be applied (the presented number is in hexadecimal representation) :
    • > BS = 0x1000 (4kB)
    • > DS = 0x800000
    • > PA = 0x40000000
    • > LS = 0x4000000
    • > SA = 0x40400000 (physical address start + 1/2 smallest device size -> 0x40000000 + 1/2 * 8MB)
    • > NB = 0x400 (1/2 smallest device size / BS -> 1/2 * 8MB / 4kB)
    • > n = 64MB/8MB = 8
    • > Protected area is the sum of the following regions:
    • > 0x40400000 - 0x40800000(with m=0)
    • > 0x40C00000 - 0x41000000(with m=1)
    • > 0x41400000 - 0x41800000(with m=2)
    • > 0x41C00000 - 0x42000000(with m=3)
    • > 0x42400000 - 0x42800000(with m=4)
    • > 0x42C00000 - 0x43000000(with m=5)
    • > 0x43400000 - 0x43800000(with m=6)
    • > 0x43C00000 - 0x44000000(with m=7)
  • In order to manage this memory access, the electronic data processing device comprises a multi-port memory access controller 10, as illustrated in figure 2. The multi-port memory access controller is formed by an interface, which is shared by each of the N processing units (MP1, MP2, ...MPN) 11, 12, 14 as well as by other units such as for example an Ethernet Media Access Controller 13. Each processing unit (MP1, MP2, ...MPN) 11, 12, 14 and the Ethernet Media Access Controller 13 is connected to the multi-port memory access controller 10 by its own internal bus 31-1, 31-2, 31-N and 31-E. The multi-port memory access controller acts as a slave vis-a-vis the master, formed by the processing units and the Ethernet MAC.
  • The multi-port memory access controller further comprises a number of slave interfaces 15, 16, 17, 18 and 19 in such a manner that each of the N processing units and the Ethernet MAC has a dedicated slave interface to which it is connected via its internal bus. The slave interfaces enable the programming of the memory access controller. They contain most of the registers and perform a large part of the register address decoding. The slave interfaces are prioritised with interface 15 having the highest priority. The presence of a plurality of slave interfaces enables high bandwidth peripherals to have direct access to the dynamic memories without data having to pass over the main system bus. The interface 19 forms the programmable type register mentioned here before.
  • Furthermore the memory access controller is provided with logic circuitry (20, 21, 22, 23) as well as with an interface 24. This logic circuitry comprises data buffers 20 for improving the memory bandwidth and reducing transaction latency. The buffers are not tied to a particular one of the slave interfaces and are used as read buffers, write buffers or a combination of both. The buffers are designed in such a manner that they are always coherent for read and write operations.
  • The logic circuitry also comprises a memory controller 21 for storing properties of the annexed memory such as for example the access speed, the type of memory, the memory bus speed. Circuitry 23 is formed by an Endian and Packing logic and is provided for applying little-endian and big-endian conversion and data packing. Circuitry 23 is formed by a test interface controller used for testing the controller after manufacturing.
  • The configuration of this multi-port memory access controller is realised by one of the N-M (MP1;14) processing units provided for processing application data. In such a manner, a large flexibility is obtained. Preferably, the memory access controller controls the access to dynamic memory interfaces and asynchronous static memories. It is also designed to operate with cached and non cached processors and is equipped with read and write buffers 20 to reduce latency and improve performances, in particular for non cached processors. Furthermore, the memory access controller comprises a plurality of advanced high speed busses for accessing the second memory.
  • The memory access controller supports a boot device, which enables a configuration of the whole memory and which has the ability to access the second memory in read mode. This part of the second memory comprises preferably a NOR-flash memory 25, for example a 4Mbit memory organised as a 512Kx16 bits. A global random access read/write part of the second memory is provided for storing code and data which should be accessed in a fast way, and offers a high density for a moderate cost. This part is preferably formed by an SDRAM 26 (typically an SDRAM of 128 or 256Mbit, organized as 8Mx16 or 16Mx16). Finally the memory comprises a high density non-volatile part provided for building a reliable file system. This part is preferably formed by a NAND-Flash 27 of for example 128Mbits.
  • The memory part 26 (SDRAM) is accessible to all N processing units. The multi-port memory access controller makes no distinction between memory access requested by the different processing units. However, as already described, a dedicated area of the common SDRAM 26 is reserved for use by the M processing units, which deal with secured data. In this dedicated area, codes and data necessary for the secure operations, handled by the M processing units, are stored. This dedicated area must be protected against access by the N-M processing units and the Ethernet MAC. For this purpose the multi-port memory access controller comprises a memory access control member 30 provided for storing the address ranges assigned to the M processing units as illustrated in figure 3.
  • The memory access control member 30 initiates a mechanism for preventing access by the N-M processing units or the Ethernet MAC to a configurable number of contiguous segments of the memory. This allows delimiting of the memory range whose access can be reserved to the M secure processing units. The restricted area may be locked for read, write or both from the N-M point of view. The restricted area can be mirrored throughout the memory space when using memory devices that don't use all available address bits. The memory access control member 30 comprises a memory protection member formed for example by a set of N - M memory protection units 32-1, 32-2, 32-3 in such a manner that to each of said N - M processing units and to the Ethernet MAC, there is assigned one of said memory protection units. Each of the N - M processing units and the Ethernet MAC is connected to its memory protection unit by means of its dedicated internal bus 31.
  • The configuration of each of the memory protection units 32 is controlled by a selected one of the M secure processors, for example processor 11 as illustrated in figure 3. For this purpose the memory access control member 30 comprises a configuration element 33, which is connected to the internal bus 31-1 of the secure processor 11. There is no connection between this configuration element and the other internal buses, so that there is no direct physical access to this configuration element by means of the other processors. Consequently the set configuration can be neither changed nor reset by any one of the N-M non-protected processors, as they have no access to this configuration element, not even with full knowledge of the internal architecture of the device. Only an external or power-on reset may reset the set configuration. In a default programming, after reset, the first 4Mbyte of SDRAM is free for both read and write, the next 4Mbyte is locked for read and write. This sequence is repeated for the whole physical range of the first SDRAM device (64Mbyte). When using e.g. a 16Mbyte SDRAM device (128Mbit), this can be divided into 4 blocks of 4Mbyte: the 1st and the 3rd will be available for MP2, the 2nd and the 4th will be locked.
  • Once the configuration of the protected memory address ranges has been set, i.e. the protected address ranges have been assigned to each of the M processing units, this configuration is supplied via an output of the configuration element to the memory protection units 32 in order to inform the latter of the set configuration.
  • If now one of the N-M processing units, suppose the MP2 processing unit 12, would like to access a memory part dedicated to the MP1 processing unit 11, the memory protection unit 32-3 will recognise the address assigned to the MP1 processing unit 11 and will overrule the access request. This is realised by using the start address and the block size stored in the start address register and the length register. Depending on the type of protection as set in the protection type register, the access will be enabled or the memory protection unit will overrule the access, for example by converting the presented address to a predetermined address corresponding to no location in SDRAM.
  • When one of the N - M processing units or the Ethernet MAC attempts to access the memory part assigned to the M processing units, preferably a flag signal FIQ is generated by a flag generator, which is part of the memory control member. The flag signal is supplied to the processing unit to which the detected address had been assigned as well as to the processing unit which tried to access the protected memory part. The processing unit MP1, which received the flag signal, could treat this as a tamper source and initiate a tamper routine. This condition should normally not occur unless an attempt is made to retrieve some secure information; a software buffer overflow or bad pointer usage should be trapped by the memory management unit of the processor and cause a 'Data Abort' exception.
  • The configuration of all the memory protection units is preferably common: they share the same configuration information. The memory protection member nevertheless consists of multiple instantiations of the same function, since there are multiple internal buses and there is no physical connection between them.
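
The range check, the mask register and the overrule-with-flag behaviour described above can be modelled in C as follows. This is an added example, not code from the patent: the lock-bit encoding, the `NO_LOCATION` address, the function names and the exclusive upper bound are assumptions, and the mirrors are enumerated for m = 0 to n-1 to match the listed regions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Reset values quoted in the description (hexadecimal). */
#define BS 0x1000u      /* block size: 4 kB */
#define DS 0x800000u    /* physical storage area: 8 MB */
#define LS 0x4000000u   /* logical address range: 64 MB */
#define PA 0x40000000u  /* physical address start */
#define SA 0x40400000u  /* start address register */
#define NB 0x400u       /* length register: number of blocks */

/* Assumed encodings, not taken from the patent. */
#define LOCK_READ   0x1u
#define LOCK_WRITE  0x2u
#define NO_LOCATION 0xFFFFFFFFu /* hypothetical address backed by no SDRAM cell */

struct mpu_config {
    uint32_t start;  /* SA */
    uint32_t blocks; /* NB */
    uint32_t mask;   /* start-address bits that are not relevant (mirror index m) */
    uint32_t type;   /* LOCK_READ | LOCK_WRITE, 0 = no protection */
};

/* Reset state: read/write protected, address bits between DS and LS masked. */
static struct mpu_config mpu_reset_config(void)
{
    struct mpu_config c = { SA, NB, (LS - 1u) & ~(DS - 1u), LOCK_READ | LOCK_WRITE };
    return c;
}

/* Physical SDRAM cell selected by a logical address (device mirrored n times). */
static uint32_t physical_cell(uint32_t addr)
{
    return (addr - PA) % DS;
}

/* Literal form of the range expression: try every mirror m = 0 .. n-1.
 * The upper bound is treated as exclusive (assumption) so that the free
 * 4 MB that follows each locked 4 MB stays accessible. */
static bool in_protected_range_enumerated(uint32_t addr)
{
    uint32_t n = LS / DS;
    for (uint32_t m = 0; m < n; m++) {
        uint32_t lo = SA + m * DS;
        if (addr >= lo && addr - lo < NB * BS)
            return true;
    }
    return false;
}

/* Mask-register form: clear the irrelevant bits, then do a single compare. */
static bool in_protected_range_masked(const struct mpu_config *c, uint32_t addr)
{
    uint32_t canonical = addr & ~c->mask;
    uint32_t base = c->start & ~c->mask;
    return canonical >= base && canonical - base < c->blocks * BS;
}

/* One memory protection unit on the bus of a non-secure master. Returns the
 * address forwarded to SDRAM and sets *flag (the FIQ) when it overrules. */
static uint32_t mpu_filter(const struct mpu_config *c, uint32_t addr,
                           bool is_write, bool *flag)
{
    uint32_t needed = is_write ? LOCK_WRITE : LOCK_READ;
    *flag = (c->type & needed) && in_protected_range_masked(c, addr);
    return *flag ? NO_LOCATION : addr;
}

/* Count block-aligned addresses on which the two forms disagree. */
static unsigned count_mismatches(const struct mpu_config *c)
{
    unsigned bad = 0;
    for (uint32_t off = 0; off < LS; off += BS)
        if (in_protected_range_enumerated(PA + off) !=
            in_protected_range_masked(c, PA + off))
            bad++;
    return bad;
}

int main(void)
{
    struct mpu_config c = mpu_reset_config();
    struct mpu_config weak = c;
    bool flag;
    uint32_t probes[] = { 0x40000000u, 0x40400000u, 0x40C00010u, 0x43FFFFFCu };

    weak.mask = 0; /* misconfiguration: mirrors of the protected blocks not covered */
    printf("mask register = 0x%08X, mismatches = %u\n",
           (unsigned)c.mask, count_mismatches(&c));
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t out = mpu_filter(&c, probes[i], false, &flag);
        printf("read 0x%08X -> 0x%08X flag=%d\n",
               (unsigned)probes[i], (unsigned)out, (int)flag);
    }
    /* Same physical cell as 0x40400010, yet not overruled without the mask. */
    mpu_filter(&weak, 0x40C00010u, false, &flag);
    printf("mask=0: read 0x40C00010 (cell 0x%06X) flag=%d\n",
           (unsigned)physical_cell(0x40C00010u), (int)flag);
    return 0;
}
```

With the mask cleared, the mirror at 0x40C00010 selects the same physical cell as the protected address 0x40400010 but is not overruled, which is the case the mask register exists to close.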

Claims (6)

  1. An electronic data processing device, comprising a data processing member, adapted to process first encoded data, obtained by encoding first data, input by a user and second encoded data, read from a carrier comprising a first memory for storing identification data, said data processing member being adapted to for control, based on said first and second data, a secured operation initiated by said user, said device further comprising a second memory accessible by said processing member, said second memory being configurable in order to delimit at least one secured memory part within said second memory, to each of said secured memory parts there being assigned a dedicated address range, said data processing member comprises N≥2 processing units (11,12,13,14) of which M≤ N-1 processing units (11) are adapted to process said secured operation and at least one of the remaining N-M processing units (12,13,14) is adapted to process non-vulnerable application data related to said operation, to each of said M processing units (11) there is assigned at least one of said secured memory parts, each of said processing units being each time connected to a memory access control member (30), said second memory being also connected to said memory access control member (30), which is adapted to control accesses to said second memory, said memory access control member being adapted to store said memory address ranges assigned to said M processing units (11) and to detect an access request to a protected memory address, belonging to said ranges, when issued by one of said N-M processing units (12,13,14) and to overrule the detected access request to said protected memory address, characterised in that each of said processing units (11,12,13,14) is each time connected to said memory access control member (30) by means of a dedicated internal bus; said memory access control member (30) comprises a configuration element (33) connected to a selected one of said M processing units (11) by means of the internal bus (31-1) dedicated to said selected processing unit (11), said configuration element (33) being adapted to generate, under control of said selected processing unit (11), said address ranges indicating said secured memory parts assigned to each of said M processing units (11); and in that said memory access control member (30) comprises a memory protection member connected to each of said N-M processing units (12,13,14) via their dedicated internal buses said configuration element (33) having an output connected to said memory protection member for supplying said generated address ranges.
  2. An electronic data processing device as claimed in claim 1, characterised in that said memory protection member comprises a set of N-M memory protection units (32-1,32-2,32-3), to each of said N-M processing units (12,13,14) there being assigned one of said memory protection units (32-1,32-2,32-3).
  3. An electronic data processing device as claimed in claim 2, characterised in that each of said N-M memory protection units (32-1,32-2,32-3) is connected to its respective processing unit (12,13,14) by means of its dedicated internal bus.
  4. An electronic data processing device as claimed in claim 1, 2 or 3, characterised in that said memory protection member comprises a flag generator provided for generating a flag signal upon said access request being detected, said flag generator being provided for supplying said flag to the processing unit (11) to which the protected memory address is assigned.
  5. An electronic data processing device as claimed in claim 4, characterised in that said flag generator is provided for supplying said flag to the processing unit (12,13,14), which supplied the detected access request.
  6. An electronic data processing device as claimed in any one of the claims 1 to 5, characterised in that said N processing units (11,12,13,14) are housed in a single semiconductor.
EP20040106441 2003-12-11 2004-12-09 Electronic data processing device Active EP1544820B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP20040106441 EP1544820B1 (en) 2003-12-11 2004-12-09 Electronic data processing device

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP03078879A EP1542181A1 (en) 2003-12-11 2003-12-11 Electronic data processing device
EP03078879 2003-12-11
EP20040106441 EP1544820B1 (en) 2003-12-11 2004-12-09 Electronic data processing device

Publications (2)

Publication Number Publication Date
EP1544820A1 EP1544820A1 (en) 2005-06-22
EP1544820B1 true EP1544820B1 (en) 2013-07-31

Family

ID=34524736

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20040106441 Active EP1544820B1 (en) 2003-12-11 2004-12-09 Electronic data processing device

Country Status (1)

Country Link
EP (1) EP1544820B1 (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB1601956A (en) * 1978-03-02 1981-11-04 Marconi Co Ltd Multiprocessor data processing systems
US4660168A (en) * 1984-03-14 1987-04-21 Grant Elwyn E Apparatus for completing a customer initiated ATM transaction
US6449699B2 (en) * 1999-03-29 2002-09-10 International Business Machines Corporation Apparatus and method for partitioned memory protection in cache coherent symmetric multiprocessor systems
CN1252597C (en) * 2000-07-18 2006-04-19 英特尔公司 Controlling access to multiple isolated memories in an isolated execultion environment
JP2002207708A (en) * 2001-01-12 2002-07-26 Mitsubishi Electric Corp Arithmetic unit
US6775750B2 (en) * 2001-06-29 2004-08-10 Texas Instruments Incorporated System protection map

Also Published As

Publication number Publication date
EP1544820A1 (en) 2005-06-22


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU MC NL PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL BA HR LV MK YU

17P Request for examination filed

Effective date: 20051209

AKX Designation fees paid

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU MC NL PL PT RO SE SI SK TR

AXX Extension fees paid

Extension state: HR

Payment date: 20051209

GRAJ Information related to disapproval of communication of intention to grant by the applicant or resumption of examination proceedings by the epo deleted

Free format text: ORIGINAL CODE: EPIDOSDIGR1

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ATOS WORLDLINE S.A.

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU MC NL PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: HR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 625029

Country of ref document: AT

Kind code of ref document: T

Effective date: 20130815

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602004042893

Country of ref document: DE

Effective date: 20130926

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 625029

Country of ref document: AT

Kind code of ref document: T

Effective date: 20130731

REG Reference to a national code

Ref country code: NL

Ref legal event code: VDEP

Effective date: 20130731

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20131202

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20131130

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130703

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20131101

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26N No opposition filed

Effective date: 20140502

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602004042893

Country of ref document: DE

Effective date: 20140502

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20131209

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

REG Reference to a national code

Ref country code: IE

Ref legal event code: MM4A

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20131209

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20131231

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20131231

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20041209

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20130731

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 12

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 13

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 14

REG Reference to a national code

Ref country code: DE

Ref legal event code: R082

Ref document number: 602004042893

Country of ref document: DE

Representative=s name: MAIWALD GMBH, DE

Ref country code: DE

Ref legal event code: R081

Ref document number: 602004042893

Country of ref document: DE

Owner name: INGENICO BELGIUM, BE

Free format text: FORMER OWNER: ATOS WORLDLINE S.A., BRUXELLES, BE

Ref country code: DE

Ref legal event code: R082

Ref document number: 602004042893

Country of ref document: DE

Representative=s name: MAIWALD PATENTANWALTS- UND RECHTSANWALTSGESELL, DE

REG Reference to a national code

Ref country code: GB

Ref legal event code: 732E

Free format text: REGISTERED BETWEEN 20220721 AND 20220727

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20231220

Year of fee payment: 20

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20231229

Year of fee payment: 20

Ref country code: DE

Payment date: 20231214

Year of fee payment: 20