FR3061326A1 - DEVICE AND METHOD FOR CREATING A TRUSTED ENVIRONMENT IN A DISTRIBUTED SYSTEM - Google Patents

Abstract

An apparatus and method for establishing in a distributed system, trusted communications between a plurality of processors having configured a trusted environment for a secure execution mode and a non-secure execution mode. In particular, the device comprises means for receiving from a source processor, a data transmission request, for data from either the secure execution mode or the non-secure execution mode; placing at least one frame in the frame of the data and in a header field of the frame an indication of the execution mode relating to the data, the header field being accessible only at the hardware level; and transmitting said frame over a network link of the distributed system.

Description

Holder (s):

THALES Public limited company.

O Extension request (s):

® Agent (s): MARKS & CLERK FRANCE General partnership.

® DEVICE AND METHOD FOR CREATING A CONFIDENTIAL ENVIRONMENT IN A DISTRIBUTED SYSTEM.

FR 3 061 326 - A1 (57) The present invention relates to a device and a method for establishing in a distributed system, trusted communications between a plurality of processors having configured a trusted environment allowing a secure execution mode and a mode. unsecured execution. In particular, the device comprises means making it possible to receive a request for data transmission from a source processor, for data originating either from the secure execution mode or from the non-secure execution mode; placing at least in the body of a frame the data and in a header field of the frame an indication of the execution mode relating to the data, the header field being accessible only at the hardware level; and transmit said frame over a network link of the distributed system.

200

DEVICE AND METHOD FOR CREATING A CONFIDENTIAL ENVIRONMENT IN A DISTRIBUTED SYSTEM

Field of the invention

The invention relates to the field of distributed systems and more particularly relates to a method and a device making it possible to establish a trusted communication between several processors of a distributed system.

State of the art

Many devices have processors which have, in addition to the standard or unsecured execution mode, a secure execution mode also known as the execution mode in a trusted environment or "Trusted Execution Environment (TEE) According to consecrated Anglicism.

In these devices, during the boot phase, the first code that runs, generally an operating system loader, has access to all of the processor resources and is in secure mode (S). The operating system loader is responsible for managing resources and allows interactions between processor resources and the various "hardware" elements such as RAM (for example, DDR-SDRAM) and interfaces to be authorized. enter exit. A specific case of I / O interface is that of communication interfaces, which allow access to a communication network such as Ethernet or a serial link such as RS-232.

The operating system loader is also responsible for managing access rights, and guarantees that resources allocated in secure mode are only used by hardware or by executable code having greater or equal rights. A hardware element or a code executing on the processor, while it is in non-secure NS mode, does not have access to any resource by default. The operating system loader can then inform certain processor resources that they can accept requests for code or hardware items running in NS mode.

Typically a device is either secure or non-secure. Communication devices are thus allocated to one or the other mode. For example, software in NS mode will communicate via Ethernet communication interface in NS mode, software in S mode will communicate via a serial link (RS-232) in mode S.

The operating system loader, in addition to the system running in S mode, may launch another unsecured operating system that will be limited to resources in NS mode. For example, you can load a Linux® kernel which then runs in non-secure mode.

The two operating systems having thus started respectively in S and NS mode, each start a set of software whose mode they determine, S or NS. There are then two environments or worlds called "secure world" and "unsecured world" which share the use of a processor in isolation.

Allocation to the secure world S or to the non-secure world NS of a hardware element can be done either at the peripheral level, or at the level of the bus allowing access to the peripheral. So if a software running in NS mode tries to access a secure device S, it generally receives a Bus Error either emitted by the device itself, or by the bus allowing access to the device. Indeed, the hardware once configured S or NS, guarantees that the non-secure world NS cannot read or write information from the secure world S.

When two or more processors, each configured with the two modes (S, NS) must be associated to form a distributed system, they generally use two separate links which reflect this isolation. Two types of communication are used, typically Ethernet for NS communications, and the serial link for S communications. Ethernet is rarely used in S mode, either because of a lack of available interface, or because it requires a set of software that can weaken the security of software running in S mode. To overcome this, a serial link is set up, resulting in a doubling of the number of connectors and cables, which induces a lower communication speed for S mode, and communications limited to point-to-point, or point-to-multipoint but in unidirectional mode, for the secure side.

It is possible to use only one type of communication, the material control of which is entrusted to one of the two worlds S or NS. Generally, it is the S world which needs guaranteed communication, which by nature the NS world cannot offer. All communications from the NS world must then pass through the S world. This results in major drawbacks, such as:

- the communication between the S world and the NS world is more complex, in that it increases the attack surface;

- repeated passage of the transmission parameters through the S-NS transition is costly in execution time;

- the performance requirement of the NS world is managed by the S world.

This results in greater complexity in the S world, difficulty in maintaining the code, and a reduction in overall performance compared to a system that does not have a trusted environment (TEE).

Thus, there is the need for a solution which allows, in a distributed system, communications between processors operating in a trusted environment, and which overcomes the drawbacks of known approaches. The present invention meets this need.

Summary of the invention

To achieve this objective, an object of the present invention is to provide a device and a method which make it possible to propagate secure or non-secure information through a single network link. The method of the invention is based on the use of a communication interface called "Trust Aware Adapter", which when it receives a request via a system bus associated with a source processor, determines whether the request is a request emitted from the secure world or from the unsecured world, and constructs a message containing the information of the world corresponding to the source request for sending to the destination.

At the destination, the communication interface which receives the message, identifies by reading the frame received which execution mode the source request belongs to, and requests at the target processor level software of the secure or non-secure type which is appropriate.

Advantageously, the destination communication interface is a hardware device which operates autonomously without intervention from a software level. The communication interface in transmitter or receiver mode, uses to mark the message as secure or unsecured, fields of the communication protocol of the distributed system which are not accessible at software level. In a particular implementation, the communication protocol is the RapidIO ™ protocol, and the field used to indicate the information of the execution mode is the virtual field VC "Virtual Channel".

Thus, the trusted environment (TEE) is extended to the level of a distributed system on a network, and it becomes possible to create a secure distributed environment for a set of secure worlds, without doubling the connectivity for communications.

Advantageously, these secure worlds operating together can then provide a higher level of service, by virtue of the overall view that they have on the distributed system, the network topology being insignificant for operating the invention. The network is shared between the two worlds, so they are not located on every node in the network, but they each form a distributed system that operates on a single network.

Advantageously, the invention makes it possible to limit the number of communication interfaces used, by proposing a single interface for managing the secure and non-secure modes of execution. The invention also makes it possible to use communication interfaces allowing both high-performance and multipoint, two-way communications, both from the secure world and from the non-secure world.

Advantageously, the invention makes it possible to use the communication interfaces, such as the RapidIO peripherals, effectively by preserving the isolation of the two worlds secure and non-secure, without impacting their software, thus preserving their simplicity, in particular in the secure part.

The invention will find advantageous applications in the fields where TEE trusted environments are used, such as:

- security: this is a privileged application domain of the TEE, which guarantees the respect of a chain of trust starting from a cryptographic key stored in the silicon of the processor. The isolation of the secure world allows you to save passwords, and host confidential algorithms. This makes it possible to offer encryption and signature functions for data protection, to give access to a secure GPS, to manage digital rights, to give access to payment systems, etc. These typically secure functions are thus made available to a standard Windows® or Android® operating system (OS) in the non-secure world.

- supervision: the secure world can observe the operation of the non-secure world at regular intervals. This makes it possible to detect breakdowns, intrusion attempts, measure the level of use of software and hardware resources, etc. It can also cause an unsafe world OS to be suspended or restarted. This type of use is envisaged for example in the context of drones, systems which must guarantee vital functions in autonomy.

- real-time: the TEE can be configured so as to guarantee the reactivity of the secure world, independently of the processing in progress on the non-secure side. The secure world can host a hard real-time OS, which thus shares hardware resources with a more complex OS on the non-secure side. This type of operation is found in complex sensor-actuator networks, which combine regular data acquisition and precise motor control functions, with analysis functions restoring a first level of synthesis on the acquired data or the system operation.

The systems operating in a TEE environment which can benefit from the invention are for example microprocessors of smartphones, tablets, set-top boxes, televisions, electronic cards, type DSP, FPGA, ASIC, and of any system on machines. small sizes or on autonomous electronic devices (space probes, on-board computer, ...) or data centers.

To obtain the desired results, a device and a method are proposed.

In particular, a device is proposed for establishing in a distributed system, trusted communications between a plurality of processors, each processor having configured a trusted environment allowing a secure execution mode and a non-secure execution mode, the device comprising means allowing:

- to receive from a source processor, a data transmission request, for data originating either from the secure execution mode or from the non-secure execution mode;

- placing at least in the body of a frame said data and in a header field of said frame an indication of the mode of execution relating to said data, said header field being accessible only at the hardware level; and

- to transmit said frame on a network link of the distributed system.

Advantageously, the frame has a format adapted to the communication protocol used in the network of the distributed system. In an implementation, the communication protocol is the RapidIO protocol, the frame format is the RapidIO format and the indication of the data execution mode is placed in the Virtual Channel (VC) field of the RapidIO frames. In an alternative embodiment, the indication of the data execution mode is the state of zero or one of a bit.

According to one embodiment, the transmission request is sent on a system bus of the source processor. In a variant, the system bus is a bus according to the Advanced Microcontroller Bus Architecture (AMBA) standard.

According to implementation modes, the source processor is a microprocessor synthesized on a programmable logic circuit (FPGA) or a circuit on chip (SoC).

According to one embodiment, the network link is coupled to a network switch. The network can be a ring network or a mesh network or a star network.

The invention also covers the claimed device, further comprising means allowing:

- receive a frame sent over a network link;

- determine the execution mode to apply to the data contained in the frame; and

- issue a corresponding transfer request.

A communication system in accordance with the invention includes:

- a source processor configured in a trusted environment;

- a recipient processor configured in a trusted environment;

- a network connecting the source processor to the destination processor by network links;

- a communication interface coupled to the source processor and which comprising the claimed device; and

- a communication interface coupled to the destination processor and which includes the claimed device.

The invention also covers a method for establishing in a distributed system trusted communications between a plurality of processors, each processor having configured a trusted environment allowing a secure execution mode and a non-secure execution mode. The method is characterized in that it comprises at least one step consisting in transmitting on a network link of the distributed system, a frame containing in the frame body data coming either from the secure execution mode or from the non-execution mode. -secured, the frame further containing in a header field, an indication of the execution mode relating to the data, the header field being accessible only at the hardware level.

In one embodiment, the step of transmitting a frame is operated by a communication interface coupled to a source processor and to the network link.

According to the embodiments, the method comprises before the step of transmitting a frame, the steps of:

- generate a data transmission request on a system bus of a transmitting processor, the data coming from the secure execution mode or from the non-secure execution mode; and

- place in the body of the frame the data and in the header field of the frame only accessible at the hardware level, the indication of the execution mode relating to the data.

Advantageously, the claimed method operates for an AXI type system bus, a format of the RapidIO frame and an indication of the data execution mode placed in the Virtual Channel (VC) field of the RapidIO frame.

The method may further comprise, after the step of transmitting a frame, the steps of:

- transmit the frame to a destination processor of the distributed network; and

- determine upon receipt of the frame, the data execution mode.

Certain steps of the method of the invention can operate in the form of a computer program product which includes code instructions for performing these steps when the program is executed on a computer.

Description of the figures

Various aspects and advantages of the invention will appear in support of the description of a preferred mode of implementation of the invention but not limiting, with reference to the figures below:

FIG. 1 illustrates under a schematic view at the software level a known implementation of the secure and non-secure worlds in a processor element;

Figure 2 illustrates in a schematic view, an implementation at the hardware level of the device of the invention according to one embodiment;

FIG. 3 illustrates an example of a frame according to the RapidIO protocol;

FIG. 4 illustrates a simplified architecture of a network of distributed systems in which the device of the invention can operate according to one embodiment;

FIG. 5 shows a sequence of steps in the process for transmitting a packet according to an embodiment of the invention;

FIG. 6 shows a sequence of steps in the method of receiving a packet according to an embodiment of the invention.

Detailed description of the invention

The description which follows is based on examples to allow a good understanding of the principles of the invention, and a concrete application, but is in no way exhaustive and must allow the person skilled in the art to apply modifications and modifications. implementation variants keeping the same principles. Thus, the present description of the invention is made to illustrate an implementation in a distributed system operating according to the RapidIO protocol but is not limiting, and can be used according to other architectures and communication protocols making it possible to interconnect processors of distributed systems.

Figure 1 shows at software level the implementation of the non-secure (102) and secure (104) worlds on a typical processor element (100). Such a processor element (100) can be a microprocessor synthesized on a programmable logic circuit “FPGA” for example or a circuit on chip (SoC), which can also include a plurality of processors. In the following description, the processor element (100) for applying the principles of the invention, more generally designates any autonomous data processing system or entity capable of communicating with another autonomous data processing system or entity. a network of distributed systems. Furthermore, only the components allowing a good understanding of the principles of the invention are described, the other components (memories, clocks, hypervisor, etc.) of a typical processor element being known to those skilled in the art are not detailed. The processor element (100) is configured on initialization to define a trusted environment (TEE), and to have software resources (102) running in non-secure mode NS and software resources (104) running in secure mode S. In known manner, for platforms of the system on a chip or “System on chip (SoC)” type in English, which implement a TEE trusted environment, the S or NS status of a code is accessible to processor level according to the state 0 or 1 of a specific bit (101) which, depending on its value, designates the secure character S or the non-secure character NS of the software being executed.

In an implementation of a TEE platform, this bit is called "Unsecured bit" (or "NS bit" in English) and is available in a secure configuration register (SCR). The unsecured (102) and secure (104) software resources are coupled to an input-output interface (110) via an input-output port (106). This output port is structured and can be divided into the following parts:

- a security configuration (108) for configuring the access rights of the NS software to the input-output interface. It takes into account the status bit (101) to ensure that it is only handled by the secure software;

- I / O input / output channels (107) for exchanging data between the software and the input / output interface. These channels take into account the status bit (101) to ensure consistency with the configuration of access rights;

- interrupt signals (109) allowing the input-output interface (110) to signal the availability of incoming data to the software. In a preferred implementation, there are two interrupt signals called "FIQ" for "Fast Interrupt Request" in English and "IRQ" for "Interruption Request" in English. The signal FIQ is dedicated to the world S because its use can be protected there from the world NS, while the signal IRQ is dedicated to the world NS.

Parts, I / O channels (107) and interrupt signals (109) can be duplicated. In an implementation, each part and its replica are dedicated respectively to S or NS exchanges.

The invention relates to input-output interfaces (110) which are communication interfaces. Since existing systems do not allow access to the communication interface simultaneously from the S and NS worlds in a coherent manner, this interface is then reserved for one of the two worlds, and the NS bit is transmitted to the interface in order to that she can forbid the other world to use it. The I / O channels (107) and interrupt signals (109) therefore only interact with one of the two worlds.

Advantageously, when a communication interface implements the method of the present invention, the two worlds S and NS can use it coherently. The principles illustrated in Figure 1 remain unchanged, the only differences then being that:

- the S and NS worlds can both use the input-output channel (107);

- the interrupt signals (109) can request the two worlds S and NS when the incoming data is available. In a preferred implementation, both the IRQ and FIQ interrupt signals are activated at the same time.

Advantageously, the method of the invention ensures that the data respectively from each world S and NS are transmitted at the level of the recipients, only to software belonging to the same world. The method of the invention makes it possible to use any transfer mode, such as DMA transfer for example, while respecting the separation of the S and NS worlds. Once notified, the recipient world S or NS has access to the frame.

FIG. 2 illustrates an implementation of the device of the invention. The requests to be transmitted over the network of a distributed system can either be unsecured requests called 'NS requests' from a non-secure software block (102) called 'NS initiator', or be secure requests called 'S requests' from a secure software block (104) called 'initiator S'. It should be noted that the same elements, whether hardware or software, bear the same references in the different figures. The initiators NS (102) and S (104) are coupled to a communication interface (110) via an interconnect bus (202) and an input / output port (106). This bus carries the transfer information while including the associated S or NS information, originating from the initiator of the transfer. In a preferred implementation, the interconnection bus is according to the AMBA® standard (Advanced Microcontroller Bus Architecture) from version 3. This bus carries read and write requests and carries address and data information as well as an NS bit. The S or NS information is transmitted to the I / O communication interface (110). In the context of known systems, the bus (202) or the interface (110) use this information to authorize or not authorize NS access to the interface (110).

The communication interface (110) is coupled to a network switch (204) via a network input / output (I / O) link (210). From a hardware point of view, the network switch (204) can either be located on the same hardware component as the bus (202), or on another component and connected by a cable type link.

The network switch (204) has I / O interfaces (not shown) allowing communications via other network links (212) to nodes in the distributed system. Frames sent over the network link (210) can pass through multiple switches before reaching a communication interface (110) on the destination nodes. In a particular implementation where there is no switch, we speak of a direct link via a single network link between two interfaces (110).

The general principle of the invention thus consists in providing a communication interface (110) accessible to the two worlds S and NS of a processor element through an interconnection bus, the interface retaining information from the world S or NS original, and generating on a single network link (210), a frame configured according to this information S or NS.

During the network crossing, the information of the originating S / NS world is not modified by the intermediate routing nodes of the network through which the frame passes. Advantageously, this information can also be used to guarantee the associated quality of service from start to finish. At destination, on the communication interface (110) of a destination node, this information of the original mode is used to activate a reception signal corresponding to the S or NS software of the destination processor. The association between the network frame and the S / NS information which it carries, is made in such a way that this information is made invisible to the software, in particular in NS mode. For this, the information from the original S / NS world is not transmitted as data, which would be visible at the software level. To be invisible at the software level, information from the original S / NS world is transmitted in a frame header, which is visible only at the hardware level.

In an implementation according to the RapidIO protocol, the format of the packets or frames (“frame” in English) at the physical level which are transmitted over the network is as shown in FIG. 3. Each packet has fields (40 to 44) which are only accessible from the communication interface (110):

- AcklD (40): package specific identifier for a link;

- VC (41): Virtual Channel defines the use of priority fields (42) and "CriticaIRequest Flow" (43);

- TT (44): size of the source and destination identifiers.

The packets also have fields (45, 46, 47) allowing to define the identifiers of the source 'Srcld' (47) and the destination 'Destld' (46) of the packet and the request type 'FType' (45 ) contained in the package.

Those skilled in the art can refer to the numerous literature available for more details on the RapidIO protocol.

In this implementation, the communication interface (110) is configured so that the value of the NS bit corresponding to the world of origin is applied to the ‘VC’ field (41) of RapidIO packets. Thus, any transmitted packet carries in its header which is visible only at the hardware level, the value of the bit NS representative of the world NS or S from which the transmitted data come. This value is kept throughout the transport of the packet in the network to the destination.

On reception of a transmitted packet, the communication interface of the processor element which receives the packet extracts the value contained in the header field VC to identify the NS or S status of the data, and associates the received packet with the world. corresponding.

Advantageously, the use of a protocol field which is not accessible at the software level makes it possible to avoid attacks of the “VLAN DoubleTagging” type.

Although a preferred implementation is that according to the RapidIO protocol, those skilled in the art can derive the same principles for any other transport protocol offering the ability to transmit S / NS information invisibly at the software level.

Advantageously, the communication interface of the invention further comprises components (not shown) adapted to offer a high-level hardware interface, in particular allowing direct access transfers (DMA) to the memory of the processor element. , and allowing routing entirely controlled by configuration tables of the controller. In addition, S and NS accesses are associated with qualities of service which are configured from the secure world. The qualities of service correspond to conventional network sharing methods, namely:

- by priority where secure access has priority and associated data is transmitted in priority;

- by portion of the network speed where each access has a reserved portion, so that each TEE mode has a guaranteed speed.

In an implementation where the trusted environment is used to guarantee security over a network and the physical part of this network is possibly exposed to physical attacks, appropriate protection is applied to the packet header , such as a signature and authentication, to guarantee the preservation of secure or non-secure access.

FIG. 4 illustrates in a schematic view at the hardware level, an architecture of a network of distributed systems in which the device of the invention can operate according to one embodiment. For reasons of clarity and simplification of the description and without this being considered as a limitation, the figure shows a single transmitting processor element (200_E), which can communicate through a single element network (400) receiver processor (200_R) via network links (212). Each processor element comprises respectively at the hardware level, at least one interconnection bus (202_E, 202_R) and a communication interface (110_E, 110_R) configured according to the communication protocol. Optionally a network switch (204_E, 204_R) can be added to access the network link.

It should be noted that the network topology is not imposed and that the device and method of the invention are applicable in various types of networks, such as ring networks, mesh or star networks.

FIG. 5 shows a sequence of steps in the process for transmitting a packet according to the principle of the invention. The method begins when a communication request is initiated at the secure or insecure world level in a processor element. A corresponding message is prepared (502) and transmitted on the system bus of the processor element (504). In an AMBA® implementation, the message is prepared by an AXI Master component and sent on the AXI bus.

The message is then written (506) at the level of the communication interface. The method creates (508) the physical level of the packet to be sent. Then, in a following step (510), the method makes it possible to configure the header of the packet by positioning in the secure bit field which is reserved according to the communication protocol used, the value of the bit corresponding to the secure or non-secure origin secure request. The packet thus configured is transmitted and transmitted (512) over the physical layer of the communication network to be routed to the destination processor. In a preferred implementation, the packet transmitted is a RapidIO frame whose VC field contains a bit value equal to 0 or 1 depending on the origin of the request.

FIG. 6 shows a sequence of steps in the method of receiving a packet according to the principle of the invention. The method begins when a packet is received (602) by a communication interface via a network switch. According to the principles of the invention, the interface is configured to extract (604) the value of the bit contained in the header field of the frame which is used to indicate the required mode of execution. The method then makes it possible to create (606) a message or a transfer request which is adapted to the architecture of the recipient processor element. In a next step (608), the method makes it possible to determine whether the message is a message of secure or insecure type and, depending on the result, to transfer the request to the appropriate zone of the processor element corresponding to the secure execution mode or non-secure (610, 612).

Those skilled in the art will appreciate that variations can be made on the method which is described for a preferential implementation. Thus, the examples taken are based on a TEE architecture of the AMBA® type, but the principles of the invention can be applied to other variants of architecture.

Furthermore, even if the description describes a method for transmitting packets and a method for receiving packets, the two methods can be operated by the same communication interface as a transmitter / receiver.

The method of the present invention can be implemented using hardware (ASIC, VLSI for example) and / or synthesis (FPGA) elements. When the communication interface is implemented with dedicated software which is not accessible to the main processor, the process can be implemented, in whole or in part, by this dedicated software. Such a case occurs for example in the DPAA2 / AIOP® solution from NXP. This method may therefore be available as a computer program product on a computer-readable medium.

Claims (17)

Claims 1. A device for establishing in a distributed system, trusted communications between a plurality of processors, each processor having configured a trusted environment allowing a secure execution mode and an unsecured execution mode, the device comprising means allowing : - to receive from a source processor, a data transmission request, for data originating either from the secure execution mode or from the non-secure execution mode; - placing at least in the body of a frame said data and in a header field of said frame an indication of the mode of execution relating to said data, said header field being accessible only at the hardware level; and - to transmit said frame on a network link of the distributed system. 2. The device according to claim 1, in which the frame has a format adapted to the communication protocol used in the network of the distributed system. 3. The device according to claim 2 in which the communication protocol is the RapidIO protocol, the frame format is the RapidIO format and the indication of the data execution mode is placed in the Virtual Channel (VC) field of the RapidIO frames. 4. The device according to any one of claims 1 to 3 in which the transmission request is transmitted on a system bus of the source processor. 5. The device according to claim 4, in which the system bus is a bus according to the Advanced Microcontroller Bus Architecture (AMBA) standard. 6. The device according to any one of claims 1 to 5 in which the indication of the mode of execution of said data is the state of zero or one of a bit. 7. The device according to any one of claims 1 to 6 in which the source processor is a microprocessor synthesized on a programmable logic circuit (FPGA) or a circuit on a chip (SoC). 8. The device according to any one of claims 1 to 7 in which the network link is coupled to a network switch. 9. The device according to any one of claims 1 to 8 in which the network is a ring network or a mesh network or a star network. 10. The device according to any one of claims 1 to 9 further comprising means allowing: - receive a frame sent over a network link; - determine the execution mode to apply to the data contained in the frame; and - issue a corresponding transfer request. 11. A communication system comprising: - a source processor configured in a trusted environment; - a recipient processor configured in a trusted environment; - a network connecting the source processor to the destination processor by network links; - a communication interface coupled to the source processor comprising a device according to any one of claims 1 to 10; and - a communication interface coupled to the destination processor comprising a device according to claim 10. 12. A method for establishing in a distributed system trusted communications between a plurality of processors, each processor having configured a trusted environment allowing a secure execution mode and an unsecured execution mode, the method being characterized in that '' it comprises at least one step consisting in transmitting on a network link of the distributed system, a frame containing in the frame body data coming either from the secure execution mode or from the non-secure execution mode, the frame containing no longer in a header field, an indication of the execution mode relating to said data, said header field being accessible only at the hardware level. 13. The method according to claim 12 in which the step of transmitting a frame is operated by a communication interface coupled to a source processor and to said network link. 14. The method according to claims 12 or 13 comprising before the step of transmitting a frame, the steps of: - generate a data transmission request on a system bus of a transmitting processor, the data coming from the secure execution mode or from the non-secure execution mode; and - place in the body of the frame said data and in the header field of the frame only accessible at the hardware level, the indication of the execution mode relating to said data. 15. The method according to claim 14 in which the system bus is an AXI bus, the frame format is the RapidIO format and the indication of the data execution mode is contained in the Virtual Channel (VC) field of the frames RapidIO. 16. The method according to any one of claims 12 to 15 comprising, after the step of transmitting a frame, the steps of: - transmit the frame to a destination processor of the distributed network; and - determine upon receipt of the frame, the data execution mode. 17. A computer program product, said computer program comprising code instructions making it possible to carry out the steps of the method according to any one of claims 12 to 16, when said program is executed on a computer. 1/6 100 101