JP2006107040A - Semiconductor integrated circuit - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To reject the malicious utilization of a program, such as the acquisition, etc. of security information in an external space. <P>SOLUTION: A central processing unit (12) constitutes a first function of distinguishing whether a keycode captured through a second external terminal (T4) coincides with a preset code by the execution of a boot jump code, and a second function of fetching and executing a program stored in an external memory (20) when it is judged that the keycode captured through the second external terminal by this first function coincides with the preset code. Since the program stored in a memory arranged outside of a semiconductor integrated circuit is not fetched and executed unless the keycode captured through the second external terminal coincides with the preset code, the malicious utilization of the program in the external space can be rejected. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a semiconductor integrated circuit, and further to a security technique therefor, for example, a technique effective when applied to a microcomputer.

  The microcomputer formed on one semiconductor substrate is a CPU (Central Processing Unit), ROM (Read Only Memory) for program storage, RAM (Random Access Memory) and timer, A / D (Analog / Digital) This is a microcomputer used for a comparatively small-scale controller in which peripheral functions such as a converter and a D / A (digital / analog) converter are accommodated on one semiconductor chip (for example, Patent Document 1). The ROM is often a mask ROM, but a programmable ROM capable of field programming is also used. For this reason, buses such as the address bus and data bus are not drawn out as signal pins, and the external pins are used as system interface signal pins for peripheral functions and systems outside the microcomputer except for power supply and some control signals. Assigned.

JP-A-6-348867 (second paragraph)

  The microcomputer executes a program from the top address of the built-in ROM according to the default value of the program counter included in the CPU and starts it (this is called “normal boot”), and a function for the convenience of debugging the user program As an internal ROM invalid mode. Here, the difference between the normal boot mode and the built-in ROM invalid mode will be described.

  FIG. 3 shows a normal boot flow.

  In a normal boot, a power-on reset is performed by turning on the power. When the power-on reset is canceled (ST1), user program data (instruction / operand) is read from the start address of the built-in ROM 19 according to the default value of the program counter included in the CPU 12. It is fetched (ST2) and executed (ST3). When an expansion ROM 20 storing a user program is connected to an external expansion bus such as a PCI bus or a ROM / SRAM bus, the expansion user program data (instructions / operands) of the external expansion ROM 20 is executed by the CPU 12. It is possible. In this case, since the boot program in the internal ROM 19 must always be executed, the boot program cannot be placed outside and used freely.

  FIG. 4 shows the flow of the built-in ROM invalid mode.

  In the internal ROM invalid mode, the external terminal for invalidating the internal ROM 19 is set to the enable state by the internal ROM invalid mode selection signal so that the value of the program counter in the CPU 12 indicates the start address of the expansion ROM 20. When it is changed (ST11) and the power-on reset state is released (ST12), the CPU 12 is activated by executing the program from the top address of the expansion ROM 20 (ST13, ST14). According to this mode, a program placed in the external memory space can be used without being restricted by the internal ROM 19. However, since the external memory space can be used without being restricted by the internal ROM 19 by setting only the external mode terminal, a malicious end user is provided with a means for obtaining personal information and copyright information on the system. There is a risk that

  As described above, in the internal ROM invalid mode for the convenience of debugging, the internal ROM can be easily invalidated and booted from the external space only by the external mode terminal, which is convenient for system debugging. Since the end space other than the system manufacturer can use the external space, the built-in ROM invalidation function may become a security hole in the system. As a result, a malicious program such as acquisition of security information may be used in the external space.

  An object of the present invention is to provide a technique for eliminating the use of a malicious program in an external space, such as acquisition of security information.

  The above and other objects and novel features of the present invention will be apparent from the description of this specification and the accompanying drawings.

  The following is a brief description of an outline of typical inventions disclosed in the present application.

  That is, a first storage area storing a first program executed in normal boot, a second storage area storing a second program executed in boot at the time of debugging, the first program and the second A first external terminal capable of selectively designating a program; a second external terminal capable of externally inputting a key code; and the first program and the second program according to designation from the first external terminal A central processing unit that can selectively execute the second program, and the central processing unit that executes the second program has a key code fetched via the second external terminal as a preset code. When it is determined by the first function that determines whether or not they match, and the key code fetched via the second external terminal matches the preset code by the first function , And a second function of executing a program stored in a memory provided outside of the semiconductor integrated circuit.

  According to said means, said 1st function discriminate | determines whether the key code taken in via said 2nd external terminal corresponds with the code set beforehand by execution of said 2nd program. The second function is arranged outside the semiconductor integrated circuit when it is determined by the first function that the key code taken in via the second external terminal matches a preset code. The program stored in the stored memory is executed. As a result, unless the key code fetched via the second external terminal matches the preset code, the program stored in the memory arranged outside the semiconductor integrated circuit is executed. Absent. This eliminates the use of malicious programs in the external space, such as security information acquisition.

  The central processing unit can be configured to execute the second program in an infinite loop as long as the key code fetched via the second external terminal does not match a preset code.

  When the key code fetched via the second external terminal does not match a preset code, the central processing unit executes the first program regardless of designation from the first external terminal. It can be configured to execute.

  The first storage area and the second storage area are formed at different addresses in the same semiconductor memory, thereby simplifying the hardware configuration.

  At this time, it is possible to provide a logic gate for involving the logic state of the first external terminal in the formation of the address signal for accessing the semiconductor memory.

  The effects obtained by the representative ones of the inventions disclosed in the present application will be briefly described as follows.

  That is, it is possible to provide a technique for eliminating the use of a malicious program in the external space, such as acquisition of security information.

  FIG. 10 shows a microcomputer as an example of a semiconductor integrated circuit according to the present invention. The microcomputer 10 is not particularly limited, but includes an internal bus controller 11, a CPU 12, a serial interface and timer and an interrupt controller 13, an external bus controller 14, an input port 29, DMAC (direct memory access controller) 15, 18, Bus bridge 17, 21, ROM 19, interrupt controller 20, audio controller 23, display controller 24, graphic engine 25, MPEG (Moving Picture Coding Experts Group) accelerator 26, DDR (double data rate) memory bus controller 27, logic circuit 30, a PLL (Phase Locked Loop) circuit 31, a reset circuit 32, and a single crystal silicon substrate by a known semiconductor integrated circuit manufacturing technique Is formed to which a single semiconductor substrate. The CPU 12, the serial interface and timer, the interrupt controller 13, the external bus controller 14, the input port 29, the DMAC 15, and the bus bridges 17 and 21 are coupled to each other via the bus 16 so as to exchange data. The bus bridge 17, the DMAC 18, the two ROMs 19 </ b> A and 19 </ b> B, the interrupt controller 20, the audio controller 23, the display controller 24, the graphic engine 25, and the MPEG accelerator 26 are coupled to each other via the bus 22 so as to exchange data. . The ROM 19A stores a normal boot program (referred to as “normal boot program”). This normal boot program corresponds to the first program in the present invention. The ROM 19B stores a boot jump code executed for booting during debugging. Here, the boot jump code corresponds to the second program in the present invention. The audio controller 23, display controller 24, graphic engine 25, and MPEG accelerator 26 are coupled to the DDR memory bus controller 27. Although not particularly limited, the input port 29 enables input of parallel data having a plurality of bits through the input terminal T4. The input terminal T4 has a plurality of terminals corresponding to the bit configuration of the input port 29. including. The input terminal T4 is used for data input / output in the normal operation of the microcomputer 10, and is used for key code input in the built-in ROM invalid mode as described later. The bus 16 and the bus 22 are connected by a bus bridge 17. The bus 16 and the DDR memory bus controller 27 are coupled by a bus bridge 21.

  The CPU 12 performs predetermined arithmetic processing according to a predetermined program. The internal bus controller 11 performs bus control such as wait insertion when data is exchanged via the bus 16. The serial interface, timer, and interrupt controller 13 process a serial interface unit that enables serial data exchange with the outside, a timer unit for time measurement, and external interrupt requests according to a predetermined priority order. Including an interrupt control unit. The external bus controller 14 performs predetermined bus control for enabling data exchange with the outside via various externally connected buses such as a PCI bus, an SRAM bus, or a ROM bus. The DMACs 15 and 18 perform DMA control that enables data exchange without the intervention of the CPU 12. The built-in ROM 19 stores a code for boot jump. In the boot jump mode, booting from the built-in ROM is invalidated. The interrupt controller 20 controls interrupt requests from various internal modules according to a predetermined priority. The DDR memory bus controller 27 realizes high-speed data transfer using both rising and falling of a clock signal with an externally coupled DDR memory. The audio controller 23 performs audio output control of audio data taken in via the DDR memory bus controller 27. Audio data is externally output under the control of the audio controller 23. The display controller 24 performs external output control for displaying image data captured via the DDR memory bus controller 27. The graphic engine 25 performs various arithmetic processes on the image data taken in via the DDR memory bus controller 27. The MPEG accelerator 26 processes the moving image data taken in via the DDR memory bus controller 27 at a high speed using dedicated hardware. The logic circuit 30 takes in the boot jump mode signal via the boot jump mode terminal T1, and performs control for selecting the boot program for the CPU 12 based thereon. The PLL circuit 31 forms a predetermined internal clock signal in synchronization with a clock signal input from the outside via the clock input terminal T2. The reset circuit 32 takes in a power-on reset signal input via the power-on reset terminal T3, and issues an interrupt request for resetting to the CPU 12.

  The operation of the above configuration will be described.

  FIG. 1 shows the relationship between the main part of the microcomputer and signals exchanged there.

  The microcomputer 10 is a function for the convenience of debugging the user program separately from the normal boot in the normal operation that allows the user system to control the operation of the user system by executing the user program while mounted in the user system. , Has a boot jump mode for enabling or disabling enabling the internal ROM and enabling the external space ROM. In the boot jump mode, the key code fetched via the input terminal T4 is checked in order to determine whether or not to access the external space. The actual execution procedure is as follows.

  First, the boot jump mode terminal T1 is set to a high (H) level by the boot jump mode signal, so that the ROM 19A is set invalid (ST21). When the power-on reset state is released (ST22), program data is fetched from the ROM 19B including the boot jump code (ST23). Then, the boot jump code is executed by the CPU 12 (ST24), and the setting of the input port 29, the reading of the state of the input port 29, and the key code (permission code for accessing the ROM 20 in the external space) are compared. Codes for reading the input port 29 and comparing key codes are executed in an infinite loop in the CPU 12 and access to the expansion ROM 20 is blocked. The reference key code information is stored in the ROM 19B. Since the ROM 20 is not accessed unless the reference key code information matches the key code input via the input terminal T4, the ROM 20 appears to be locked on the system.

  Specifically, when a key code is input via the input terminal T4. The CPU 12 takes in the key code via the input port 29 (ST25). The key code is not particularly limited. For example, in the case of a 16-bit port, “H′5A5A” is set. The longer the key code, the higher the security level. If the key code fetched via the input terminal T4 matches the predetermined code, the CPU 12 fetches the instruction data from the head address of the ROM 20 where the debug program is placed (ST27). It is executed (ST28).

  The processing content of the boot jump code is limited, and the code size can be very small. Therefore, unlike the ROM 19A, the ROM 19B may have a small storage capacity and can be a register.

  Next, when the boot jump mode terminal T1 is set to a low (L) level by the boot jump mode signal and the ROM 19A is enabled, the non-boot jump mode is designated. That is, as shown in FIG. 2, when the boot jump mode terminal T1 is set to the low level, the ROM 19A is enabled (ST21), and the power-on reset state is released by the power-on reset signal, the CPU 12 incorporates it. User program data (instruction / operand) is fetched from the head address of the ROM 19A (ST23), and is executed by the CPU 12 (ST24). In executing the user program in the built-in ROM 19A, the extended user program data (instruction / operand) is fetched from the head address of the ROM 20 (ST25) and executed by the CPU 12 (ST26). Note that the ROM 19B is unused when the boot jump mode terminal T1 is set to the low level and the ROM 19A is enabled.

  According to the above example, the following operational effects can be obtained.

  (1) The CPU 12 determines whether or not the key code fetched through the input terminal T4 matches the preset code by executing the boot jump code, and the external code corresponding to the determination result The program stored in the memory arranged in is fetched and executed. Thereby, unless the key code fetched via the input terminal T4 matches the preset code, the program stored in the memory arranged outside the semiconductor integrated circuit is fetched and executed. There is no. This eliminates the use of malicious programs in the external space, such as security information acquisition.

  (2) The central processing unit can be configured to execute the boot jump code in an infinite loop as long as the key code fetched via the second external terminal does not match a preset code. . Access to the expansion ROM 20 is blocked. The reference key code information is stored in the ROM 19B. At this time, since the ROM 20 is not accessed unless the key code input through the input terminal matches the preset code, the ROM 20 appears to be locked on the system.

  (3) The hardware configuration can be simplified by forming the storage area for the normal boot user program and the storage area for the boot jump code in one ROM.

  FIG. 5 shows another configuration example of the microcomputer 10.

  In the configuration shown in FIGS. 1 and 2, since an infinite loop was used to check the key code, it appeared to be locked on the system. In the example shown in FIG. 5, when the key code comparison fails once, the boot from the normal built-in ROM is performed. Basically, when the key code is matched after entering the boot jump mode, the processing in the non-boot mode is the same as the case shown in FIGS. 1 and 2, but the operation when the key code comparison fails Unlike the case shown in FIG. 1 and FIG. 2, it seems to the user that it does not differ from a normal boot. For this reason, even if the boot jump terminal T1 is set to a high level, it is difficult to know the existence of the boot jump mode itself. Hereinafter, this example will be specifically described.

  First, the boot jump mode terminal T1 is set to the high level by the boot jump mode signal, so that the ROM 19A is set invalid (ST31). Here, an incorrect key code is input to the input terminal T4 (ST32). When the power-on reset state is released (ST33), program data is fetched from the ROM 19B including the boot jump code (ST34). Then, the boot jump code is executed by the CPU 12, and the setting of the input port 29 and the state of the input port 29 are read (ST35). The state of the input port 29 is read (ST36). In this example, since an incorrect key code is input to the input terminal T4, in the key code comparison process of the CPU 12, it is determined that the input key code is incorrect, and the ROM 19A is accessed (ST37). As a result, the normal boot user program data is fetched from the head address of the ROM 19A to the CPU 12, and is executed by the CPU 12 (ST38). Note that the processing in the boot jump mode when the key codes coincide with each other and the processing in the non-boot mode are the same as those shown in FIGS. 1 and 2, respectively, so description thereof will be omitted here.

  FIG. 6 shows another configuration example of the microcomputer 10.

  In the above example, the ROM 19A for the normal boot user program and the ROM 19B for the boot jump code are separately provided. However, the storage area for the normal boot user program and the storage area for the boot jump code are combined into one. It is possible to simplify the hardware configuration by forming it in the ROM. In the microcomputer 10 shown in FIG. 6, a boot jump code storage area and a boot jump code storage area are formed in a ROM 19A having a normal boot user program storage area. Are formed in one ROM 19A. In such a configuration, the processes from steps ST41 to ST48 correspond to steps ST1 to ST8 in FIG. 1, respectively. When a normal boot user program storage area and a boot jump code storage area are formed in one ROM 19A, it becomes possible to select a boot destination with a minimum current logical scale.

  FIG. 7 shows the formation of the address signal and the ROM address map in the configuration shown in FIG. The logic gates 71 and 72 perform a logical operation on one bit of the address of the ROM 19A and the boot jump mode signal, and the output is replaced with one bit of the address of the ROM 19A, thereby booting from other than the normal boot address. . Immediately after the power-on reset, when the boot jump terminal is at a low level, A4 = 'L' enters the ROM 19A, so that the normal boot is performed from address 0. On the contrary, when the boot jump terminal is at the high level, A4 = 'H' enters the ROM 19A, so that the execution of the program is started from address 16 where the boot jump code is placed.

  In the above example, the input port 29 for capturing the key code in parallel format is provided, but the key code may be captured by serial communication. Furthermore, if the data of the part directly entering the microcomputer 10 is previously encrypted, the security is further improved. In this case, as shown in FIG. 8, the key code is processed by the serial interface 81 with an encryption function to be converted into encrypted serial data and then supplied to the microcomputer 10 via the input terminal T4. (ST56). Inside the microcomputer 10, a serial interface 82 with a decryption function capable of decrypting the output signal of the serial interface 81 with the encryption function is provided. Other processes (ST51 to ST55, ST57, ST58) except that the key code is encrypted and captured in the serial format are the same as the processes (ST21 to ST25, ST27, ST28) in the microcomputer 10 shown in FIG. is there.

  FIG. 9 shows another configuration example of the microcomputer 10. The microcomputer 10 shown in FIG. 9 is greatly different from that shown in FIG. 8 in that a serial interface 92 having an access history information storage area is provided instead of the serial interface 82 with a decoding function. is there. The storage area of the access history information is not particularly limited, but is formed by a non-volatile memory such as a flash memory, and includes the number of key code inputs from the outside, and pass / fail information at the time of input key code determination. Each time a key code is input through the input terminal T4, access history information is recorded (ST66). According to the access history information, it is possible to easily determine whether or not there has been a person who tried to gain unauthorized access in the system. The other processes (ST61 to ST65, ST67, ST68) are the same as the processes (ST21 to ST25, ST27, ST28) in the microcomputer 10 shown in FIG.

  Although the invention made by the present inventor has been specifically described above, the present invention is not limited thereto, and it goes without saying that various changes can be made without departing from the scope of the invention.

  In the above description, the case where the invention made by the present inventor is applied to the microcomputer which is the field of use that has been used as the background has been described. However, the present invention is not limited thereto, and is widely applied to various semiconductor integrated circuits. Can be applied.

  The present invention can be applied on condition that at least a central processing unit is included.

1 is a block diagram illustrating a configuration example of a main part of a microcomputer as an example of a semiconductor integrated circuit according to the present invention. It is another example of a block diagram of the principal part in the said microcomputer. It is a block diagram which shows the structure used as the comparison object of the said microcomputer. It is a block diagram which shows the structure used as the comparison object of the said microcomputer. It is another example of a block diagram of the principal part in the said microcomputer. It is another example of a block diagram of the principal part in the said microcomputer. It is explanatory drawing of formation of the address signal in the structure shown by FIG. 6, and the address map of ROM. It is another example of a block diagram of the principal part in the said microcomputer. It is another example of a block diagram of the principal part in the said microcomputer. It is a block diagram of an example of the overall configuration of the microcomputer.

Explanation of symbols

10 Microcomputer 12 CPU
14 External bus controller 19A, 19B ROM
29 Input port T1 Boot jump mode terminal T3 Power-on reset terminal T4 Input terminal

Claims (5)

A first storage area in which a first program executed in normal boot is stored;
A second storage area in which a second program to be executed at the time of debugging is stored;
A first external terminal capable of selectively designating the first program and the second program;
A second external terminal enabling external input of a key code;
A central processing unit capable of selectively executing the first program and the second program in accordance with designation from the first external terminal,
The central processing unit that has executed the second program has a first function for determining whether or not a key code fetched via the second external terminal matches a preset code;
When it is determined by the first function that the key code fetched via the second external terminal matches the preset code, the key code is stored in a memory arranged outside the semiconductor integrated circuit. A semiconductor integrated circuit comprising: a second function for executing the program. 2. The semiconductor integrated circuit according to claim 1, wherein said central processing unit executes said second program in an infinite loop unless a key code fetched through said second external terminal matches a preset code. If the key code fetched through the second external terminal does not match a preset code, the central processing unit executes the first program regardless of the selection from the first external terminal. The semiconductor integrated circuit according to claim 1 to be executed. 5. The semiconductor integrated circuit according to claim 3, wherein the first storage area and the second storage area are formed at different addresses in the same semiconductor memory. 5. The semiconductor integrated circuit according to claim 4, further comprising a logic gate for causing the logic state of the first external terminal to participate in forming an address signal for accessing the semiconductor memory.

Images