JP2007109053A - Bus access controller - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To secure an exclusive area corresponding to each of a plurality of types of applications on a shared memory when a certain bus master simultaneously executes the plurality of types of applications whose algorithms should be protected. <P>SOLUTION: When a bus master which executes a plurality of applications performs access to a memory, an access area number showing that it is access to an area corresponding to each application is output, and whether or not it is possible to perform access to access destination requested by the bus master is decided based on the access area number or an access destination address and access feasibility information included in an access request by an access feasibility deciding part. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to the realization of a secure mechanism or a bus arbitration mechanism in a system LSI for digital AV equipment.

  Currently, multi-processor systems composed of a plurality of processors are generalized as LSIs (Large Scale Integrated Circuits) are becoming more highly functional and highly integrated. In the field of digital AV home appliances and the like, a unified memory configuration that shares information resources such as a main storage device is indispensable for cost reduction. For this reason, when a secret program or data of a certain processor is stored in the shared memory, there is a problem of a decrease in security such that another processor falsifies or steals the secret program.

  Patent Document 1 discloses a mechanism for securing a dedicated area in a shared memory according to each secure process when a certain bus master executes a plurality of types of secure applications. FIG. 19 shows a bus access control device described in Patent Document 1. The access control unit 300 accesses the bus master 200 based on the access permission information indicating the area accessible by the bus master 200 held by the access permission information holding unit 320 and the access request 210 to the memory 350 issued by the bus master 200. It is determined whether the requested area can be accessed. The memory IF unit 340 accesses the memory 350 only when the determination result (accessibility determination result 330) indicates access permission. Accessibility information can be changed only when a program at a specific address is executed. Further, when a plurality of applications are executed, it is necessary to set access permission information each time. FIG. 20 shows an example of access permission information. The access enable / disable information includes the start address and end address of the accessible area, and whether or not access to the area other than the accessible area is permitted. In the example of FIG. 20, the bus master 200 can access only the addresses 0x8000 — 0000 to 0x80FF_FFFF.

In recent LSI on-chip buses, it is important to guarantee the performance how efficiently bus arbitration is performed when a plurality of masters simultaneously access a shared memory. FIG. 21 describes a conventional bus arbitration method introduced as a centralized parallel method in Patent Document 2 and Non-Patent Document 1. The bus masters 201, 202, and 203 output access requests 211, 212, and 213 to the bus, respectively. In the access control unit 300, there is master arbitration information 1110 in which the arbitration order corresponding to each master is described. When a plurality of masters access simultaneously, priority is given to access from which master according to the master arbitration information 1110. Is decided. FIG. 22 shows an example of master arbitration information. In this example, the order among the masters is described, and in the case of this example, fixed priority is given to the order of the master 201, the master 202, and the master 203.
JP 2001-256460 A Japanese Patent Laid-Open No. 6-231074 John L. Hennessy, David A.M. Patterson “Computer Organisation and Design”, 1998, Morgan Kaufmann Publishers, Inc.

  However, in the mechanism of Patent Document 1, during execution of a certain secure application, only one dedicated area corresponding to the application can be secured, so it is possible to simultaneously execute transfers belonging to a plurality of secure applications. Can not. If multiple secure applications are to be executed simultaneously on this mechanism, it is necessary to execute multiple secure transfers in one dedicated area. In this case, the bus master can access multiple types of secure information. Therefore, it becomes a factor of security degradation.

  In the arbitration mechanism shown in FIG. 21, the order of arbitration is determined for each master. For example, when transfer from the master includes various types such as graphics and serial IO with peripheral IO (see FIG. 21). Although it is desirable that the arbitration order can be dynamically changed according to the type of transfer data, a general-purpose DMA controller or the like, this configuration is difficult to realize.

  Both of the above two problems have a configuration in which (1) accessible memory area and (2) information such as bus arbitration order cannot be dynamically changed in a plurality of types of data transfer that can be executed concurrently on the bus. Therefore, they are common in that it is difficult to improve security and transfer performance.

  In order to solve the conventional problem, the present invention provides a bus slave having resources inside and outside the LSI such as a memory and a register, and a bus master that accesses the bus slave, and transfers corresponding to processing contents on the bus master side. A bus output unit for outputting the identification number together with the access request;

  Further, the present invention is the bus access control device according to claim 1, wherein a plurality of control masters that control processing operations of the bus master and which control master is controlling the bus master are determined. The control master identification unit and the bus output unit output, as the transfer identification number, to which control master the processing content on the bus master side belongs, based on information from the control master identification unit Means to do.

  Further, the present invention is the bus access control device according to claim 2, wherein the control master is capable of executing software, and the transfer identification number is a number corresponding to software operating on the control master. It has a feature means.

  The present invention is the bus access control apparatus according to claim 3, wherein the transfer identification number is a fetch destination address of software of the control master.

  Further, the present invention is the bus access control device according to claim 8, further comprising a bus master identification unit that includes a plurality of the bus masters, identifies the bus master that has made the access request, and outputs the bus master identification information. The access permission information includes master identification information that permits access to the area, and the access permission determination unit includes the master identification information, the access permission information, the transfer identification number, and the access included in the access request. The bus master has means for determining whether or not the access request destination area is accessible based on the previous address information.

  The present invention is the bus access control device according to claim 8 or 9, wherein the bus master is an encryption / decryption DMA controller having an encryption / decryption function, and the encryption / decryption DMA controller is used for encryption / decryption. It has a register for setting a key (decryption key setting register), a register for specifying a DMA transfer source (transfer source specifying register), and a register for specifying a DMA transfer destination (transfer destination setting register) Further, when issuing an access request for decrypting the encrypted data or the encrypted program and transferring it to the address indicated in the transfer destination setting register, the bus output unit specifies the decryption key setting register. Means for outputting the transfer identification number corresponding to the decryption key.

  Moreover, this invention is a bus access control apparatus as described in any one of Claims 1-7, Comprising: The bus arbitration part which has several said bus masters and mediates transfer among these bus masters. And the transfer identification number is associated with the priority of bus arbitration, and the bus arbitration unit has means for performing arbitration based on the transfer identification number.

  According to the bus access control device of the present invention, when a certain bus master or a plurality of bus masters concurrently execute a plurality of secure transfers, a dedicated area corresponding to each secure process can be secured on a shared resource (shared memory), and Since unauthorized access to the area can be accurately determined for each bus transaction, security can be improved.

  In addition, according to the bus access control device of the present invention, the arbitration order can be accurately determined for each bus transaction according to the type of data transferred on the bus and the type of master being controlled. Can be realized.

  Embodiments of each claim will be described below with reference to the drawings.

(Embodiment 1)
The operation of the bus access control apparatus according to the first embodiment of the present invention will be described with reference to FIGS.

  The bus master 1 in the bus access control apparatus 100 according to the first embodiment executes three secure applications. As an execution form, it is assumed that when a certain application ends, the next application is not started, but three applications are executed simultaneously.

  As shown in FIG. 2, the accessibility information holding unit 320 stores accessibility information for three areas corresponding to each application, and the area 1 for the application 1 is 0x8000 — 0000 to 8000_FFFF (this is (This means that access to the area 1 is prohibited when other than the application 1 is executed), the area 2 for the application 2 is 0x8100 — 0000 to 81FF_FFFF, and the area 3 for the application 3 is 0x8200 — 0000 to 82FF_FFFF . When the bus master 1 accesses the areas 1 to 3 of the memory 350, the access area number 221 corresponding to the areas 1 to 3 is output together with the address of the access destination. Based on the access area number 221, the address information of the access destination included in the access request 211, and the access permission information held in the access permission information holding unit 320, the access permission determination unit 310 requests the access destination requested by the bus master 1. It is determined whether or not it is accessible, and an access permission determination result 330 is output to the memory IF unit 340. The memory IF unit 340 performs a desired access to the memory 350 only when the access permission determination result indicates access permission.

  As described above, it is possible to secure three dedicated areas corresponding to the three applications being executed.

  Next, an access control process when an access request is made from the bus master 1 in the bus access control apparatus 100 according to the present embodiment to the memory 350 will be described. FIG. 3 is a flowchart illustrating an example of the access control process.

  Step S301: The bus master 1 issues an access request to the memory 350 and outputs the access area number 221 at the same time.

  Step S302: Based on the access permission information held in the access permission information holding section 320, the access area number 221 from the bus master 1, and the access destination address information included in the access request 211 in the access permission determination section 310. It is determined whether access is possible, and the result is output to the memory IF unit 340 as an access permission determination result 330.

  Step S303: When the access permission determination result 330 indicates that access is permitted, the memory IF unit 340 performs a desired access to the memory 350 and returns the result to the bus master 1.

  Step S304: When the access permission determination result 330 indicates that access is not permitted, the memory IF unit 340 performs a dummy access or a dummy response without performing a desired access to the memory 350. Here, as a dummy access, in the case of a write operation, for example, access is performed by masking data to an access destination or issuing a read command instead of a write command. In the case of a read operation, for example, an access such as issuing a read command to an area where access is permitted is performed. The dummy response means a dummy response that causes the bus master to mistakenly recognize that it is a response obtained from an actual access destination. For example, when a write operation is performed from the bus master to the access prohibited area of the shared memory, a false response such as completion of access request acceptance or data write completion is performed without executing the write operation as requested. In addition, when performing a read operation on an access-prohibited area, a false response such as completion of acceptance of an access request or a read data response in a different area is performed without executing the read operation as requested. Therefore, it is difficult to distinguish between an access-prohibited area and an access-permitted area on the shared memory, and analysis for accessing the access-prohibited area can be prevented. In order to make unauthorized analysis difficult, it is also effective to apply bus encryption at the time of data writing in the memory IF 340 and to decrypt at the time of data reading.

  Note that there may be means for notifying the control host of an error response or an interrupt instead of the dummy response as described above when an access prohibited area is accessed. This makes it possible to clearly detect unintended control bugs in the development process.

(Embodiment 2)
The operation of the bus access control apparatus according to the second embodiment of the present invention will be described with reference to FIGS.

  Here, the difference from the operation of the bus access control apparatus according to the first embodiment will be mainly described.

  When receiving an access request to the shared memory 350 from any one of the bus masters 1 to 3, the bus master identification unit 400 identifies which bus master the access request is from. Then, the access request and the identification result are output to the access control unit 300. When access requests are made from a plurality of bus masters, for example, the bus master from which access requests are given is determined according to priority. As shown in FIG. 5, the access permission / rejection information holding unit 320 holds access permission / rejection information for an area corresponding to a secure processing type executed by each bus master, and a bus master that permits access for each area. Master identification information to be shown, and start address and end address information of the area are included. In this example, for example, for area 1, only the bus master 1 is accessible, and the area is 0x8000 — 0000 to 0x8000_FFFF, and bus masters other than the bus master 1 are prohibited from accessing. If the area number is other than 1, it means that access is prohibited. The access permission determination unit 310 is based on the master identification information 410 from the bus master identification unit 400, the access area number 220, the access destination address information included in the access request 210, and the access permission information held by the access permission information holding unit 320. Then, it is determined whether or not the access destination requested by the bus master is accessible, and the access permission determination result 330 is output to the memory IF unit 340.

  As described above, a dedicated area corresponding to a plurality of secure applications executed by a plurality of bus masters can be secured on the shared memory 350.

  Next, an access control process when an access request is made from the bus masters 1 to 3 in the bus access control apparatus 100 according to the present embodiment to the shared memory 350 will be described. FIG. 6 is a flowchart illustrating an example of the access control process.

  Step S601: One of the bus masters 1 to 3 or a plurality of bus masters 1 to 3 issues an access request to the memory 350. The bus master 1 that executes a plurality of secure applications outputs the access area number 221 simultaneously with the issue of the access request.

  Step S602: The bus master identifying unit 400 identifies the bus master that has issued the access request 211, and whether an access request is issued from only a single bus master or whether an access request is issued from a plurality of bus masters. Identify.

  Step S603: If an access request is issued from a plurality of bus masters, it is determined which of these requests is to be processed with priority.

  Step S604: The access permission determination unit 310 holds the master identification information 410, the access area number 220 from the bus master identification unit 400, the access destination address information included in the access request 210, and the access permission information holding unit 320. Whether access is possible is determined based on the access permission information, and the result is output to the memory IF unit 340 as the access permission determination result 330.

  Step S605: If the access permission determination result 330 indicates access permission, the memory IF unit 340 performs a desired access to the shared memory 350 and returns the result to a predetermined bus master.

  Step S606: When the access permission determination result 330 indicates that access is not permitted, the memory IF unit 340 does not perform a desired access to the shared memory 350 but performs a dummy access or a dummy response.

(Embodiment 3)
The operation of the bus access control apparatus according to the third embodiment of the present invention will be described with reference to FIG. Here, the difference from the operation of the bus access control apparatus according to the first and second embodiments will be mainly described.

  The bus master 1 in the present embodiment is a functional block that performs a plurality of types of secure processing (here, secure processing 1 and secure processing 2), and uses the shared memory 350 to execute the plurality of processing. If the access area number 221 used for the determination in the access permission determination unit 310 is illegally assigned by the bus master 1 in securing the dedicated areas for the secure process 1 and the secure process 2, each secure process It becomes impossible to secure a dedicated area. For this reason, the bus master 1 in the present embodiment outputs the access area number 221 corresponding to the processing contents in a one-to-one manner by the hardware whose processing result identification unit 500 cannot illegally change the output result by software. This prevents unauthorized access. It is desirable to generate the access area number 221 by hardware as described above. However, if a secure software execution environment is prepared and cannot be changed by unauthorized software, it is generated by secure software setting. You may do it.

(Embodiment 4)
The operation of the bus access control apparatus according to the fourth embodiment of the present invention will be described with reference to FIGS.

  Here, the description will focus on differences from the operation of the bus access control apparatus according to the first to third embodiments.

  In this embodiment, both the bus master 2 and the bus master 3 are processors, and each executes a secure process. The programs (codes) for that purpose are encrypted and stored in the flash memory 600. When executing the secure processing, these encrypted codes are decrypted and then loaded onto the shared memory. It is desirable that the code for the bus master 2 can be read only by the bus master 2 and the code for the bus master 3 can be read only by the bus master 3. The mechanism for realizing this will be described below.

  The bus master 1 is an encryption / decryption DMA controller (DMAC) that encrypts and transfers plaintext data or decrypts and transfers encrypted data and codes. The bus master 1 (encryption / decryption DMAC) has at least a register for specifying a key to be used for decryption that can be set from the bus master 2 and a register for setting a data transfer destination address after decryption. It has a circuit that generates a region number corresponding to the decryption key set by the bus master 2 and has an encryption code (code 1) for the bus master 2 stored in the flash memory 600 according to an instruction from the bus master 2 ) After decrypting the encryption code (code 2) for the bus master 3, the access request 211 for transferring the decrypted plaintext code to the transfer destination address set from the bus master 2 is output. At the same time when the access request 211 is output, the area number generated by the area number generation circuit 610 is output as the access area number 221. As an example of the area number generation circuit 610, a circuit that extracts and outputs an area number embedded in a predetermined position of a decryption key can be considered.

  In this example, the area number corresponding to the decryption key has a one-to-one correspondence. However, if a plurality of cryptographic operation means are installed, the area number may correspond to the cryptographic operation means in one-to-one correspondence.

  As shown in FIG. 9, the access enable / disable information holding unit 320 includes master identification information indicating a bus master accessible for each area, an access type permitted to the bus master, an area start address, and an end address. As the access type, only writing, only reading, or both writing and reading can be considered. In the example of FIG. 9, area 1 (address 0x8000 — 0000 to 0x80FF_FFFF) can be written only by bus master 1 and only bus master 2 can be read, and area 2 (address 0x8200 — 0000 to 82FF_FFFF) can be written only by bus master 1 and only bus master 3 can be read. Means an area. Based on the master identification information 410, the access area number 220, the access destination address information included in the access request 210, and the access permission information held in the access permission information holding section 320, the access permission determination section 310 It is determined whether or not the requested access destination is accessible, and the access permission determination result 330 is output to the memory IF unit 340.

  As described above, only the bus master 1 (encryption / decryption DMAC) can be written as a secure program dedicated area of the bus master 2 and an area readable only by the bus master 2 can be secured, and further, the bus master 1 ( It is possible to secure an area in which only the encryption / decryption DMAC) can be written and only the bus master 3 can read. That is, since the secure program can be safely transferred from the flash memory 600 to the bus master 2 and the bus master 3, it is possible to prevent unauthorized analysis. Specifically, the bus master 1 (encryption / decryption DMAC) is illegally activated, and the encryption code for the bus master 3 (code 2) is transferred to the bus master 2 secure program area. If the code 2 is read and analyzed, and the code 2 code is designated as the decryption key, the encryption code for the bus master 3 is correctly decrypted, but access for writing the decrypted data to the shared memory 350 is performed. When issuing a request, since the area 2 corresponding to the code 2 key and the one-to-one correspondence is output as the access area number, the access request 211 can be accessed even if the address of the area 1 is specified and the area 1 is written. In the permission determination unit 310, access is not permitted because the access area number and the transfer destination address cannot be matched. If the code 1 code is designated as the decryption key, writing to the area 1 is permitted, but the encryption code for the bus master 3 cannot be correctly decrypted.

  Further, the memory IF unit 340 includes a function for decrypting the secure code after decrypting the secure code with the bus encryption and writing it to the shared memory 350, and reading the secure code from the shared memory 350. It is possible to prevent the security from being lowered due to illegal observation.

  Next, an access control process when an access request is made from the bus masters 1 to 3 in the bus access control apparatus 100 according to the present embodiment to the shared memory 350 will be described. FIG. 10 is a flowchart illustrating an example of the access control process.

  Step S1001: The bus master 2 sets the DMA parameters of the bus master 1 (encryption decoding DMAC) and starts DMA. The DMA parameter includes designation of a key used for decryption, a transfer destination address of decrypted data, and the like.

  Step S1002: The bus master 1 (encryption / decryption DMAC) selects the set decryption key and outputs it to the decryption circuit. At the same time, the region number generation circuit 610 extracts the region number embedded in the decryption key and outputs it to the DMA control circuit 620.

  Step S1003: The DMA control circuit 620 reads an encryption code corresponding to the set decryption key from the flash memory 600, and outputs it to the decryption circuit 630. The decryption circuit 630 decrypts the encrypted code and outputs it to the DMA control circuit. As means for designating an encryption code read from the flash memory 600, a register for setting a transfer source address may be provided.

  Step S1003: The bus master 1 (encryption / decryption DMAC) issues an access request 211 for transferring the decrypted plaintext data. At the same time, the access area number 221 of the access destination is output.

  Steps S1004 to S1008 are the same as steps S602 to S606.

  In this embodiment, the bus master 1 is described as the encryption / decryption DMAC, but the bus master 1 may be a DMAC that performs only decoding. The bus master 1 may be a debugger authentication module that determines whether access is possible in response to an access request from a debugger that accesses LSI internal resources from an external port such as a JTAG port. In this case, an authentication key and 1 By accessing the secure area using the corresponding area number on a one-to-one basis, it is possible to make it possible to access only the authenticated area in response to an access request from the debugger. As a means for generating an area number corresponding to the authentication key on a one-to-one basis, the area number is included in a part of the key used for authentication, the area number is extracted by hardware, and output as an access area number as it is Means can be considered.

(Embodiment 5)
The operation of the bus access control apparatus according to the fifth embodiment of the present invention will be described with reference to FIG.

  Here, the description will focus on differences from the operation of the bus access control apparatus according to the first to fourth embodiments.

  The bus master 1 is a processor that executes a plurality of secure applications, and their codes are stored in different address spaces, for example, different built-in memories (nonvolatile memories). The bus master 1 (processor) manages a plurality of code fetch destination spaces in the fetch destination determination circuit, and when fetching and executing the code, the bus master 1 (processor) has a one-to-one correspondence with the code fetch destination space, that is, the type of application. The access area number 221 is output. Management of the fetch destination space is a method in which the start address 1 to the end address 1 is the area 1 and the start address 2 to the end address 2 is the area 2 or when the fetch destination space is a plurality of physically different memories. For example, a determination method based on a chip select signal or a determination method based on the value of a program counter of the processor core 720 can be considered. As described above, codes in different areas, that is, dedicated areas corresponding one-to-one with codes of different applications can be secured on the shared memory. The built-in memory does not store all the application code, but stores only the application transition sequence (transition trigger), and the main body of the application is stored in a dedicated area on the corresponding shared memory. Also good. By doing so, the capacity of the built-in memory (nonvolatile memory) can be reduced.

  Next, an access control process when an access request is made from the bus masters 1 to 3 in the bus access control apparatus 100 according to the present embodiment to the shared memory 350 will be described. FIG. 12 is a flowchart illustrating an example of the access control process.

  Step S1201: The bus master 1 (processor) fetches a code from the internal memory 1 or the internal memory 2.

  Step S1202: The fetch destination determination circuit 710 determines the fetch destination of the code executed by the processor core 720.

  Step S1203: The access area number 221 corresponding to the fetch destination of the code to be executed simultaneously with the bus master 1 (processor core 720) issuing the access request 211 is output.

  Steps S1204 to S1208 are the same as steps S602 to S606.

(Embodiment 6)
The operation of the bus access control apparatus according to the fifth embodiment of the present invention will be described with reference to FIG. Here, the description will focus on differences from the operation of the bus access control apparatus according to the first to fourth embodiments.

  The control master 800 is a processor capable of executing software, and can access the bus master 1 and the bus master 2 that are slaves thereof and the shared memory 350 via the bus. The control master 800 has a plurality of operation modes (mode 1, mode 2, and mode 3), and information on the operation mode is managed by the operation mode identification unit 810. This mode is leveled according to the level of secure strength. Mode 1 is the mode in which the processing with the highest secure strength required is executed, mode 2 is the second highest after mode 1, and mode 3 is the normal execution. Mode (minimum). When the control master 800 accesses each slave, the execution mode is transmitted via the mode transmission signal 830 simultaneously with the access request 820.

  The bus master 1 operates according to the control of the control master 800 and accesses the shared memory 350 that is the slave. At that time, the bus master 1 manages the value of the mode transmission signal 830 when it is controlled in which operation mode of the control master 800 is held by the control master identification unit 901. Then, the access request 211 is output to the shared memory 350, and at the same time, the value held in the control master identification unit 901 is output as the control master identification number 911. Such a mechanism is similarly realized in the bus master 2.

  Access accessibility information holding unit 320 inside access control unit 300 holds access availability information as shown in FIG. In the example of FIG. 14, the area 1 (address 0x8000 — 0000 to 0x80FF_FFFF) can be read / written only by direct access by the control master 800 in the operation mode 1, and the area 2 (address 0x8200 — 0000 to 82FF_FFFF) is the control master 800 in the operation mode 1 or 2. This means that only the bus master 1 controlled by the control master 800 in the operation mode 1 or 2 or the bus master 2 controlled by the control master 800 in the operation mode 1 can be accessed. In operation mode 3, these secure areas cannot be accessed. In the example of FIG. 14, since the area 1 can be accessed only from the operation mode 1 in which the software can be executed with the highest security strength, the information requiring the highest confidentiality can be stored. In the area 2 that can be accessed only from the mode 1 or 2, information with high secrecy can be stored next.

  As described above, the access authority can be made variable in accordance with the security of the software executed by the control master 800, and the bus master 1 and the bus master 2 controlled by the control master 800 can inherit the attributes. It is possible to provide a plurality of areas having different security strengths required for the memory.

(Embodiment 7)
The operation of the bus access control apparatus according to the seventh embodiment of the present invention will be described with reference to FIG. Here, the difference from the operation of the bus access control apparatus according to the sixth embodiment will be mainly described.

  The control masters 801, 802, and 803 are processors capable of executing software, and can access the bus master 1 and the bus master 2 that are slaves thereof and the shared memory 350 via the bus. The bus master 1 and the bus master 2 operate according to the control of the control masters 801, 802, and 803, and access the shared memory 350 that is the slave. In this embodiment, for convenience, the upper bus having the control masters 801, 802, and 803 as masters is called bus 1, and the bus master 1, bus master 2, and the lower bus having bus 1 as a master is called bus 2. .

  The bus 1 master identification unit 1000 identifies whether the master of the bus 1 is one of the control masters 801, 802, and 803, and transmits a value corresponding to the master by a bus 1 master identification signal 1010. When the bus master 1 is controlled by the control masters 801, 802, 803, the control master identification unit 901 holds the value of the bus 1 master identification signal 1010 when the control master is controlled. I manage. Then, the access request 211 is output to the shared memory 350, and at the same time, the value held in the control master identification unit 901 is output as the control master identification number 911. Such a mechanism is similarly realized in the bus master 2.

  Access accessibility information holding unit 320 in access control unit 300 holds access availability information as shown in FIG. In the example of FIG. 16, the area 1 (address 0x8000 — 0000 to 0x80FF_FFFF) can be read / written only by direct access by the control master 801, and the area 2 (address 0x8200 — 0000 to 82FF_FFFF) is controlled directly by the control master 802 or controlled by the control master 802. It can be accessed only by the bus master 1 and the bus master 2. Neither direct access from the control master 803 nor access via the bus master 1 or the bus master 2 can access the areas 1 and 2.

  As described above, it is possible to provide a plurality of dedicated areas belonging to each control master in the shared memory 350 by adding which attribute is controlled by the software of the control master as an attribute for each access by the bus masters 1 and 2. It becomes possible.

  In this embodiment, a dedicated area is secured on the shared memory for each control master. However, if it is necessary to share data between these control masters, both areas have access authority. It may be.

  In this embodiment, as shown in FIG. 16, the access permission information is defined by both the control master identification information and the bus master identification information. However, this information may be defined by only the control master identification information.

(Embodiment 8)
The operation of the bus access control apparatus according to the eighth embodiment of the present invention will be described with reference to FIG.

  The control master 800 is a processor capable of executing software, and is executed while a plurality of processes are switched. The process identification unit 840 holds a number corresponding to the process being executed. When the control master 800 accesses the bus master 1, the bus master 2, and the shared memory 350 as slaves, the process identification unit 840 performs a process simultaneously with the access request 820. The value held by the identification unit is output via the process number transmission signal 850.

  The bus master 1 manages which process is controlled by the control master 800 by holding the value of the process number transmission signal 850 at the time of control in the control master identification unit 901. . Then, the access request 211 is output to the shared memory 350, and at the same time, the value held in the control master identification unit 901 is output as the control master identification number 911. Such a mechanism is similarly realized in the bus master 2.

  The master arbitration information holding unit 1110 in the access control unit 300 holds master arbitration information as shown in FIG. In the example of FIG. 18, the access to the shared memory belonging to the process number 4 is set with the highest priority, and among them, the access from the bus 1 (direct access from the control master) is the highest, and the master 2 and master 1 Priorities are assigned in the order of access. Next, the access belonging to process number 6 and the access belonging to process number 1 are performed in this order. If the access belongs to process number 6, master 1, master 2 and bus 1 are arbitrated equally. . (The same applies to process 1.) Processes other than the process number are set to the lowest arbitration order.

  In the access arbitration unit 1100, the master from which access from the three masters (bus master 1, bus master 2, bus 1) is prioritized to access the shared memory 350 according to the information in the master arbitration information holding unit 1110. decide.

  In recent processors, when a plurality of processes are executed while switching, execution priority is often assigned to each process as an OS (operating system) function. For example, the priority is set high when a large amount of data is required, such as multimedia processing, and the priority is set low when processing such as low-speed serial communication is performed. There are many. If the master arbitration information shown in FIG. 19 is also linked with the priority setting by the OS, even if memory access occurs simultaneously from a plurality of masters, the priority is set according to the process number to which the access belongs. Therefore, the process that the control master 800 wants to prioritize can be completed at an early stage.

  In addition, although the word “access area number” is used in the first to fifth embodiments, the number corresponds to the processing content in the bus master (in the case of the 1/2 embodiment, the number according to the application, in the third embodiment). The number corresponding to the secure processing, the number corresponding to the decryption operation in the fourth embodiment, and the number corresponding to the fetch destination in the fifth embodiment). Therefore, the real number that can identify the content of the transfer data for each transfer is the same method as the control master identification number applied to the bus arbitration in the eighth embodiment for the purpose of ensuring security. It can also be used for purposes other than access restriction.

  By using the bus access control device according to the present invention, when a certain bus master performs a plurality of secure processes, for example, a plurality of secure application executions and a plurality of secure program decryption processes, the plurality of secure processes are supported. A dedicated area can be secured on the shared memory. Therefore, it can be used to improve the security of all digital devices that perform the confidential processing and to reduce the system cost by sharing the memory.

  In addition, when the bus access control device according to the present invention is used, the access in the form in which a plurality of types of transfer is mixed is dynamically switched and occurs for the shared memory, depending on the type of the bus transaction. Arbitration order can be determined accurately. Therefore, it can be used for performance guarantee in digital equipment whose processing is becoming diversified and for system cost reduction by memory sharing.

Configuration diagram of Embodiment 1 of the present invention The figure which shows the example of access permission information of Embodiment 1 of this invention The figure which shows an example of the flowchart of the access control process in Embodiment 1 of this invention. Configuration diagram of Embodiment 2 of the present invention The figure which shows the example of accessibility information of Embodiment 2 of this invention The figure which shows an example of the flowchart of the access control process in Embodiment 2 of this invention. Configuration diagram of Embodiment 3 of the present invention Configuration diagram of Embodiment 4 of the present invention The figure which shows the example of access permission information of Embodiment 4 of this invention The figure which shows an example of the flowchart of the access control process in Embodiment 4 of this invention. Configuration diagram of Embodiment 5 of the present invention The figure which shows an example of the flowchart of the access control process in Embodiment 5 of this invention. Configuration diagram of Embodiment 6 of the present invention The figure which shows the access permission information example of Embodiment 6 of this invention Configuration diagram of Embodiment 7 of the present invention The figure which shows the example of access permission information of Embodiment 7 of this invention Configuration diagram of Embodiment 8 of the present invention The figure which shows the example of master arbitration information of Embodiment 7 of this invention Configuration diagram of conventional bus access control device (Patent Document 1) The figure which shows the example of accessibility information of the conventional bus access control apparatus (patent document 1) Configuration diagram of a conventional bus access control device (Patent Document 2, Non-Patent Document 1) The figure which shows the example of master arbitration information of the conventional bus access control apparatus (patent document 2, nonpatent literature 1)

Explanation of symbols

100 Bus access control device 200 Bus master 201 Bus master 1
202 Bus master 2
203 Bus master 3
210 Access request input to the access control unit 211 Access request from the bus master 1 212 Access request from the bus master 2 213 Access request from the bus master 3 220 Access area number input to the access control unit 221 Access area number from the bus master 1 DESCRIPTION OF SYMBOLS 300 Access control part 310 Access permission determination part 320 Access permission information holding part 330 Access permission determination result 340 Memory IF part 350 Memory 400 Bus master identification part 410 Bus master identification information 500 Bus master processing content identification part 600 Flash memory 610 Area number generation circuit 620 Encryption / Decryption DMA Control Circuit 630 Decoding Circuit 700 Built-in Memory 1
701 Internal memory 2
710 fetch destination determination circuit 720 processor core 800 control master 801 control master 1
802 Control master 2
803 Control master 3
810 Operation mode identification unit 820 Access request from control master 821 Access request from control master 1 822 Access request from control master 2 823 Access request from control master 3 830 Mode transmission signal from control master 840 Process identification unit 850 Process Number transmission signal 901 Control master identification unit of bus master 1 902 Control master identification unit of bus master 2 910 Control master identification number input to access control unit 911 Control master identification number from bus master 1 912 Control master identification number from bus master 2 1000 Master identification unit for bus 1 1010 Master identification signal for bus 1 1100 Access arbitration unit 1110 Master arbitration information holding unit

Claims (14)

A bus slave having resources inside and outside the LSI such as a memory and a register;
In the bus master accessing the bus slave,
A bus access control device comprising: a bus output unit that outputs a transfer identification number corresponding to the processing content on the bus master side together with an access request. The bus access control device according to claim 1,
A plurality of control masters for controlling processing operations of the bus master;
A control master identification unit for determining which control master is controlling the bus master;
Have
The bus output unit outputs, as the transfer identification number, the control master to which the processing content on the bus master side belongs, based on information from the control master identification unit. Access control device. The control master is capable of executing software;
3. The bus access control apparatus according to claim 2, wherein the transfer identification number is a number corresponding to software operating on the control master. 4. The bus access control apparatus according to claim 3, wherein the transfer identification number is a number corresponding to an application operating on the control master. 4. The bus access control apparatus according to claim 3, wherein the transfer identification number is a number corresponding to a process on an OS operating on the control master. 4. The bus access control device according to claim 3, wherein the transfer identification number is a number corresponding to a software execution mode of the control master in which the software is operating. 4. The bus access control device according to claim 3, wherein the transfer identification number is a number corresponding to a fetch destination address of software of the control master. The bus access control device according to any one of claims 1 to 7,
An access enable / disable information holding unit for holding a plurality of access enable / disable information indicating an area where the bus master can access the resource and an impossible area;
The transfer identification number corresponds to each of the areas held as the accessibility information,
Access for determining whether or not the bus master can access the access request destination area based on the access enable / disable information of the access enable / disable information holding unit, the transfer identification number, and the address information of the access destination included in the access request A bus access control device comprising an access control unit including an availability determination unit. The bus access control device according to claim 8,
A plurality of the bus masters;
A bus master identification unit that identifies the bus master that has made the access request and outputs the bus master identification information;
The access permission information includes master identification information that permits access to the area,
Whether the bus master can access the access request destination area based on the master identification information, the access permission information, the transfer identification number, and the access destination address information included in the access request. A bus access control device that determines whether or not. The bus access control device according to claim 8 or 9,
The bus master is an encryption / decryption DMA controller having an encryption / decryption function,
The encryption / decryption DMA controller includes a register (decryption key setting register) for setting a key used for encryption and decryption, a register (transfer source designation register) for designating a DMA transfer source,
It has a register (transfer destination setting register) for designating the DMA transfer destination,
Further, when issuing an access request for decrypting the encrypted data or the encrypted program and transferring it to the address indicated in the transfer destination setting register, the bus output unit designates the decryption key setting register. A bus access control device that outputs the transfer identification number in correspondence with a decryption key. The bus access control device according to claim 10,
Including the transfer identification number in a predetermined location of the decryption key;
The processing content identification unit outputs information on a predetermined position from the decryption key set in the decryption key setting register as the transfer identification number. The accessibility information is
The bus access control device according to any one of claims 8 to 11, further comprising an area start address and an area end address for indicating an area corresponding to the transfer identification number. The bus access control device according to any one of claims 8 to 12,
The access permission / prohibition information further includes information of an access type (write, read permission / prohibition) permitted to the bus master specified by the master identification information permitting the access,
The access permission determination unit determines whether the access request from the bus master is a write request to the access destination or a read request, and the determination result, the access permission information, the master identification information, and the transfer identification number, A bus access control device that determines whether or not the bus master can access the access request destination area based on access destination address information included in the access request. The bus access control device according to any one of claims 1 to 7,
A plurality of the bus masters;
A bus arbitration unit that arbitrates transfer between the plurality of bus masters;
The transfer identification number is associated with the priority of bus arbitration,
The bus access control device, wherein the bus arbitration unit performs arbitration based on the transfer identification number.

Images