JP5742575B2 - Semiconductor integrated circuit and data leakage prevention method - Google Patents

Description

  The present invention relates to a semiconductor integrated circuit and a data leakage prevention method, and in particular, a technology suitable for protecting intellectual property such as programs and data in an embedded system such as a control device of a power conversion device applying power electronics technology. About.

  In microprocessors used in embedded systems such as control devices of recent power converters, it has become the mainstream to mount an interface using JTAG (Joint Test Action Group) as a debugging function.

  By the way, protection of software such as programs and data which are intellectual property in an embedded system as well as a general-purpose computer system such as a PC (Personal Computer) is an important design matter. However, if the above-described JTAG interface is used, it is possible to freely read programs and data held in the flash ROM and the built-in RAM built in the semiconductor integrated circuit.

  FIG. 6 is a diagram showing a configuration of a general embedded system (control device 100) in which an external flash ROM 120 and an external RAM 130 are connected to the microprocessor 100a via an address bus 150 and a data bus 160 and used. It is. A debugger 200 such as JTAG-ICE (In Circuit Emulator) is connected to the microprocessor 100 a via the JTAG port 110.

  In the case of the control device 100 having no software protection function, the external flash ROM 120 holds encrypted software and decryption software for decrypting the encrypted software. This is because a third party removes the external flash ROM 120 soldered to the Pt plate from the system and prevents these software held by a flash ROM writer (not shown) from being read.

  The microprocessor 100a converts the encrypted software using the decryption software held in the external flash ROM 120 into the original software before encryption in the course of the initialization process after the reset is released. Processing held in the RAM 130 is performed. After the above processing, the microprocessor 100a performs the original processing of the embedded system using the software before encryption stored in the external RAM 130.

  Conventionally, a mechanism that prevents reading of programs and data via a JTAG interface by a third party has been developed and many patent applications have been filed. For example, Patent Document 1 discloses a mechanism in which a security bit is provided in a built-in flash ROM, and by turning on this security bit, the function of the JTAG interface is prohibited and the program held in the flash ROM cannot be read. Yes. Patent Document 2 discloses a mechanism in which, when a debugging device such as ICE is connected to the JTAG interface, the program held in the internal RAM cannot be read by prohibiting access to the internal RAM. Yes.

JP 2002-32267 A JP 2009-25907 A

  Even in the embedded system used for the power conversion apparatus described above, the capacity of software has recently increased, and there are many cases in which an external flash ROM, external RAM, or the like is used as a microprocessor. In this embedded system, the protection of programs and data has become important. However, as disclosed in Patent Document 1 and Patent Document 2, the object of preventing the reading of programs and data from the JTAG interface is as follows. It is held in a flash ROM or RAM built in the processor, and is not held in an external memory such as an external flash ROM or external RAM.

  Further, when an external memory is connected to a microprocessor, a microprocessor that does not incorporate a flash ROM is often used. Many of such microprocessors are equipped with a JTAG interface, but none have a function of preventing leakage of programs and data held in an external memory via the JTAG interface.

  The present invention has been made to solve the above-described problems. Even when a memory is connected via a bus to a microprocessor equipped with a debugging interface such as JTAG, the program and data stored in the memory are stored. An object of the present invention is to provide a semiconductor integrated circuit and a software leakage prevention method capable of reading protection.

  In order to solve the above-described problem, a semiconductor integrated circuit according to a first aspect of the present invention is a semiconductor integrated circuit in which a memory holding data including a program and a microprocessor are connected via a bus. A connection unit to which a debugger that supports debugging of the device is connected; a connection detection unit that turns on a connection detection signal when it is detected that the debugger is connected to the connection unit; and When the access control signal to the memory output from the processor is turned on, break data is output to the bus, and when the break data and the access control signal are turned on, the memory outputs the data to the bus. And a bus output unit that makes data propagating to the bus undefined.

According to the semiconductor integrated circuit of the first aspect of the present invention, when the bus output unit is effective when both the connection detection signal indicating that the debugger is connected and the access control signal from the microprocessor are valid. Predetermined data is output. For this reason, the data propagating through the bus is destroyed and becomes indefinite when the predetermined data collides with the data held in the memory and output to the bus, so it is held in the memory connected to the microprocessor via the bus. It is possible to protect the read program and data.
In the semiconductor integrated circuit according to the first aspect of the present invention, the bus is a parallel bus composed of a plurality of bits, and the break data has different values in adjacent bits.

In the semiconductor integrated circuit according to the first aspect of the present invention, the bus is an address bus or a data bus.
In the semiconductor integrated circuit according to the first aspect of the present invention, the bus output section is connected to the bus via a current suppressing means.

  In the semiconductor integrated circuit according to the first aspect of the present invention, the connection detection unit or the bus output unit is configured by a programmable logic device programmed in a predetermined language.

  In the semiconductor integrated circuit according to the first aspect of the present invention, the bus output unit includes a select port that is selected by itself, a control port that receives the access control signal, both the select port and the access control signal. And an output port that outputs the break data when enabled, the connection detection signal is connected to the select port, the control signal is connected to the control port, and the output port Is connected to the bus.

  In the semiconductor integrated circuit according to the first aspect of the present invention, the connection detection unit receives and holds a command from the debugger via the connection unit, and turns off the connection detection signal based on the held command. Command receiving means is provided. According to the present invention, when a predetermined command is received, the output of predetermined data to the bus is prevented, thereby preventing the protection of programs and data from interfering with debugging work by maintenance personnel of the manufacturer. it can.

  In the semiconductor integrated circuit according to the first aspect of the present invention, the command includes a first command and a second command, and the command receiving means receives the first command within a predetermined time. By receiving the second command, the first command or the second command is held as the command. According to the present invention, it is possible to control the blocking of the output of predetermined data to the bus due to the coincidence of command transmission based on trial and error by a third party.

  A semiconductor integrated circuit according to a second aspect of the present invention is connected to a debugger that supports debugging of the program in a semiconductor integrated circuit in which a memory holding data including a program and a microprocessor are connected via a bus. A connection detection unit that turns on a connection detection signal when it is detected that the debugger is connected to the connection unit, and a memory that is output from the microprocessor when the connection detection signal is on. And a bus output unit that supplies a reset signal to the microprocessor when the access control signal is turned on.

  According to the semiconductor integrated circuit of the second aspect of the present invention, the memory output from the microprocessor when the bus output unit is on when the connection detection signal output by the connection detection unit when the debugger is connected is on. When the access control signal to is turned on, a reset signal is supplied to the microprocessor. For this reason, the microprocessor is initialized every time a reset signal is received, and is started from the initial routine each time. Therefore, the program is not read continuously, and can be provided as an effective means for protecting the program. .

  In a semiconductor integrated circuit according to a third aspect of the present invention, a nonvolatile memory in which data including a program is stored, a volatile memory, and a microprocessor are connected via a bus, and the volatile memory includes: In a semiconductor integrated circuit in which at least a partial copy of the data held in the nonvolatile memory is held, a connection portion to which a debugger for supporting debugging of the program is connected, and the debugger is connected to the connection portion A connection detection unit that turns on a connection detection signal when this is detected, and when the connection detection signal is on, an access control signal to the nonvolatile memory or the volatile memory that is output from the microprocessor is turned on. To output break data to the bus, and the nonvolatile data is turned on when the break data and the access control signal are turned on. To collide with said data memory or the volatile memory is output to the bus, characterized in that it comprises a and a bus output unit for undefined data to be propagated to the bus.

  According to the semiconductor integrated circuit of the third aspect of the present invention, the bus output unit is a non-volatile output from the microprocessor when the connection detection signal output by the connection detection unit when the debugger is connected is ON. Break data is output to the bus when the access control signal to the volatile memory or volatile memory is turned on, and the data that the nonvolatile memory or volatile memory outputs to the bus when the break data and the access control signal are turned on And the data propagating to the bus is undefined. Therefore, it is possible to protect a program or data that is a copy of at least a part of the nonvolatile memory held in the volatile memory connected to the microprocessor via the bus.

  According to a fourth aspect of the present invention, there is provided a data leakage prevention method comprising a memory holding data including a program, a microprocessor connected to the memory via a bus and executing the program, and debugging the program. A data leakage prevention method in a semiconductor integrated circuit having a connection portion to which a debugger to be supported is connected, the first step of turning on a connection detection signal when detecting that the debugger is connected to the connection portion; When the connection detection signal is turned on, an access control signal to the memory output from the microprocessor is turned on to output break data to the bus, and the break data and the access control signal When turned on, the memory collides with the data output to the bus and propagates to the bus And having a second step of the over data undefined, a.

  In the data leakage prevention method according to the fourth aspect of the present invention, the first step includes receiving and holding a command from the debugger via the connection unit, and detecting the connection based on the held command. A first sub-step for turning off the signal is included.

  In the data leakage prevention method according to the fourth aspect of the present invention, the command includes a first command and a second command. In the first sub-step, a predetermined time after receiving the first command. The first command or the second command is held as the command by receiving the second command within the range.

  According to a fifth aspect of the present invention, there is provided a data leakage prevention method comprising: a memory holding data including a program; a microprocessor connected to the memory via a bus and executing the program; and debugging the program. A data leakage method in a semiconductor integrated circuit having a connection portion to which a debugger to be supported is connected, the step of detecting that the debugger is connected to the connection portion and turning on a connection detection signal, and the connection detection And supplying a reset signal to the microprocessor when the access control signal to the memory output from the microprocessor is turned on when the signal is turned on.

According to a sixth aspect of the present invention, there is provided a data leakage prevention method comprising: a nonvolatile memory in which data including a program is held; a volatile memory; and a microprocessor are connected via a bus, and the volatile memory includes A method for preventing data leakage in a semiconductor integrated circuit in which at least a partial copy of the data held in the non-volatile memory is held, which detects that a debugger is connected to a connection portion and turns on a connection detection signal And when the connection detection signal is turned on, an access control signal to the nonvolatile memory or the volatile memory output from the microprocessor is turned on to output break data to the bus, When the break data and the access control signal are turned on, the nonvolatile memory or the volatile memory is changed to the bus. To collide with said data to be output, characterized in that it and a step of the data to be propagated to the bus undefined.

  According to the present invention, a memory is connected to a microprocessor equipped with a debug interface such as JTAG via a bus, and even in the case of use, a semiconductor integrated circuit capable of protecting the reading of programs and data held in the memory In addition, a software leakage prevention method can be provided.

1 is a block diagram showing a configuration of a semiconductor integrated circuit according to an embodiment of the present invention. It is a block diagram which shows an example of an internal structure of the bus output part of the semiconductor integrated circuit which concerns on embodiment of this invention. FIG. 10 is a timing chart showing an operation when a debugger is not connected in the semiconductor integrated circuit according to the embodiment of the present invention. FIG. 5 is a timing chart showing an operation when a debugger is connected in the semiconductor integrated circuit according to the embodiment of the present invention. It is a block diagram which shows the other example of the internal structure of the bus output part of the semiconductor integrated circuit which concerns on embodiment of this invention. It is a block diagram which shows the structure of a general embedded system.

Hereinafter, an embodiment for carrying out the present invention (hereinafter simply referred to as the present embodiment) will be described in detail with reference to the accompanying drawings.
(Configuration of the embodiment)
FIG. 1 is a block diagram showing the configuration of the semiconductor integrated circuit according to the present embodiment. Here, a built-in system such as the control device 1 of the power conversion device will be described as an example of the semiconductor integrated circuit.

  As shown in FIG. 1, the control device 1 includes a microprocessor 10, a JTAG port 11, an external flash ROM, an external RAM 13, and a PLD (Programmable Logic Device) 14. Except for the PLD 14, it has the same configuration as the general embedded system shown in FIG. That is, an external flash ROM 12 and an external RAM 13 are connected to the microprocessor 10 via an address bus 15 and a data bus 16, and a debugger 2 such as JTAG-ICE is a JTAG which is a connection part (connector). The port 11 is connected to the microprocessor 10.

  The PLD 14 has both a connection detection signal indicating that the debugger 2 is connected and an access control signal from the microprocessor 10 (READ or WRITE, which here targets READ to protect memory reading). This is a program logic device having a function of outputting predetermined data to the address bus 15 or the data bus 16 when it is valid. For this reason, the break data used as the predetermined data and the output data held in the memory (external flash ROM 12 and external RAM 13) and output to the bus collide, so that the address bus 15 or the data bus 16 is Propagating output data is destroyed and becomes undefined. Therefore, data including programs held in the nonvolatile flash ROM 12 and the external RAM 13 connected to the microprocessor 10 via the bus can be protected.

  Here, the object to be protected by preventing reading by the microprocessor 10 via the debugger 2 is the program before encryption held in the external RAM 13, the encryption program held in the external flash ROM 12, or It is assumed that data held in a register (volatile memory) built in an LSI (not shown) is included.

  For this reason, the PLD 14 is connected to the microprocessor 10 via the address bus 15 and the data bus 16, and from the microprocessor 10, a read signal (READ) that is an access control signal for the external flash ROM 12 or the external RAM 13. Via line 10a, its own chip select signal (CSPLD) via line 10b, chip select signal (CSROM) of external flash ROM 12 via line 10c, and chip select signal (CSRAM) of external RAM 13 via line 10d. Get via each. Further, a JTAG control signal and JTAG data are acquired from the JTAG port 11 via lines 11a and 11b, respectively.

  The JTAG control signal acquired via the line 11a is a JTAG interface standardized by IEEE 1149.1, together with the JTAG data acquired via the line 11b and the JTAG data output from the microprocessor 10 to the JTAG port 11. It is a defined signal. In particular, the JTAG control signal includes signals such as TMS (Test Mode State) and TRST (Test Reset), and the PLD 14 determines the connection of the debugger 2 such as JTAG-ICE based on the state and transition of these signals. The presence or absence of can be detected.

  FIG. 2 shows an example of the internal configuration of the PLD 14. According to FIG. 2, the PLD 14 includes a connection detection unit 141 and a bus output unit 142. The connection detection unit 141 obtains a JTAG control signal from the JTAG port 11 via the line 11a as an input, and obtains JTAG data as an input via the line 11b. When detecting that the debugger 2 is connected to the JTAG port 11, the connection detection unit 141 validates the connection detection signal and outputs it to the bus output unit 142.

  The bus output unit 142 includes a bus output control unit 142a, an address bus output unit 142b, and a data bus output unit 142c. The bus output control unit 142a acquires from the microprocessor 10 the CSROM signal via the line 10c, the CSRAM signal via the line 10b, and the READ signal that is the access control signal via the line 10a, and the READ signal is turned on (enabled). When this is done, an enable signal for controlling the address bus output unit 142b and the data bus output unit 142c is generated so as to select the external flash ROM 12 or the external RAM 13 based on the CSROM signal or the CSRAM signal that is also input. To do.

The address bus output unit 142b is connected to the address bus 15 via a damping resistor 17a. The address bus output unit 142b outputs address data to the selected external flash ROM 12 or external RAM 13 based on the enable signal output from the bus output control unit 142a via the line 14b. The data bus output unit 142c is connected to the data bus 16 via the damping resistor 17b. The data bus output unit 142c outputs data to the selected external flash ROM 12 or external RAM 13 based on the enable signal output from the bus output control unit 142a via the line 14b. The damping resistors 17a and 17b are inserted to suppress a current caused by a collision between the break data and the output data and prevent damage to elements around the address bus 15 and the data bus 16, such as a driver and a receiver (not shown).
(Operation of the embodiment)
3 and 4 are timing charts showing the operation of the semiconductor integrated circuit according to the present embodiment. The operation of the bus output unit 142 in each case when the debugger 2 is not connected and when the debugger 2 is connected is shown. Show. 3 and 4, (a) is an external flash ROM chip select signal (CSROM) output from the microprocessor 10, and (b) is an access control output from the microprocessor 10 to the external flash ROM 12. Signals (READ) and (c) are output data of the address bus output unit 142b, (d) is output data of the data bus output unit 142c, (e) is address data that propagates through the address bus 15, and (f) is Each of the data propagating on the data bus 16 is shown.

  Hereinafter, the operation of the semiconductor integrated circuit (control device 1) according to the present embodiment shown in FIGS. 1 and 2, particularly the operation of the bus output unit 142, will be described in detail with reference to the timing charts of FIGS. To do.

  First, the operation of the control device 1 when the debugger 2 is not connected will be described with reference to the timing chart of FIG. In this case, since the connection detection signal output from the connection detection unit 141 is OFF, the bus output control unit 142a of the bus output unit 142 reads the READ signal acquired from the microprocessor 10 via the line 10a, the line 10c. The enable signal output to the address bus output unit 142b and the data bus output unit 142c via the line 14b is turned off without depending on the state of the CSROM signal acquired via the line 10b and the CSRAM signal acquired via the line 10b. To do. Therefore, the address bus output unit 142b and the data bus output unit 142c maintain the high impedance state (Hi-Z).

  In this state, when the microprocessor 10 performs READ access to the external flash ROM 12 or the external RAM 13, address data that the microprocessor 10 wants to read is output to the address bus 15, and the data bus 16 Data corresponding to the previous address of the external flash ROM 12 or the external RAM 13 is output. As a result, reading operations such as reading of programs and reading of work variables performed by the microprocessor 10 are normally performed, and therefore, development personnel or maintenance personnel of manufacturers can develop software by debugging.

  On the other hand, when the debugger 2 is connected to the JTAG port 11, a connection detection signal is output from the connection detection unit 141. At this time, the bus output control unit 142a of the bus output unit 142 outputs a READ signal, which is a read access signal, from the microprocessor 10 when data is read from the external flash ROM 12 or the external RAM 13, and When the CSROM signal or the CSRAM signal is turned ON, an enable signal is generated, and this enable signal is supplied to the address bus output unit 141b and the data bus output unit 142c. When the enable signal is turned ON, the address bus output unit 142b and the data bus output unit 142c output, for example, rake data (predetermined data) including fixed data such as 0x0000 and 0xFFFF to the address bus 15 and the data bus 16, respectively. To do.

  On the other hand, when the microprocessor 10 outputs the address value of the data to be read to the address bus 15, the corresponding data in the external flash ROM 12 or the external RAM 13 is output to the data bus 16. In this case, two types of data (signals) of output data and break data collide with each other and propagate through the address bus 15 and the data bus 16 as shown in (e) and (f) of FIG. Address data and output data values are indefinite. Therefore, the microprocessor 10 cannot perform normal reading. As described above, the debugger 2 such as JTAG-ICE can protect the data including the program held in the external flash ROM 12 or the external RAM 13 by using the reading function of the microprocessor 10 and prevent reading. I can do it.

  The debugger 2 is a tool that supports program development by reading data held by the external flash ROM 12 or the external RAM 13 by using the data reading function of the microprocessor 10. Therefore, for example, the connection detection unit 141 has a configuration (command receiving unit) that receives and holds a predetermined command from the debugger 2 via the JTAG port 11, and outputs break data based on the held predetermined command. Can be prevented so that debugging work by maintenance personnel of the manufacturer is not hindered.

  The predetermined command used in this case is a secret command that cannot be known by a third party, and is programmed and registered in advance in the command receiving means (in the PLD 14). The command receiving means acts on the bus output unit 142 to hold the command and prevent the output of break data when the previously registered command matches the command received via the JTAG port 11. For this, the connection detection signal 14a of the connection detection unit 141 may be turned off, or a mask signal may be given to the bus output unit 142 so that the enable signal 14b is not output.

  In addition, a timer is provided in the command receiving means so that a predetermined command is divided into a first command and a second command to be managed, and a predetermined command is received after the connection detection unit 141 receives the first command. It is possible to adopt a configuration in which holding of a predetermined command is permitted by receiving the second command within a predetermined time. As a result, it is possible to suppress output of break data to the address bus 15 and the data bus 16 due to accidental coincidence of command transmission based on trial and error by a third party. As for the first command and the second command, both may be the same command or different commands. When both are managed as the same command, the second command is received within, for example, 10 seconds after detecting a match between the first command and the command registered in advance in the command receiving means. What is necessary is just to hold | maintain a command by the 2nd command and the command previously registered into the said command receiving means being in agreement. The operation on the bus output unit 142 is the same as described above.

  On the other hand, if each of the first command and the second command is registered in advance in the command receiving means (in the PLD 14), the first command and the second command can be managed as different commands. In this case, the second command is received within, for example, 10 seconds after the first command registered in the receiving means and the first command received via the JTAG port 11 are detected. The command (first command or second command) may be held by matching the second command with the second command registered in advance in the receiving means. The operation on the bus output unit 142 is the same as described above.

  As described above, the break data output is canceled by receiving the multistage command, so that a break to the address bus 15 or the data bus 16 due to a coincidence of command transmission based on trial and error by a third party can be achieved. Data output blocking can be further suppressed.

  In the configuration shown in FIG. 2, when both the connection detection signal indicating that the debugger 2 is connected and the access control signal from the microprocessor 10 are valid, a break is caused with respect to the address bus 15 or the data bus 16. Although the bus output unit 142 that outputs data is described as being configured by the PLD 14, it can be replaced by a memory such as a ROM, a flash memory, or a RAM instead of the PLD. An example of the internal configuration of the bus output unit 142 in this case is shown in FIG.

Referring to FIG. 5, the bus output unit 142 includes a select port 142d that receives a connection detection signal and selects itself, a control port 142e that receives a READ signal from the microprocessor 10 that is an access control signal, and a select port. The storage unit includes a port 142d and an output port 142f that outputs data when both of the access control signals are turned on. Even with this configuration, it is possible to realize a mechanism for destroying data propagating through the address bus 15 or the data bus 16 by causing the break data to collide with the data output by the READ. Reading of data including programs from the flash ROM 12 and the external RAM 13 can be prevented.
(Modification of the embodiment)
In the above-described semiconductor integrated circuit according to the present embodiment, the PLD 14 causes the connection detection unit 141 to output a connection detection signal and the bus output unit 142 to output a READ signal when the debugger 2 is connected to the JTAG port 11. Although the description has been made on the assumption that the break data including the fixed data is output to the address bus 15 and the data bus 16 by being turned on, any value may be used as the break data. In this case, it is particularly convenient if adjacent bits have different values.

  That is, the address bus 15 and the data bus 16 that connect the microprocessor 10 to the external flash ROM 12 or the external RAM 13 have a parallel bus configuration in which a plurality of lines are connected in parallel. For this reason, when the contents of a plurality of bits propagating through the parallel bus are simultaneously switched, a large current change occurs due to this. The high-frequency current flowing at this time is concentrated on the power supply and ground of various LSIs including the microprocessor 10 to generate potential fluctuations. When the power supply voltage of the LSI or the like fluctuates due to this potential fluctuation, the output current of a bus driver (not shown) changes and the signal rise time of the receiver changes, and as a result, the signal timing between signal transmission and reception shifts. In extreme cases, malfunctions may occur due to fluctuations in the threshold. Therefore, switching is suppressed at the same time by making the values of adjacent bits different, and malfunction can be avoided.

  In addition, according to the present embodiment, the bus output control unit 142a determines that both the address bus output unit 142b and the data bus output unit 142c are satisfied when the condition (both the connection detection signal and the access control signal are ON) is satisfied. The enable signal is supplied to both the address bus 15 and the data bus 16, but in this case, the present invention can be realized only by enabling one of them.

  In addition, according to the present embodiment, the data including the program output to the address bus 15 and the data bus 16 is destroyed by colliding with the break data to be an indeterminate value. When it is established, a reset signal is supplied to the microprocessor 10 for initialization, thereby preventing data including a program from being read via the JTAG interface.

  In this case, the bus output unit 142 receives the connection detection signal output from the connection detection unit 141 and the access control signal (READ) output from the microprocessor 10 to the external flash ROM 12 or the external RAM 13. When the connection detection signal and the access control signal are turned on, hardware for supplying a reset signal to the microprocessor 10 is added. However, even in this case, if tracing is performed by connecting a logic analyzer or the like to the bus, it cannot be denied that the program and data output to the bus can be read. However, since the program is started from the initial routine every time the microprocessor 10 is reset, the program is rarely read continuously. Therefore, it is an effective means from the viewpoint of protecting the program.

  In the present embodiment, the external flash ROM 12 or the external RAM 13 is used as the memory connected to the microprocessor 10 via the address bus 15 and the data bus 16. If the data set in the volatile memory such as a register is to be protected, a chip select signal output to the LSI is supplied to the bus output unit 142 (bus output control unit 142a). A similar effect can be obtained.

In this case as well, the bus output unit 142 is connected to the address bus 15 and the data bus when the connection detection signal indicating that the debugger 2 is connected and the access control signal (READ) from the microprocessor 10 are both valid. 16 outputs break data. For this reason, the output data held in the volatile memory and output to the address bus 15 or the data bus 16 collide with the break data, so that the data propagating through the address bus 15 or the data bus 16 is destroyed and becomes indefinite. Become. Therefore, it is possible to protect a program or data that is at least a partial copy of the nonvolatile memory held in the volatile memory connected to the microprocessor 10 via the address bus 15 or the data bus 16. Note that the volatile memory used here may include a high-speed memory such as a cache in which an SRAM or the like is mounted in addition to the above-described registers built in the LSI.
(Effect of embodiment)
As described above, according to the semiconductor integrated circuit of this embodiment, the microprocessor 10 equipped with a debug interface such as JTAG is connected to the external flash ROM 12 or the external device via the address bus 15 and the data bus 16, for example. Even in the case where the RAM 13 is connected, it is possible to prevent reading of data including a program held in the external flash ROM 12 or the external RAM 13 and further reading of data held in a register built in the microprocessor 10. Further, even when the semiconductor integrated circuit according to the present embodiment is applied to an embedded system such as the control device 1 of the power conversion device, the operation clock of the microprocessor 10 is increased, and the signal to the external flash ROM 12 or the external RAM 13 is transmitted. In order to realize data protection including a program without inserting an element for increasing the delay in the middle of a signal line inputted to the external flash ROM 12 or the external RAM 13 in recent years, the required specification for the delay has become strict. High performance embedded system can be provided.
(Data leakage prevention method)
In addition, the data leakage prevention method according to the present embodiment includes, for example, a memory (external flash ROM 12 and external RAM 13) in which data including a program is stored, and a bus (address) to this memory, as shown in FIG. A semiconductor integrated circuit which is connected via a bus 15 and a data bus 16) and which has a microprocessor 10 for executing the program and a connection part (JTAG port 11) to which a debugger 2 for supporting debugging of the program is connected. This is a data leakage prevention method.

  Then, a first step of turning on the connection detection signal when it is detected that the debugger is connected to the connection unit, and an access control signal to the memory output from the microprocessor (when the connection detection signal is on) (READ) is turned on, break data is output to the bus. When the access control signal is turned on, the break data and the data output to the bus by the memory collide with each other, and the data propagated to the bus is undefined. 2 steps.

  As described above, according to the data leakage prevention method according to the present embodiment, when both the connection detection signal indicating that the debugger 2 is connected and the access control signal from the microprocessor 10 are valid, Since the break data is output, the break data and the output data held in the memory and output to the bus collide, so that the data propagating on the bus is destroyed and becomes indefinite. Therefore, it is possible to protect the programs and data held in the memory connected to the microprocessor 10 via the bus. In addition, instead of making the break data output to the bus and the output data from the memory collide with an indefinite value, the same condition (connection detection signal indicating that the debugger 2 is connected and access from the microprocessor 10) The same effect can be obtained by supplying a reset signal to the microprocessor 10 when both control signals are valid.

  As mentioned above, although this embodiment was described, it cannot be overemphasized that the technical scope of this invention is not limited to the range as described in the said embodiment. It will be apparent to those skilled in the art that various modifications or improvements can be added to the above embodiment. Further, it is apparent from the scope of the claims that the embodiments added with such changes or improvements can be included in the technical scope of the present invention.

1..Control device, 2..Debugger (JTAG-ICE), 10..Microprocessor, 11..JTAG port (connection part), 12..External flash ROM, 13..External RAM, 14 ... PLD (Program Logic Device), 15 ··· Address bus, 16 ··· Data bus, 141 ··· Connection detection unit, 142 ··· Bus output unit, 142a ··· Bus output control unit, 142b · · · Address bus output unit, 142c ..Data bus output section, 142d ..Select port, 142e ..Control port, 142f ..Output port

Claims (15)

In a semiconductor integrated circuit in which a memory holding data including a program and a microprocessor are connected via a bus,
A connection part to which a debugger supporting the debugging of the program is connected;
A connection detection unit that turns on a connection detection signal when detecting that the debugger is connected to the connection unit;
When this connection detection signal is on,
When the access control signal to the memory output from the microprocessor is turned on, break data is output to the bus, and when the break data and the access control signal are turned on, the memory outputs to the bus. A bus output unit that collides with the data and makes the data propagating to the bus undefined;
A semiconductor integrated circuit comprising: The semiconductor integrated circuit according to claim 1,
The bus is a parallel bus composed of a plurality of bits,
The break data is a semiconductor integrated circuit characterized in that adjacent bits have different values. The semiconductor integrated circuit according to claim 1 or 2,
The semiconductor integrated circuit according to claim 1, wherein the bus is an address bus or a data bus. The semiconductor integrated circuit according to claim 1, wherein the bus output unit is
A semiconductor integrated circuit connected to the bus via a current suppressing means. The semiconductor integrated circuit according to any one of claims 1 to 4,
The connection detection unit or the bus output unit is
A semiconductor integrated circuit comprising a programmable logic device programmed in a predetermined language. The semiconductor integrated circuit according to any one of claims 1 to 4,
The bus output unit is
Storage means having a select port selected by itself, a control port that receives the access control signal, and an output port that outputs the break data when both the select port and the access control signal are enabled Consists of
A semiconductor integrated circuit, wherein the connection detection signal is connected to the select port, the control signal is connected to the control port, and the output port is connected to the bus. The semiconductor integrated circuit according to any one of claims 1 to 5,
The connection detection unit
A semiconductor integrated circuit comprising command receiving means for receiving and holding a command from the debugger via the connection unit and turning off the connection detection signal based on the held command. The semiconductor integrated circuit according to claim 7.
The command includes a first command and a second command,
The command receiving means includes
A semiconductor integrated circuit, wherein the first command or the second command is held as the command by receiving the second command within a predetermined time after receiving the first command. In a semiconductor integrated circuit in which a memory holding data including a program and a microprocessor are connected via a bus,
A connection part to which a debugger supporting the debugging of the program is connected;
A connection detection unit that turns on a connection detection signal when detecting that the debugger is connected to the connection unit;
When this connection detection signal is on,
A bus output unit for supplying a reset signal to the microprocessor when an access control signal to the memory output from the microprocessor is turned on;
A semiconductor integrated circuit comprising: A nonvolatile memory in which data including a program is held, a volatile memory, and a microprocessor are connected via a bus, and the volatile memory includes at least a part of the data held in the nonvolatile memory. In a semiconductor integrated circuit in which a copy is held,
A connection part to which a debugger supporting the debugging of the program is connected;
A connection detection unit that turns on a connection detection signal when detecting that the debugger is connected to the connection unit;
When this connection detection signal is on,
When the access control signal to the nonvolatile memory or the volatile memory output from the microprocessor is turned on, break data is output to the bus, and the break data and the access control signal are turned on. A bus output unit that collides with the data output to the bus by the non-volatile memory or the volatile memory, and makes the data propagated to the bus undefined;
A semiconductor integrated circuit comprising: A semiconductor integrated circuit comprising: a memory holding data including a program; a microprocessor connected to the memory via a bus and executing the program; and a connection unit to which a debugger supporting the debugging of the program is connected. A method for preventing data leakage in a circuit,
A first step of turning on a connection detection signal when detecting that the debugger is connected to the connection unit;
When this connection detection signal is on,
When the access control signal to the memory output from the microprocessor is turned on, break data is output to the bus, and when the break data and the access control signal are turned on, the memory outputs to the bus. A second step of colliding with the data and making the data propagating to the bus undefined;
A data leakage prevention method characterized by comprising: The data leakage prevention method according to claim 11,
In the first step,
A data leakage prevention method comprising: a first sub-step of receiving and holding a command from the debugger via the connection unit and turning off the connection detection signal based on the held command. The data leakage prevention method according to claim 12,
The command includes a first command and a second command,
In the first sub-step,
A data leakage prevention method, wherein the first command or the second command is held as the command by receiving the second command within a predetermined time after receiving the first command. A semiconductor integrated circuit comprising: a memory holding data including a program; a microprocessor connected to the memory via a bus and executing the program; and a connection unit to which a debugger supporting the debugging of the program is connected. A data leakage method in a circuit,
Detecting that the debugger is connected to the connection unit and turning on a connection detection signal;
When this connection detection signal is on,
Supplying a reset signal to the microprocessor by turning on an access control signal to the memory output from the microprocessor;
A data leakage prevention method characterized by comprising: A nonvolatile memory in which data including a program is held, a volatile memory, and a microprocessor are connected via a bus, and the volatile memory includes at least a part of the data held in the nonvolatile memory. A method of preventing data leakage in a semiconductor integrated circuit in which a copy is held,
Detecting that the debugger is connected to the connection unit and turning on the connection detection signal;
When this connection detection signal is on,
When the access control signal to the nonvolatile memory or the volatile memory output from the microprocessor is turned on, break data is output to the bus, and the break data and the access control signal are turned on. Colliding with the data that the non-volatile memory or the volatile memory outputs to the bus, and making the data propagated to the bus undefined;
A data leakage prevention method characterized by comprising: