TW200422849A - Exception types within a secure processing system - Google Patents

Info

Publication number
TW200422849A
Authority
TW (Taiwan)
Prior art keywords
security, mode, exception, processor, secure
Application number
TW92132189A
Other languages
Chinese (zh)
Other versions
TWI292099B (en)
Inventors
Simon Charles Watt, Christopher Bentley Dornan, Luc Orion, Nicolas Chaussade, Lionel Belnet, Stephane Eric Sebastien Brochier
Original assignee
Advanced Risc Mach Ltd
Priority claimed from
GB0226905A, GB0226902A, GB0303449A
Application filed by Advanced Risc Mach Ltd
Publication of TW200422849A
Application granted
Publication of TWI292099B

Landscapes

  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

There is provided a data processing system comprising: a processor operable in a plurality of modes and in either a secure domain or a non-secure domain, including: at least one secure mode, being a mode in said secure domain; and at least one non-secure mode, being a mode in said non-secure domain; wherein when said processor is executing a program in a secure mode said program has access to secure data which is not accessible when said processor is operating in a non-secure mode; said processor is responsive to one or more exception conditions for triggering exception processing using an exception handler, said processor being operable to select said exception handler from among a plurality of possible exception handlers in dependence upon whether said processor is operating in said secure domain or said non-secure domain.

Description

Technical field of the invention

This invention relates to data processing systems. More particularly, it relates to data processing systems that operate in a secure domain and a non-secure domain, in which transitions between those domains are to be made in a controlled manner.

Prior art

For executing the applications loaded onto an information processing apparatus, a typical data processing apparatus includes a processor. The processor is operated under the control of an operating system. The data required to execute any particular application is usually stored in a memory of the apparatus. It will be appreciated that the data may comprise the instructions contained within the application and/or the actual data values used by the processor during execution of those instructions.

There are many instances in which at least some of the data used by these applications is sensitive data that should not be accessible by other applications able to execute on the processor. As an example, the apparatus may be a smart card and one of the applications a security application that uses sensitive data, for example a secure key, to perform validation, authentication, decryption and the like. In such cases it is clearly important to ensure that such sensitive data is kept secure, so that it cannot be accessed by other applications that may be loaded onto the apparatus, for example a hacking application loaded in an attempt to access that secure data.

In known systems it has usually been the job of the operating system developer to ensure that the operating system provides sufficient security, so that the secure data of one application cannot be accessed by other applications running under the control of that operating system. However, as systems become more complex the general trend is for operating systems to become larger and more complex, and in that situation it becomes increasingly difficult for the operating system itself to ensure sufficient security.

Examples of systems that seek to provide secure storage for sensitive data and protection against malicious program code are discussed in US patent application US 2002/0007456 A1 and US patents US 6,292,874 B and US 6,282,657 B.

There is therefore a need for an improved technique for maintaining the security of such secure data held within the memory of a data processing apparatus.

Summary of the invention

One aspect of the present invention provides an apparatus for processing data, the apparatus comprising:
a processor operable in a plurality of modes and in one of a secure domain and a non-secure domain, including:
at least one secure mode, being a mode in said secure domain; and
at least one non-secure mode, being a mode in said non-secure domain;
wherein

when said processor is executing a program in a secure mode, said program has access to secure data that is not accessible when said processor is operating in a non-secure mode;
said processor is responsive to one or more exception conditions to trigger exception processing using an exception handler, said processor being operable to select said exception handler from among a plurality of possible exception handlers in dependence upon whether said processor is operating in said secure domain or said non-secure domain.

The present invention recognises the potential security weaknesses that can arise from exception handling within a secure system. It addresses them by providing a system with a combination of one or more exceptions that can be selectively directed to either a secure or a non-secure exception handler, and one or more exceptions that are directed to a dedicated one of the non-secure and secure exception handlers. Providing selectable exceptions gives the desired degree of flexibility in exception handling, so that the needs of various operating systems and the like can be accommodated, while dedicated exceptions provide a restricted and well-defined response to a particular exception in a way that is harder to subvert. As an example, a secure watchdog timer can be associated with a dedicated exception that is guaranteed to be handled by a secure exception handler, so that the periodic security checks triggered by the watchdog timer cannot be locked out.

The invention is well suited to combination with a monitor mode, whereby all transitions between the secure domain and the non-secure domain must pass through a monitor mode that is responsible for security-related activities, such as clearing register values on a transition.

Preferred examples of dedicated exceptions in the invention are a secure interrupt signal exception, a mode-switching software interrupt signal and a reset exception. Preferred examples of selectable exceptions are an interrupt signal exception, a software interrupt signal, an undefined instruction exception, a prefetch abort exception, a data abort exception and a fast interrupt signal exception.

Another aspect of the present invention provides a method of processing data, the method comprising the steps of:
executing a program using a processor operable in a plurality of modes and in one of a secure domain and a non-secure domain, including:
at least one secure mode in said secure domain; and
at least one non-secure mode in said non-secure domain;
wherein
when said processor is executing a program in a secure mode, said program has access to secure data that is not accessible when said processor is operating in a non-secure mode;
in response to one or more exception conditions, exception processing is triggered using an exception handler; wherein
at least one of said exceptions is a selectable exception, handled by a selected one of a non-secure exception handler operating in a non-secure mode and a secure exception handler operating in a secure mode; and
at least one of said exceptions is a dedicated exception, handled by a dedicated one of a non-secure exception handler operating in a non-secure mode and a secure exception handler operating in a secure mode.

Embodiments

Figure 1 is a block diagram illustrating a data processing apparatus in accordance with a preferred embodiment of the present invention. The data processing apparatus incorporates a processor core 10, within which is provided an arithmetic logic unit (ALU) 16 arranged to execute a sequence of instructions. The data required by the ALU 16 is stored in a register bank 14. The core 10 is provided with various monitoring functions for capturing diagnostic data indicative of the activity of the processor core. As an example, an Embedded Trace Module (ETM) 22 is provided to produce a real-time trace of certain activities of the processor core, in dependence upon the contents of certain control registers 26 within the ETM 22 that define the activities to be traced. The trace signals are typically output to a trace buffer, from which they can subsequently be analysed. A vectored interrupt controller 21 is provided to manage the servicing of a plurality of interrupts that may be raised by various peripherals (not described further here).

Further, as shown in Figure 1, another monitoring function that can be provided within the core 10 is a debug function, whereby a debug application external to the data processing apparatus can communicate with the core 10 via a Joint Test Access Group (JTAG) controller 18 connected to one or more scan chains 12. Information about the status of various parts of the processor core 10 can be output to the external debug application via the scan chains 12 and the JTAG controller 18. An In Circuit Emulator (ICE) 20 is used to store, within registers 24, conditions identifying when the debug function should start and stop, and hence is used, for example, to store breakpoints, watchpoints and the like.

The core 10 is coupled to a system bus 40 via memory management logic 30, which is arranged to manage the memory access requests issued by the core 10 for accessing memory locations of the data processing apparatus. Certain parts of the memory may be embodied by memory units connected directly to the system bus 40, for example the cache 38 and the Tightly Coupled Memory (TCM) 36 shown in Figure 1. Additional devices may also be provided for accessing such memory, for example a Direct Memory Access (DMA) controller 32. Typically, various control registers 34 will be provided for defining certain control parameters of the various elements of the chip; here these control registers are also referred to as coprocessor 15 (CP15) registers.

The chip containing the core 10 may be coupled via an external bus interface 42 to an external bus 70 (for example a bus operating in accordance with the "Advanced Microcontroller Bus Architecture" (AMBA) specification developed by ARM Limited), and various devices may be connected to the external bus 70. These devices may include master devices such as a digital signal processor (DSP), and various slave devices such as a boot ROM 44, a screen driver 46, an external memory 56, an input/output (I/O) interface 60 or a key storage unit 64. The various slave devices shown in Figure 1 can all be considered as forming part of the overall memory of the data processing apparatus. For example, the boot ROM 44 forms part of the addressable memory of the apparatus, as does the external memory 56. Further, devices such as the screen driver 46, the I/O interface 60 and the key storage unit 64 each include independently addressable internal storage elements, for example registers or buffers 48, 62, 66, which form part of the overall memory of the apparatus. As will be discussed in more detail later, a part of the memory, for example a part of the external memory 56, is used to store one or more page tables 58 defining information relevant to memory access control.

Those skilled in the art will appreciate that the external bus 70 is typically provided with arbiter and decoder logic 54; the arbiter is used to arbitrate between the memory access requests issued by a plurality of master devices, for example the core 10, the DMA 32, the DSP 50, the DMA 52 and so on, while the decoder is used to determine which slave device on the external bus should handle any particular memory access request.

In some embodiments the external bus may be provided externally to the chip containing the core 10, while in other embodiments the external bus is provided on-chip with the core 10. The latter has the benefit of keeping secure data on the external bus more secure than when the external bus is off-chip; when the external bus is off-chip, data encryption techniques may be used to improve the security of the secure data.

Figure 2 illustrates various programs running on a processing system having a secure domain and a non-secure domain. The system is provided with a monitor program 72 that executes at least partly in a monitor mode. In this example embodiment the security status flag is write-accessible only within the monitor mode and may be written by the monitor program 72. The monitor program 72 is responsible for managing all transitions, in either direction, between the secure domain and the non-secure domain. From a view external to the core, the monitor mode is always secure and the monitor program resides in secure memory.

Within the non-secure domain there is provided a non-secure operating system 74 and a plurality of non-secure application programs 76, 78 that execute in cooperation with the non-secure operating system 74. In the secure domain there is provided a secure kernel program 80. The secure kernel program 80 can be considered to form a secure operating system. Typically such a secure kernel program 80 is designed to provide only those functions that are essential to the processing activities it must support, so that the secure kernel 80 can be as small and simple as possible, since this makes it easier to ensure its security. A plurality of secure applications 82, 84 are shown executing in combination with the secure kernel 80.

Figure 3 illustrates a matrix of processing modes associated with the different security domains. In this particular example the processing modes are symmetrical with respect to the security domain, and accordingly Mode 1 and Mode 2 exist in both secure and non-secure forms.

The monitor mode has the highest level of security access in the system and, in this example embodiment, is the only mode entitled to switch the system in either direction between the non-secure domain and the secure domain. Thus all domain switches take place via the monitor mode and the execution of the monitor program 72 within the monitor mode.

Figure 4 illustrates a different set of non-secure domain processing modes 1, 2, 3, 4 and secure domain processing modes a, b, c. In contrast to the symmetrical arrangement of Figure 3, Figure 4 illustrates that some processing modes may not be present in one or other of the security domains. The monitor mode 86 is again shown as straddling the non-secure domain and the secure domain. The monitor mode 86 can be regarded as a secure processing mode, since the security status flag may be changed in this mode and the monitor program 72 in the monitor mode has the ability to set the security status flag itself, so that overall it effectively provides the ultimate level of security within the system.

Figure 5 illustrates another arrangement of processing modes with respect to the security domains. In this arrangement both the secure and non-secure domains are identified, together with a further domain. The further domain may be one that is so isolated from the other parts of the system that it does not need to interact with either the secure domain or the non-secure domain, and accordingly the question of which of those domains it belongs to is not relevant.

It will be appreciated that a processing system such as a microprocessor is normally provided with a register bank 88 in which operand values may be stored. Figure 6 illustrates a programmer's model view of an example register bank with dedicated registers provided for certain register numbers in certain processing modes. In particular, the example of Figure 6 is an extension of the known ARM register bank (for example as provided in the ARM 7 processor of ARM Limited, Cambridge, England), which provides a dedicated saved program status register, a dedicated stack pointer register and a dedicated link register R14 for each processing mode, but in this case extended by the provision of a monitor mode. As shown in Figure 6, the fast interrupt mode has additional dedicated registers so that, on entering the fast interrupt mode, the register state does not need to be saved and then restored from other modes. In alternative embodiments the monitor mode may likewise be provided with dedicated further registers, in a manner similar to the fast interrupt mode, in order to speed up the processing of a secure domain switch and reduce the system latency associated with such switches.

Figure 7 illustrates another embodiment in which the register bank 88 is provided in the form of two complete and separate register banks, one for the secure domain and one for the non-secure domain. This approach keeps secure data stored in registers that are operable in the secure domain from becoming accessible when a switch is made to the non-secure domain. However, it hinders the possibility of passing data from the non-secure domain to the secure domain, when this is permitted and desired, by the fast and efficient mechanism of placing it in registers that are accessible in both the non-secure domain and the secure domain.

An important advantage of having a secure register bank is that it avoids the need to flush the register contents before switching from one world to the other. If latency is not a critical issue, a simpler hardware system without duplicated registers for the secure domain context may be used, as in Figure 6. The monitor mode is responsible for switching from one domain to the other. Restoring the context, saving the previous context and flushing the registers are performed by a monitor program executing at least partly in the monitor mode. The system thus behaves like a virtualisation model. Embodiments of this type are discussed further below. When discussing security features here, reference should be made to, for example, the ARM 7 programmer's model.

Processor Modes

Instead of a plurality of modes in the secure world, the same modes support both the secure and non-secure domains (see Figure 8). The monitor mode knows the current state of the core, whether secure or non-secure (for example by reading the stored S bit, which is a coprocessor configuration register).

In Figure 8, whenever an SMI (Software Monitor Interrupt instruction) occurs, the core enters the monitor mode in order to switch appropriately from one world to the other.

Referring to Figure 9, in which SMIs are allowed in user mode:

1. The scheduler launches thread 1.
2. Thread 1 needs to perform a secure function ==> SMI secure call; the core enters monitor mode. The hardware stores the current PC in R14_mon and the CPSR (current processor status register) in SPSR_mon (the saved processor status register for the monitor mode), and disables the IRQ/FIQ interrupts.
3. The monitor program performs the following tasks:
• Sets the S bit (security status flag).
• Saves at least R14_mon and SPSR_mon on a stack, so that the non-secure context is not lost if an exception occurs while the secure application is executing.
• Checks whether there is a new thread to launch: secure thread 1. A mechanism (in some example embodiments a thread ID table) indicates that thread 1 is active in the secure world.
• Re-enables the IRQ/FIQ interrupts. The secure application can now start in secure user mode.
4. Secure thread 1 executes to completion and then branches (via an SMI) to the "return from secure" function of the monitor program mode (the IRQ/FIQ interrupts are disabled when the core enters monitor mode).
5. The "return from secure" function performs the following tasks:
• Indicates that secure thread 1 is finished (for example, in the case of a thread ID table, removes thread 1 from the table).
• Restores the non-secure context from the stack and flushes the required registers, so that no secure data can be read once the non-secure domain is returned to.
• Then branches back to the non-secure domain with a SUBS instruction (which restores the program counter to the correct point and updates the status flags), restoring the PC (from the restored R14_mon) and the CPSR (from SPSR_mon). The return point in the non-secure domain is therefore the instruction after the SMI instruction previously executed by thread 1.
6. Thread 1 executes to the end and then hands back to the scheduler.

Some of the above functionality may be split between the monitor program and the secure operating system, depending on the particular embodiment.

In other embodiments it may be required that SMIs are not allowed in user mode.

Entering the secure world

Reset

When a hardware reset occurs, the MMU is disabled and the ARM core (processor) branches to the secure supervisor mode with the S bit set. Once the secure boot has finished, an SMI to the monitor mode may be executed if desired, and the monitor can switch to the OS in the non-secure world (non-secure svc mode). If it is desired to use the previous OS, it can simply start in the secure supervisor mode and ignore the secure state.

SMI instruction

This instruction (a mode-switching software interrupt instruction) can be called from any non-secure mode within the non-secure domain (as mentioned above, it may be desired to restrict SMIs to privileged modes), but the target entry point, determined by the associated vector, is always fixed and lies within the monitor mode. It is up to the SMI handler to branch to the appropriate secure function that must be executed (for example as controlled by an operand passed with the instruction).

Passing parameters from the non-secure world to the secure world can be performed using the shared registers within a register bank of the Figure 6 type.

When an SMI occurs in the non-secure world, the ARM core may perform the following actions in hardware:
• Branch to the SMI vector (in secure memory, access to which is allowed because the core is now in monitor mode) in monitor mode.
• Save the PC into R14_mon and the CPSR into SPSR_mon.
• Start executing the secure exception handler in monitor mode (restoring/saving the context if there are multiple threads).
• Branch to secure user mode (or another mode, such as svc mode) to perform the appropriate function.
• IRQ and FIQ are disabled while the core is in monitor mode (latency increases).

Exiting the secure world

There are two possibilities for leaving the secure world:
• The secure function has finished and we return to the non-secure mode that previously called the function.
• The secure function is interrupted by a non-secure exception (for example IRQ/FIQ/SMI).

Normal end of the secure function

The secure function terminates normally and we need to resume the application in the non-secure world at the instruction immediately following the SMI. In secure user mode an "SMI" instruction is executed to return to monitor mode with the appropriate parameters corresponding to the "return from secure world" routine. At this stage the registers are flushed to avoid any leakage of data between the non-secure and secure worlds, then the general-purpose registers of the non-secure context are restored and the non-secure banked registers are updated with the values they had in the non-secure world. R14_mon and SPSR_mon thus obtain the appropriate values to resume the non-secure application after the SMI, by executing a "MOVS PC, R14" instruction.

Exit of the secure function due to a non-secure exception

In this case the secure function is not finished, and the secure context must be saved before entering the non-secure exception handler, whatever interrupts need to be handled.

Secure interrupts

There are several possibilities for secure interrupts. Two possible solutions are proposed, based on the following two points:
• What kind of interrupt it is (secure or non-secure).
• What mode the core is in when the IRQ occurs (in the secure or in the non-secure world).

Solution one

In this solution, secure and non-secure interrupts need to be supported in two different ways.

When in the non-secure world, if
• an IRQ occurs, the core enters IRQ mode to handle the interrupt, as in an ARM core such as the ARM 7.
• a SIRQ occurs, the core enters monitor mode to save the non-secure context, then enters a secure IRQ handler to handle the secure interrupt.

When in the secure world, if
• a SIRQ occurs, the core goes directly to the secure IRQ handler. The core does not leave the secure world.
• an IRQ occurs, the core enters monitor mode, where the secure context is saved, and then enters a non-secure IRQ handler to handle the non-secure interrupt.

In other words, when an interrupt that does not belong to the current world occurs, the core goes directly to monitor mode; otherwise it stays in the current world (see Figure 10).

IRQ occurring in the secure world

Refer to Figure 11A:

1. The scheduler launches thread 1.
2. Thread 1 needs to perform a secure function => SMI secure call; the core enters monitor mode. The current PC and CPSR are stored in R14_mon and SPSR_mon, and IRQ/FIQ are disabled.
3. The monitor handler (program) performs the following tasks:
• Sets the S bit.
• Saves at least R14_mon and SPSR_mon on a stack (possibly other registers too), so that the non-secure context is not lost if an exception occurs while the secure application is executing.
• Checks whether there is a new thread to launch: secure thread 1. A mechanism (a thread ID table) indicates that thread 1 is active in the secure world.
• The secure application can now start in secure user mode. IRQ/FIQ are then re-enabled.
4. While secure thread 1 is executing, an IRQ occurs. The core jumps directly to monitor mode (dedicated vector) and stores the current PC in R14_mon and the CPSR in SPSR_mon in monitor mode (IRQ/FIQ are then disabled).
5. The secure context must be saved and the previous non-secure context restored. The monitor handler must enter IRQ mode to update R14_irq/SPSR_irq with the appropriate values, and then pass control to the non-secure IRQ handler.
6. The IRQ handler services the IRQ and then gives control back to thread 1 in the non-secure world. By restoring SPSR_irq and R14_irq to the CPSR and PC, thread 1 now points to the SMI instruction that was interrupted.
7. The SMI instruction is re-executed (the same instruction as in 2).
8. The monitor handler sees that this thread was previously interrupted and restores the thread 1 context, then branches to secure thread 1 in user mode, pointing to the instruction that was interrupted.
9. Secure thread 1 executes until it completes, then branches to the "return from secure" function in monitor mode (dedicated SMI).
10. The "return from secure" function performs the following tasks:
• Indicates that secure thread 1 is finished (for example, in the case of a thread ID table, removes thread 1 from the table).
• Restores the non-secure context from the stack and flushes the required registers, so that no secure data can be read once the non-secure world is returned to.
• Branches back to the non-secure world with a SUBS instruction, restoring the PC (from the restored R14_mon) and the CPSR (from SPSR_mon). The return point in the non-secure world should therefore be the instruction after the SMI previously executed in thread 1.
11. Thread 1 executes to the end and then hands control back to the scheduler.

SIRQ occurring in the non-secure world

Refer to Figure 11B:

1. The scheduler launches thread 1.
2. While thread 1 is executing, a SIRQ occurs. The core jumps directly to monitor mode (dedicated vector) and stores the current PC in R14_mon and the CPSR in SPSR_mon in monitor mode, then disables IRQ/FIQ.
3. The non-secure context must be saved, and then the core enters the secure IRQ handler.
4. The IRQ handler services the SIRQ, then gives control back to the monitor mode handler with an SMI carrying the appropriate parameters.
5. The monitor handler restores the non-secure context, so that a SUBS instruction returns the core to the non-secure world and resumes the interrupted thread 1.
6. Thread 1 executes to the end and then hands control back to the scheduler.

The mechanism of Figure 11A has the advantage of providing a deterministic way of entering the secure world. However, there are some problems related to interrupt priorities: for example, while a SIRQ is being executed in the secure interrupt handler, a non-secure IRQ with a higher priority may occur. Once the non-secure IRQ has completed, the SIRQ event needs to be raised again before the core can resume the secure interrupt.

Solution two

In this mechanism (see Figure 12), two different pins, or only one, may support secure and non-secure interrupts. Using two pins reduces the interrupt latency.

When in the non-secure world, if
• an IRQ occurs, the core enters IRQ mode to handle the interrupt, as in an ARM7 system.
• a SIRQ occurs, the core enters the IRQ handler, where an SMI instruction makes the core branch to monitor mode to save the non-secure context, and then branch to a secure IRQ handler to service the secure interrupt.

When in the secure world, if
• a SIRQ occurs, the core enters the secure IRQ handler. The core does not leave the secure world.
• an IRQ occurs, the core enters the secure IRQ handler, where an SMI instruction makes the core branch to monitor mode (where the secure context is saved), and then enters a non-secure IRQ handler to handle the non-secure interrupt.

IRQ occurring in the secure world

Refer to Figure 13A:

1. The scheduler launches thread 1.
2. Thread 1 needs to perform a secure function ==> SMI secure call; the core enters monitor mode. The current PC and CPSR are stored in R14_mon and SPSR_mon, and IRQ/FIQ are disabled.
3. The monitor handler performs the following tasks:
• Sets the S bit.
• Saves at least R14_mon and SPSR_mon on a stack (other registers too), so that the non-secure context is not lost if an exception occurs while the secure application is executing.
• Checks whether there is a new thread to launch: secure thread 1. A mechanism (a thread ID table) indicates that thread 1 is active in the secure world.
• The secure application can now start in secure user mode. IRQ/FIQ are re-enabled.
4. While secure thread 1 is executing, an IRQ occurs. The core jumps directly to secure IRQ mode.
5. The core stores the current PC in R14_irq and the CPSR in SPSR_irq. The IRQ handler detects that this is a non-secure interrupt and executes an SMI with the appropriate parameters to enter monitor mode.
6. The secure context must be saved and the previous non-secure context restored. The monitor handler knows where the SMI came from by reading the CPSR. It can also enter IRQ mode to read R14_irq/SPSR_irq in order to save the secure context properly. It can also store in these same registers the non-secure context that must be restored once the IRQ routine has finished.
7. The IRQ handler services the IRQ and then gives control back to thread 1 in the non-secure world. By restoring SPSR_irq and R14_irq to the CPSR and PC, the core now points to the SMI instruction that was interrupted.
8. The SMI instruction is re-executed (the same instruction as in 2).
9. The monitor handler sees that this thread was previously interrupted and restores the thread 1 state. It then branches to secure thread 1 in user mode, pointing to the instruction that was interrupted.
10. Secure thread 1 executes until it completes, then branches to the "return from secure" function in monitor mode (dedicated SMI).
11. The "return from secure" function performs the following tasks:
• Indicates that secure thread 1 is finished (that is, in the case of a thread ID table, removes thread 1 from the table).
• Restores the non-secure context from the stack and flushes the required registers, so that no secure information can be read once we return to the non-secure world.
• Branches back to the non-secure world with a SUBS instruction, restoring the PC (from R14_mon) and the CPSR (from SPSR_mon). The return point in the non-secure world should be the instruction after the SMI previously executed in thread 1.
12. Thread 1 executes to the end and then hands back to the scheduler.
• Store at least R14-mon and SPSR-mon in the stack (also secure the 0, the control module, and the direct ί 10 sex call mon may 17 200422849 enter other logins) so that if an exception occurs during the execution of the security application So that you do n’t lose non-security content. * Check if there is a new thread to launch: Security thread 1. A mechanism (via the thread ID table) indicates that thread 1 is enabled in the security context. • The security application can now start in a security consumer mode. IRQ / FIQ is then enabled again. 4. When the security thread i executes, an IRQ occurs. The core directly jumps into the monitoring mode (exclusive vector) and the SP14-mon R14-mon and CPSR in the monitoring mode store the existing PC (then invalidate the IRQ / fiq). 5 · Security content must be stored to restore previous non-security content. The monitoring manager must enter the IRQ mode in advance, update R14-irq / SPSR-irq with appropriate values, and then pass control to the non-secure IRq manager. 6. The IRQ manager provides IRQ services and then passes control back to the thread in a non-security context1. By restoring SPRS_irq and R14 ″ rq to CPSR and PC, thread 1 now points to the interrupted SMI instruction. 7 · S MI instruction is executed again (same instruction as 2). 8. The monitoring manager detects the previously interrupted thread and restores the content of the thread 1 'and then develops a security thread 1 in the user mode to point to the interrupted instruction. 9. Safety Thread 1 runs until it is completed, and then develops the "Self-Safe Return" function in the age-controlled (exclusive to SMI). 1 〇 · The "Self-Return to Security" function performs the following tasks. 
18 200422849 • Indicates that security thread 1 is complete (for example, in the case of a thread lP table, remove thread 1 from the table) ° • Self-stacking non-security content restores and clears the required logins' as if no security data could be read once the non-security context was returned. • Return to the non-security situation with a SUBS instruction, (from R14-mon being restored) PC and (from SPSR — mon) CPSR. Then, the return point in a non-safety context should be the instruction following the previously executed SMI in bet 1. 11. Thread 1 executes to the end, and then returns control to the schedule. Please refer to Figure 11B for SIRO that occurs during non-security scams. 1 Schedule the execution of thread 1. 2. When security thread 1 executes, a SIRQ occurs. The core directly jumps to the monitoring mode (exclusive vector) and in the monitoring mode, R14_mon of SPSR_mon and CPSR store the existing PC, and then invalidate the IRQ / FIQ. 3 Non-secure content must be stored before the core enters the security IRQ manager. 4. The IRQ manager provides the siRQ service, and then returns control to the monitoring mode manager with an SMI with appropriate parameters. 5. The monitoring manager restores non-security content, so a SUBS instruction returns the core to the non-security context and resumes the interrupted thread i. 6 Execute thread 1 until the end, and then return control to the schedule. The mechanism of Figure ΠA has the advantage of providing a method of decision-making into the security context. 19 200422849 However, there are some issues related to interrupt priority: for example, when a SIRQ is executed in a secure interrupt manager, a non-secure IRQ with a higher priority may occur. Once the non-safety IRQ is completed and a SIRQ event needs to be generated again, the core can resume the safety interrupt. 
Solution two In this mechanism (please refer to Figure 12), two different or only one pin can support security and non-security interrupts. Two pins are used to reduce interrupt wait time. When in an unsafe situation, if an IRQ occurs, the core enters IRQ mode to handle the interrupt, as in an ARM7 system. • An SIRQ occurs and the core enters the IRQ manager. One of the SMI instructions will cause the core to develop a monitoring mode to store non-secure content, and then develop a secure IRQ manager to manage the security interrupt. When in a security context, if a SIRQ occurs, the core enters the security IRQ manager. The core does not exit the security context. • When an IRQ occurs, the core enters the security IRQ manager. One of the SMI instructions will cause the core to develop a monitoring mode (where the security content is stored), and then enter a non-security IRQ manager to handle the non-security by 20 200422849. Break. For IRQs that occur in a security situation, please refer to Figure 13 A: 1 • Schedule thread 1 to start. 2. Thread 1 needs to perform a security function == >! 5% 1 Security call 'core enters monitoring mode. The PC and CPSR are currently stored in R14_mon and SPSR_mon, invalidating IRQ / FIQ. 3. The monitoring manager performs the following tasks: • Setting the S bit. * Store at least R1 4_mon and SPSR_mon (the same is true for other logins) in a stack, so if an abnormality occurs during the execution of a security application, the non-security content will not be lost. #Check if there is a new thread to launch: Security thread 1. A mechanism (via the thread ID table) indicates that thread 1 is enabled in the security context. • The security application can now be started in a secure user mode. IRQ / FIQ is enabled again. 4. When security thread 1 executes, an IRQ occurs. The core jumps directly to the security IRQ mode. 5. The core stores the existing PC in R14-irq and SPSR-irq in CPSR. 
The IRQ manager detects it as a non-security interrupt and executes an SMI with the appropriate parameters to enter the monitor mode. 6 · Security content must be stored to restore previous non-security content. 21 200422849 The monitoring manager knows where the SMI comes from by reading the CP SR. It can also enter IRQ mode to read R14-IRQ / SPSR_irq to properly store security content. It can also store non-secure content that must be restored once the IRQ instance is completed in these same registries. 7. The IRQ manager provides IRQ services and then returns control to thread 1 in this non-security context. By restoring §PRg ”rq * R14” rq to CPSR and PC, the current core points to the interrupted SMI instruction. 8. Execute the SMI instruction again (such as the same instruction in 2). 9. The monitoring manager detects the previously interrupted thread and restores the state of the thread 1. It then developed security thread 1 in user mode, pointing to the interrupted instruction. I 〇 Safety thread 1 executes to its completion, and then develops "Self-Return"; a function in the monitoring mode (specialized in SMI). II · The "Self-Return to Security" function performs the following tasks: • Indicates that security thread 1 is complete (that is, in the case of a thread ID table, thread 1 is removed from the table). • Restore and clear required logins from stacked non-security content, so once we return to a non-security context, we cannot read any security information. Lu developed a SUBS instruction to return to the non-safety situation, restore the PC (from SPSR —mon) and restore the CPSR (from SPSR_mon). The return point in the non-safety situation should be after the previously executed SMI in thread 1. Instructions. 1 2 · Thread 1 executes until the end, and then returns to the schedule to take over. 22 200422849

SIRQ occurring in the non-secure context
Refer to Figure 13B:
1. The scheduler launches thread 1.
2. While thread 1 executes, a SIRQ occurs.
3. The core jumps directly to IRQ mode, storing the current PC in R14_irq and the CPSR in SPSR_irq, then disables IRQ. The IRQ handler detects that it is a SIRQ and executes an SMI instruction with the appropriate parameters.
4. Once in monitor mode, the non-secure context must be saved, then the core enters the secure IRQ handler.
5. The secure IRQ handler provides the SIRQ service routine, then hands control back to the monitor with an SMI carrying the appropriate parameters.
6. The monitor handler restores the non-secure context, so that a SUBS instruction returns the core to the non-secure context and resumes the interrupted IRQ handler.
7. At this point the IRQ handler can return to the non-secure thread by executing a SUBS.
8. Thread 1 executes to its end, then hands control back to the scheduler.

With the mechanism of Figure 12, there is no need to regenerate the SIRQ event in the case of multiple interrupts, but execution of the secure interrupt is not guaranteed.

Exception vectors
At least two physical vector tables are kept (although, viewed from a virtual address, they appear to be a single vector table): one in non-secure memory for the non-secure context, and one in secure memory for the secure context (not accessible from the non-secure context). The different virtual-to-physical memory mappings used for the secure and non-secure contexts effectively allow the same virtual memory address to access different vector tables stored in physical memory. Monitor mode always uses a flat memory mapping, providing a third vector table in physical memory.

If the interrupts follow the mechanism of Figure 12, each table would contain the following set of vectors, which are duplicated in secure and non-secure memory as shown in Figure 14.

Exception          Vector offset   Corresponding mode
Reset              0x00            Supervisor mode (S bit)
Undef              0x04            Monitor mode / Undef mode
SWI                0x08            Supervisor mode / Monitor mode
Prefetch Abort     0x0C            Abort mode
Data Abort         0x10            Abort mode
IRQ/SIRQ           0x18            IRQ mode
FIQ                0x1C            FIQ mode
SMI                0x20            Undef mode / Monitor mode

The Reset entry exists only in the secure vector table. When a reset is taken in the non-secure context, the core hardware forces entry into supervisor mode and sets the S bit, so that the reset vector can be accessed in secure memory.

Figure 15 illustrates three exception vector tables, applied respectively to a secure mode, a non-secure mode and monitor mode. These exception vector tables are populated with exception vectors to suit the needs and characteristics of the secure and non-secure operating systems. Each exception vector table may have an associated vector table base address register in CP15, which holds a base address pointing at that table in memory. When an exception occurs, the hardware refers to the vector table base address register corresponding to the current state of the system to determine which vector table to use. Alternatively, the different virtual-to-physical memory mappings applied to the different modes can be used to distinguish the three different vector tables stored at different physical memory addresses. As shown in Figure 16, an exception trap mask register is provided in the (configuration control) coprocessor (CP15) associated with the processor core. The exception trap mask register provides flags associated with the respective exception types. These flags indicate whether the hardware should proceed to the vector associated with that exception within the current domain, or should force a switch to monitor mode (which is a type of secure mode) and then follow the vector in the monitor mode vector table. The exception trap mask register (exception control register) is writable only in monitor mode. When in a non-secure mode, read access may also be prevented by the exception trap mask register. As can be seen, the exception trap mask register of Figure 16 does not include a flag for the reset vector: this is not configurable, since the system always forces the reset to jump to secure supervisor mode as specified in the secure vector table, so as to guarantee a secure boot and backward compatibility. Hence, in Figure 15, for completeness, the reset vector has been shown in the secure supervisor mode secure vector table.

Figure 16 also illustrates that the flags for the different exception types within the exception trap mask register are programmable, for example by the monitor program during a secure boot. Alternatively, some or all of the flags may in certain implementations be provided by physical input signals; for example, the secure interrupt flag SIRQ may be hard-wired so that entry into monitor mode and execution of the corresponding monitor mode secure interrupt request vector are always forced when a secure interrupt signal is received. Figure 16 shows only the portion of the exception trap register relating to non-secure domain exceptions; a similar portion of programmable bits is provided for secure domain exceptions.

It will be understood from the above that, at one level, the hardware acts on these exception control register flags to make either the current domain's exception handler or the monitor mode exception handler service an interrupt; this is only the first level of control applied. As an example, an exception may also occur in a secure mode, with the secure mode exception vector directing it to the secure mode exception handler, but that handler may decide, from the nature of the exception, that the non-secure exception handler would handle it better, and so use an SMI instruction to switch to the non-secure mode and request the non-secure exception handler. It is also possible to have a switch in which the hardware starts the non-secure exception handler, but that handler then executes instructions that direct processing to the secure exception handler or the monitor mode exception handler.
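The vector selection described for the Solution 1 interrupt routing and for the exception trap mask of Figures 14 to 16, as an added C model that is not part of the patent: the three table base addresses, the two-domain mask layout and the Solution 1 bit settings are assumed, and FIQ's offset 0x1C is the standard ARM slot.

```c
#include <stdbool.h>
#include <stdint.h>

/* Domains whose vector tables exist in physical memory (Figure 15). */
enum domain { DOMAIN_NON_SECURE = 0, DOMAIN_SECURE = 1, DOMAIN_MONITOR = 2 };

/* Exception types of the Figure 14 table; SIRQ is listed separately because it
   shares the IRQ slot but is routed differently by the trap mask. */
enum exception {
    EXC_RESET, EXC_UNDEF, EXC_SWI, EXC_PREFETCH_ABORT, EXC_DATA_ABORT,
    EXC_IRQ, EXC_SIRQ, EXC_FIQ, EXC_SMI, EXC_COUNT
};

/* Vector offsets within a table (Figure 14). FIQ at 0x1C is the standard ARM slot. */
static const uint32_t vector_offset[EXC_COUNT] = {
    0x00, 0x04, 0x08, 0x0C, 0x10, 0x18, 0x18, 0x1C, 0x20
};

/* Constructed physical base addresses of the three tables (assumed values). */
static const uint32_t table_base[3] = { 0x00000000u, 0x10000000u, 0x20000000u };

/* Exception trap mask register (Figure 16): one programmable bit per exception
   type, with separate bit sets for exceptions taken in the non-secure and secure
   domains. A set bit makes the hardware switch to monitor mode instead of
   vectoring through the current domain's table. */
struct trap_mask {
    uint8_t non_secure[EXC_COUNT];
    uint8_t secure[EXC_COUNT];
    bool sirq_hardwired;   /* SIRQ always traps to monitor mode, whatever the bit */
};

struct vector_choice {
    enum domain table;   /* table the vector is fetched from */
    uint32_t address;    /* physical address of the vector entry */
    bool force_s_bit;    /* hardware forces S=1 (reset taken in the non-secure context) */
};

struct vector_choice select_vector(enum domain current, enum exception exc,
                                   const struct trap_mask *mask)
{
    struct vector_choice c = { current, 0, false };

    if (exc == EXC_RESET) {
        /* The reset entry exists only in the secure table: the core enters
           supervisor mode with the S bit set so that the entry is reachable. */
        c.table = DOMAIN_SECURE;
        c.force_s_bit = (current == DOMAIN_NON_SECURE);
    } else if (exc == EXC_SMI || current == DOMAIN_MONITOR) {
        /* An SMI's target is always within monitor mode, and monitor mode
           always uses its own table. */
        c.table = DOMAIN_MONITOR;
    } else {
        bool trap = (current == DOMAIN_SECURE) ? mask->secure[exc] != 0
                                               : mask->non_secure[exc] != 0;
        if (exc == EXC_SIRQ && mask->sirq_hardwired)
            trap = true;
        c.table = trap ? DOMAIN_MONITOR : current;
    }
    c.address = table_base[c.table] + vector_offset[exc];
    return c;
}

/* Solution 1 routing (Figure 10) expressed as trap mask contents: an interrupt
   that does not belong to the current context goes to monitor mode. */
struct trap_mask solution1_mask(void)
{
    struct trap_mask m = { {0}, {0}, false };
    m.non_secure[EXC_SIRQ] = 1;   /* SIRQ in the non-secure context -> monitor */
    m.secure[EXC_IRQ] = 1;        /* IRQ in the secure context -> monitor */
    return m;
}

/* Wrappers returning the table index and vector address under Solution 1. */
int solution1_table(enum domain current, enum exception exc)
{
    struct trap_mask m = solution1_mask();
    return (int)select_vector(current, exc, &m).table;
}

uint32_t solution1_address(enum domain current, enum exception exc)
{
    struct trap_mask m = solution1_mask();
    return select_vector(current, exc, &m).address;
}

/* With SIRQ hard-wired, a SIRQ taken in the secure context traps to monitor
   mode even though its programmable bit is clear. */
int hardwired_sirq_table(enum domain current)
{
    struct trap_mask m = solution1_mask();
    m.sirq_hardwired = true;
    return (int)select_vector(current, EXC_SIRQ, &m).table;
}

bool reset_forces_s_bit(enum domain current)
{
    struct trap_mask m = solution1_mask();
    return select_vector(current, EXC_RESET, &m).force_s_bit;
}
```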

Figure 17 is a flow diagram illustrating the operation of a system able to support another possible type of switch request, associated with a new type of exception. At step 98 the hardware watches the current program status register; an attempt to alter it triggers, at step 100, the generation of a CPSR violation exception, which results in reference to an appropriate exception vector within monitor mode, and the monitor program is run at step 102 to handle the CPSR violation exception.

It will be appreciated that, in addition to supporting the SMI instruction discussed earlier, a mechanism such as that discussed in relation to Figure 17 may be provided for initiating a switch between the secure domain and the non-secure domain. An exception mechanism may be provided in response to unauthorised attempts to switch mode, whereas all authorised attempts should be made via an SMI instruction. Alternatively, such a mechanism may be a legitimate way of switching between the secure and non-secure domains, or may be provided to give backward compatibility with legacy code (which may, for example, attempt to clear the processor status register), even though that code is not really attempting an unauthorised switch between the secure and non-secure domains.

As mentioned above, in general, interrupts are disabled when the processor is operating in monitor mode. This is done to increase the security of the system. When an interrupt occurs, the state of the processor at that moment is saved in the interrupt exception registers, so that when the interrupt function completes, processing of the interrupted function can be resumed at the point of interruption. If this were allowed in monitor mode, it could reduce the security of monitor mode by providing a path for secure data to leak. For this reason, interrupts are usually disabled in monitor mode. However, a consequence of disabling interrupts during monitor mode is that interrupt latency increases.

It is also possible to allow interrupts in monitor mode if the state of the function the processor is executing is not saved. This can only be done if the function is not resumed after an interrupt. Thus, by allowing interrupts in monitor mode only for functions that can safely be restarted, the problem of interrupt latency in monitor mode can be solved. In this case, after an interrupt in monitor mode, once the interrupt has been completed, the data relating to the processing of that function is not saved but discarded, and the processor is instructed to begin processing its original function from its start. In the example above, this is a simple matter: the processor just returns to the point at which it switched to monitor mode. It should be noted that restarting a function is only possible for functions that can be restarted and still produce a repeatable result. If the function changes the state of the processor such that restarting it would produce a different result, then restarting the function is not a good idea. Therefore, only those functions that can safely be restarted can be interrupted in monitor mode; for other functions, interrupts are disabled.

Figure 18 illustrates a method according to an embodiment of the present invention for handling interrupts that occur in monitor mode. In a non-secure mode, an SMI occurs during the processing of task A, and it switches the processor to monitor mode. The SMI instruction makes the core enter monitor mode through the dedicated non-secure SMI vector. The current state of the PC is saved, the S bit is set and interrupts are disabled. Typically, LR_mon and SPSR_mon are used to save the PC and CPSR of the non-secure mode. Function C is then started in monitor mode. The first thing function C does is enable interrupts, after which function C is processed. If an interrupt occurs during the processing of function C, the interrupts are not disabled, so the interrupt is accepted and executed. However, the monitor mode indicator tells the processor that, after an interrupt, the function is restarted rather than resumed. Alternatively, a control parameter may separately indicate this to the processor. Thus, after an interrupt, the interrupt exception registers are updated with the LR_mon and SPSR_mon values, and the current state of the processor is not saved.

As shown in Figure 18, after the interrupting task, task B, completes, the processor reads the address of the SMI instruction, which has been copied to the interrupt register, executes an SMI and starts processing function C again.

The above processing only works when function C can be restarted, that is, when restarting the processing of C produces repeatable processing steps. This means that function C does not change any state of the processor, such as the stack pointer, that might affect its future processing. A function that is repeatable in this way is said to be idempotent. One way of dealing with this problem for a function is to rearrange the code defining the function so that its first part is idempotent, and, once it is no longer possible to arrange the code idempotently, to disable interrupts. For example, if code C involves writing to the stack, then at least initially it may be possible to do so without updating the stack pointer. Once it is determined that the code can no longer be safely restarted, the code of function C can instruct the processor to disable interrupts, and it can then update the stack pointer to the correct position. This is shown in Figure 18, where part way through the processing of function C interrupts are disabled in some way.

Figure 19 illustrates a slightly different example. In this example, a further control parameter is set at some point during the processing of task C. It indicates that the following portion of task C is not strictly idempotent, but can be safely restarted provided that a fix-up routine is executed first. The fix-up routine restores the state of the processor to what it was at the start of task C (at the end of the task, if it is not interrupted, this is what it has already completed), so that task C can safely be restarted and produce a secure processor state. In some embodiments, at the point where the further control parameter is set, interrupts may be disabled for a short period while the processor state is modified (for example, while the stack pointer is updated). This allows the processor to be restored later to an idempotent state.

When an interrupt occurs after the further control parameter has been set, there are two possible ways of handling it.

One improved routine for handling the interrupt handles the interrupt immediately and, later, once the interrupt has completed, executes the SMI and then, before restarting task C, executes the fix-up routine (at F2). As shown, in both of the above embodiments the fix-up routine is executed in monitor mode, so execution in the non-secure domain (which has no knowledge of the secure domain or of monitor mode) is not affected.

As shown in Figure 19, a first portion of code C is idempotent and can be restarted after an interrupt. A second portion can be restarted provided that a fix-up routine is executed first, which is indicated by setting a "further" control parameter, and a last portion of the code cannot be restarted, so interrupts are disabled before that code is processed.

Figure 20 illustrates an alternative embodiment, which differs in that interrupts are enabled during monitor mode. The functions executed in monitor mode then disable interrupts once they can no longer be safely restarted. This is only possible if all functions interrupted in monitor mode can be restarted rather than resumed.

There are several ways of ensuring that all functions executed in a given mode are restarted, rather than resumed, after an interrupt. One is to add a new processor state in which an interrupt saves the start address of the instruction sequence rather than the address of the interrupted instruction; monitor mode is then always executed in that state. An alternative is, at the start of each function, to preload the start address of the function into the interrupt exception register, and to disable the subsequent writing of processor state into the interrupt exception register when an interrupt occurs.

In the embodiment shown in Figure 20, if a function is required to be safely restartable, the restart of the function can take place immediately after the interrupting function has finished, or after a fix-up routine.

Although the method of handling interrupt latency has been described above for a system with a secure domain, a non-secure domain and a monitor mode, it will be appreciated that it can be applied to any system in which there are functions that, for some particular reason, should not be resumed. Such functions usually operate by disabling interrupts, which increases interrupt latency. Making the functions restartable after an interrupt and controlling the processor to restart them allows interrupts to be enabled for at least part of the function's processing and helps reduce interrupt latency. An example is the general context switch of an operating system.

Accessing secure and non-secure memory

The data processing apparatus shown in Figure 1 has memory which includes the TCM 36, the cache 38, the ROM 44, the memory of the slave devices and the external memory 56. As shown in Figure 37, for example, the memory is partitioned into secure and non-secure memory. It will be appreciated that at the time of manufacture there is usually no physical difference between the secure and non-secure regions of the memory; rather, these regions are defined by a secure operating system of the data processing apparatus when it is operating in the secure domain. Thus any physical part of a memory device can be allocated as secure memory, and any physical part can be allocated as non-secure memory.

As shown in Figures 2 to 5, the processing system has a secure domain and a non-secure domain. In the secure domain, a secure kernel is provided which executes in a secure mode. A monitor program 72 is provided which spans the secure and non-secure domains and at least part of which executes in a monitor mode. In embodiments of the invention the monitor program executes partly in monitor mode and partly in a secure mode. As shown in Figure 10, there are a number of secure modes, including a supervisor mode SVC.

The monitor program 72 is responsible for managing all changes between the secure and non-secure domains in either direction. Some of its functions are described in the section "Processing modes" with reference to Figures 8 and 9. The monitor program responds to a mode switching request SMI issued in a non-secure mode to initiate a switch from that non-secure mode to a secure mode, and to a mode switching request SMI issued in a secure mode to initiate a switch from that secure mode to a non-secure mode. As described in the section "Switching between worlds", in monitor mode at least some of the registers are switched from one of the secure and non-secure domains to the other. This involves storing the state of a register existing in one domain and writing a new state to the register in the other domain (or restoring a previously stored state to the register). That section also notes that access to some registers may be disabled while such a switch is performed. In a preferred embodiment all interrupts are disabled in monitor mode.

Because the monitor mode in which the monitor program executes spans both the secure and non-secure domains, it is important that the monitor program can be verified as secure, i.e. that it implements only the functions it is intended to implement. The simpler the monitor program, therefore, the better. Secure modes allow programs to execute only in the secure domain. In embodiments of the invention, the privileged secure modes and the monitor mode are allowed to access the same secure and non-secure memory.

By ensuring that the privileged secure modes "see" the same secure and non-secure memory as the monitor mode, functions that could only execute in monitor mode can be moved to a secure mode, which allows the monitor program to be simplified. In addition, a process operating in a privileged secure mode is allowed to switch directly to monitor mode, and vice versa. Direct switching from a privileged secure mode to monitor mode is allowed, whereas a non-privileged secure mode, i.e. a non-privileged mode in the secure domain, must use an SMI to enter monitor mode; after the SMI the system enters a privileged secure mode. Switching back and forth between monitor mode and a privileged secure mode helps in saving state. In embodiments of the invention the S flag may be accessed from the secure privileged modes as well as from monitor mode. If a secure privileged mode is allowed to switch the processor into monitor mode under the control of program flow, then that secure privileged mode effectively already has the ability to switch the S flag (bit). Accordingly, the additional complexity of mandating that the S flag can only be changed in monitor mode is not justified. A secure privileged mode may therefore store the S flag in the same way as the other configuration flags, which can be changed by one or more secure privileged modes. The present technique includes such embodiments in which the S flag is changed in one of a plurality of secure privileged modes.

Returning to the exemplary embodiment discussed earlier, the apparatus has a processor core 10 with defined modes and a defined privilege level for the modes, i.e. the set of accesses any mode is allowed. The processor core is therefore arranged in a conventional manner to allow the secure modes and the monitor mode to access secure and non-secure memory, to allow the secure modes to access all the memory that the monitor mode is allowed to access, and to allow a process operating in any privileged secure mode to switch directly to monitor mode, and vice versa. The preferred arrangement of the processor core 10 allows what is described below.

In one example of the apparatus, the memory is partitioned into secure memory and non-secure memory, and both secure and non-secure memory are accessible only in the monitor and secure modes. In a preferred embodiment, non-secure memory is accessible in monitor mode, the secure modes and the non-secure modes. In another example of the apparatus, the secure modes are denied access to non-secure memory in monitor mode and in one or more secure modes, and in non-secure mode the secure and monitor modes are denied access to non-secure memory. Secure memory is thus accessible only in the monitor and secure modes, and non-secure memory is accessible only from a non-secure mode, which enhances security.

In examples of the apparatus, reset or boot of the apparatus may be performed in monitor mode, which is regarded as having higher privilege than the secure modes and the privileged modes. However, in many examples of the apparatus, because direct switching between a secure mode and monitor mode is allowed, it is possible to arrange for reset and boot to be provided in a secure mode.

As described with reference to Figure 2, in the secure domain and in a secure mode,

a secure kernel 80 (or operating system) runs, and one or more secure applications 82, 84 can execute on the secure kernel 80. The secure kernel and/or the secure applications, or any other code executing in a secure mode, are allowed to access both secure and non-secure memory.

Although examples of the invention have been described in terms of an apparatus having a processor, the invention may be implemented by a computer program which, when executed on a suitable processor, configures the processor to operate as described in this section.

In the following, with reference to Figures 21 to 23, an alternative embodiment of the invention is discussed from a programmer's model point of view.

The terminology used below is to be understood against the technical background of ARM processors (designed by ARM Limited of Cambridge, England).

• S bit: the secure state bit, held in a dedicated CP15 register.
• "Secure/non-secure state". This state is defined by the value of the S bit. It indicates whether the core can access the secure world (when in the secure state, i.e. S = 1) or is restricted to the non-secure world only (S = 0). Note that monitor mode (see below) overrides the S bit state.
• "Non-secure world": the group of all hardware/software accessible to non-secure applications that do not need security.
• "Secure world": the group of all hardware/software (core, memory, ...) that is accessible only when executing secure code.
• Monitor mode: a new mode responsible for switching between the secure and non-secure states.

In short:
• The core can always access the non-secure world.
• The core can access the secure world only when it is in the secure state or in monitor mode.

• SMI: Software Monitor Interrupt: a new instruction which causes the core to enter monitor mode through a dedicated SMI exception vector.
• "Thread ID": an identifier associated with each thread (controlled by an OS). For some kinds of OS, when the OS executes in the non-secure world, each call to a secure function needs to pass the current thread ID as a parameter, so as to link the secure function with the non-secure application calling it. The secure world can therefore support multiple threads.
• Secure interrupt: defines an interrupt generated by a secure peripheral.

Programmer's model

Carbon core overview

Thanks to the inclusion of an S (secure) bit, the core can be in either a secure or a non-secure state. Controlling which instructions or events are allowed to modify the S bit, i.e. to change from one state to the other, is an important feature of system security. The present solution proposes adding a new mode, "monitor mode", which "supervises" switching between the two states. Monitor mode (by writing to the appropriate CP15 register) is the only one allowed to change the S bit.

Finally, the invention proposes a way of adding some flexibility to exception handling. Apart from Reset, all exceptions are either handled where they occur or are directed to monitor mode. This is configurable thanks to a dedicated CP15 register.

The details of this solution are discussed in the following paragraphs.

Processor states and modes

New Carbon features

Secure or non-secure state (S bit)

A major feature of the Carbon core is the existence of the S bit, which indicates whether the core is in a secure (S = 1) or non-secure (S = 0) state. When in the secure state, the core can access any data in the secure or non-secure world. When in the non-secure state, the core is restricted to the non-secure world.

The only exception to this rule concerns monitor mode, which overrides the S bit information. Even when S = 0, while in monitor mode the core performs secure privileged accesses. See the next paragraph on monitor mode for further information.

The S bit can be read and written only in monitor mode. Whatever the value of the S bit, if any other mode tries to access it, the access is either ignored or causes an Undefined exception.

Apart from Reset, no exception affects the secure state bit. On Reset the S bit is set and the core starts in supervisor mode. See the boot section for details.

The secure/non-secure state is separate from, and operates independently of, the ARM/Thumb/Java state.

Monitor mode

Another important feature of the Carbon system is the creation of a new mode, "monitor mode". It is used to control the switching of the core between the secure and non-secure states. It is always regarded as a secure mode, i.e. whatever the value of the S bit, while in monitor mode the core always performs secure privileged accesses to the outside world.

Any secure privileged mode (i.e. a privileged mode when S = 1) can switch to monitor mode simply by writing the CPSR mode bits (MSR, MOVS or an equivalent instruction). However, this is forbidden in any non-secure mode and in the secure user mode. If it happens, the instruction is either ignored or raises an exception.

A dedicated "CPSR violation" exception may be needed. It would be raised by any attempt to switch to monitor mode by writing the CPSR directly from any non-secure mode or from the secure user mode.

While monitor mode is active, all exceptions other than Reset are effectively disabled:
• all interrupts are masked;
• all memory exceptions are either ignored or cause a fatal exception;
• Undefined/SWI/SMI are ignored or cause a fatal exception.

On entering monitor mode the interrupts are disabled automatically, and the system monitor should be written so that no other kind of exception can occur while the system monitor is executing.

Monitor mode needs some private registers. This solution proposes duplicating only the minimal set of registers, namely R13 (sp_mon), R14 (lr_mon) and SPSR (spsr_mon).

In monitor mode the MMU is disabled (flat address map), as are the MPU and the partition checker (monitor mode always performs secure privileged external accesses). However, the MPU region attributes in particular (cacheability, etc.) remain enabled. Alternatively, monitor mode may use all the mappings used by the secure domain.

New instructions

The proposed scheme requires a new instruction to be added to the existing ARM instruction set.

The SMI (Software Monitor Interrupt) instruction is used to enter monitor mode (branching to a fixed SMI exception vector). This instruction is mainly used to indicate to the monitor a swap between the non-secure and secure states.

Alternatively (or additionally), a new instruction may be added to allow monitor mode to save/restore the state of any other mode to/from the monitor stack, in order to improve context-switching performance.

Processor modes

As described in the previous paragraphs, only one new mode is added to the core. All existing modes remain available and exist in both the secure and non-secure states.

In effect, Carbon users will see the architecture shown in Figure 21.

Processor registers

Embodiments of the invention propose that the secure and non-secure worlds share the same register bank. This means that when switching from one world to the other through monitor mode, the system monitor needs to save the first world's context and to create (or restore) a context in the second world.

Passing parameters becomes an easy task: once the system monitor has changed the S bit, any data held in a register in the first world is available in the same register in the second world.

However, apart from the limited number of registers dedicated to passing parameters, which need to be strictly controlled, all other registers must be cleared when passing from the secure to the non-secure state, so as to avoid leaking any secure data. This must be ensured by the monitor kernel.

It is also possible to implement a hardware mechanism or a new instruction that clears the registers directly on switching from the secure to the non-secure state.
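The register-clearing requirement just described is easy to get wrong, because the scrub has to happen before the S bit is cleared: once S = 0, every shared register is visible to the non-secure world. The following Python block is an added illustration, not code from the patent or from ARM. It models a monitor that follows the basic scenario given later in this section (SMI into monitor mode, S bit writable only in monitor mode, secure function, SMI back, scrub, restore) and records a register snapshot at each S bit write, so that a leak becomes observable when the scrub is skipped. Class and function names (Core, UndefinedException, run_secure_function, leaked_registers) and the SECRET marker value are my own; the register, mode and S bit names follow the text.

```python
# Added example, not part of the patent: toy model of the monitor's world switch
# with the shared register bank. SECRET is a constructed marker for secure data.
SECRET = 0xDEADBEEF


class UndefinedException(Exception):
    """Raised when a mode other than monitor mode tries to write the S bit."""


class Core:
    def __init__(self, scrub=True):
        self.mode = "user"                               # non-secure user mode, thread 1
        self.s_bit = 0
        self.regs = {f"r{i}": 0 for i in range(13)}      # shared r0..r12
        self.monitor_stack = []
        self.scrub = scrub                               # False models a monitor that forgets to clear
        self.trace = []                                  # (mode, s_bit, regs copy) at each S bit write

    def write_s_bit(self, value):
        """CP15 S bit: readable and writable in monitor mode only."""
        if self.mode != "monitor":
            raise UndefinedException("S bit access outside monitor mode")
        self.s_bit = 1 if value else 0
        self.trace.append((self.mode, self.s_bit, dict(self.regs)))

    def smi(self):
        """SMI instruction: enter monitor mode through its dedicated vector."""
        self.mode = "monitor"

    def enter_secure_world(self):
        """Steps 1-3 of the basic scenario: save non-secure context, set S, go to secure svc."""
        self.smi()
        self.monitor_stack.append(dict(self.regs))
        self.write_s_bit(1)
        self.mode = "svc"

    def leave_secure_world(self, return_regs=("r0",)):
        """Steps 5-7: clear everything but the return registers, clear S, restore, return."""
        self.smi()
        if self.scrub:
            for name in self.regs:
                if name not in return_regs:
                    self.regs[name] = 0
        self.write_s_bit(0)            # from here on the shared registers are non-secure-visible
        for name, value in self.monitor_stack.pop().items():
            if name not in return_regs:
                self.regs[name] = value
        self.mode = "user"


def run_secure_function(core, arg):
    """Thread 1 (non-secure) calls a secure function with its argument in r0."""
    core.regs["r0"] = arg
    core.regs["r4"] = 7                 # live non-secure value that must survive the call
    core.enter_secure_world()
    core.regs["r1"] = SECRET            # the secure function uses shared registers as scratch
    core.regs["r4"] = SECRET
    core.regs["r0"] = arg * 2           # its result travels back in r0
    core.leave_secure_world()
    return dict(core.regs)


def leaked_registers(core):
    """Registers still holding SECRET at the instant the S bit was cleared."""
    for mode, s_bit, regs in core.trace:
        if mode == "monitor" and s_bit == 0:
            return sorted(name for name, value in regs.items() if value == SECRET)
    return []


def s_bit_write_rejected_outside_monitor():
    """True if a user-mode write to the S bit is refused and leaves the bit unchanged."""
    core = Core()
    try:
        core.write_s_bit(1)
    except UndefinedException:
        return core.s_bit == 0
    return False
```

Running run_secure_function on a Core() and on a Core(scrub=False) and comparing leaked_registers shows why the text requires the clear to be guaranteed by the monitor kernel (or by hardware) rather than left to the secure function itself: restoring the non-secure context afterwards does not undo the exposure at the moment S was cleared.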
Another proposed solution involves duplicating all (or most of) the existing register bank, thus having two physically separate register banks for the secure and non-secure states. The main advantage of that solution is a clean separation of the secure and non-secure data held in registers. It also allows fast context switching between the secure and non-secure states. The drawback, however, is that passing parameters through registers becomes difficult unless some dedicated instructions are created to allow the secure world to access the non-secure registers.

Figure 22 shows the registers available according to processor mode. Note that the processor state has no effect on this.

Exceptions

Secure interrupts

Existing solution

The invention proposes keeping the same interrupt pins as in existing cores, namely IRQ and FIQ. Combined with the Exception Trap Mask register (see below), this should be flexible enough for any system to implement and handle the different kinds of interrupt.

VIC enhancement

The invention enhances the VIC (Vectored Interrupt Controller) as follows: the VIC may hold one secure information bit associated with each vector address. This bit can be programmed only from monitor mode or a secure privileged mode. It indicates whether the interrupt in question is to be regarded as secure and therefore handled in the secure world.

The invention also adds two new vector address registers, one for all secure interrupts occurring in the non-secure state and the other for all non-secure interrupts occurring in the secure state.

The S bit information held in CP15 is made available to the VIC as a new VIC input.

The following table summarises the different possible scenarios, depending on the status of the incoming interrupt (secure or non-secure, as indicated by the S bit associated with each interrupt line) and the state of the core (the S bit of the CP15 = S input signal in the VIC).

(Only two entries of this table are legible on the page.)

… vector. It therefore presents to the core the address held in the vector address register dedicated to all non-secure interrupts occurring in the secure world. The core (still in the secure world) then branches to that address, where it should find an SMI instruction to switch to the non-secure world. Once in the non-secure world it can access the correct ISR.

… the non-secure address of the core for that interrupt line. The core only needs to branch to that address, where it should find the relevant non-secure ISR.

Exception management settings

To improve Carbon's flexibility, a new register, the "Exception Trap Mask", is added to CP15. This register contains the following bits:

Bit 0: Undef exception (non-secure state)
Bit 1: SWI exception (non-secure state)
Bit 2: Prefetch abort exception (non-secure state)
Bit 3: Data abort exception (non-secure state)
Bit 4: IRQ exception (non-secure state)
Bit 5: FIQ exception (non-secure state)
Bit 6: SMI exception (non-secure/secure state)
Bit 16: Undef exception (secure state)
Bit 17: SWI exception (secure state)
Bit 18: Prefetch abort exception (secure state)
Bit 19: Data abort exception (secure state)
Bit 20: IRQ exception (secure state)
Bit 21: FIQ exception (secure state)

The Reset exception has no corresponding bit in this register: Reset always causes the core to enter secure supervisor mode through its dedicated vector.

If a bit is set, the corresponding exception causes the core to enter monitor mode. Otherwise, the exception is handled by its corresponding handler in the world in which it occurred.

This register is visible only in monitor mode. Any instruction attempting to access it in any other mode is ignored.

The register should be initialised to a system-specific value, depending on whether the system supports a monitor. This feature can be controlled by the VIC.

Exception vector tables

There are separate secure and non-secure worlds, so separate secure and non-secure exception vector tables are also needed.

Moreover, if the monitor can also trap some exceptions, a third exception vector table, dedicated to the monitor, is needed.

The following tables summarise the three exception vector tables.

In non-secure memory:

Address | Exception | Mode | Taken automatically when
0x00 | - | - | -
0x04 | Undef | Undef | Undefined instruction executed while the core is in the non-secure state and Exception Trap Mask register [Non-secure Undef] = 0
0x08 | SWI | Supervisor | SWI instruction executed while the core is in the non-secure state and [Non-secure SWI] = 0
0x0c | Prefetch Abort | Abort | Aborted instruction fetch while the core is in the non-secure state and [Non-secure PAbort] = 0
0x10 | Data Abort | Abort | Aborted data access while the core is in the non-secure state and [Non-secure DAbort] = 0
0x14 | Reserved | - | -
0x18 | IRQ | IRQ | IRQ pin asserted while the core is in the non-secure state and [Non-secure IRQ] = 0
0x1c | FIQ | FIQ | FIQ pin asserted while the core is in the non-secure state and [Non-secure FIQ] = 0

In secure memory:

Address | Exception | Mode | Taken automatically when
0x00 | Reset | Supervisor | Reset pin asserted
0x04 | Undef | Undef | Undefined instruction executed while the core is in the secure state and Exception Trap Mask register [Secure Undef] = 0
0x08 | SWI | Supervisor | SWI instruction executed while the core is in the secure state and [Secure SWI] = 0
0x0c | Prefetch Abort | Abort | Aborted instruction fetch while the core is in the secure state and [Secure PAbort] = 0
0x10 | Data Abort | Abort | Aborted data access while the core is in the secure state and [Secure DAbort] = 0
0x14 | Reserved | - | -
0x18 | IRQ | IRQ | IRQ pin asserted while the core is in the secure state and [Secure IRQ] = 0
0x1c | FIQ | FIQ | FIQ pin asserted while the core is in the secure state and [Secure FIQ] = 0

In monitor memory (flat mapping):

Address | Exception | Mode | Taken automatically when
0x00 | - | - | -
0x04 | Undef | Monitor | Undefined instruction executed while the core is in the secure state and [Secure Undef] = 1, or in the non-secure state and [Non-secure Undef] = 1
0x08 | SWI | Monitor | SWI instruction executed while the core is in the secure state and [Secure SWI] = 1, or in the non-secure state and [Non-secure SWI] = 1
0x0c | Prefetch Abort | Monitor | Aborted instruction fetch while the core is in the secure state and [Secure PAbort] = 1, or in the non-secure state and [Non-secure PAbort] = 1
0x10 | Data Abort | Monitor | Aborted data access while the core is in the secure state and [Secure DAbort] = 1, or in the non-secure state and [Non-secure DAbort] = 1
0x14 | SMI | Monitor | -
0x18 | IRQ | Monitor | IRQ pin asserted while the core is in the secure state and [Secure IRQ] = 0, or in the non-secure state and [Non-secure IRQ] = 0
0x1c | FIQ | Monitor | FIQ pin asserted while the core is in the secure state and [Secure FIQ] = 0, or in the non-secure state and [Non-secure FIQ] = 0
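The routing rules in the three tables above, together with the Exception Trap Mask bit assignment, can be modelled as one small decision function. The following Python block is an added illustration, not code from the patent or from ARM. It encodes the vector offsets and mask bit positions exactly as listed, applies the rule stated under "Exception management settings" (a set bit sends that exception to monitor mode; a clear bit leaves it to the handler in the world in which it occurred) to every maskable exception type, and treats Reset, SMI and the "all exceptions except Reset are disabled in monitor mode" rule as special cases. Function and constant names (route_exception, trap_to_monitor, monitor_trapped, Route, TRAP_MASK_BITS) are my own; bit 6 (SMI) is not modelled, since the tables show SMI vectoring into the monitor table unconditionally.

```python
# Added example, not part of the patent: software model of Carbon exception routing.
from dataclasses import dataclass

# Vector offsets, identical in the non-secure, secure and monitor tables.
VECTOR_OFFSETS = {
    "Reset": 0x00, "Undef": 0x04, "SWI": 0x08, "PAbort": 0x0C,
    "DAbort": 0x10, "SMI": 0x14, "IRQ": 0x18, "FIQ": 0x1C,
}

# Mode entered when the exception is taken in the world where it occurred.
NATIVE_MODE = {
    "Undef": "Undef", "SWI": "Supervisor", "PAbort": "Abort",
    "DAbort": "Abort", "IRQ": "IRQ", "FIQ": "FIQ",
}

# Exception Trap Mask bit positions: bits 0-5 for the non-secure state,
# bits 16-21 for the secure state. Bit 6 (SMI) is not modelled here.
TRAP_MASK_BITS = {
    (False, "Undef"): 0,  (False, "SWI"): 1,  (False, "PAbort"): 2,
    (False, "DAbort"): 3, (False, "IRQ"): 4,  (False, "FIQ"): 5,
    (True, "Undef"): 16,  (True, "SWI"): 17,  (True, "PAbort"): 18,
    (True, "DAbort"): 19, (True, "IRQ"): 20,  (True, "FIQ"): 21,
}


@dataclass(frozen=True)
class Route:
    table: str    # "non-secure", "secure" or "monitor"
    offset: int   # vector offset within that table
    mode: str     # processor mode entered


def trap_to_monitor(*pairs):
    """Build a mask value that sends the given (secure_state, exception) pairs to monitor mode."""
    value = 0
    for secure, exc in pairs:
        value |= 1 << TRAP_MASK_BITS[(secure, exc)]
    return value


def route_exception(exc, s_bit, trap_mask, in_monitor=False):
    """Return the Route taken for exception `exc`, or None if it is masked.

    s_bit: current value of the CP15 S bit (1 = secure state).
    trap_mask: contents of the Exception Trap Mask register.
    in_monitor: True when the core is already executing in monitor mode.
    """
    if exc not in VECTOR_OFFSETS:
        raise ValueError(f"unknown exception {exc!r}")
    offset = VECTOR_OFFSETS[exc]
    # Reset ignores both the mask and the S bit: secure supervisor mode, always.
    if exc == "Reset":
        return Route("secure", offset, "Supervisor")
    # In monitor mode every exception other than Reset is masked or ignored.
    if in_monitor:
        return None
    # SMI is the dedicated entry into monitor mode.
    if exc == "SMI":
        return Route("monitor", offset, "Monitor")
    secure = bool(s_bit)
    if trap_mask & (1 << TRAP_MASK_BITS[(secure, exc)]):
        return Route("monitor", offset, "Monitor")
    return Route("secure" if secure else "non-secure", offset, NATIVE_MODE[exc])


def monitor_trapped(trap_mask):
    """List the (state, exception) pairs a mask value routes to the monitor, for configuration review."""
    return sorted(
        ("secure" if secure else "non-secure", exc)
        for (secure, exc), bit in TRAP_MASK_BITS.items()
        if trap_mask & (1 << bit)
    )
```

monitor_trapped is the review helper: given the system-specific initial value the text says this register must be loaded with, it lists exactly which exceptions will bypass the per-world handlers and land in the monitor, which is the set the monitor code has to be written to handle.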

In monitor mode there may be two copies of the exception vectors, so that each exception has two different associated vectors:
• one for exceptions occurring in the non-secure state;
• one for exceptions occurring in the secure state.
This reduces exception latency, since the monitor kernel no longer needs to detect the initial state in which the exception occurred.

Note that this feature is limited to some exceptions; SMI is the most appropriate candidate, in order to improve switching between the secure and non-secure states.

Switching between worlds

When switching between states, monitor mode must save the context of one state on its monitor stack and restore the context of the second state from that monitor stack. Monitor mode therefore needs access to all the registers of any other mode, including private registers (r14, SPSR, ...).

To handle this, the solution proposed by the invention consists in giving any privileged mode in the secure state the right to switch directly to monitor mode simply by writing the CPSR.

A switch between worlds on such a system then proceeds as follows:
• enter monitor mode;
• set the S bit;
• switch to supervisor mode and save the registers on the MONITOR stack (of course, supervisor mode needs access to the monitor stack pointer, but this is easily done, for example by using an ordinary register (R0 to R8));
• switch to System mode and save the registers (the same as in user mode) on the monitor stack;
• save the IRQ registers on the monitor stack;
• once all the private registers of all modes have been saved, return to monitor mode with a simple MSR instruction (simply writing the monitor value into the CPSR mode field).

Other solutions have also been considered:
• adding a new instruction that allows the monitor to save the private registers of other modes on its own stack;
• implementing the monitor as a new "state", i.e. being able, in the monitor state (with the appropriate access rights) and in IRQ (or any other) mode, to see the IRQ (or any other) private registers.

Basic scenario (see Figure 23)

1. Thread 1 executes in the non-secure world (S bit = 0). This thread needs to execute a secure function, hence an SMI instruction.
2. The SMI instruction makes the core enter monitor mode through the non-secure SMI vector. LR_mon and SPSR_mon are used to save the PC and CPSR of the non-secure mode. At this stage the S bit remains unchanged, although the system is now in the secure state. The monitor kernel saves the non-secure context on the monitor stack. It also pushes LR_mon and SPSR_mon. The monitor kernel then changes the S bit by writing to the CP15 register. In this embodiment the monitor kernel keeps track of the fact that a "secure thread 1" is starting in the secure world (e.g. by updating a thread ID table). Finally, it leaves monitor mode and switches to secure supervisor mode.
3. The secure kernel dispatches the application to the correct secure memory location, then switches to user mode (e.g. using a MOVS).
4. The secure function executes in secure user mode. When it completes, it calls the "exit" function by executing the appropriate SWI.
5. The SWI instruction makes the core enter secure svc mode through the dedicated SWI vector, which in turn executes the "exit" function. The "exit" function finishes with an "SMI" to switch back to monitor mode.
6. The SMI instruction makes the core enter monitor mode through the dedicated secure SMI vector. LR_mon and SPSR_mon are used to save the PC and CPSR of secure svc mode. The S bit remains unchanged (i.e. secure state). The monitor kernel records the fact that secure thread 1 has completed. It then changes the S bit by writing to the CP15 register, to return to the non-secure state. The monitor kernel restores the non-secure context from the monitor stack. It also loads the LR_mon and SPSR_mon previously saved in step 2. Finally, it leaves monitor mode with a SUBS (this instruction returns the core to non-secure user mode).
7. Thread 1 can resume normally.

Referring to Figure 6, all registers are shared between the secure and non-secure domains. In monitor mode, the switch of the registers from one of the secure and non-secure domains to the other takes place. This involves storing the state of a register existing in one domain and writing a new state to that register in the other domain (or restoring a previously stored state to that register), as also described in the section "Switching between worlds" above. It is desirable to reduce the time taken by this switch. To reduce the time taken to perform the switch, shared registers are disabled when switching between the secure and non-secure domains, so that the data values they hold remain unchanged. For example, consider a switch from the non-secure domain to the secure domain. Suppose, for instance, that the FIQ registers shown in Figure 6 are not needed in the secure world. Those registers are therefore disabled, need not be switched to the secure domain, and their contents need not be saved.

Disabling registers can be achieved in several ways. One way is to lock the mode that uses those registers, by writing a control bit into a CP15 register indicating the disabled mode. Alternatively, access to registers can be disabled on an instruction basis by writing control bits into a CP15 register. The bits written into the CP15 register relate only to the register, not to the mode, so the mode is not disabled, but accesses to that mode's registers are.

The FIQ registers store data associated with fast interrupts. If the FIQ registers are disabled and a fast interrupt occurs, the processor signals an exception to the monitor. In response to the exception, the monitor mode is operable to store any data values associated with one domain held in the disabled registers, to load those registers with new data values associated with the other domain, and then to enable the FIQ mode registers.

The processor can be arranged so that when it switches domains, all the banked registers are disabled in monitor mode. Alternatively, when switching domains to
In order to deal with it, the solution proposed by the present invention is included in security 'to give any permission mode to the authority of the monitoring mode directly by simply writing to the CPSR. This type of system switching between scenarios is performed as follows: * Entering the monitoring mode • Setting the s bit * Switching to the monitoring mode-Storage monitoring is logged into the MONITOR stack (of course, the monitoring mode requires access to the monitoring stack indicator, But this is easy to do, for example, by using a normal login (R0 to R8)) * Switch to System mode-store login (as user 49 200422849 mode) in the monitoring stack ♦ IRQ login in the monitoring stack Once all the private logins of all modes are stored, return to the monitoring mode with a simple MSR instruction (just write the monitoring value to the CPSR mode stop). Other solutions are also considered: Lu added a new instruction that allows monitoring in Your own stack stores private logins for other modes. * Deploy monitoring with a new "state", that is, see the IRQ (or any other) private login in the monitoring state (with those appropriate access rights) and in IRQ (or any other) mode. Basic process (please refer to Figure 23) 1. Thread 1 is executed in a non-safety situation (S bit == 〇). This thread needs to execute a security function => SMI instruction. 2 · The S MI instruction causes the core to enter monitoring mode through a non-safe S MI vector. LR_mon and SPSR_mon are used to store the PC and CPSR in non-security mode. The S bit remains unchanged at this stage, although the system is now in a security state. Monitoring core Stores non-security content in monitoring. It also sends LR_mon and SPSR_mon. At this time, the monitoring core changes the S bit by writing to the CP15 register. In this embodiment, the monitoring core keeps track and a "safe thread 1" starts in the security context (for example, by updating a thread ID table by 50 200422849). 
Finally, it exits monitoring mode and transitions to security monitoring mode. 3 • The security core sends the application to the correct security memory location and then switches to user mode (for example, using a MovS). 4. Perform security functions in security consumer mode. Once this is done, call the "exit" function by performing the appropriate SWI call. 5. The SWI instruction enables the core to enter the security svc mode through a dedicated SWI vector, and sequentially execute the "exit" function. The "exit" function ends with a " SMI " to switch back to the monitoring mode. 6. The SMI instruction enables the core to enter the monitoring mode through the dedicated security SMI vector. Use LR_mon and SPSR_mon to store PC and CPSR in security svc mode. The S bit remains unchanged (for example, security status). The monitoring core logs into the fact that this security thread 1 is completed. Afterwards, it logs in by writing to CP15 and changes the S bit to return to the non-secure state. The monitoring core self-monitors the stack to restore non-security content. It also loads the LR_mon and CPSR_mon previously stored in step 2. Finally, exit the monitoring mode with a SUBS (with this instruction, the core will be returned in non-secure user mode). 7 Thread 1 can resume normally. Referring to Figure 6, all logins are shared between secure and non-secure domains. In monitoring mode, the transition occurs when transitioning from one of the secure and non-secure domains to the other. It involves storing a registered record (or conversion between the registrations) stored in a domain name 51 200422849. Chapter I hope that the conversion used in the conversion will be held unchanged. For example, change. For example It is not required in the environment. Switch to the safety net to make the login misuse. The write control bits of these logins are selectively set to a CP15: the written bits are invalid, but the FIQ login is invalid and the response is abnormal. 
In the invalid registration, the new resources of other domains can arrange all the states in the mode, and write the new state in the domain of another IA 1 office to restore the state of the previously saved makeup), also As described in the section above, the time it takes for the conversion between β τ and s. In order to reduce the cost of time, when the login used between the secure and non-secure domains is invalidated, so as to save 1% to 2% The data protection of 保, consider a turn from the non-secure thumb jp 丨 —— human tf birth domain to the security domain, assuming that the FIQ login shown in Figure 6 is in the security profile and therefore 'disable those logins, and No need to transfer them to the domain, There is no need to store those registered contents. The effect can be achieved by several methods, such as the warrior and the pi port. One method is to lock the mode. A CP15 is used to indicate the failure mode. Based on the order, the access to the login is invalidated by writing to the control bit a. The login in CP 1 5 is only related to the login, not the mode, so the mode does not save the login of the mode. It will be invalid. Store the data related to the fast interruption. If the FIQ logout interruption occurs, the processor sends an abnormal signal to the monitor. The control mode is operable to store any data value related to a domain and stored in the above, and load it. Entering the login is related to its value, and then enabling the FIQ mode login. Processor 'so that when the processor changes the domain, the login in the monitoring block is invalid. Optionally, when the domain is converted to

Alternatively, when switching domain, only some of the shared registers are disabled, either a preset selection or a selection chosen by the programmer. Register disabling can also be combined with saving: when switching domain in monitor mode, the processor can be arranged so that one or more shared registers are disabled, while one or more other shared registers have their data stored on leaving a domain and new data loaded for the other domain. The new data may be null data.

Figure 24 illustrates the concept of adding a secure processing option to a conventional core. The figure shows how a processor with the secure processing option can be formed by adding that option to an existing core. If the system is to be backward compatible with an existing operating system, one would intuitively assume that the existing system operates in the conventional, non-secure part of the processor. However, as shown in the lower half of the figure and discussed in more detail below, the existing system in fact operates in the secure part of the system.

Figure 25 illustrates a processor with a secure and a non-secure domain, and illustrates reset; it is similar to Figure 2. Figure 2 illustrates a processor suitable for performing security-sensitive operation, with a secure OS controlling processing in the secure domain and a non-secure OS controlling processing in the non-secure domain. However, the processor is also backward compatible with a conventional legacy operating system, so the processor can run a legacy operating system in a non-security-sensitive manner.

As shown in Figure 25, reset takes place in the secure domain, and it is a reset with the S bit or secure status flag set, whatever type of operation follows. In the case of non-security-sensitive operation, reset takes place in the secure domain and processing then continues in the secure domain; however, the legacy operating system that controls the processing is unaware of the security aspects of the system.

As shown in Figure 25, reset is performed to set the address at which processing starts in secure supervisor mode, regardless of whether the processing is security sensitive or in fact non-security sensitive. Once reset has been performed, the additional tasks that arise during a boot or reboot are executed. The boot mechanism is detailed below.

The boot mechanism must take the following features into account:
• Maintain compatibility with legacy operating systems.
• Boot in the most privileged mode, to ensure the security of the system.
Therefore, the Carbon core boots in secure supervisor mode. The different systems are:
• For systems that want to run a legacy operating system, the S bit is not considered, and the core merely knows that it booted in supervisor mode.
• For systems that want to use the Carbon features, the core boots in a secure privileged mode, which should be able to set up all the security protections in the system (possibly after switching to monitor mode).

As for the details of the above boot mechanism, the processor of the embodiment of the invention resets so as to start processing in secure supervisor mode in all cases. In the case of non-security-sensitive operation, although security is not an issue there, the operating system is in fact operating in the secure domain because the S bit is set (even though the operating system is unaware of it). This has the advantage that the parts of memory which cannot be accessed from the non-secure domain are accessible in that case.

In all cases, booting in secure supervisor mode is also beneficial for security-sensitive systems, because it helps to ensure the security of the system. In a security-sensitive system, an address is supplied at boot time to where the boot program is stored in secure supervisor mode, which thus allows the system to be set up as a secure system and to switch to monitor mode. Generally, a switch from secure supervisor mode to monitor mode is allowed, and the secure system is enabled at an appropriate time to start processing in monitor mode so as to initialise the monitor mode architecture.

Figure 26 illustrates, at step 1, a non-secure thread NSA executed by a non-secure operating system. At step 2 the non-secure thread NSA calls the secure domain, via the monitor mode in which a monitor mode program executes at step 3. The monitor mode program changes the S bit to switch domain and performs any necessary context saving and context restoring before moving to the secure operating system at step 5. The corresponding secure thread SA then executes until, at step 6, it is subjected to an interrupt irq. At step 7 the interrupt handling hardware triggers a return to monitor mode, where it is decided whether the interrupt is handled by the secure operating system or by the non-secure operating system. In this case the interrupt is handled by the non-secure operating system, starting at step 9.

When the interrupt has been handled by the non-secure operating system, the thread NSA is resumed as the current task in the non-secure operating system before a normal thread switch operation at step 11. That thread switch may be the result of a timing event or the like. At step 12 a different thread NSB is executed by the non-secure operating system in the non-secure domain, and this thread then, at step 14, makes a call via the monitor domain/program. At step 7 the monitor program had stored a flag, or used some other mechanism, to indicate that the secure operating system was last suspended because of an interrupt, rather than because a secure thread had completed execution or had left through a normal request. Therefore, because the secure operating system was suspended by an interrupt, at step 15 the monitor program uses a software-faked interrupt to re-enter the secure operating system, and that software-faked interrupt sets a return thread ID (for example, the identifier of the thread started by the secure operating system at the request of non-secure thread NSB, and likewise the other parameter data). The parameters of the software-faked interrupt can be passed as register values.

在第15步驟,該仿製的軟體中斷觸發安全性 的-返回中斷管理器例式。_返回中斷管理器例 體仿製中斷的返回執行緒ID,以決定是否符合安 緒SA❸ID ’其在上一次安全性作業系統暫停前 斷。在這種情況下,沒有符合的,並因此在第16 已經健存安全性執行緒SA的内容以後,觸發安 系統,以將執行緒轉換為如非安全性執行緒NSB 返回執行緒。而後能夠在被請求時,由中斷處重 安全性執行緒SA。 第27圖圖不在第26圖所示之行為類型的另一示例。 該示例中,當程序在非安全性作業系統的控制中進行以處 理該IRQ時,沒有非安全性執行緒轉換,㈣此當由安全 性作業系統的返回中斷管理器收到軟體仿製中斷時,其決 56 200422849 疋不需要任何執行緒轉換和在第i 5纟驟僅是重新繼 安全性執行緒S A · 24 第28圓是一流程圖,圖示由返回執行緒管理器所執行 的處理。在第4002步驟啟動返回執行緒管理器。在第邨= 步驟,當暫停安全性作業系統時,對敕體仿製中斷 執行緒識料進行檢查和與現有執行安全性執行緒比較。 如果該些符合,則程序進行至第4006步驟當中安全性 行緒重新繼續。如果在第4004步驟的比較未符合,則程 進行至第4008步驟,其中在第4010步驟轉換至新的 :執行緒之前’儲存舊的安全性執行緒的内容,(為 新繼續)。新執行緒已經在進行中,所以第4〇 新繼續。 少鄉重 使任::換?示之處理,藉此一受控安全性作業系統可以 性作ΠΓ主控非安全性作業系統執行。該主控非安全 業系、,先可以是不具月通訊機制的一 協調女沾h > 舊版作業系統,並 調匕的動作以配合其他作業系統 器操作4第29圏之一初始進入點,非安==主控 行-非安全性執行緒NSA。該非安全性執 、、統執 ^ . 執行緒N S A呼叫一 性執行緒,該安全性執行緒欲由 一教舻击此, 女全性作業系統利用 進人在 MI呼叫)執行。在第2步驟,該隨呼叫 中控模式中執行的一監控程式1以在第4步驟 行任何需要:二入安全性作業系統之前,該監控程式執 、 谷儲存和轉換。此時安全% A t 4 對應的安全性執行緒SA。該安全性執=性作業系統起始 執仃緒可能藉由監控模 57 200422849 式將控制退回至非安全性作業系,统,例如由於—定時事件 或類似者。在第9步驟,當非安全性執行緒隐再度將控 制再次傳遞至安全性作業系統時’它藉由再度發出原始: 體中斷以達成。軟體包括辨識NSA的非安全性執行緒比、 欲:用之目標安全性執行緒ID的安全性執行緒ι〇、,即辨 識安^性執行緒SA的執行緒ID,以及其他的參數。 當在第9步驟所產生的啤叫由監控程式所傳遞,和在 =2步驟藉由安全性作業系統在安全性網域中接收時,能 ::該非安全性執行,緒ID,以決定是否已被非安全性作 業f轉換了内容。也可以檢查目標執行緒的安全性執行 加叔、、了解女全性作業系統下的正確的執行緒是否已重 新 或以一新的執行緒起動。在第29圖的示例中,在安 全性網域中不需要由安全性作業系統進行任何執 換。 第广圖與第29圖類似’除了第”驟執行緒的轉 換㈣安全性作業系統的控制下,在非安全性網域中發生 二乍業1此’在第11步驟中,使軟體,斷呼叫橫跨至安全 統的’是一不同的非安全性執行緒励。在第14 ::全性作業系統確認非安全性執行緒腦的不同執 :二此執行涉及儲存安全性執行緒SA的内容和 开〇 I文全性執行緒SB的任務轉換。 31圖是一流程圖,圖示當接收-軟體中斷以作為-ϋ重新繼續安全性作業系統的執行緒之呼叫時,由安 全性作業系統所執行的處理。在第4012步驟中,接收了該 58 200422849 呼叫。在第4014步驟中,檢查呼叫的參數,以決定他們是 否在安全性作業系統中,與現有啟用的安全性執行緒相符 合。如果符合,則在第 40 1 6步驟重新開始該安全性執行 緒。如果不符合,則程序進行至第4018步驟,其中決定是 否可使用新近請求的執行緒。該新近請求的執行緒可能因 為它是或它需要一特有資源,又該資源已經被在一安全性 作業系統中的一些其他的執行緒所使用,所以無法獲得。 在這種情況下,在第4020步驟中,以一適當訊息傳回非安 全性作業系統,拒絕該呼叫《如果在第401 8步驟決定新執 行緒可用,則程序進行至第4022步驟,其中舊的安全性執 行緒的内容被健存,以供之後可能重新開始之用。在第 4024步驟,如同對安全性作業系統所進行的軟體中斷呼叫 之設定,轉換至新的安全性執行緒。 第32圖圖示一操作,據以進行一優先權倒置,當在具 有多個作業系統之一系統中處理中斷時,由不同的作業系 統處理不同的中斷。 處理以安全性作業系統執行一安全性執行緒 SA開 始。而後由一第一中斷Int 1所中斷。其在監控模式中觸 發監控程式,以決定是否中斷要在安全性網域或非安全性 
網域中處理。在這種情況下,該中斷欲在安全性網域處理, 而程序返回到安全性作業系統以及開始中斷Int 1的中斷 處理例式。中途藉由執行Int 1的中斷處理例式,具有較 高優先權的一進一步中斷Int 2被接收。因此,停止Int 1 的中斷管理器和用以在監控模式中決定中斷Int 2在何處 59 200422849 處理之監控程 性作業系統處 和啟始的Int 時,非安全性 暫停的暫停中 可以執行一些 安全性執行緒 務時。 第33圖匿 的問題。當中 根(STUB)中斷 管理器是相對 網域,和在安 該中斷Int 1 域中存根中斷 s己錄’其指示 在安全性 高優先權Int 斷Int 2的中 Int 2的中斷管 存根中斷管理 以及因此將重 器將出現,如 處,據此該呼 式。在這種情況下’中斷Int 2要由非安全 理,並因此把控制傳遞至非安全性作業系统 2之中斷管理器。當中斷Int2的管理器完成 作業系統不具有指示在安全性網域中服務被 斷In…資訊。因此,非安全性作業系統 進一步步驟,例如任務轉換或啟始不同的非 NSB,當仍然未能對原始中斷Int i提供服 !示一技術,據以避免與第32囷的操作相關 斷Int 1發生時,監控程式把它傳遞至一存 管理器啟動處之非安全性網域。該存根中斷 地小且快速藉由監控模式使程序返回安全性 全性網域中觸發中斷Int 1的中斷管理器。 主要在女全性網域中處理,而在非安全性網 管理器的啟動能夠視為一種型態的位置保持 非安全性網域,中斷在安全性網域中暫停。 網域中’中斷Int 1的中斷管理器再次受到 2的支配。在非安全性網域中,仍舊觸發中 斷管理器的執行。然而,在這種情況下,當 理器完成時’非安全性作業系統便擁有指示 器的資料’因為中斷lnt i仍然是未完成的, 新繼續該存根中斷管理器。該存根中斷管理 同它暫停於其進行回到安全性網域的呼叫 叫將再次執行並因此轉換至安全性網域。一 60 200422849 旦回到安全性網域,安全性網域在其中斷處能夠自己再次 開始中斷Int 1的中斷管理器。當中斷Int i的中斷管理器 在安全性網域中完成時,進行回到非安全性網域的呼叫, 以在原來的執行安全性執行緒s A重新繼續前,在非安全 性網域中關閉存根中斷管理器。 第34圖圖示與它們的優先權相關之不同類型中斷,以 及如何處理它們。可以使用純粹安全性網域中斷管理器, 處理尚優先權中斷,確保沒有較高優先權的中斷由非安全 性網域處理。一旦有一中斷具有比後續中斷較高之優先 權,並在非安全性網域中處理,則所有較低優先的中斷若 不是純粹在非安全性網域中處理,就是利用在第3 3圖所示 存根中斷管理器技術,據以使非安全性網域可以持續追蹤 那些中斷,即使它們主要處理在安全性網域中發生者。 如先前所述者,使用監控模式來在安全性網域和非安 全性網域之間執行轉換。在實施例中,在兩不同網域之間 共用登錄,這涉及儲存該些登錄中的狀態到記憶體,而後 自記憶體為終點網域載入這種新狀態至登錄中。對未在兩 網域之間共用的任何登錄而言,不須儲存狀態,因為該些 登錄不會被其他網域所存取,而在該些狀態之間轉換係作 為在安全性和非安全性網域之間轉換的一直接結果(即,在 CP 1 5登錄之一中儲存的s位元的值決定所使用之非共 用登錄)。 "" 當在監控模式中由處理器設定資料控制處理器對記憶 體的存取時,部分狀態需要被轉換。因為在每一網域中有 61 200422849 不同的§己憶體,例如,安全性網域存取安全性記憶醴 存安全性資料,該安全性記憶體不能從非安全性網 取’很明顯地,處理器設定資料將需要在轉換網域時g 如第35圖所示,在CP15登錄34中儲存該處理 定資料’而在一實施例中,該些登錄在網域之間共用 此’當在安全性網域和非安全性網域之間轉換監控 時’現存於CP15登錄34的處理器設定資料需要自 轉出至記憶體,而與終點網域有關的處理器設定資料 載入至CP15登錄34。 因為CP15登錄中的處理器設定資料通常在系統 記憶體的存取有立即的影響,則很明顯地,如果在監 式中操作時由處理器更新了它們,該些設定將立即生 然而’對在監控模式中欲設定處理器設定資料的一靜 疋之監控模式而言,這是不希望發生的。 因此’如第35圖所示,在本發明監控模式一實施 提供特疋的處理器設定資料2〇〇〇 ,它能夠用來覆蓋 登錄34的處理器設定資料34,當處理器在監控模式 作時。如第35圖所示,在它輸入時,藉由多工轉換器 接收儲存在CP15登錄的處理器設定資料和監控模i 處理器設定資料2000,可加以達成。此外,多工轉換 經由路徑2〇15,接收一控制信號,指示是否處理毫 監控模式中操作。#果處理器不是在監控模式" 在CP15登錄34的處理器設定資料被輸出至系統. 
理器是在監控模式中操作的情況下,&之,該多_ 以儲 域存 t變。 器設 。因 模式 CP15 需要 中對 控模 效。 態設 例中 CP15 中操 2010 ,專屬 2010 L下在 e,則 L在處 卜換器 62 200422849 2010輸出監控模式專屬處理器設定資料2 〇〇〇,以確保所應 用的處理器设定資料是一致的,當處理器是在監控模式中 操作時。 監控模式專屬處理器設定資料可以寫死(Hard-Coded) 在系統中,從而確保其不能被操縱。然而,亦有可能程式 設計該監控模式專屬處理器設定資料,而不損害安全性, 當在一安全性權限模式中操作時,確保只能由處理器修改 監控模式專屬處理器設定資料。就監控模式專屬處理器設 定資料的設定而言,這允許一些彈性。如果安排該監控模 式專屬處理器設定資料為可程式設計的,則能夠在系統中 的任何適當地方儲存設定資料,如在cpl5登錄34中的一 組個別的登錄3 4中。 通常 模式中為 上述實施 記憶體管 式中時, 至實體記 被安排為 即,將使 器能夠可 址的映射 當處 設定資料 «^疋a控模式專屬處理器設定資料 處理器的操作提供一非常安全的環境。因此,在 例中,該監控模式專屬處理器設定資料可能設定 理單元30為失效的,當該處理器係操作於監控模 據此,使可能被該記憶體管理.單元所應用的虛擬 憶體轉譯失效。在此類狀況了,該處理器將總是 直接發出實體位址,當發出記憶體存取請求時, 用平面映射。其確保在監控模式中操作時,處理 靠地存取記憶體,而不管是否 疋企任何虛擬至實體位 是相配合的。 理器在監控模式中操作時, 现徑模式專屬處理器 通常也允許處理器存取安全性 庄貝枓。其由網域狀 63 200422849 態位元形式的記憶體允許資料設定為佳,在安全性處理器 設定資料中,具有相同值的網域狀態位元會被設定給相同 值的網域狀態位元(’’ s π位元)。因此,不管儲存在CP 1 5登 錄中的網域狀態之實際值為何,該值會被由監控模式專屬 處理器設定資料所設定的網域狀態位元所覆蓋,以確定監 控模式已存取安全性資料。 監控模式專屬處理器設定資料可以設定其他用來控制 對部分記憶體存取的資料。例如,當處理器在監控模式中 操作時,監控模式專屬處理器設定資料可以設定快取3 8 不要用來存取資料。 在上述的實施例中,已經假設所有含有處理器設定資 料的CP 1 5登錄都在網域間被共用。然而,在一選擇性的 實施例中,將一些CP15登錄予以「分塊(banked)」,例如, 有用以儲存處理器設定資料的一特定項目的兩登錄,一登 錄町以在非安全性網域中存取並含有非安全性網域的處理 器設定資料之項目值,和另一登錄在安全性網域可在安全 性網域中存取並含有安全性網域的處理器設定資料之項目 值。 不被分塊的一 CP15登錄是含有"S"位元者,但原則上 如果希望的話,任何其他的CP 1 5登錄都可以被分塊。在 此類實施例中,由監控模式所做的處理器設定資料的轉 換’涉及將任何共用的CP 1 5登錄轉換至記憶體中,現在 該處理器设定資料在在該些共用登錄中,和在該些共用的 cp 1 5登錄中’載入與終點網域有關的處理器設定資料。對 64 200422849 任何分塊的登錄而言,不必儲存該處理器設定資料至記憶 體中,相反地,由於改變儲在相關的共用CP 15登錄中的S 位元值,轉換將自動地發生。 如先前所述,監控模式處理器設定資料將一網域狀態 位元,其覆蓋儲存在CP15登錄的資料,但是具有與用於 安全性網域之網域狀態位元相同之值(即,在上述實施例中 的S位元值1)。當一些CP15登錄被分塊時,它意味著在 第35圖中至少部分監控模式專屬處理器設定資料2000能 夠從在被分塊的登錄中儲存的安全性處理器設定資料中導 出,因為在轉換處理期間未對記憶體寫入出該些登錄内容。 因此,舉一示例,因為監控模式專屬處理器將設定一 網域狀態位元,以覆蓋當不在監控模式中所使用者。而在 較佳實施例中,它有與在安全性網域中所使用者相同的 值’它意味著選擇可存取的分塊Cpi5登錄的邏輯是允許 存取安全性分塊C P 1 5。藉由允許監控模式將該安全性處理 器設定資料用作監控模式專屬處理器設定資料的相關部 分’能夠實施對資源的儲存,因為不再需要為監控模式專 屬處理器設定資料的該些項目提供一組個別的登錄。 第3 6圖是一流程圖,圖示當需要在一網域之間轉換 時,用以執行處理器設定資料的轉換的步驟。如先前所述, 發出S M1指令’以促使進行網域之間的轉換。因此,在 第2020步驟’等待一 SMI指令的發出。當接收一 SMI指 令時,處理器進行至第2〇3〇步驟,其中處理器在監控模^ 中開始執仃監控程 <,它使該監控模式專屬處理器設定資 65 200422849 料被使作在前往多工轉換号 
號的結果,導致多工轉換器 資料。如先前所述,它可能 以從在被分塊的登錄中储存 到某些部分。 2010的路徑2015上的控制信 轉換監控模式專屬處理器設定 疋一組自我包含的資料,或可 的安全性處理器設定資料所得 此後’在第2040步挪 ,_ . 夕驟,自發出SMI指令至記憶體的 網域儲存現有的狀態,它句 匕1括從任何共用的CP 1 5登錄, 儲存與上述網域相關的卢田 關的處理器設定資料狀態。通常,會撥 出部分記憶體,以供儲在+ 译存此類狀態之用。而後,在第2050 步驟,轉換狀態指標為妒A^ , …心向3有終點網域的對應狀態之記 憶體。因此,通常,為了 y- Ub 与了儲存狀態資訊配置兩部分記憶體,In step 15, the fake software interrupt triggers a security-back interrupt manager routine. _Return Interrupt Manager Example It simulates the return thread ID of the interrupt to determine whether it conforms to the SA SAID ’which was interrupted before the last time the security operating system was suspended. In this case, there is no compliance, and therefore after the content of the security thread SA has been stored in the 16th, the security system is triggered to convert the thread into a non-safe thread NSB and return the thread. Then, when requested, the security thread SA can be interrupted. Figure 27 is another example of the type of behavior not shown in Figure 26. In this example, when the program is under the control of a non-safety operating system to handle the IRQ, there is no non-safety thread transition, so when a software imitation interrupt is received by the return interrupt manager of the safe operating system, Its decision 56 200422849 (No thread conversion is required and only the safety thread SA is resumed in step i 5). The 28th circle is a flowchart illustrating the processing performed by the return thread manager. The return thread manager is started in step 4002. In the first village = step, when the safety operating system is suspended, the carcass imitation interrupt thread is checked and compared with the existing execution security thread. If they match, the process proceeds to step 4006 and the safety thread resumes. If the comparison in step 4004 does not match, the process proceeds to step 4008, where the transition to the new: before thread in step 4010 'stores the contents of the old security thread (to continue for the new). 
The new thread is already in progress, so the 40th new one continues. Shao Xiangzhong Envoy :: Change? As shown in the figure, a controlled safety operation system can be executed as a main non-safety operation system. The main control of the non-security industry department can be a coordinating woman without a monthly communication mechanism. ≫ The old operating system, and adjust the action of the dagger to cooperate with other operating systems. Operation 29 One of the initial entry points , Non-security == master control line-non-security thread NSA. The non-safety executive, the executive executive ^. The thread N S A calls a sexual thread, and the security thread wants to be attacked by a teacher, and the female holistic operating system uses an incoming call at MI) to execute. In the second step, a monitoring program 1 executed in the call control mode is performed in step 4 to perform any required operation: before entering the security operating system, the monitoring program is executed, stored and converted. The safety thread SA corresponding to the safety% A t 4 at this time. The safety enforcement = initial operating system execution may return control to a non-safety operating system by monitoring mode 57 200422849, for example, due to a timed event or the like. In step 9, when the non-safety thread implicitly re-transmits control to the secure operating system again ', it does so by issuing the original: system interrupt again. The software includes identifying the non-safety thread ratio of the NSA, the security thread of the target security thread ID, the thread ID that identifies the security thread SA, and other parameters. When the beer call generated in step 9 is passed by the monitoring program, and received in the security domain by the security operating system in step 2, the non-security execution can be performed with the ID to determine whether Content has been converted by non-security job f. 
You can also check the safe execution of the target thread, and understand whether the correct thread under the female holistic operating system has been restarted or started with a new thread. In the example in Figure 29, no security operating system is required to perform any exchanges in the secure domain. The second image is similar to the second image. "Except for the transition of the first thread", under the control of the security operating system, a second event occurs in a non-secure network domain. In step 11, the software is interrupted. The call across the security system is a different non-secure thread. In the 14th :: Comprehensive operating system, the non-security thread is identified as a different brain: the second execution involves the storage of the security thread SA. Contents and tasks of the full thread SB task transition. Figure 31 is a flow chart illustrating the operation of security when receiving-software interrupts as a call to resume the thread of the security operating system. The processing performed by the system. In step 4012, the 58 200422849 call is received. In step 4014, the parameters of the call are checked to determine whether they are in a security operating system and are compatible with an existing enabled security thread. Yes. If it does, then restart the security thread at step 40 16. If not, the program proceeds to step 4018 where it decides whether the newly requested thread can be used. The recent request The requested thread may not be available because it is or it requires a unique resource that is already used by some other thread in a secure operating system. In this case, at step 4020 In response, an appropriate message is returned to the non-security operating system, and the call is rejected. "If it is determined in step 4018 that a new thread is available, the process proceeds to step 4022, where the content of the old security thread is saved. , For possible restart later. 
At step 4024, the setting is switched to a new security thread like the setting of a software interrupt call to the security operating system. Figure 32 illustrates an operation based on which A priority is inverted. When an interrupt is processed in one of the systems with multiple operating systems, different interrupts are processed by different operating systems. Processing begins with the security operating system executing a security thread SA. Then it starts with a first Interrupted by Int 1. It triggers a monitor in monitoring mode to determine whether the interrupt is to be processed in a secure or non-secure domain. In this case, the interrupt is to be processed in the security domain, and the program returns to the security operating system and starts the interrupt processing routine of interrupting Int 1. The interrupt processing routine of Int 1 has a higher priority in the middle. A further interruption of the right Int 2 is received. Therefore, the interruption manager of Int 1 is stopped and in the monitoring mode is used to determine where the interruption of Int 2 is performed. During the non-safety pause, some security threads can be executed. The problem shown in Figure 33. The stub interrupt manager is a relative network domain, and the stub interrupt s interrupt in the Int 1 domain Record 'which indicates that the security management of the high-priority Int interrupt Int 2 interrupts the management of stub interrupts of Int 2 and will therefore occur again, as appropriate, according to this call. In this case, 'Interrupt Int 2 is to be handled by non-secure, and therefore control is passed to the interrupt manager of non-secure operating system 2. When the manager of Int2 is interrupted, the operating system does not have a message indicating that the service was interrupted in the security domain ... 
Therefore, further steps of the non-safety operating system, such as task switching or starting a different non-NSB, still fail to provide service to the original interruption Int i! Show a technique to avoid interruption Int 1 related to the 32nd operation When this happens, the monitor passes it to a non-secure domain at the start of the storage manager. The stub interrupt is small and quickly returns the program to security by monitoring mode. The interrupt manager triggers interrupt Int 1 in the global domain. It is mainly handled in women's holistic domains, while initiation of the non-safety network manager can be regarded as a type of location to maintain the non-safety domain, and the interruption is suspended in the safety domain. The interrupt manager for 'interrupt Int 1 in the domain is again dominated by 2. In non-secure domains, the execution of the interrupt manager is still triggered. However, in this case, the 'non-secure operating system has the data of the indicator' when the processor is complete, because the interrupt lnt i is still incomplete, and the stub interrupt manager is newly continued. The stub interruption management and the call with which it paused to return to the secure domain will be executed again and therefore transferred to the secure domain. Once 60 200422849 returned to the security domain, the security domain was able to start interrupting Int 1's interrupt manager again on its own. When the interrupt manager of the interrupt Int i is done in the secure domain, make a call back to the non-secure domain to perform the original execution of the security thread s A in the non-secure domain. Close the stub interrupt manager. Figure 34 illustrates the different types of interrupts related to their priorities and how to deal with them. A purely secure domain interrupt manager can be used to handle priority interrupts, ensuring that no higher priority interrupts are handled by non-secure domains. 
Once an interrupt has a higher priority than subsequent interrupts and is processed in a non-safety domain, all lower-priority interrupts are either handled purely in the non-safety domain or are used in Figure 33. The stub interrupt manager technology enables non-secure domains to keep track of those interrupts, even if they primarily deal with those who occur in the secure domain. As mentioned earlier, monitor mode is used to perform transitions between secure and non-secure domains. In an embodiment, the registration is shared between two different domains, which involves storing the states in those registrations into memory, and then loading this new state into the registration from the memory as the destination domain. For any logins that are not shared between the two domains, there is no need to save the state, because those logins will not be accessed by other domains, and the transition between these states is as secure and non-secure A direct result of the conversion between sexual domains (ie, the value of the s-bit stored in one of the CP 15 registrations determines the non-shared registration used). " " When the processor sets data to control the processor's access to memory in the monitor mode, some states need to be switched. Because there are 61 200422849 different §memory bodies in each domain, for example, a secure domain accesses a secure memory and stores security data, the secure memory cannot be fetched from a non-secure network. The processor setting data will need to be stored in the CP15 login 34 when the domain is converted as shown in Figure 35. 'In one embodiment, these registrations share this between domains'. When switching monitoring between a secure domain and a non-secure domain, the processor setting data existing in the CP15 registry 34 needs to be automatically transferred to memory, and the processor setting data related to the destination domain is loaded into the CP15 registry 34. 
Because the processor configuration data in the CP15 registers typically has an immediate effect on how the system accesses memory, any update the processor makes to it while in the monitor mode takes effect at once. This is undesirable, since the monitor mode should run in a stable environment in which the processor configuration data that applies to it is fixed. Therefore, as shown in Figure 35, the monitor mode of the present embodiment is provided with monitor-mode-specific processor configuration data 2000, which overrides the processor configuration data in the CP15 registers 34 whenever the processor is in the monitor mode. As shown in Figure 35, this is achieved by a multiplexer 2010 that receives both the processor configuration data held in the CP15 registers 34 and the monitor-mode-specific processor configuration data 2000. The multiplexer also receives a control signal via path 2015 indicating whether the processor is operating in the monitor mode. If the processor is not in the monitor mode, the processor configuration data from the CP15 registers 34 is output to the system; if the processor is operating in the monitor mode, the multiplexer 2010 instead outputs the monitor-mode-specific processor configuration data 2000, ensuring that a consistent set of processor configuration data is applied whenever the processor is in the monitor mode. The monitor-mode-specific processor configuration data can be hard-coded in the system to ensure that it cannot be manipulated. Alternatively, it can be made programmable without compromising security, provided it is ensured that the monitor-mode-specific processor configuration data can only be modified by the processor when it is operating in a secure privileged mode.
This allows some flexibility in the settings of the monitor-mode-specific processor configuration data. If the monitor-mode-specific processor configuration data is arranged to be programmable, it can be stored anywhere in the system, for example in a separate set of registers within the CP15 registers 34. In preferred embodiments, the monitor-mode-specific processor configuration data is arranged to provide a very secure environment for the processor when it operates in the monitor mode. Therefore, in one example, the monitor-mode-specific processor configuration data may disable the memory management unit 30, so that while the processor is operating in the monitor mode any virtual-to-physical address translation applied by the memory management unit is disabled. In that situation the processor always issues physical addresses directly, and a flat mapping is used when a memory access request is issued. This ensures that when operating in the monitor mode the processor can access memory regardless of whether any virtual-to-physical mapping is consistent. The monitor-mode-specific processor configuration data also typically ensures that, while the processor is in the monitor mode, it has access to secure data. It does so by providing a domain status bit (the "S" bit) set to the same value as the domain status bit in the secure processor configuration data. Therefore, regardless of the actual value of the domain status bit stored in the CP15 registers, that value is overridden by the domain status bit provided by the monitor-mode-specific processor configuration data, ensuring that the monitor mode has access to secure data.
The monitor-mode-specific processor configuration data may also set other data used to control access to parts of the memory. For example, when the processor is operating in the monitor mode, the monitor-mode-specific processor configuration data may specify that the cache 38 is not to be used for accessing data.

In the embodiments described above, it has been assumed that all of the CP15 registers containing processor configuration data are shared between the domains. In an alternative embodiment, however, some of the CP15 registers are "banked": for a particular item of processor configuration data there are two registers, one accessible in the non-secure domain and containing the value of that item for the non-secure domain, and the other accessible in the secure domain and containing the value of that item for the secure domain. One CP15 register that is not banked is the one containing the "S" bit, but in principle any other CP15 register can be banked if desired. In such embodiments, the switching of processor configuration data by the monitor mode involves storing to memory the processor configuration data currently held in any shared CP15 registers and loading into those shared CP15 registers the processor configuration data relevant to the destination domain. For any banked registers it is not necessary to store the processor configuration data to memory; instead the switch occurs automatically as a result of changing the value of the S bit stored in the relevant shared CP15 register. As mentioned previously, the monitor-mode processor configuration data has a domain status bit that overrides the one stored in the CP15 registers but has the same value as the domain status bit for the secure domain (that is, an S bit value of 1 in the embodiment above).
When some of the CP15 registers are banked, at least part of the monitor-mode-specific processor configuration data 2000 of Figure 35 can be derived from the secure processor configuration data held in the banked registers, because those registers are not written to memory during the switching process. Thus, as one example, the monitor-mode-specific processor configuration data sets a domain status bit that overrides the one used outside the monitor mode and, in preferred embodiments, has the same value as that used in the secure domain, which means that the logic selecting which banked CP15 registers are accessible will allow the secure banked CP15 registers to be accessed. By allowing the monitor mode to use the secure processor configuration data as the relevant part of the monitor-mode-specific processor configuration data, a saving in resources is achieved, because it is no longer necessary to provide a separate set of registers for those items of the monitor-mode-specific processor configuration data.

Figure 36 is a flow diagram illustrating the steps performed to switch the processor configuration data when a switch between domains is required. As mentioned earlier, an SMI instruction is issued to bring about the transition between domains. Therefore, at step 2020, the issue of an SMI instruction is awaited. When an SMI instruction is received, the processor proceeds to step 2030, where it begins executing the monitor program in the monitor mode, which causes the monitor-mode-specific processor configuration data to be applied as a result of the control signal passed over path 2015 to the multiplexer 2010. As mentioned earlier, the monitor-mode-specific processor configuration data may be a self-contained set of data, or may be partly derived from the secure processor configuration data held in banked registers. Thereafter, at step 2040,
the current state of the domain from which the SMI instruction was issued is stored to memory, including the state of the processor configuration data held in any shared CP15 registers that is relevant to that domain. Typically, a portion of memory is set aside for storing such state. Then, at step 2050, the state pointer is switched so that it points to the memory holding the corresponding state of the destination domain. Typically, therefore, two portions of memory are allocated for storing state information.
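As an added illustration (not code from the patent), the following Python model puts the Figure 35 multiplexer and the Figure 36 switching steps side by side: shared CP15 registers are saved and restored through two portions of state memory, banked registers follow the S bit with no copying, and the monitor-mode-specific configuration 2000 is applied whenever the control signal on path 2015 says the core is in monitor mode. The register names, values and the boot-time state are constructed, not real CP15 encodings.

```python
"""Constructed model of Figures 35 and 36: CP15 configuration registers 34 (some shared
between the domains, some banked), the monitor-mode-specific configuration 2000 that
multiplexer 2010 applies while the core is in monitor mode, and the SMI-driven state
switch of steps 2020-2070. Register names are invented labels, not real CP15 encodings."""
from dataclasses import dataclass, field
from typing import Any, Dict

SHARED_REGS = ("mmu_enable", "cache_enable", "page_table_base")  # saved/restored by the monitor
BANKED_REGS = ("region_permissions",)                            # one copy per domain

# Monitor-mode-specific processor configuration data 2000 (hard-coded here, so it cannot
# be manipulated): MMU off so a flat mapping is used, cache not used for data, and the
# domain status bit forced to the secure value so monitor code can reach secure data.
MONITOR_CONFIG: Dict[str, Any] = {"mmu_enable": False, "cache_enable": False, "s_bit": 1}


@dataclass
class Cp15:
    s_bit: int                                   # domain status register: 1 = secure; never banked
    shared: Dict[str, Any]
    banked: Dict[int, Dict[str, Any]]            # bank 0 = non-secure copy, bank 1 = secure copy
    in_monitor: bool = False                     # the control signal carried on path 2015

    def read(self, name: str) -> Any:
        """Selecting a bank is a direct consequence of the S bit; nothing is copied."""
        if name in BANKED_REGS:
            return self.banked[self.s_bit][name]
        return self.shared[name]

    def write(self, name: str, value: Any) -> None:
        if name in BANKED_REGS:
            self.banked[self.s_bit][name] = value
        else:
            self.shared[name] = value


def effective_config(cp15: Cp15) -> Dict[str, Any]:
    """Multiplexer 2010: output 2000 in monitor mode, otherwise the contents of register 34."""
    if cp15.in_monitor:
        cfg = dict(MONITOR_CONFIG)
        # The banked item is taken from the secure bank, as the page allows when some
        # CP15 registers are banked and need not be duplicated for monitor mode.
        cfg["region_permissions"] = cp15.banked[1]["region_permissions"]
        return cfg
    cfg = {name: cp15.read(name) for name in SHARED_REGS + BANKED_REGS}
    cfg["s_bit"] = cp15.s_bit
    return cfg


@dataclass
class Monitor:
    cp15: Cp15
    # Two portions of memory set aside for state: index 0 for the non-secure domain,
    # index 1 for the secure domain. The "state pointer" of step 2050 is the S bit.
    state_memory: Dict[int, Dict[str, Any]] = field(default_factory=lambda: {0: {}, 1: {}})

    def smi(self) -> Dict[str, Any]:
        """Steps 2020-2070 for one SMI; returns the configuration seen in the new domain."""
        cp = self.cp15
        cp.in_monitor = True                                              # 2030: 2000 applies at once
        src, dst = cp.s_bit, 1 - cp.s_bit
        self.state_memory[src] = {n: cp.shared[n] for n in SHARED_REGS}  # 2040: save shared regs
        cp.s_bit = dst                                                    # 2050: pointer -> dst; banks flip
        cp.shared.update(self.state_memory[dst])                          # 2060: load dst's shared regs
        cp.in_monitor = False                                             # 2070: exit monitor into dst
        return effective_config(cp)


def demo() -> Dict[str, Dict[str, Any]]:
    """Boot in the secure domain, switch to non-secure, change config there, switch back."""
    cp = Cp15(s_bit=1,
              shared={"mmu_enable": True, "cache_enable": True, "page_table_base": 0x8010_0000},
              banked={0: {"region_permissions": "ns-rw"}, 1: {"region_permissions": "s-rw"}})
    mon = Monitor(cp)
    # Assumed: the secure kernel has prepared the non-secure domain's initial shared state.
    mon.state_memory[0] = {"mmu_enable": True, "cache_enable": False, "page_table_base": 0x0010_0000}
    cp.in_monitor = True
    seen_in_monitor = effective_config(cp)          # what monitor code runs under, whatever 34 holds
    cp.in_monitor = False
    non_secure = mon.smi()                          # secure -> non-secure
    cp.write("page_table_base", 0x0020_0000)        # non-secure OS reprograms a shared register
    cp.write("region_permissions", "ns-ro")         # lands only in bank 0
    secure_again = mon.smi()                        # non-secure -> secure
    return {"monitor": seen_in_monitor, "non_secure": non_secure, "secure_again": secure_again}
```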

If there is a miss in the micro-TLB at step 302, then at step 304 a lookup is performed in the main TLB 208 to determine whether the required secure descriptor is present in the main TLB. If it is not, a page table walk is performed at step 306, in which the translation table walk logic 210 obtains the required descriptor from the secure page table, as described earlier with reference to Figure 37. The process then proceeds to step 308, or proceeds there directly from step 304 if the secure descriptor was already present in the main TLB. At step 308, it is determined that the main TLB now contains the tagged secure descriptor, and the process therefore proceeds to step 310, where the sub-portion of the descriptor containing the physical address portion is loaded into the micro-TLB. Because the core 10 is executing in a secure mode, the partition checker 222 need not perform any partition checking function. The process then proceeds to step 312, where the remainder of the memory access proceeds as described earlier.

For a non-secure memory access, the process proceeds from step 300 to step 320, where a lookup is performed in the micro-TLB 206 to determine whether the corresponding physical address portion, derived from a non-secure descriptor, is present. If it is, the process proceeds directly to step 336, where the access permission rights are checked by the access permission logic 202. It should be noted at this point that if the relevant physical address portion is in the micro-TLB, it is assumed that there is no security violation, because the partition checker 222 effectively policed that information before it was stored in the micro-TLB. Once the access permission has been checked at step 336,
the process proceeds to step 338, where it is determined whether there is any violation, in which case an access permission fault abort is issued at step 316. Otherwise, the process proceeds to step 318, where the remainder of the memory access is performed as discussed earlier.

If at step 320 there is no hit in the micro-TLB, the process proceeds to step 322, where a lookup is performed in the main TLB 208 to determine whether the relevant non-secure descriptor is present. If not, the translation table walk logic 210 performs a page table walk at step 324 to retrieve the necessary non-secure descriptor from the non-secure page table into the main TLB 208. The process then proceeds to step 326, or proceeds directly from step 322 to step 326 if there was a hit in the main TLB 208 at step 322. At step 326, it is determined that the main TLB now contains a valid tagged non-secure descriptor for the virtual address under consideration, and then at step 328 the partition checker 222 checks that the physical address generated from the virtual address of the memory access request (given the physical address portion in the descriptor) points to a location in non-secure memory. If instead the physical address points to a location in secure memory, then at step 330 it is determined that there is a security violation, and the process proceeds to step 332, where the partition checker 222 issues a secure/non-secure fault abort.

If, however, the partition checker 222 determines that there is no security violation, the process proceeds to step 334, where the sub-portion of the relevant descriptor containing the physical address portion is loaded into the micro-TLB, after which the memory access proceeds at step 336 in the manner described previously.

The processing of a memory access request that directly issues a physical address is now described with reference to Figure 40. As described earlier, in this scenario the MMU 200 is disabled, which is preferably achieved by a setting in a relevant CP15 register holding an MMU enable bit, that setting being performed by the monitor mode. Therefore, at step 350, the core 10 generates a physical address that is passed via path 236 to the MPU 220. Then, at step 352, the MPU checks the permissions to confirm that the requested memory access can proceed in the current mode of operation, i.e. user, supervisor, etc. Furthermore, if the core is operating in a non-secure mode, the partition checker 222 also checks at step 352 whether the physical address is in non-secure memory. Then, at step 354, it is determined whether there is a violation, i.e. whether the access permission process has revealed a violation or, if in a non-secure mode, the partition check process has identified a violation. If either violation occurs, the process proceeds to step 356, where the MPU 220 generates an access permission fault abort. It will be appreciated that in some embodiments there is no distinction between the two types of abort, whereas in alternative embodiments the abort signal may indicate whether it relates to an access permission fault or to a security fault.

If no violation is detected at step 354, the process proceeds to step 358, where the memory access to the location identified by the physical address takes place.

In preferred embodiments, only the monitor mode is arranged to generate physical addresses directly, and therefore in all other cases, as described earlier, the MMU 200 is enabled and a physical address is generated from the virtual address of the memory access request.

Figure 38 illustrates an alternative embodiment of the memory management logic, in which all memory access requests specify a virtual address, so that physical addresses are not generated directly in any mode of operation. In this scenario, it will be appreciated that a separate MPU 220 is not required; instead the partition checker 222 can be incorporated within the MMU 200. Apart from this change, the process proceeds in exactly the same way as discussed earlier with reference to Figures 37 to 39.

It will be appreciated that various other alternatives are also possible. For example, assuming that memory access requests specifying virtual addresses may be issued in both the secure and non-secure modes, two MMUs could be provided, one for secure access requests and one for non-secure access requests; that is, the MPU 220 of Figure 37 could be replaced by a complete MMU. In that case the flag used within the main TLB to define secure or non-secure descriptors might not be needed, since one MMU would store non-secure descriptors in its main TLB and the other MMU would store secure descriptors in its main TLB. Of course, a partition checker would still be required to check whether, when the core is in the non-secure domain, an attempt is being made to access secure memory.

If, alternatively, all memory access requests directly specified physical addresses, an alternative implementation could use two MPUs, one for secure access requests and one for non-secure access requests. The MPU used for non-secure access requests could have its accesses policed by the secure partition checker to ensure that access to secure memory is not allowed in a non-secure mode.

As a further feature that could be provided with either the arrangement of Figure 37 or that of Figure 38, the partition checker 222 can be arranged to perform some partition checking to police the activities of the translation table walk logic 210. In particular, if the core is currently operating in the non-secure domain, the partition checker 222 can be arranged to check, whenever the translation table walk logic 210 attempts to access a page table, that it is accessing
the non-secure page table rather than the secure page table. If a violation is detected, an abort signal is preferably generated. Because the translation table walk logic 210 typically performs the page table lookup by combining a page table base address with certain bits of the virtual address issued by the memory access request, the partition check may involve, for example, checking that the translation table walk logic 210 is using the base address of the non-secure page table rather than the base address of the secure page table.

Figure 41 illustrates the process performed by the partition checker 222 when the core 10 is operating in a non-secure mode. It will be appreciated that under normal operation a descriptor obtained from the non-secure page table should only describe a page mapped in non-secure memory. In a software attack, however, the descriptor may have been tampered with so that it now describes a page that includes both non-secure and secure regions of memory. Considering the example of Figure 41, the tampered non-secure descriptor may cover a page that includes non-secure regions 370, 372, 374 and secure regions 376, 378, 380. If the virtual address issued as part of the memory access request then corresponds to a physical address in a secure memory region, such as the secure memory region 376 shown in Figure 41, the partition checker 222 is arranged to generate an abort to prevent the access taking place. Thus, even though the non-secure descriptor has been tampered with in an attempt to access secure memory, the partition checker 222 prevents that access from occurring. In contrast, if the physical address derived using that descriptor corresponds to a non-secure memory region, for example region 374 shown in Figure 41, the access control information loaded into the micro-TLB 206 identifies only that non-secure region 374. Accordingly, accesses within the non-secure memory region 374 can take place, but accesses to any of the secure regions 376, 378 or 380 cannot. It can therefore be seen that even though the main TLB 208 may contain descriptors from a non-secure page table that has been tampered with, the micro-TLB will only contain physical address portions that enable access to non-secure memory regions.

As mentioned earlier, in embodiments where both the non-secure and secure modes can issue memory access requests specifying virtual addresses, the memory preferably includes both a non-secure page table in non-secure memory and a secure page table in secure memory. When in a non-secure mode, the translation table walk logic 210 refers to the non-secure page table, whereas when in a secure mode it refers to the secure page table. Figure 42 illustrates these two page tables. As shown in Figure 42, non-secure memory 390, which may for example be within the external memory 56 of Figure 1, includes a non-secure page table 395 that is referenced by a base address 397 specified in a CP15 register 34. Similarly, within secure memory 400, which again may be in the external memory 56 of Figure 1, a corresponding secure page table 405 is provided, which is specified by a secure page table base address 407 in a duplicate CP15 register 34. Each descriptor in the non-secure page table 395 points to a corresponding non-secure page in non-secure memory 390, whereas each descriptor in the secure page table 405 defines a corresponding secure page in secure memory 400. In addition, as will be described in more detail later, for certain regions of memory it is possible to have a shared memory region 410 that is accessible by both the non-secure mode and the secure mode.

Figure 43 illustrates in more detail the lookup process performed in the main TLB 208 in accordance with preferred embodiments. As described earlier, the main TLB 208 includes a domain flag 425 identifying whether the corresponding descriptor 435 came from the secure page table or the non-secure page table. This ensures that when a lookup process is performed, only descriptors relevant to the particular domain in which the core 10 is operating are checked. Figure 43 illustrates an example in which the core is executing in the secure domain, also referred to as the secure world. As can be seen from Figure 43, when a main TLB 208 lookup is performed, descriptors 440 are ignored and only descriptors 445 are identified as candidates for the lookup process.

In accordance with preferred embodiments, an additional process ID flag 430, also referred to herein as the ASID flag, is provided to identify descriptors from process-specific page tables. Thus, processes P1, P2 and P3 each have a corresponding page table provided in memory, and furthermore there may be different page tables for non-secure operation and for secure operation. Moreover, it will be appreciated that the processes P1, P2, P3 in the secure domain may be entirely separate from the processes P1, P2, P3 in the non-secure domain. Accordingly, as shown in Figure 43, in addition to checking the domain, the ASID flag is also checked when a main TLB 208 lookup is required.

Thus, in the example of Figure 43, where process P1 is executing in the secure domain, the lookup process identifies only the two entries 450, 455 in the main TLB 208, and a hit or a miss is generated depending on whether the virtual address portion in either of those two descriptors matches the virtual address portion issued by the memory access request. If there is a match, the relevant access control information is retrieved and passed to the micro-TLB 206, the access permission logic 202 and the region attribute logic 204. Otherwise a miss occurs, and the translation table walk logic 210 is
used to retrieve the required descriptor into the main TLB 208 from the page table provided for secure process P1. As will be appreciated by those skilled in the art, there are many techniques for managing the contents of a TLB, and hence when a new descriptor is retrieved for storage in the main TLB 208 and the main TLB is already full, any of a number of known techniques, for example a least recently used approach, may be used to decide which descriptor to evict from the main TLB in order to make room for the new descriptor.

It will be appreciated that the secure kernel used for the secure modes of operation may be developed entirely separately from the non-secure operating system. In some cases, however, the development of the secure kernel and the non-secure operating system may be closely linked, and in such situations it may be appropriate to allow secure applications to use non-secure descriptors. Indeed, this would allow a secure application to access non-secure data directly (for sharing) merely by knowing its virtual address. This of course assumes that the secure virtual mapping and the non-secure virtual mapping are available for the particular ASID executing. In such a scenario there is no need for the tag (i.e. the domain flag) previously introduced to distinguish between secure and non-secure descriptors; instead the lookup in the TLB is performed with all of the available descriptors.

In preferred embodiments, the choice between this main TLB configuration and the previously described configuration with separate secure and non-secure descriptors can be set by a particular bit provided in a CP15 control register. In preferred embodiments, this bit can only be set by the secure kernel.

In embodiments that allow a secure application to use a non-secure virtual address directly, it may also be possible to make the non-secure stack pointer available from the secure domain. This can be done by copying the value of the non-secure register identifying the non-secure stack pointer into a dedicated register in CP15 34. This then enables the non-secure application to pass parameters via the stack according to a scheme understood by the secure application.

As mentioned earlier, the memory may be partitioned into non-secure and secure parts, with the partitioning controlled by the secure kernel using the CP15 registers 34 dedicated to the partition checker 222. The basic partitioning approach is based on region access permissions as defined in a typical MPU device. Thus, the memory is divided into a number of regions, and each region is preferably defined by its base address, size, memory attributes and access permissions. Furthermore, when overlapping regions are programmed, the attributes of the upper region take the highest priority. In addition, according to preferred embodiments, a new region attribute is provided to define whether the corresponding region is in secure memory or in non-secure memory. This new region attribute is used by the secure kernel to define the part of memory that is to be protected as secure memory.

At the boot stage, a first partitioning is performed as illustrated in Figure 44. This initial partitioning determines the amount of memory 460 allocated to the non-secure world, the non-secure operating system and the non-secure applications. This amount corresponds to the non-secure regions defined in the partitioning. This information is then used by the non-secure operating system for its memory management. The remaining memory 462, 464, which is defined as secure, is unknown to the non-secure operating system. In order to protect the integrity of the non-secure world, the non-secure memory may be configured so that it is accessible only in secure privileged modes. Accordingly, secure applications will not be tampered with by non-secure ones. As shown in Figure 44, after this boot-stage partitioning, memory 460 is available for use by the non-secure operating system, memory 462 is available for use by the secure kernel, and memory 464 is available for use by secure applications.

Once the boot-stage partitioning has been performed, the memory mapping of the non-secure memory 460 is handled by the non-secure operating system using the MMU 200, and it can therefore define a series of non-secure pages in the usual way, as illustrated in Figure 45.

If a secure application needs to share memory with a non-secure application, the secure kernel can change the rights of a part of memory in order to transfer data from one domain to the other. Thus, as illustrated in Figure 46, the secure kernel can, after checking the integrity of a non-secure page, change the rights of that page so that the secure page 466 becomes accessible as shared memory.

When the partitioning of memory changes, the micro-TLB 206 needs to be flushed. Hence, in this scenario, when a non-secure access subsequently occurs, a miss occurs in the micro-TLB 206, and accordingly a new descriptor is loaded from the main TLB 208. This new descriptor is then checked by the MPU's partition checker 222 when it is about to be retrieved into the micro-TLB 206, and so will be consistent with the new partitioning of the memory.

In preferred embodiments, the cache 38 is virtually indexed and physically tagged. Accordingly, whenever an access is performed in the cache 38, a lookup has first been performed in the micro-TLB 206, and therefore the access permissions (in particular the secure and non-secure permissions) have been checked. Hence, secure data cannot be stored in the cache 38 by a non-secure application, and accesses to secure data cannot be performed in a non-secure mode.

However, a problem that may arise for a secure application is that the non-secure domain is able to use the cache operation registers to invalidate, clean or flush the cache. It must be ensured that such operations cannot affect the security of the system. For example, if the non-secure operating system wishes to invalidate the cache 38 without cleaning it, any dirty secure data must be written to external memory before it is replaced. In preferred embodiments, secure data is tagged within the cache and can therefore be treated differently if desired.
If a non-secure program executes an "invalidate cache line by address" operation, the address is checked by the partition checker 222, and if the cache line is a secure cache line, the operation becomes a "clean and invalidate" operation, thereby ensuring that the security of the system is maintained. Moreover, in preferred embodiments, all "invalidate cache line by index" operations performed by a non-secure program become "clean and invalidate by index" operations. Similarly, all "invalidate all" operations performed by a non-secure program become "clean and invalidate all" operations.

Furthermore, with reference to Figure 1, the micro-TLB 206 controls any access by the DMA 32 to the TCM 36. Hence, when the DMA 32 performs a lookup in the TLB to convert its virtual address into a physical one, the previously described flags added to the main TLB allow the required security checks to be performed, just as if the access request had been issued by the core 10. In addition, as will be discussed later, a replica partition checker is connected to the external bus 70, preferably located in the arbiter/decoder block, so that when the DMA 32 directly accesses memory coupled to the external bus 70 via the external bus interface 42, that replica partition checker checks the validity of the access. Moreover, in certain preferred embodiments it is possible to add a bit to the CP15 registers 34 defining whether the DMA controller 32 can be used in the non-secure domain, that bit being settable only by the secure kernel when operating in a privileged mode.

Turning to the TCM 36, if secure data is placed in the TCM 36 it must be handled carefully. As an example, consider a scenario in which the non-secure operating system programs the physical address range of the TCM memory 36 so that it overlaps an external secure memory part. If the mode of operation then changes to a secure mode, the secure kernel may cause data to be stored in that overlapping part, and typically that data would be stored in the TCM 36, since the TCM 36 usually has a higher priority than external memory. If the non-secure operating system then changes the physical address space setting for the TCM 36 so that the previous secure region is now mapped to a non-secure physical region of memory, it will be appreciated that the non-secure operating system can then access the secure data, because the partition checker will regard that region as non-secure and will not assert an abort. In short, therefore, if the TCM is configured to act as normal local RAM rather than as a SmartCache, it may be possible for the non-secure operating system to read secure world data if it can move the TCM base register to a non-secure physical address.

To prevent the above scenario, in preferred embodiments a control bit is provided in

One portion is configured to store the state of the non-secure domain, and the other is configured to store the state of the secure domain. Once the state pointer has been switched at step 2050, the state now pointed to by the state pointer is loaded at step 2060 into the relevant shared CP15 registers, including the relevant processor configuration data for the destination domain. Thereafter, at step 2070, while still in the monitor mode, the monitor program exits, and the processor then switches to the required mode in the destination domain.

Figure 37 illustrates in more detail the operation of the memory management logic 30 according to one embodiment of the present invention. The memory management logic includes a memory management unit (MMU) 200 and a memory protection unit (MPU) 220. Any access request issued by the core 10 that specifies a virtual address is passed via path 234 to the MMU 200.
The MMU 200 is responsible for performing predetermined access control functions, in particular determining the physical address corresponding to the virtual address, determining the access permissions and determining the region attributes. The memory system of the data processing apparatus includes secure memory and non-secure memory. The secure memory is used to store secure data that is intended to be accessible only by the core 10, or by one or more other master devices, when the core or other device is operating in a secure mode and hence in the secure domain. In the embodiment of the present invention shown in Figure 37, the policing of attempts by applications executing on the core 10 in a non-secure mode to access secure data in secure memory is performed by the partition checker within the MPU 220, the MPU 220 being managed by the secure operating system, also referred to herein as the secure kernel. In accordance with preferred embodiments of the present invention, a non-secure page table 58 is provided in non-secure memory, for example in a non-secure memory portion of the external memory 56, and is used to store, for each of a number of non-secure memory regions defined in that page table, a corresponding descriptor. The descriptor contains information from which the access control information required for the MMU to perform its predetermined access control functions can be derived, and accordingly, in the embodiment described with reference to Figure 37, provides information about the virtual-to-physical address mapping, the access permission rights and any region attributes. In addition, in accordance with preferred embodiments of the present invention, at least one secure page table 58 is provided in the secure memory of the memory system, for example in a secure portion of the external memory 56, which again provides an associated descriptor for each of a number of memory regions defined in that table.
When the processor is operating in a non-secure mode, the non-secure page table is referenced to obtain the relevant descriptors used to manage memory accesses, whereas when the processor is operating in a secure mode the descriptors from the secure page table are used. The process of obtaining descriptors from the relevant page table into the MMU is as follows. A memory access request issued by the core 10 specifies a virtual address, and a lookup is performed in the micro-TLB 206 (a TLB being a translation lookaside buffer), which stores, for a number of virtual address portions, the corresponding physical address portions obtained from the relevant page table. The micro-TLB 206 therefore compares a certain portion of the virtual address with the corresponding virtual address portions stored in the micro-TLB to determine whether there is a match. The portion compared is typically some predetermined number of the most significant bits of the virtual address, the number of bits depending on the page granularity within the page table 58. The lookup performed in the micro-TLB 206 is typically relatively fast, because the micro-TLB 206 contains only a relatively small number of entries, for example eight. When no hit is found in the micro-TLB 206, the memory access request is passed via path 242 to the main TLB 208, which contains a number of descriptors obtained from the page tables. As will be discussed further below, descriptors from both the non-secure page table and the secure page table can coexist in the main TLB 208, and each entry in the main TLB has a corresponding flag (referred to herein as the domain flag) that can be set to indicate whether the descriptor in that entry was obtained from a secure page table or from a non-secure page table.
It will be appreciated that in embodiments where all secure mode operations specify a physical address directly in their memory access requests, such flags in the main TLB are not needed, since the main TLB then only stores non-secure descriptors. In the main TLB 208, a similar lookup process is performed to determine whether the relevant portion of the virtual address issued in the memory access request corresponds to any of the virtual address portions associated with descriptors in the main TLB 208 that are relevant to the particular mode of operation. Hence, if the core 10 is operating in a non-secure mode, only those descriptors in the main TLB 208 that were obtained from the non-secure page table are checked, whereas if the core 10 is operating in a secure mode, only those descriptors in the main TLB that were obtained from the secure page table are checked. If there is a hit as a result of that checking process, the access control information is extracted from the relevant descriptor and passed over path 242. In particular, the virtual address portion of the descriptor and the corresponding physical address portion are routed over path 242 to the micro-TLB 206 for storage in an entry of the micro-TLB, the access permission rights are loaded into the access permission logic 202, and the region attributes are loaded into the region attribute logic 204. The access permission logic 202 and the region attribute logic 204 may be separate from the micro-TLB or may be incorporated within the micro-TLB. At this point, the MMU 200 is able to process the memory access request, because there is now a hit in the micro-TLB 206. Accordingly, the micro-TLB 206 generates the physical address, which may be output via path 238 onto the system bus 40 for routing to the relevant memory, whether on-chip memory such as the TCM 36, the cache 38 and so on, or one of the external memory units accessible via the external bus interface 42.
At the same time, the access permission logic 202 determines whether the memory access is allowed, and if the core is not allowed to access that particular memory address in its current mode of operation, issues an abort signal via path 230 back to the core 10. For example, whether in secure memory or non-secure memory, when the core is operating in supervisor mode it may set particular portions of memory to be accessible only by the core, so that if the core later attempts to access such a memory address in, for example, user mode, the access permission logic 202 detects that the core 10 does not currently have the appropriate access rights and issues an abort signal via path 230. This causes the memory access to be aborted. Finally, the region attribute logic 204 determines the region attributes for the particular memory, for example whether the access is cacheable, bufferable, and so on, and issues such signals via path 232, where they are used to determine whether the data that is the subject of the memory access request can be cached, for example in the cache 38, whether in the case of a write access the write data can be buffered, and so on. If there is no hit in the main TLB 208, the translation table walk logic 210 is used to access the relevant page table 58 in order to retrieve the required descriptor via path 248 and then pass the descriptor via path 246 to the main TLB 208 for storage therein. The base addresses of both the non-secure page table and the secure page table are stored in the CP15 registers 34, and the current domain in which the processor core 10 is operating, i.e. the secure domain or the non-secure domain, is also set in a CP15 register, the domain status register, which is set by the monitor mode whenever a switch occurs between the non-secure domain and the secure domain, or vice versa. The content of the domain status register is referred to herein as the domain bit.
Therefore, if a translation table walk needs to be performed, the translation table walk logic 210 knows the domain in which the core is executing, and hence the base address to use for accessing the relevant table. The virtual address is then used as an offset from that base address to access the appropriate entry in the appropriate page table, in order to obtain the required descriptor. Once the descriptor has been retrieved by the translation table walk logic 210 and placed in the main TLB 208, a hit is obtained in the main TLB, and the process described earlier is invoked to retrieve the access control information and store it in the micro-TLB 206, the access permission logic 202 and the region attribute logic 204, after which the memory access can be actioned by the MMU 200. As described earlier, in preferred embodiments the main TLB 208 can store descriptors from both the secure page table and the non-secure page table, but the MMU 200 can only process the memory access request once the relevant information has been stored in the micro-TLB 206. In preferred embodiments, the transfer of data between the main TLB 208 and the micro-TLB 206 is monitored by the partition checker 222 located within the MPU 220, to ensure that when the core 10 is operating in a non-secure mode no access control information is transferred from the main TLB into the micro-TLB 206 that would result in a physical address in secure memory being generated. The memory protection unit is managed by the secure operating system, which is able to set partitioning information defining the partitioning between secure memory and non-secure memory in the CP15 registers 34. The partition checker 222 can then reference that partitioning information to determine whether the access control information being transferred to the micro-TLB 206 would allow the core 10 to access secure memory in a non-secure mode. More particularly, in preferred embodiments, when the core 10 is operating in a non-secure mode, as indicated by the domain bit set by the monitor mode in the CP15 domain status register, the partition checker 222 is operable to monitor, via path 244, any physical address portion that an attempt is being made to retrieve from the main TLB 208 into the micro-TLB 206, and to determine from that physical address portion whether the physical address subsequently generated for the virtual address would be in secure memory.
In that situation, the partition checker 222 issues an abort signal via path 230 to the core 10 to prevent the memory access taking place. It will be appreciated that the partition checker 222 can be arranged to actually prevent the physical address portion from being stored in the micro-TLB 206, or alternatively the physical address portion may still be stored in the micro-TLB 206 but part of the abort processing removes the incorrect physical address portion from the micro-TLB 206, for example by flushing the micro-TLB 206. Whenever the core 10 changes between a non-secure mode and a secure mode via the monitor mode, the monitor mode changes the value of the domain bit in the CP15 domain status register to indicate the domain into which the processor's operation is changing. As part of the transition process between domains, the micro-TLB 206 is flushed, and accordingly the first memory access following a switch between the secure domain and the non-secure domain produces a miss in the micro-TLB 206 and a request to retrieve the access information from the main TLB 208, or directly from the relevant page table.
By the above approach, it will be appreciated that the partition checker 222 ensures that, when the core is operating in the non-secure domain, a memory access abort is generated if any attempt is made to retrieve into the micro-TLB 206 access control information that would allow access to secure memory.

If, in any of the modes of operation of the processor core 10, a memory access request is arranged to specify a physical address directly, the MMU 200 is disabled and the physical address is passed via path 236 to the MPU 220. In a secure mode of operation, the access permission logic 224 and the region attribute logic 226 carry out the necessary access permission and region attribute analysis based on the access permissions and region attributes defined for the regions identified by the partitioning information in the CP15 registers 34. If the access is to a region of secure memory that can only be accessed in a particular mode of operation, for example the secure privileged mode, while the core is attempting the access in a different mode, for example the secure user mode, the access permission logic 224 generates an abort, which is passed to the core via path 230 in the same manner as an abort from the access permission logic 202 of the MMU. Similarly, the region attribute logic 226 generates cacheable and bufferable signals for an access request specifying a physical address in the same way that the region attribute logic 204 of the MMU generates them for an access request specifying a virtual address. Assuming the access is permitted, the access request is then output via path 240 onto the system bus, from where it is routed to the appropriate memory unit.

A non-secure access request that specifies a physical address is routed via path 236 to the partition checker 222, which performs a partition check using the partitioning information in the CP15 registers 34 to determine whether the physical address refers to a location in secure memory, in which case an abort signal is generated via path 230.

The above process performed by the memory management logic is now described in more detail with reference to the flow diagram of Figure 39. Figure 39 illustrates the case where a program running on the core 10 generates a virtual address, as shown at step 300. The domain bit in the CP15 domain status register 34, which is set in the monitor mode, is used at step 300 to determine whether the core is currently executing in the secure domain or the non-secure domain. If the core is executing in the secure domain, the process proceeds to step 302, where a lookup is performed in the micro-TLB 206 to see whether the relevant portion of the virtual address matches one of the virtual address portions held in the micro-TLB. If there is a hit at step 302, the process proceeds directly to step 312, where the access permission logic 202 performs the necessary access permission analysis. At step 314 it is determined whether there is an access permission violation, and if so the process proceeds to step 316, where the access permission logic 202 issues an abort via path 230. Otherwise, if there is no access permission violation, the process proceeds from step 314 to step 318, where the memory access is performed. In particular, the region attribute logic 204 outputs the necessary cacheable and bufferable attributes via path 232, and the micro-TLB 206 issues the physical address via path 238, as described earlier.
If there is a miss in the micro-TLB at step 302, then at step 304 a lookup is performed in the main TLB 208 to see whether the required secure descriptor is present there. If not, a page table walk is performed at step 306, in which the translation table walk logic 210 retrieves the required descriptor from the secure page table, as described earlier with reference to Figure 37. The process then proceeds to step 308, or proceeds directly from step 304 to step 308 if the secure descriptor was already in the main TLB. At step 308 it is determined that the main TLB now contains the tagged secure descriptor, and the process therefore proceeds to step 310, where the sub-portion of the descriptor containing the physical address portion is loaded into the micro-TLB. Because the core 10 is currently running in a secure mode, the partition checker 222 does not need to perform any partition checking function at this stage. The process then proceeds to step 312, where the rest of the memory access is performed as described earlier.

If at step 300 it is determined that the core is executing in the non-secure domain, the process proceeds from step 300 to step 320, where a lookup is performed in the micro-TLB 206 to determine whether the corresponding physical address portion from a non-secure descriptor is present. If it is, the process proceeds directly to step 336, where the access permission logic 202 checks the access permissions. It should be noted that if the relevant physical address portion is already in the micro-TLB, it can be assumed that there is no security violation, because the partition checker 222 effectively policed this information before it was stored in the micro-TLB. Once the access permissions have been checked at step 336, the process proceeds to step 338, where it is determined whether there has been a violation, an access permission fault causing an abort to be issued at step 316.

Otherwise, the process proceeds to step 318, where the rest of the memory access is performed as discussed earlier. If no hit is found in the micro-TLB at step 320, the process proceeds to step 322, where a lookup is performed in the main TLB 208 to determine whether the relevant non-secure descriptor is present. If it is not, the translation table walk logic 210 performs a page table walk at step 324 to retrieve the necessary non-secure descriptor from the non-secure page table into the main TLB 208. The process then proceeds to step 326, or proceeds directly from step 322 to step 326 if a hit occurred in the main TLB 208 at step 322. At step 326 it is determined that the main TLB now contains a valid tagged non-secure descriptor for the virtual address under consideration, and at step 328 a partition check is performed: the partition checker 222 checks that the physical address which would be generated for the virtual address of the memory access request, given the physical address portion in the descriptor, is a location in non-secure memory. If instead the physical address is in secure memory, then at step 330 a security violation is determined and the process proceeds to step 332, where the partition checker 222 issues a secure/non-secure fault abort. If, however, the partition checker 222 determines that there is no security violation, the process proceeds to step 334, where the sub-portion of the relevant descriptor containing the physical address portion is loaded into the micro-TLB, after which the memory access is performed from step 336 onwards in the manner described previously.

The processing of a memory access request that directly issues a physical address will now be described with reference to Figure 40.
As mentioned earlier, in this case the MMU 200 is disabled, preferably by setting an MMU enable bit in a relevant register of the CP15 registers 34, the setting being performed by the monitor mode. Hence, at step 350 the core 10 generates a physical address, which is passed to the MPU 220 via path 236. Then, at step 352, the MPU checks the access permissions to confirm that the requested memory access can proceed given the current mode of operation (user, supervisor, etc.). In addition, if the core is operating in the non-secure domain, the partition checker 222 also checks at step 352 whether the physical address is in non-secure memory. At step 354 it is then determined whether there is a violation, that is, whether the access permission procedure has revealed a violation or, in the non-secure domain, whether the partition check has revealed a violation. If either violation occurs, the process proceeds to step 356, where the MPU 220 generates an access permission fault abort. It will be appreciated that there need be no distinction between these two types of abort, although optionally the abort signal could indicate whether it relates to an access permission fault or to a partition fault. If no violation is detected at step 354, the process proceeds to step 358, where the memory access takes place at the location identified by the physical address.

In the preferred embodiment, only the monitor mode is arranged to generate physical addresses directly, and in all other cases the memory access request issues a virtual address, which is processed as described earlier.

Figure 38 illustrates an alternative embodiment of the memory management logic, in which memory access requests specifying a virtual address and memory access requests specifying a physical address directly can both be generated in any mode. In that case there is no need for a separate MPU 220; instead the partition checker 222 is incorporated into the MMU 200. Otherwise the process is the same as that discussed earlier with reference to Figures 37 and 39. It will be appreciated that various other options are also possible. For example, assuming that both the secure and non-secure modes issue memory access requests specifying virtual addresses, two MMUs could be provided, one for secure access requests and one for non-secure access requests, in which case the MPU 220 of Figure 37 would be replaced by a further MMU. In such an arrangement, the flags in the main TLB identifying a descriptor as secure or non-secure would not be required, since one MMU would store only secure descriptors in its main TLB and the other only non-secure descriptors; of course, a partition checker would still be needed to check whether the core is attempting, in the non-secure domain, to access secure memory. Alternatively, if all memory access requests directly specify physical addresses, two MPUs could be used, one for secure access requests and one for non-secure access requests, the MPU for non-secure access requests having its accesses policed by a partition checker to ensure that accesses to secure memory are not allowed in the non-secure mode.

With either the Figure 37 or the Figure 38 arrangement, the partition checker 222 can further be arranged to perform some partition checking to police the activities of the translation table walk logic 210. In particular, if the core is operating in the non-secure domain, the partition checker 222 can be arranged to check the page table accesses made by the translation table walk logic 210.
Whenever the translation table walk logic 210 attempts to access a page table, the partition checker 222 checks that the access is to the non-secure page table rather than the secure page table, and if a violation is detected it preferably generates an abort signal. Since the translation table walk logic 210 typically performs a page table lookup using a page table base address together with part of the virtual address issued by the memory access request, the partition check may, for example, involve checking that the translation table walk logic 210 is using the base address of the non-secure page table rather than the base address of the secure page table.

Figure 41 illustrates the process performed by the partition checker 222 when the core 10 is operating in the non-secure mode. It will be appreciated that under normal operation a descriptor obtained from the non-secure page table should describe only a page mapped into non-secure memory. However, in a software attack the descriptor may have been tampered with so that it now describes a page covering part of the secure region of memory. Consider the example of Figure 41, in which the memory comprises non-secure regions 370, 372, 374 and secure regions 376, 378, 380. If the virtual address issued as part of the memory access request now maps, according to the tampered non-secure descriptor, to a physical address in a secure memory region, for example secure region 376 as shown in Figure 41, the partition checker 222 is arranged to generate an abort to prevent the access from occurring. Hence, even though the non-secure descriptor has been tampered with in an attempt to access secure memory, the partition checker 222 prevents that access.

By contrast, if the physical address derived from the descriptor lies in a non-secure memory region, for example region 374 as shown in Figure 41, then the access control information loaded into the micro-TLB 206 identifies only that non-secure region 374. Accesses within the non-secure memory region 374 can therefore take place, but accesses to any of the secure regions 376, 378 or 380 cannot. It can thus be seen that, even though the main TLB 208 may contain descriptors from a tampered non-secure page table, the micro-TLB 206 will only ever contain physical address portions that enable access to non-secure memory regions.

As mentioned earlier, in embodiments where both the non-secure mode and the secure mode can generate memory access requests specifying virtual addresses, the memory preferably contains a non-secure page table in non-secure memory and a secure page table in secure memory. When in the non-secure mode the translation table walk logic 210 refers to the non-secure page table, while in the secure mode it refers to the secure page table. Figure 42 illustrates these two page tables. As shown in Figure 42, non-secure memory 390, which may for example be in the external memory 56 shown in Figure 1, contains a non-secure page table 395 whose location is specified by a non-secure page table base address 397 held in one of the CP15 registers 34. Similarly, a corresponding secure page table 405 may be provided in secure memory 400, again for example in the external memory 56 of Figure 1, its location being specified by a secure page table base address 407 held in a duplicate CP15 register 34. Each descriptor in the non-secure page table 395 points to a corresponding non-secure page in non-secure memory 390, and each descriptor in the secure page table 405 defines a corresponding secure page in secure memory 400.
In addition, as will be described later, for some regions of memory it is possible to share the region, such as shared memory region 410, so that it is accessible from both the non-secure mode and the secure mode.

Figure 43 illustrates in more detail the lookup procedure performed in the main TLB 208 in accordance with the preferred embodiment. As mentioned earlier, the main TLB 208 includes a domain flag 425 that identifies whether the corresponding descriptor 435 came from the secure page table or the non-secure page table. This ensures that when a lookup is performed, only the descriptors relating to the particular domain in which the core 10 is operating are checked. Figure 43 illustrates an example in which the core is running in the secure domain, also referred to as the secure world. As can be seen from Figure 43, when the main TLB 208 lookup is performed the descriptors 440 are ignored and only the descriptors 445 are identified as candidates for the lookup.

In accordance with the preferred embodiment of the present invention, an additional process ID flag 430, also referred to herein as the ASID flag, is provided to identify descriptors from process-specific page tables. Hence, processes P1, P2 and P3 may each have a corresponding page table provided in memory, and further there may be different page tables for non-secure operation and secure operation. In particular, it will be appreciated that the processes P1, P2 and P3 in the secure domain may be entirely separate from the processes P1, P2 and P3 in the non-secure domain. Hence, as shown in Figure 43, when a main TLB 208 lookup is required, the ASID flag is also checked in addition to the domain flag. Thus, in the example of Figure 43, where process P1 is running in the secure domain, the lookup identifies only the two entries 450 in the main TLB 208, and a hit or a miss is generated depending on whether the virtual address portion of either of those two descriptors matches the virtual address portion issued by the memory access request.

If there is a hit, the relevant access control information is retrieved and passed to the micro-TLB 206, the access permission logic 202 and the region attribute logic 204. Otherwise a miss occurs, and the translation table walk logic 210 is used to retrieve the required descriptor into the main TLB 208 from the page table provided for secure process P1. As will be appreciated by those skilled in the art, there are many techniques for managing the contents of a TLB, and when a new descriptor is retrieved for storage in the main TLB 208 while the main TLB is already full, any of the known techniques, for example least recently used, may be used to decide which descriptor to evict from the main TLB to make room for the new one.

It will be appreciated that the secure kernel used in the secure world may be developed entirely independently of the non-secure operating system. However, in one case the development of the secure kernel and the non-secure operating system may be closely linked, and in such a situation it may be appropriate to allow non-secure descriptors to be used by secure applications. This would allow a secure application to access non-secure data directly (for sharing) by knowing only the virtual address. It is of course assumed that the secure virtual mapping and the non-secure virtual mapping are exclusive for a particular ASID. In such a case there is no need to distinguish between secure and non-secure descriptors in the main TLB by means of a tag (i.e. the domain flag); instead the lookup is performed in the TLB over all available descriptors. In the preferred embodiment, the choice between this configuration of the main TLB and the previously described configuration with separately tagged secure and non-secure descriptors can be set by a particular bit provided in the CP15 control register, and in the preferred embodiment this bit can only be set by the secure kernel.
In an embodiment where a secure application is allowed to use non-secure virtual addresses directly, it can also be useful to make the non-secure stack pointer available from the secure domain. This can be done by copying the non-secure register value of the non-secure stack pointer into a dedicated register within the CP15 registers 34, which then allows a non-secure application to pass parameters via the stack according to a scheme understood by the secure application.

As mentioned earlier, the memory may be partitioned into non-secure and secure parts, with the CP15 registers 34 dedicated to the partition checker 222 being used to control the partitioning. The basic partitioning approach is based on the region access permissions as defined in a typical MPU device. Hence the memory is divided into a plurality of regions, and each region is preferably defined by its base address, size, memory attributes and access permissions. In addition, when overlapping regions are programmed, the attributes of the upper region take the highest priority. Further, in accordance with the preferred embodiment of the present invention, a new region attribute is provided to define whether the corresponding region is in secure memory or in non-secure memory. This new region attribute is used by the secure kernel to define the part of memory that is to be protected as secure memory.

In the boot stage, a first partitioning is performed as illustrated in Figure 44. This initial partitioning determines the amount of memory 460 allocated to the non-secure world, non-secure operating system and non-secure applications. This amount corresponds to the non-secure region defined in the partitioning. This information is then used by the non-secure operating system for its memory management. The remaining memory 462, 464, defined as secure, is unknown to the non-secure operating system. To protect the integrity of the non-secure world, the non-secure memory may be programmed to allow access only from the secure privileged mode, so that secure applications cannot corrupt it. As shown in Figure 44, after the boot stage partitioning, memory 460 can be used by the non-secure operating system, memory 462 by the secure kernel, and memory 464 by secure applications.

Once the boot stage partitioning has been performed, the memory map of the non-secure memory 460 is handled by the non-secure operating system using the MMU 200, and a series of non-secure pages can thus be defined in the usual way, as shown in Figure 45. If a secure application needs to share memory with a non-secure application, the secure kernel can change the rights of a part of the memory to transfer data from one domain to the other. Hence, as shown in Figure 46, the secure kernel can, after checking the integrity of a non-secure page, change the rights of that page so that it becomes a secure page 466 accessible as shared memory. When the memory partition is changed, the micro-TLB 206 needs to be flushed. Hence, when a non-secure access occurs subsequently there will be a miss in the micro-TLB 206, and a new descriptor will be loaded from the main TLB 208; this new descriptor is checked by the partition checker 222 of the MPU when it is about to be retrieved into the micro-TLB 206, and so will be consistent with the new partitioning of the memory.

In the preferred embodiment, the cache 38 is virtually indexed and physically tagged. Hence, when an access is performed in the cache 38, a lookup will first have been performed in the micro-TLB 206, and the access permissions, in particular the secure and non-secure permissions, will therefore have been checked.
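The lookup procedure of Figure 39, the tampered-descriptor case of Figure 41, the domain and ASID tagging of Figure 43 and the flush required after a repartition (Figure 46) can be exercised together in a small software model. The following Python is an added example written for this page; it is not code from the patent or from the processor it describes. The region layout, the page tables, the ASIDs and the names `PartitionChecker`, `MemoryManagement` and `demo` are constructed for illustration, and the model reduces the MPU to a list of `(base, size, secure)` regions consulted only at micro-TLB fill time, as the text describes.

```python
"""Added model of the Figure 39 lookup path: a main TLB tagged by domain and ASID, a
per-domain micro-TLB, and a partition checker applied to non-secure micro-TLB fills.
Example code for this page; the region layout, page tables and names are constructed."""

SECURE, NON_SECURE = "S", "NS"
PAGE = 0x1000


class Abort(Exception):
    """Stands in for the abort signal sent to the core over path 230."""


class PartitionChecker:
    """CP15 partition information as (base, size, secure) regions; a region
    programmed later (an upper region) wins where regions overlap."""

    def __init__(self, regions):
        self.regions = list(regions)

    def is_secure(self, pa):
        for base, size, secure in reversed(self.regions):
            if base <= pa < base + size:
                return secure
        raise Abort(f"PA {pa:#x} lies in no region")

    def check(self, domain, pa):
        # Step 328 of Figure 39: only fills made in the non-secure domain are checked.
        if domain == NON_SECURE and self.is_secure(pa):
            raise Abort(f"non-secure access to secure PA {pa:#x}")


class MemoryManagement:
    def __init__(self, checker, page_tables):
        self.checker = checker
        self.page_tables = page_tables  # {(domain, asid): {vpn: ppn}}
        self.main_tlb = {}              # (domain, asid, vpn) -> ppn, both domains
        self.micro_tlb = {}             # vpn -> ppn, current domain only
        self.domain, self.asid = SECURE, 0

    def switch_domain(self, domain, asid):
        """Monitor mode changes the domain bit and flushes the micro-TLB."""
        self.domain, self.asid = domain, asid
        self.flush_micro_tlb()

    def flush_micro_tlb(self):
        self.micro_tlb.clear()

    def translate(self, va):
        vpn, offset = divmod(va, PAGE)
        if vpn not in self.micro_tlb:                        # steps 302 / 320
            key = (self.domain, self.asid, vpn)              # Figure 43: domain + ASID tag
            if key not in self.main_tlb:                     # steps 304 / 322
                table = self.page_tables[(self.domain, self.asid)]
                if vpn not in table:
                    raise Abort(f"translation fault for VPN {vpn:#x}")
                self.main_tlb[key] = table[vpn]              # steps 306 / 324: table walk
            ppn = self.main_tlb[key]
            self.checker.check(self.domain, ppn * PAGE)      # step 328, before the fill
            self.micro_tlb[vpn] = ppn                        # steps 310 / 334
        return self.micro_tlb[vpn] * PAGE + offset


def try_translate(mm, va):
    try:
        return mm.translate(va)
    except Abort:
        return "abort"


def demo():
    """Runs the scenarios described in the text and returns each outcome."""
    checker = PartitionChecker([
        (0x000000, 0x100000, False),   # non-secure memory (cf. 460)
        (0x100000, 0x100000, True),    # secure memory (cf. 462, 464)
    ])
    tables = {
        (SECURE, 1): {0x10: 0x100},
        (NON_SECURE, 1): {0x10: 0x20, 0x11: 0x150},  # VPN 0x11 tampered into secure memory
        (NON_SECURE, 2): {0x10: 0x21},
    }
    mm = MemoryManagement(checker, tables)
    out = {}
    mm.switch_domain(SECURE, 1)
    out["secure_p1"] = try_translate(mm, 0x10010)      # secure descriptor, no check
    mm.switch_domain(NON_SECURE, 1)
    out["ns_p1"] = try_translate(mm, 0x10010)          # same VPN, non-secure page
    out["ns_tampered"] = try_translate(mm, 0x11000)    # Figure 41: fill refused
    checker.regions.append((0x20000, PAGE, True))      # page 0x20 made secure
    out["stale_hit"] = try_translate(mm, 0x10010)      # micro-TLB hit skips the checker
    mm.flush_micro_tlb()
    out["after_flush"] = try_translate(mm, 0x10010)    # re-checked and refused
    checker.regions.append((0x150000, PAGE, False))    # Figure 46: page made shared
    mm.flush_micro_tlb()
    out["ns_shared"] = try_translate(mm, 0x11000)
    mm.switch_domain(NON_SECURE, 2)
    out["ns_p2"] = try_translate(mm, 0x10010)          # ASID tag selects another table
    mm.switch_domain(SECURE, 1)
    out["secure_again"] = try_translate(mm, 0x10010)   # domain tag keeps entries apart
    return out
```

Calling `demo()` shows the two properties the text relies on: a non-secure fill is refused when the descriptor resolves into secure memory (`ns_tampered`), and a stale micro-TLB entry bypasses the checker after a repartition until the micro-TLB is flushed (`stale_hit` versus `after_flush`), which is why the flush on a partition change is a correctness requirement rather than an optimisation.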
Hence secure data cannot be placed in the cache 38 by a non-secure application, and accesses to secure data cannot be performed in the non-secure mode. However, a problem may arise when, from the non-secure domain, cache maintenance operations such as invalidate, clean or flush are performed on the cache using the relevant CP15 registers: it must be ensured that such operations cannot compromise the security of the system. For example, if the non-secure operating system invalidates the cache 38 without cleaning it, any dirty secure data must be written back to external memory before it can be replaced. In the preferred embodiment, secure data in the cache is tagged, and can therefore be treated differently if required. Hence, when an "invalidate line by address" operation is performed, the address is checked by the partition checker 222, and if the line is a secure cache line the operation becomes a "clean and invalidate" operation, to maintain the security of the system. Further, in the preferred embodiment, an "invalidate line by index" operation performed by a non-secure program becomes a "clean and invalidate by index" operation, and similarly any "invalidate all" operation performed by a non-secure program becomes a "clean and invalidate all" operation.

Further, referring to Figure 1, any access by the DMA 32 to the TCM 36 is controlled by the micro-TLB 206. Hence, when the DMA 32 performs a lookup in the TLB to translate its virtual address to a physical address, the flags previously described as being added to the main TLB allow the required security checks to be performed just as if the access request had been issued by the core 10. Further, as will be discussed later, a replica partition checker is coupled to the external bus 70, preferably within the arbiter/decoder block, so that when the DMA 32 accesses memory coupled to the external bus 70 directly via the external bus interface 42, the replica partition checker on the external bus 70 checks the validity of the access. Moreover, in some preferred embodiments it is possible to add a bit to the CP15 registers 34 to define whether the DMA controller 32 can be used in the non-secure domain, this bit being settable only by the secure kernel when operating in a privileged mode.

Considering the TCM 36, if secure data is placed in the TCM 36 it must be handled carefully. As an example, consider a scenario in which the non-secure operating system programs the physical address range of the TCM 36 so that it overlaps an external secure memory portion. If the operating mode then changes to a secure mode, the secure kernel may store data in that overlapping region, and the data will normally be stored in the TCM 36, since the TCM 36 typically has higher priority than the external memory. If the non-secure operating system subsequently changes the physical address range of the TCM 36 so that the previous secure region is now mapped onto a non-secure physical region of memory, it will be appreciated that the non-secure operating system can then access the secure data, because the partition checker sees the region as non-secure and will not assert an abort. In short, if the TCM is configured to act as normal local RAM rather than as a SmartCache, a non-secure operating system that can move the TCM base register to a non-secure physical address may be able to read secure world data. To prevent the above scenario, in the preferred embodiment a control bit is provided.

This control bit is held in the CP15 registers 34, which can only be accessed in a secure mode of operation, and it selects between two possible configurations. In the first configuration the control bit is set to "1", in which case the TCM can only be controlled by the secure privileged mode. Any non-secure access to the TCM control register in CP15 then causes entry into the undefined instruction exception. Hence, in this first configuration both the secure mode and the non-secure mode can use the TCM, but only the secure privileged mode controls it. In the second configuration the control bit is set to "0", in which case the TCM can be controlled by the non-secure operating system. In that case the TCM is used only by non-secure applications: no secure data can be loaded from or stored to the TCM, and hence, when a secure access is performed, no lookup is performed in the TCM to determine whether the address falls within the TCM address range. By default it is envisaged that the TCM will be used only by the non-secure operating system, in which case the non-secure operating system needs no modification.

As mentioned earlier, in addition to the partition checker 222 provided in the MPU 220, the preferred embodiment of the present invention also provides a similar partition checking block coupled to the external bus 70, this additional partition checker being used to police accesses to memory by other master devices, for example the digital signal processor (DSP) 50, the DMA controller 52 coupled directly to the external bus, the DMA controller 32 coupled to the external bus via the external bus interface 42, and so on. In some embodiments, as will be discussed later, it is possible to have only a partition checking block coupled to the external bus, without providing a partition checker as part of the memory management logic 30. In some such embodiments a partition checker may optionally be provided as part of the memory management logic 30, in which case that partition checker is regarded as a further partition checker provided in addition to the one coupled to the device bus.
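Returning to the TCM scenario described above, the following Python is an added example written for this page, not the patent's own description, that models the three cases: a naive design in which the non-secure operating system can move the TCM and secure code also uses it, the first configuration (control bit set to "1", TCM control reserved to the secure side) and the second configuration (control bit set to "0", TCM never consulted by secure accesses). The memory layout, the `SECRET` value and the names `System`, `scenario` and `non_secure_direct_read` are constructed; privileged versus user mode is not modelled, the secure side being treated as the secure kernel throughout.

```python
"""Added model of the TCM aliasing scenario: external memory is split at SECURE_BASE,
the TCM shadows whatever physical range its base register selects, and the partition
checker only examines the physical address of an access. Example code for this page;
the layout and the SECRET value are constructed."""

SECURE, NON_SECURE = "S", "NS"
SECURE_BASE = 0x10000   # constructed: external memory at or above this is secure
NS_BASE = 0x1000        # constructed: a non-secure physical range
TCM_SIZE = 0x100
SECRET = 0x5A


class Abort(Exception):
    """Abort raised by the partition checker."""


class UndefinedInstruction(Exception):
    """Exception taken on a forbidden CP15 write."""


class System:
    def __init__(self, ns_may_control_tcm, secure_uses_tcm):
        self.ns_may_control_tcm = ns_may_control_tcm  # True models control bit "0"
        self.secure_uses_tcm = secure_uses_tcm        # False models configuration 2
        self.external = {}                            # physical address -> value
        self.tcm = [0] * TCM_SIZE                     # indexed by offset within the TCM
        self.tcm_base = 0
        self.domain = NON_SECURE

    def set_tcm_base(self, base):
        """Write to the TCM region register in CP15."""
        if self.domain != SECURE and not self.ns_may_control_tcm:
            raise UndefinedInstruction("TCM control is reserved to the secure side")
        self.tcm_base = base

    def _tcm_hit(self, pa):
        if self.domain == SECURE and not self.secure_uses_tcm:
            return False            # configuration 2: secure accesses skip the TCM
        return self.tcm_base <= pa < self.tcm_base + TCM_SIZE

    def _partition_check(self, pa):
        if self.domain == NON_SECURE and pa >= SECURE_BASE:
            raise Abort(f"non-secure access to secure address {pa:#x}")

    def store(self, pa, value):
        self._partition_check(pa)
        if self._tcm_hit(pa):       # the TCM takes priority over external memory
            self.tcm[pa - self.tcm_base] = value
        else:
            self.external[pa] = value

    def load(self, pa):
        self._partition_check(pa)
        if self._tcm_hit(pa):
            return self.tcm[pa - self.tcm_base]
        return self.external.get(pa, 0)


def scenario(ns_may_control_tcm, secure_uses_tcm):
    """Returns what the non-secure OS reads at the end, or the exception that stopped it."""
    system = System(ns_may_control_tcm, secure_uses_tcm)
    try:
        system.set_tcm_base(SECURE_BASE)        # 1. non-secure OS aliases the TCM over secure memory
    except UndefinedInstruction:
        return "undefined instruction"
    system.domain = SECURE
    system.store(SECURE_BASE + 0x10, SECRET)    # 2. secure kernel stores a secret there
    system.domain = NON_SECURE
    system.set_tcm_base(NS_BASE)                # 3. non-secure OS moves the TCM window
    return system.load(NS_BASE + 0x10)          # 4. same TCM offset, now a non-secure address


def non_secure_direct_read():
    """Without the TCM trick, the partition checker stops the non-secure read."""
    system = System(ns_may_control_tcm=True, secure_uses_tcm=True)
    system.domain = SECURE
    system.store(SECURE_BASE + 0x10, SECRET)
    system.domain = NON_SECURE
    try:
        return system.load(SECURE_BASE + 0x10)
    except Abort:
        return "abort"
```

`scenario(True, True)` returns the secret, showing that the partition checker alone cannot prevent the leak because every address it sees is legitimately non-secure at the time of the access; `scenario(False, True)` stops at step 1 with the undefined instruction exception of the first configuration, and `scenario(True, False)` returns 0 because in the second configuration the secret never entered the TCM.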
As mentioned earlier, the memory system as a whole can contain a number of memory units, several of which may be on the external bus 70, for example the external memory 56, the boot ROM 44, or the buffers or registers 48, 62, 66 in peripheral devices such as the screen driver 46, the I/O interface 60, the key storage unit 64, and so on. Moreover, different parts of the memory system may need to be defined as secure memory; for example, the key buffer in the key storage unit 64 may need to be treated as secure memory. If a device coupled to the external bus attempts to access secure memory, the memory management logic 30 provided in the chip containing the core clearly cannot police that access.

Figure 47 illustrates how an additional partition checker 492 may be coupled to the external bus (also referred to herein as the device bus). The external bus is typically arranged so that memory access requests issued by any device (for example devices 470, 472) are placed onto the external bus. Such memory access requests also include certain signals on the external bus that define the mode of operation, for example privileged, user, etc. In accordance with the preferred embodiment of the present invention, a memory access request also involves issuing a domain signal onto the external bus to identify whether the device is operating in the secure mode or the non-secure mode. This domain signal is preferably issued at the hardware level, and in the preferred embodiment a device capable of operating in either the secure or the non-secure domain has a predetermined pin for outputting the domain signal onto path 490 of the external bus. For the sake of illustration, path 490 is shown separately from the other signal paths 488 of the external bus.

The domain signal (also referred to herein as the "S bit") identifies whether the device issuing the memory access request is operating in the secure domain or the non-secure domain, and this information is received by the partition checker 492 coupled to the external bus. The partition checker 492 also has access to the partitioning information identifying which regions of memory are secure and which are non-secure, and can therefore be arranged to allow a device to access a particular part of memory only if the S bit is asserted to indicate operation in a secure mode.

By default it is envisaged that the S bit will not be asserted, so a pre-existing non-secure device (such as device 472 shown in Figure 47) will not output an asserted S bit and will therefore never be allowed by the partition checker 492 to access any secure part of memory, whether in the registers or buffers 482, 486 of the screen driver 480 and the I/O interface 484, or in the external memory 474.

For the sake of illustration, the arbiter block used to arbitrate between memory access requests issued by master devices (such as devices 470, 472) is shown separately from the decoder 478 used to determine the appropriate memory device to service a memory access request, and separately from the partition checker 492. However, it will be appreciated that one or more of these elements could be integrated into the same unit if desired.

Figure 48 illustrates an alternative embodiment in which the partition checker 492 is not provided, and instead each memory device 474, 480, 484 is arranged to police its own memory accesses according to the value of the S bit. Hence, if device 470, in a non-secure mode, were to issue a memory access request to a register 482 in the screen driver 480 that is marked as secure memory, the screen driver 480 would determine that the S bit is not asserted and would not process the memory access request. Thus, with appropriate design of the various memory devices, the need to provide a separate partition checker 492 on the external bus can be avoided.

In the above description of Figures 47 and 48, the "S bit" is used to identify whether the device issuing the memory access request is operating in the secure domain or the non-secure domain. Viewed another way, the S bit can be seen as indicating whether the memory access request belongs to the secure domain or the non-secure domain.

In the embodiments described with reference to Figures 37 and 38, a single MMU (together with a single set of page tables) is used to perform virtual to physical address translation. With such an approach, the physical address space is typically split between non-secure memory and secure memory in the simple manner shown in Figure 49. Here the physical address space 2100 of one of the memory units in the memory system, for example the external memory 56, covers a range starting at address zero and extending to address Y. For each memory unit, the addressable memory is typically divided into two parts, a first part 2110 allocated as non-secure memory and a second part 2120 allocated as secure memory.

With such an approach, it will be appreciated that there are certain physical addresses that cannot be accessed from a particular domain, and that this difference is visible to the operating systems used in those domains. While the operating system used in the secure domain knows of the existence of the non-secure domain and will therefore be untroubled by this, the operating system in the non-secure domain should ideally not need to know that the secure domain exists, and should instead operate as if the secure domain were not there.

A further point is that the non-secure operating system sees the address space of the external memory as starting at address zero and extending to address X, and has no need to know anything about the secure kernel, and in particular about the existence of the secure memory extending from address X+1 to address Y. Conversely, the secure kernel does not see its address space as starting at address zero, which is typically what an operating system expects.

An embodiment that alleviates the above concerns, by allowing the secure memory regions to be entirely hidden from the non-secure operating system in its physical address space, and by allowing both the secure kernel in the secure domain and the non-secure operating system in the non-secure domain to see the address space of the external memory as starting at address zero, is described with reference to Figure 51. Here the physical address space 2200 can be split into secure and non-secure segments at the page level. In the example shown in Figure 51, the address space of the external memory is split into four segments 2210, 2220, 2230 and 2240, comprising two secure memory regions and two non-secure memory regions.

Rather than converting between the virtual address space and the physical address space by means of a single page table translation, two separate layers of address translation are performed with reference to a first page table and a second page table, thereby introducing the concept of an intermediate address space, which can be arranged differently depending on whether the processor is in the secure domain or the non-secure domain. In particular, as shown in Figure 51, by using descriptors provided in a secure page table within the set of page tables 2250, the two secure memory regions 2210 and 2230 of the physical address space can be mapped to a single region 2265 in the intermediate address space. To the operating system running on the processor, the intermediate address space appears to be the physical address space, and the MMU is used to translate virtual addresses into intermediate addresses within that intermediate address space.

Similarly, an intermediate address space 2270 can be set up for the non-secure domain, in which, by means of corresponding descriptors in a non-secure page table within the set of page tables 2250, the two non-secure memory regions 2220 and 2240 of the physical address space are mapped to the non-secure region 2275 of the non-secure domain.

In one embodiment, as shown in Figure 50A, the translation from virtual address to physical address via an intermediate address is controlled using two separate MMUs. The MMUs 2150 and 2170 of Figure 50A can be regarded as constructed in a manner similar to the MMU 200 of Figure 37, although some details have been omitted for ease of illustration.

The first MMU 2150 includes a micro-TLB 2155, a main TLB 2160 and translation table walk logic 2165, and likewise the second MMU 2170 includes a micro-TLB 2175, a main TLB 2180 and translation table walk logic 2185. The first MMU is controlled by the non-secure operating system when the processor is operating in the non-secure domain, or by the secure kernel when the processor is operating in the secure domain. However, in the preferred embodiment the second MMU can only be controlled by the secure kernel or the monitor program.

When the processor core 10 issues a memory access request, it will, via path
In this way, I will understand that there are certain physical addresses that cannot be accessed by specific domains, and such differences The operating system used for these domains will be very obvious. The operating system used for security domains will know the existence of non-secure domains, and therefore will not care about this. In non-secure domains The operating system should preferably not need to know the existence of the security domain, but on the contrary, it should operate as if it is not in the security domain. In a further issue, we will understand that a non-security operating system knows the external memory The address space starts at address zero and extends to address X 'and the non-secure operating system does not need to know anything about the security core, and especially extends from address χ + 丨 to address γ The existence of security memory. Conversely, the security core will not know that its address space starts at address zero, which is usually not what one would expect from an operating system.-Implementation to alleviate the above concerns For example, by allowing a secure memory region to be completely unknown to a non-secure operating system with its physical address space, and by enabling the security core in the security domain and the non-security domain in the Non-security operating systems to know that the external memory's address space starts at address zero, as shown in Figure 51. Here, the physical address space 2 2 00 can be cut to secure or non-secure at the paging level In the example shown in Figure 51, the address space of the external memory shown is cut into four blocks 2210, 2220, 2230, and 2240, which contain two secure memory areas and two Non-secure memory area. 
Instead of converting between the virtual address space and the physical address space by a single paging table conversion, refer to a first paging table and a second paging table 90 200422849 to perform two separate layers Address translation, thereby introducing the concept of an intermediate address space 'depending on whether the processor is in a secure or non-secure domain, it can make different arrangements. In particular, as shown in FIG. 51, two security memory regions 2210 and 2230 in the physical address space are provided by using a descriptor 'physical address space provided in a set of page tables 2250. Able to map to a single region 2265 in the middle address space. For the operating system running on the processor, it will regard the intermediate address space as the physical address space 'and will use the MMU to transform the virtual address into the intermediate address space in the intermediate address space. Similarly, the intermediate address space 22 70 can be set for non-secure domains, where the corresponding descriptors in a non-secure paging table of the component page table 2250 will be two in the physical address space. The non-secure memory regions 2220 and 2240 are mapped to the non-secure region 2275 of the non-secure domain. In one embodiment, as shown in FIG. 50A, the translation of the virtual address to the physical address via the intermediate address is controlled by two independent MMUs. The MMUs 2150 and MMUs 2170 in FIG. 50A can be considered to be constructed in a similar manner to the MMU 200 shown in FIG. 37, but some details have been omitted for the sake of simplicity. The first MMU 2150 includes a micro-TLB 2155, a main TLB 2160, and translation table walking logic 2165. Similarly, the second MMU 2170 includes a micro-TLB 2175, a main TLB 2180, and translation table walking logic 2 1 8 5. 
The first MMU is controlled by a non-secure operating system when the processor is operating in a non-security domain, or is controlled by the security core when the processor is operating in a security domain 91 200422849. However, in a preferred embodiment, the second MMU can only be controlled by a security core or a monitoring program. When the processor core 10 issues a memory access request, it will

issue a virtual address to the micro-TLB 2155 via path 2153. The micro-TLB 2155 stores a number of virtual address portions together with the corresponding intermediate address portions retrieved from descriptors stored in the main TLB 2160. The descriptors in the main TLB 2160 are retrieved from the page tables of a first set of page tables associated with the first MMU 2150. If a hit is detected in the micro-TLB 2155, the micro-TLB 2155 can issue via path 2157 the intermediate address corresponding to the virtual address received via path 2153. If there is no hit in the micro-TLB 2155, the main TLB 2160 is referenced to see whether a hit is detected there, and if so the virtual address portion and the corresponding intermediate address portion are retrieved into the micro-TLB 2155, after which the intermediate address can be issued via path 2157.

If there is no hit in either the micro-TLB 2155 or the main TLB 2160, the translation table walk logic 2165 is used to issue a request for the required descriptor from a predetermined page table of the first set of page tables accessible to the first MMU 2150. Typically there may be page tables for individual processes associated with the secure domain or the non-secure domain, and the intermediate base addresses of those page tables are accessible to the translation table walk logic 2165, for example from appropriate registers among the CP15 registers 34. Hence, the translation table walk logic 2165 can issue an intermediate address via path 2167 to request a descriptor from the appropriate page table.

The second MMU 2170 is arranged to receive any intermediate address output by the micro-TLB 2155 via path 2157 or by the translation table walk logic 2165 via path 2167, and if a hit is detected in the micro-TLB 2175 that micro-TLB can issue the required physical address to memory via path 2192, so that the required data is retrieved via the data bus 2190. For an intermediate address issued via path 2157 this causes the required data to be returned to the core 10, whereas for an intermediate address issued via path 2167 it causes the required descriptor to be returned to the first MMU 2150 for storage in the main TLB 2160.

If there is a miss in the micro-TLB 2175, the main TLB 2180 is referenced, and if there is a hit in the main TLB the required intermediate address portion and corresponding physical address portion are returned to the micro-TLB 2175, causing the micro-TLB 2175 to issue the required physical address via path 2192. If, however, there is a hit in neither the micro-TLB 2175 nor the main TLB 2180, the translation table walk logic 2185 is arranged to output via path 2194 a request for the required descriptor from the relevant page table of a second set of page tables associated with the second MMU 2170. This second set of page tables includes descriptors that associate intermediate address portions with physical address portions, and typically there is at least one page table for the secure domain and one page table for the non-secure domain. When a request is issued via path 2194, it causes the relevant descriptor to be returned from the second set of page tables to the second MMU 2170 for storage in the main TLB 2180.

The operation of the embodiment illustrated in Figure 50A will now be illustrated further by the particular example below, in which the abbreviation VA denotes a virtual address, IA an intermediate address and PA a physical address.

1) Core issues VA = 3000 [IA = 5000, PA = 7000]
2) Miss in micro-TLB of MMU 1
3) Miss in main TLB of MMU 1
   Page table 1 base address = 8000 IA [PA = 10000]
4) Translation table walk logic of MMU 1 performs page table lookup
   - issues IA = 8003
5) Miss in micro-TLB of MMU 2
6) Miss in main TLB of MMU 2
   Page table 2 base address = 12000 PA
7) Translation table walk logic of MMU 2 performs page table lookup
   - issues PA = 12008
   "8000 IA = 10000 PA" returned as page table data
8) - stored in main TLB of MMU 2
9) - stored in micro-TLB of MMU 2
10) Hit now occurs in micro-TLB of MMU 2
   - issues PA = 10003
   "3000 VA = 5000 IA" returned as page table data
11) - stored in main TLB of MMU 1
12) - stored in micro-TLB of MMU 1
13) Hit now occurs in micro-TLB of MMU 1
   - issues IA = 5000 to perform the data access
14) Miss in micro-TLB of MMU 2
15) Miss in main TLB of MMU 2
16) Translation table walk logic of MMU 2 performs page table lookup
   - issues PA = 12005
   "5000 IA = 7000 PA" returned as page table data
17) - stored in main TLB of MMU 2
18) - stored in micro-TLB of MMU 2
19) Hit in micro-TLB of MMU 2
   - issues PA = 7000 to perform the data access
20) Data at physical address 7000 returned to the core

The next time the core issues a memory access request (say for VA 3001):
1) Core issues VA = 3001
2) Hit in micro-TLB of MMU 1; request for IA 5001 issued to MMU 2
3) Hit in micro-TLB of MMU 2; request for PA 7001 issued to memory
4) Data at PA 7001 returned to the core

It will be appreciated that in the above example misses occurred in both the micro-TLBs and the main TLBs of the MMUs, so the example represents a "worst case" sequence. Typically it would be expected that a hit would be found in at least one of the micro-TLBs or main TLBs, greatly reducing the time taken to retrieve the data.

Returning to Figure 51, in preferred embodiments the second set of page tables 2250 is provided in a particular region of the physical address space, namely a secure region. The first set of page tables can be of two types, namely secure page tables and non-secure page tables. In preferred embodiments the secure page tables appear contiguously in the intermediate address space 2265, and likewise the non-secure page tables in the non-secure intermediate address space 2275. They need not, however, be placed contiguously in the physical address space, so that, for example, the secure page tables of the first set can be spread across the secure regions 2210 and 2230, and similarly the non-secure page tables can be spread across the non-secure memory regions 2220 and 2240.

As mentioned earlier, one of the main benefits of the two-level approach using two sets of page tables is that, for both the operating system of the secure domain and the operating system of the non-secure domain, the physical address space can be arranged to start at zero, which is what an operating system typically expects. The additional secure memory regions can be entirely hidden from the non-secure operating system, which has its own "physical address" space, since what it sees as its physical address space is in fact an intermediate address space that can be arranged as a contiguous sequence of intermediate addresses.

Furthermore, the handling of memory regions that move between non-secure memory and secure memory can be greatly simplified using such an approach, as illustrated in Figure 52. As can be seen from Figure 52, a region of memory 2300, for example a single page of memory, may exist in the non-secure memory region 2220, and similarly a memory region 2310 may exist in the secure memory region 2210. These two memory regions 2300 and 2310 can, however, readily be swapped by changing the relevant descriptors in the second set of page tables, so that region 2300 now becomes a secure region mapped to region 2305 in the intermediate address space of the secure domain, whilst region 2310 now becomes a non-secure region mapped to region 2315 in the intermediate address space of the non-secure domain. This can take place entirely transparently to the operating systems in the secure and non-secure domains, because what each of them regards as its physical address space is in fact the intermediate address space of the secure domain or of the non-secure domain respectively. Hence, the approach avoids any redefinition of the physical address space within either operating system.

An alternative embodiment of the present invention, which also uses two MMUs but arranges them differently from Figure 50A, will now be described with reference to Figure 50B. Comparing Figure 50A with Figure 50B, it can be seen that the arrangement is almost identical, but in this embodiment the first MMU 2150 is arranged to perform virtual address to physical address translation, and the second MMU is arranged to perform intermediate address to physical address translation. Hence, in contrast to the embodiment of Figure 50A, there is no path from the micro-TLB 2155 of the first MMU 2150 to the micro-TLB 2175 of the second MMU 2170; instead the micro-TLB 2155 of the first MMU is arranged to output a physical address directly via path 2192, as shown in Figure 50B. The operation of the embodiment shown in Figure 50B will now be illustrated by the particular example below, in which the details of the core's memory access request are the same as in the example given earlier for Figure 50A.

1) Core issues VA = 3000 [IA = 5000, PA = 7000]
2) Miss in micro-TLB and main TLB of MMU 1
   Page table 1 base address = 8000 IA [PA = 10000]
3) Translation table walk logic of MMU 1 performs page table lookup
   - issues IA = 8003
4) Miss in micro-TLB and main TLB of MMU 2 for IA 8003
   Page table 2 base address = 12000 PA
5) Translation table walk logic of MMU 2 performs page table lookup
   - issues PA = 12008
   "8000 IA = 10000 PA" returned as page table data
6) "8000 IA = 10000 PA" mapping stored in the main TLB and micro-TLB of MMU 2
7) Micro-TLB of MMU 2 now translates the IA 8003 from step (3) to PA 10003 and issues the fetch
   "3000 VA = 5000 IA" returned as page table data
   Note: this translation is held temporarily by MMU 1, but is not stored directly in any TLB
8) Translation table walk logic of MMU 1 now issues a request for IA = 5000 to MMU 2
9) Miss in micro-TLB and main TLB of MMU 2 for IA 5000
10) Translation table walk logic of MMU 2 performs page table lookup
   - issues PA = 12005
   "5000 IA = 7000 PA" returned as page table data
11) MMU 2 stores "5000 IA = 7000 PA" in its micro-TLB and main TLB. The translation is also passed to MMU 1.
12a) MMU 2 issues the PA = 7000 access to memory
12b) MMU 1 combines the "3000 VA = 5000 IA" and "5000 IA = 7000 PA" descriptors to give a "3000 VA = 7000 PA" descriptor, which is stored in the main TLB and micro-TLB of MMU 1
13) Data at PA 7000 returned to the core

The next time the core issues a memory access request (say for VA 3001):
1) Core issues VA = 3001
2) Hit in micro-TLB of MMU 1; MMU 1 issues a request for PA = 7001
3) Data at PA 7001 returned to the core

From a comparison with the example given earlier for Figure 50A, it can be seen that the main differences are at step 7, where MMU 1 does not store the first-table descriptor directly, and at step 12b (12a and 12b can take place simultaneously), where MMU 1 also receives the IA->PA translation, combines it and stores the combined descriptor in its TLBs.

Hence, it will be appreciated that whilst this alternative embodiment still uses two sets of page tables to translate a virtual address into a physical address, the micro-TLB 2155 and main TLB 2160 in fact store virtual address to physical address translations, so that when a hit occurs in the micro-TLB 2155 or the main TLB 2160 there is no need to perform lookups in both MMUs. In that case the first MMU can handle the request from the core directly, without reference to the second MMU.

It will be appreciated that the second MMU 2170 could be arranged without the micro-TLB 2175 and main TLB 2180, with the page table walk logic 2185 being used for every request that needs to be handled by the second MMU. This saves complexity and cost in the second MMU, and may be acceptable on the assumption that the second MMU is needed relatively infrequently. Since every request will need to use the first MMU, it is generally beneficial for the first MMU 2150 to include the micro-TLB 2155 and main TLB 2160 in order to improve the speed of operation of the first MMU.

It should be noted that the pages in the page tables can vary in size, and hence the two halves of a translation may have descriptors relating to pages of different sizes. Typically the pages of MMU 1 will be smaller than those of MMU 2, but this is not essential.
For example:
Table 1 maps 4Kb at 0x40003000 to 0x00081000
Table 2 maps 1Mb at 0x00000000 to 0x02000000
Here the smaller of the two sizes must be used for the combined translation, so the combined descriptor is
4Kb at 0x40003000 mapped to 0x02081000
However, the swapping of data between contexts (as described earlier with reference to Figure 52) may produce the reverse situation, for example:
Table 1 maps 1Mb at 0xc0000000 to 0x00000000
Table 2 maps 4Kb at 0x00042000 to 0x02042000
Now a lookup from the core at address 0xc0042010 gives the mapping:
4Kb at 0xc0042000 to 0x02042000
That is, the smaller of the two sizes is always used for the combined mapping.

Note that in the second case the handling is less efficient, because the descriptor in table 1 (1Mb) will be looked up and discarded repeatedly as different 4Kb regions are accessed. In a typical system, however, the table 2 descriptor will in most cases be the larger one (as in the first example), which is more efficient, since the 1Mb mapping can be reused by other 4Kb pages pointing into the appropriate part of the IA space.

As an alternative to using two separate MMUs as shown in Figures 50A and 50B, a single MMU can be used as shown in Figure 53, where on a miss in the main TLB 2420 the MMU generates an exception that causes software executing on the core 10 to produce a virtual to physical address translation based on the combination of descriptors from the two different sets of page tables. In particular, as shown in Figure 53, the core 10 is coupled to an MMU 2400 that includes a micro-TLB 2410 and a main TLB 2420. When the core 10 issues a memory access request, the virtual address is provided via path 2430, and if a hit is observed in the micro-TLB the corresponding physical address is output directly via path 2440, causing the data to be returned to the core 10 via path 2450. If, however, there is a miss in the micro-TLB 2410, the main TLB 2420 is referenced, and if the relevant descriptor is present in the main TLB the relevant virtual address portion and the corresponding physical address portion are retrieved into the micro-TLB 2410, after which the physical address can be issued via path 2440. If the main TLB also misses, an exception is generated and sent to the core via path 2422. The processing performed in the core on receipt of such an exception will now be described further with reference to Figure 54.

As shown in Figure 54, if a TLB miss exception is detected by the core at step 2500, the core enters the monitor mode at step 2510 via a predetermined vector for that exception. This causes page table merging code to execute, which performs the remainder of the steps shown in Figure 54.
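The combining rule just illustrated with Tables 1 and 2 (and applied by MMU 1 at step 12b of the Figure 50B walk), as an added Python model written for this page rather than code from the patent or from ARM: a virtual address is walked through a first table (VA to IA) and a second table (IA to PA), and the two descriptors are merged into one VA-to-PA descriptor whose granule is the smaller of the two page sizes. The descriptor layout, the page sizes and the tables are constructed assumptions; the decimal granule of 1000 in the last case mirrors the VA 3000 / IA 5000 / PA 7000 walks above.

```python
# Added example, not part of the patent: two-level translation with
# descriptor merging at the smaller page size (Figure 50B step 12b,
# and the Table 1 / Table 2 examples).
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Descriptor:
    """One page-table entry: maps `size` units starting at `base_in`
    to the same number of units starting at `base_out`."""
    base_in: int
    base_out: int
    size: int  # page size; bases are assumed aligned to it

    def covers(self, addr: int) -> bool:
        return self.base_in <= addr < self.base_in + self.size

    def translate(self, addr: int) -> int:
        assert self.covers(addr)
        return self.base_out + (addr - self.base_in)


def lookup(table: List[Descriptor], addr: int) -> Optional[Descriptor]:
    """Return the descriptor whose input page contains `addr`, if any."""
    for d in table:
        if d.covers(addr):
            return d
    return None


def combine(first: Descriptor, second: Descriptor, va: int) -> Descriptor:
    """Merge a VA->IA descriptor and an IA->PA descriptor for the page
    containing `va` into a single VA->PA descriptor.  The smaller of the
    two page sizes is always used, so the merged entry never claims more
    than both tables actually map."""
    size = min(first.size, second.size)
    va_base = va - va % size                 # align down to the merged granule
    ia_base = first.translate(va_base)
    assert second.covers(ia_base), "merged IA page must lie inside the second descriptor"
    pa_base = second.translate(ia_base)
    return Descriptor(va_base, pa_base, size)


def translate(table1: List[Descriptor], table2: List[Descriptor],
              va: int) -> Tuple[Optional[Descriptor], Optional[int]]:
    """Two-level walk: VA -> IA via table 1, IA -> PA via table 2.
    Returns (merged descriptor, PA), or (None, None) when either level
    has no mapping, i.e. the access would fault.  A first-table entry can
    only reach physical memory that the second table (managed from the
    monitor / secure side) has chosen to expose."""
    d1 = lookup(table1, va)
    if d1 is None:
        return None, None
    ia = d1.translate(va)
    d2 = lookup(table2, ia)
    if d2 is None:
        return None, None
    merged = combine(d1, d2, va)
    return merged, merged.translate(va)


if __name__ == "__main__":
    # Constructed tables reproducing the first Table 1 / Table 2 case.
    t1 = [Descriptor(0x40003000, 0x00081000, 0x1000)]
    t2 = [Descriptor(0x00000000, 0x02000000, 0x100000)]
    merged, pa = translate(t1, t2, 0x40003004)
    print(f"merged: {merged.size:#x} at {merged.base_in:#x} -> {merged.base_out:#x}, PA {pa:#x}")
```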
In particular, at step 2520 the virtual address issued via path 2430 that caused the misses in the micro-TLB 2410 and main TLB 2420 (hereafter referred to as the faulting virtual address) is retrieved, and at step 2530 the intermediate address of the required first descriptor is determined from the intermediate base address of the appropriate table in the first set of tables. Having determined that intermediate address (typically by some predetermined combination of the virtual address and the intermediate base address), the relevant table in the second set of tables is then referenced to obtain the corresponding physical address for that first descriptor. Thereafter, at step 2550, the first descriptor can be fetched from memory, giving the intermediate address for the faulting virtual address.

Then, at step 2560, the second table is referenced again to find the second descriptor, which gives the physical address for the intermediate address of the faulting virtual address. Thereafter, at step 2570, that second descriptor is retrieved to obtain the physical address for the faulting virtual address.

Once this information has been obtained, the program merges the first and second descriptors to produce a new descriptor giving the required virtual address to physical address translation, this being performed at step 2580. In a similar manner to that described earlier with reference to Figure 50B, the merging performed by the software again uses the smallest page table size for the combined translation. Thereafter, at step 2590, the new descriptor is stored in the main TLB 2420, and the process then returns from the exception at step 2595.

Thereafter, the core 10 is arranged to reissue the virtual address for the memory access request via path 2430, which will still miss in the micro-TLB 2410 but will now hit in the main TLB 2420. Hence, the virtual address portion and the corresponding physical address portion can be retrieved into the micro-TLB 2410, after which the micro-TLB 2410 can issue the physical address via path 2440, causing the required data to be returned to the core 10 via path 2450.

It will be appreciated that in the alternative embodiments described earlier with reference to Figures 50A and 50B, one or both of the MMUs could be managed by software using the principles described above with reference to Figures 53 and 54.

Whether two MMUs are used as in Figure 50A or 50B, or a single MMU as in Figure 53, the fact that the second set of page tables is managed by the processor when operating in the monitor mode (or alternatively in a privileged secure mode) ensures that those page tables are secure. As a result, when the processor is in the non-secure domain it can only see non-secure memory, because the intermediate address space for the non-secure domain is generated by the first set of page tables, which is all that the processor can see when in the non-secure domain. Consequently, there is no need to provide a partition checker as part of the memory management logic 30 shown in Figure 1. A partition checker is still provided on the external bus, however, to police accesses made by other bus masters in the system.

In the embodiments discussed earlier with reference to Figures 37 and 38, a partition checker 222 was provided in association with the MMU 200, so that when an access was to be performed in the cache 38 a lookup had already been performed in the micro-TLB 206, and the access permissions (in particular the secure and non-secure permissions) had therefore already been checked. Hence, in such embodiments secure data cannot be stored in the cache 38 by non-secure applications. Access to the cache is under the control of the partition checking performed by the partition checker 222, so that no access to secure data can be performed when in a non-secure mode.

In an alternative embodiment of the present invention, however, the partition checker 222 is not provided for policing accesses made over the system bus 40; instead there is only a single partition checker coupled to the external bus 70, which polices accesses to the memory units connected to the external bus. In such embodiments this means that the processor core 10 can access any memory unit connected directly to the system bus 40, for example the TCM 36 and the cache 38, without those accesses being policed by the external partition checker, and hence some mechanism is needed to ensure that the processor core 10, when operating in a non-secure mode, does not access secure data in the cache 38 or the TCM 36.

Figure 55 illustrates a data processing apparatus in accordance with one embodiment of the present invention, which provides a mechanism enabling the cache 38 and/or the TCM 36 to police accesses made to them, without any partition checking logic needing to be provided in association with the MMU 200. As shown in Figure 55, the core 10 is coupled to the system bus 40 via the MMU 200, and the cache 38 and the TCM 36 are also coupled to the system bus 40. The core 10, cache 38 and TCM 36 are coupled via the external bus interface 42 to the external bus 70, which comprises an address bus 2620, a control bus 2630 and a data bus 2640, as shown in Figure 55.

The core 10, MMU 200, cache 38, TCM 36 and external bus interface 42 can be regarded as forming a single device connected to the external bus 70, which also serves as a device bus, and other devices may also be connected to that device bus, for example the secure peripheral device 470 or the non-secure peripheral device 472. Also connected to the device bus 70 are one or more memory units, for example the external memory 56. In addition, a bus control unit 2650 is connected to the device bus 70, and typically includes an arbiter 2652, a decoder 2654 and a partition checker 2656. For a general discussion of the operation of the elements connected to the device bus, reference should be made to the earlier description of Figure 47, where the arbiter, decoder and partition checker were shown as separate blocks; when placed within the single control block 2650 these elements operate in the same manner.

The MMU 200 of Figure 55 is illustrated in more detail in Figure 56. Comparing Figure 56 with Figure 37, it can be seen that the MMU 200 is constructed in exactly the same way as the MMU of Figure 37, the only difference being that no partition checker 222 is provided to monitor the transfer of data between the main TLB 208 and the micro-TLB 206 over path 242. If the processor core 10 issues a memory access request specifying a virtual address, the memory access request is routed through the MMU 200 and handled as described earlier with reference to Figure 37, with the micro-TLB 206 outputting a physical address onto the system bus 40 via path 238. If instead the memory access request directly specifies a physical address, it bypasses the MMU 200 and is routed directly via path 236 to the system
排40。在一實施例中,只有當處理器在監控模式中 時’產生直接指定實體位址之記憶體存取請求。 回顧先前對MMU 200之敘述,和尤其是第43圖 述’主要TLB 208將含有一些描述符435 ,以及對每 述符將提供一網域旗標425以確定是否對應的描述符 自一安全性分頁表或一非安全性分頁表。上述描述符 和相關的網域旗標425係在第55圖中的MMU 2〇〇中 2650 一解 流排 % 47 的區 相同 藉由 係以 分割 -TLB 10發 取請 ,從 匯流 乙址, 匯流 操作 的描 一描 係來 435 概要 105 200422849 地描述。 當核心1 〇發出一記憶體存取請求時,將導係該記憶 存取請求的一實體位址被輸出至系統匯流排4 0,以及通 此時快取3 8將執行一查詢程序,以決定是否該位址所指 資料項係儲存在該快取中。只要在該快取中發生一不 者,即其決定屬於該存取請求的資料項未儲存在該快 中,由快取啟始一線填充(linefill)程序,以從外部記憶 5 6截取一行資料其包括屬於記憶體存取請求的資料項。 其是,該快取將藉由 EBI 42輸出一線填充請求至裝置 流棑70的控制匯流排2630,和一開始位址輸出至位址 流棑2620。此外,一 HPROT信號將經由路徑2632輸出 控制匯流排2630,其將包括當發出記憶體存取請求時之 定核心操作模式的網域信號。因此,能夠將線填充程序 為快取3 8對外部匯流排之原始記憶體存取請求的傳播。 由分割檢測器2656接收該HP ROT信號,和因此確 該分割檢測器當外部記憶體存取請求發出時,是否裝置 外部記憶體5 6所請求的指定資料(在這種情況下,該裝 與核心10和快取38共同作用)係在安全性網域或在非安 性網域中操作。分割檢測器2656亦將存取確認記憶體區 係安全性或非安全性之分割資訊,和因此能夠決定裝置 否允許存取其所請求的資料。因此,如果在HPROT信 中的網域^號(也如S位元本文中提到)宣告確認到對該 料的存取係由該敬置所請求,則當在一安全性模式中操 時,能夠女排分割檢測器僅允許一裝置存取記憶體之一 體 常 定 符 取 體 尤 匯 匯 至 指 視 認 白 置 全 域 是 號 資 作 安 106 200422849 全性部.分。 如果該分割檢測器決定不允許該核心1 0存取所請求 的資料,例如,因為HPROT信號已確認該核心並非在一 非安全性模式下操作,但是線填充請求企圖自記憶體之一 安全性區域中的外部記憶體取回資料,則分割檢測器265 6 發出一中止信號至控制匯流排2630(其將經由路徑2636傳 回至EBI 42,導致經由路徑2670向核心1〇發出中止信 號。然而,如果分割檢測器2656決定允許存取,則輸出一 S私籤信號,以確定自外部記憶體截取的資料是安全性資 料或非女全性資料,以及該S標籤信號經由路徑2 6 3 4至 傳回至EBI 42 ,和設定相關於快取線26〇〇之旗標屬於線 填充處理。 同時,控制邏輯2650授權外部記憶體56所出所請求 之線填充資料,藉由EBI 42經由路徑268〇傳回資料至快 取38,以儲存於相關的快取線26〇〇。因此,該處理之結果, 用外部記憶體56的資料項填充快取中所選擇的快取線將 填滿來自外部記憶體56之資料項,該些資料項包括屬於來 自核心1〇之原始記憶體存取請求的資料項。屬於來自該核 心記憶體存取請求的資料項之後能夠被選擇性地自快取 38傳回核心,或能夠選擇性地經由路徑266〇從ebi 42傳 回至核心1 0以直接提供。 因it在較佳實施例中,由上述線填充處理將導致快 取線原始儲存資料之發生,與該快取線相關的旗標2602 將依據分割撿測器2656所提供的值進行設定,以及之後將 107 200422849 由快取38使用該面旗標以直接控制對快取線26〇〇中的資 料項的任何爾後之存取。因此,如果之後核心1 〇使在快取 38的一特定快取線2600產生一符合者之記憶體存取請求 發出,該快取38將檢查相關的旗標26〇2之值,並將該值 與核心1 0現有操作模式之值比較。在較佳實施例中,由在 CP 1 5網域狀態登錄中的監控模式所設定之一網域位元指 示核心1 〇所操作之現有模式。因此,當處理器核心丨〇在 操作於一安全性操作模式中時,能夠安排快取3 8只允許在 一快取線中的資料項,其被對應的旗標2602指示為可由處 理器核心1 0所存取的安全性資料《當核心在一非安全性模 式中操作時,核心存取快取3 8中的安全性資料之任何意 圖,將導致經快取3 8經由路徑2 6 7 〇產生中止信號。 能夠以多種方法設立T c M 3 6。在一實施例中,其能 夠像快取般建立,和安排實施例為包括多數線2 6 1 〇,藉由 與該快取38相同的方法,其每一具有與之相關的一旗標 
2612。使用與先前所述之快取38完全相同的方法管理對 TCM 36的存取,和導致一線填充處理執行之任何TCM不 符者,其結果為資料將被截取至—特定線26 1 0,以及分割 檢測器2656將產生需要的S標籤值,用以儲存與該線2610 相關的旗標2 6 1 2。 在一選擇性實施例中,可以使TCM 36設立為外部記 憶體56的延伸和用以儲存經常儲存被處理器使用的資 料,因為經由系統匯流排對TCM的存取通常比對外部記憶 體的存取更快速。在此類實施例中,TCM 3 6不使用旗標 108 200422849 2612 ’反之使用一不同機制來控制對tcm的存取。尤其 如先别所述在此類實施例中,提供可由處理器設立之 一控制旗標,當在一權限安全性模式中執行時指示是否只 有在執行於一權限安全性模式下時,可由處理器控制緊接 β己憶體,或當執行於至少一非安全性模式中時,可由處理 控制 由女全性作業系統設置控制旗標,和實際定義是 否可由權限安全性模式或非安全性模式控制。因此, 所此夠定義一架構係TCM只能在當處理器在一權限安全 眭模式中操作時被控制。在此類實施例中,對控制登 錄之任何存取意圖將導致進入一未定義的指令異常。 在選擇性的架構中,當在一非安全性模式中操作時, 能夠由處理器控制TCM。在此類實施例中,只由非安全性 應用使用該TCM。不能夠儲存任何安全性資料或從 載入。因此,當執行一安全性存取時,在中不執行任 何查詢,以了解位址是否與該TCM位址範圍符合。 第57圖之流程圖說明當操作於處理器核心丨〇之一非 女全性程式產生一虛擬位址時,由第55圖的設備所執行之 處理,首先,在第2705步驟,在micr〇-TLB 2〇6中執行一 查珣,以及如果它產生—符合者,則micr〇 TLB在第 步驟檢查存取許可。參照第56圖,該程序能夠視為由存取 許可邏輯202執行。 如果在第2705步驟,在micro-TLB査詢發生—不符 者,則在非安全性描述符儲存於其中的主要tlb2〇8執二 一查詢(第2710步驟)。如果它產生一不符者,則在第2715 109 200422849 步驊執打一分頁表行走程序(如先前參照第3 7圖所討論 者),其中在第2720步驟以後,它決定主要Tlb含有該有 效梯籤(tagged)的非安全性描述符。如果在第271〇步驟產 生/符合者’則程序直接進行至第2720步驟。 此後,在第2725步驟,micrQ.TLB把含有實體位址的 描述符的部分載入,其後在第273〇步驟micr〇 TLB檢查 該些存取許可。 如果在第2730步驟發現有一違反存取許可者,則程序 進行至第2740步驟,其中經由路徑23〇發出中止信號至處 理器核心(類似於在第55圖所示之路徑267〇)。然而,如 果未伯測到違反者,則在第2745步驟決定是否該程序與一 可快取的資料項相關。否則,則在第279〇步驟初始一外部 存取,以企圖自外部記憶體56截取資料項。在第2795步 騨,分割檢測器2656將決定是否有安全性分割違反,即, 如果處理器核心10在一非安全 r 生模式中操作時企圖存取 在安全性記憶體中的一資料項,以及如果摘測到一違反 者,則分割檢測器2656將在第277<水邮女 肘隹第2775步驟產生令止信號。 然而’假設沒有安全性分名丨眘 -另女金〖生刀割違反,則程序進行至第2785 步驟,其為資料存取所發生處。 的,則在第2750步驟在快 貝疋了决取 摘測到…者,則在第2二 快取查詢’以及如果 線V驟快取決定是否有安全性 線‘籤違反。因此’在該階段 ^ ^ & »» ^ Γ、取將檢查與包含資料項 取線相關的旗標之值,和將把該旗標的值與核心 200422849 1 〇作業模式比較,以決定是否授權核心存取請求的資料 項。如果偵測到一安全性線標籤違反,則程序進行至第 2 760步驟,其中由快取38產生一安全性違反錯誤中止信 號和經由路徑2670發出至核心10。然而,假設在第2755 步驟未偵測到安全性線標籤違反,則在第2785步驟執行資 料存取。 如果當快取查詢在第2750步驟執行時發生一快取不 符者,則在第2765步驟初始一快取線填充。在第2770步 驟,此時分割檢測器2 6 5 6偵測是否有一安全性分割違反, 若有則在第2 7 7 5步驟發出一中止信號。然而,假設未偵測 到安全性分割違反,則快取線填充在第2780步驟進行,在 第2785步驟完成資料存取。 如第 57 圖所示,第 2705、271〇、2715、272〇、2725、 2730 和 2735 步驟在 MMU 中執行,第 2745、275〇、2755、 2 7 6 5 2 7 8 0和2 7 9 0步驟由快取執行,以及由分割檢測器 執行第2770步驟和第2795步驟。A similar method is 
described in which the software performs the merge again and uses the smallest page table size for the combined translation. After that, in step 2590, the new descriptor is stored in the main TLB 2420, and then the program returns from the exception in step 2595. After that, the core 1 is scheduled to issue a virtual address for the memory access request via path 2430. It will still generate non-conformances in micro-TLB 2410, but will now generate a conformant in main TLB 2420. Therefore, the virtual address part and the corresponding physical address part can be intercepted to 102 200422849 micro-TLB 2410 ′, and micro_TLB 2410 can transmit the required data back to core 10 via path 2450. I will understand 'in the alternative embodiment described previously with reference to Figures 50A and 50B' by software using the principles described above with reference to Figures 53 and 54 to manage the One or both of the MMU. Regardless of whether two MMUs are used as shown in Figure 50A or 50B, or one MMU is used as shown in Figure 53, the fact that the processor manages the second set of page tables when operating in monitor mode (or (Optionally in a permission security mode) to ensure that the paging tables are secure. As a result, when the processor is in a non-secure domain, it can only see non-secure memory. When Tian is in a non-female full-scale domain, the first set of page tables that can only be seen by the processor is Non-secure domains create intermediate address spaces. As a result, it is not necessary to provide a segmentation detector as part of the memory management logic 30 as shown in the first figure. However, a split detector is still provided on the external bus to monitor access in the system by other bus masters. 
In the embodiments previously discussed with reference to Figures 7 and 38, Provided-a segmentation detector 222 related to ^^ U 2 0 0, and therefore when access is to be performed in the cache 38 + + 1 seek 'A query has been executed first in the micro-TLB 206' and As a result, access permissions (especially security and non-security permissions) have been checked. Therefore, + In such embodiments, non-safety applications cannot store inflammation ## in the cache 38 for holistic data of women. The access to the cache is under the control of the segmentation detection by the segmentation detector 222 /, and therefore not 103 200422849 can be in the non-secure ten: However, if it is not for: via a data processing device It is used to implement the i system bus and cache 3 8 in this type, so some data access is needed during the operation. No. 55, which mentions the access check logic performed. Example: Link to the system confluence ^ link. The core surface 42 is connected to a ^ Control® flow ^ The core 1 0 interface 42 is also visible as a row j connection, for example: 472. It is also connected to perform access to oblique security data in 4 • mode. In an alternative embodiment of the present invention, the segmentation detector 222 is provided by the monitoring access by the integrated bus 40, otherwise there is only a single segment inspection monitoring connected to the external bus 70 connected to the external bus Of memory cells. In this column, it means that the processor core 10 can access any memory unit directly connected to 40, such as τ〇μ36 without having to monitor these accesses by an external partition detector, and a mechanism to ensure the processor The core 10 does not access an insecure module in the cache 38 or the TCM 36. 
The insecure map according to an embodiment of the present invention illustrates a data processing device for a mechanism to enable the cache 38 and / Or TCM 36 controls it without providing any segmentation inspection related to MMU 2000. As shown in Figure 55, core 10 is connected to non-40 through mmu 200, cache 38 and TCM 36 are also connected to the system bus 4 〇10, cache 38 and TCM 36 are external bus 70 by external bus, which includes a single address bus 2620, non 2630 and a data bus 2640, as shown in Figure 55. , MMU200, cache 38, TCM36, and external buses constitute a single device connected to external bus 70, multiple buses, and other devices can also merge with the above devices such as security peripherals 47 or non-secure The peripheral device-to-device bus 70 is one or most of the memory list 104 200422849 yuan, such as external memory 56. In addition, a bus control unit is connected to the device bus 70, and generally includes an arbiter 2652, an encoder 2654, and a split detector 2656. For a general discussion of the operation of the components connected to the device sink, reference should be made to the previously described I diagram 'The arbiter, decoder, and segmentation detector are shown as a single block' but when placed in a single control block 2650 , These components work in the same way. MMU 2000 in FIG. 55 is further detailed in FIG. 56. Comparing Figure 56 and Figure 37, you can see that the MMU 200 is constructed in exactly the same way as the MMU in Figure 37. The only difference is that the detector 222 is not used for monitoring between the main TLB 208 and micro 206. Data transmission on path 242. If the processor core issues a memory access request specifying a virtual address, the memory access will then bypass the MMU 200 and process the micro-TLB 206 as described earlier in Figure 37 to output a physical bit via path 238 Address to system row 40. 
Conversely, if the memory access request directly specifies an entity, this will bypass the MMU 200 and directly route to the system bank 40 via path 236. In one embodiment, only when the processor is in the monitor mode 'generates a memory access request that directly specifies the physical address. Looking back at the previous description of MMU 200, and especially Figure 43, the 'main TLB 208 will contain some descriptors 435, and a domain flag 425 will be provided for each descriptor to determine if the corresponding descriptor is self-securing. A paging table or a non-secure paging table. The above descriptors and related domain flags 425 are the same as the 2650-streaming% 47 of MMU 2000 in Figure 55. By sending the request with a split-TLB 10 The description of the confluence operation is described in 435 Summary 105 200422849. When the core 10 issues a memory access request, a physical address that leads to the memory access request is output to the system bus 40, and at this time, the cache 38 will execute a query procedure to Determines whether the data item at the address is stored in the cache. As long as nothing happens in the cache, it means that the data item that belongs to the access request is not stored in the cache. The cache starts a linefill process to intercept a row of data from external memory 5 6 It includes data items that belong to a memory access request. That is, the cache will output a one-line fill request to the control bus 2630 of the device stream 70 through the EBI 42 and output the initial address to the address stream 2620. In addition, a HPROT signal will be output via the path 2632 to the control bus 2630, which will include a domain signal of a certain core operation mode when a memory access request is issued. Therefore, the line filling procedure can be cached for propagation of 38 to the original memory access request of the external bus. 
The HP ROT signal is received by the partition detector 2656, and therefore it is determined whether the partition detector installs the specified data requested by the external memory 56 when the external memory access request is issued (in this case, the Core 10 and cache 38 work together) to operate in a secure domain or a non-secure domain. The split detector 2656 will also access split information that confirms the security or non-security of the memory area, and can therefore determine whether the device will allow access to the data it requests. Therefore, if the domain name ^ in the HPROT letter (also referred to in the S bit text) declares that the access to the material is requested by the respect, then when operating in a security mode The women's volleyball segmentation detector can only allow a device to access the memory of one of the regular identifiers and transfer it to the designated white zone, which is designated as No. 106 200422849. If the partition detector decides that the core 10 is not allowed to access the requested data, for example, because the HPROT signal has confirmed that the core is not operating in a non-secure mode, but the line fill request attempts to be secure from one of the memories The external memory in the area retrieves the data, and the segmentation detector 265 6 sends a stop signal to the control bus 2630 (which will be returned to the EBI 42 via path 2636, resulting in a stop signal to the core 10 via path 2670. However, If the segmentation detector 2656 decides to allow access, it outputs an S private signature signal to determine whether the data intercepted from the external memory is security data or non-feminine data, and that the S label signal passes the path 2 6 3 4 To return to EBI 42, and set the flag related to the cache line 2600 is a line filling process. 
At the same time, the control logic 2650 authorizes the requested line filling data from the external memory 56 through EBI 42 via path 268 〇Returns data to cache 38 to be stored in the relevant cache line 260. Therefore, the result of this processing is filled with the data items selected in the external memory 56 The cache line will be filled with data items from the external memory 56. These data items include data items belonging to the original memory access request from the core 10. After the data items belonging to the core memory access request can be Is selectively returned from the cache 38 to the core, or can be selectively returned from the ebi 42 to the core 10 via the path 2660 for direct provisioning. Because it is in the preferred embodiment, the line filling process described above will result in Occurrence of the original stored data of the cache line. The flag 2602 related to the cache line will be set according to the value provided by the splitter 2656, and then 107 200422849 will be used by cache 38 to directly control the flag. Any subsequent access to the data item in cache line 2600. Therefore, if core 10 then causes a particular cache line 2600 in cache 38 to generate a conformant memory access request, the The cache 38 will check the value of the relevant flag 2602 and compare this value with the value of the existing operating mode of the core 10. In the preferred embodiment, the monitoring mode in the CP 15 domain status registration Set a domain The bit indicates the existing mode operated by the core 10. Therefore, when the processor core 丨 〇 is operating in a secure operation mode, the cache 38 can be arranged to cache data items that are only allowed in one cache line. 
The corresponding flag 2602 indicates the security data accessible by the processor core 10 "Any intention of the core to access the security data in the cache 38 when the core is operating in a non-security mode, Will result in a suspension signal via cache 3 8 via path 2 67. T c M 3 6 can be set up in a variety of ways. In one embodiment, it can be built like a cache, and the embodiment is arranged to include a majority line 2 6 10, in the same way as the cache 38, each of which has a flag 2612 associated with it. Use exactly the same method as previously described for cache 38 to manage access to TCM 36, and any TCM discrepancy that caused the first-line fill process to be performed, with the result that the data will be intercepted to—specific line 26 1 0, and segmented The detector 2656 will generate the required S-tag value to store the flag 2 6 1 2 associated with the line 2610. In an alternative embodiment, the TCM 36 can be set up as an extension of the external memory 56 and used to store data that is often used by the processor, because access to the TCM via the system bus is usually better than external memory Faster access. In such embodiments, the TCM 36 does not use the flag 108 200422849 2612 ', but instead uses a different mechanism to control access to tcm. In particular, as described above, in such embodiments, a control flag is provided that can be set by the processor and indicates whether it can be processed by the processor when executed in a permission security mode. The controller controls the beta memory, or when it is executed in at least one non-security mode, it can be controlled by the process. The control flag is set by the female holistic operating system, and it can actually define whether it can be authorized security mode or non-security mode. control. Therefore, it is sufficient to define an architecture TCM that can only be controlled when the processor is operating in a privileged security mode. 
In such embodiments, any intent to access the control log will result in entry into an undefined instruction exception. In an alternative architecture, the TCM can be controlled by the processor when operating in a non-security mode. In such embodiments, the TCM is used only by non-security applications. No security data can be stored or loaded from. Therefore, when performing a secure access, no query is performed in it to find out if the address matches the TCM address range. The flowchart in Figure 57 illustrates the processing performed by the device in Figure 55 when a non-female holistic program operating on the processor core generates a virtual address. First, in step 2705, in micr. -A check is performed in TLB 206, and if it generates a conformant, micr0 TLB checks the access permission in step 1. Referring to Fig. 56, the program can be regarded as being executed by the access permission logic 202. If at step 2705, a query occurs at the micro-TLB—a non-conformance is performed, the second query is performed at the main tlb2008 where the non-security descriptor is stored (step 2710). If it produces a discrepancy, a page table walking procedure is executed at step 2715 109 200422849 (as discussed previously with reference to Figure 37), where after step 2720 it decides that the main Tlb contains the valid ladder Tagged non-security descriptor. If generated / conformant 'at step 2710, the procedure proceeds directly to step 2720. Thereafter, in step 2725, micrQ.TLB loads the part of the descriptor containing the physical address, and then in step 273, the micr TLB checks the access permissions. If an access violator is found in step 2730, the program proceeds to step 2740, in which an abort signal is sent to the processor core via path 23 (similar to path 267 in FIG. 55). However, if no violator has been detected, then in step 2745 a decision is made as to whether the procedure is related to a cacheable data item. 
Otherwise, an external access is initiated in step 279 to attempt to intercept the data item from the external memory 56. At step 2795, the segmentation detector 2656 will determine if there is a security segmentation violation, that is, if the processor core 10 attempts to access a data item in secure memory while operating in an unsecure mode, And if a violator is picked up, the segmentation detector 2656 will generate a stop signal at step 277 < water mail elbow step 2775. However, ‘assuming there is no security name 丨 careful-another female gold 〖raw knife cutting violation, the process proceeds to step 2785, where the data access occurs. If yes, then in step 2750, the decision is made in the cache. If you find…, then in the 2nd cache query ’and if the line V snap cache determines whether there is a security line‘ signature violation ’. So 'at this stage ^ ^ & »» ^ Γ, take the value of the flag that will check the line associated with the contained data item, and compare the value of this flag with the core 200422849 1 0 operation mode to decide whether to authorize Core access requested data item. If a security line label violation is detected, the process proceeds to step 2760 where a security violation error abort signal is generated by cache 38 and sent to core 10 via path 2670. However, assuming no security line label violation is detected in step 2755, data access is performed in step 2785. If a cache mismatch occurs when the cache query is executed in step 2750, then a cache line fill is initiated in step 2765. At step 2770, the segmentation detector 2 6 5 6 detects whether there is a security segmentation violation, and if so, sends a stop signal at step 2 7 7. However, assuming no security segmentation violation is detected, the cache line filling is performed in step 2780, and data access is completed in step 2785. 
As shown in Figure 57, steps 2705, 2710, 2715, 2720, 2725, 2730, and 2735 are performed in the MMU, and 2745, 2750, 2755, 2 7 6 5 2 7 8 0, and 2 7 9 0 Steps are performed by the cache, and steps 2770 and 2795 are performed by the segmentation detector.
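The behaviour of the cache and the partition checker along the Figure 57 path (from step 2745 onwards) and the relaxed Figure 58 path for secure programs can be modelled in a few dozen lines. The following is an added example, not code from the patent: the class names, the 32-byte line size and the two-region memory map are assumptions of this example, and the MMU steps 2705 to 2740 are left out.

```python
"""Behavioural model of the access path of Figures 55, 57 and 58: the cache
with its per-line security flag, and the partition checker that tags each
linefill from the domain signal carried in HPROT.  Added example, not code
from the patent; class names, the line size and the memory map are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECURE, NON_SECURE = 1, 0   # S bit of the core / domain signal within HPROT
LINE_BYTES = 32             # cache line size assumed for this model


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    secure: bool            # partition information held by the checker


class PartitionChecker:
    """Models partition checker 2656 on the external bus (steps 2770/2795)."""

    def __init__(self, regions: List[Region]):
        self.regions = regions

    def region_is_secure(self, addr: int) -> bool:
        for r in self.regions:
            if r.base <= addr < r.base + r.size:
                return r.secure
        raise ValueError(f"address {addr:#x} is not in any region")

    def check(self, addr: int, hprot_domain: int) -> Tuple[bool, Optional[int]]:
        """Return (allowed, s_tag).  A request tagged non-secure in HPROT for a
        secure region is aborted (step 2775); otherwise the S tag that the
        checker returns over path 2634 for the fetched line is given."""
        secure_region = self.region_is_secure(addr)
        if secure_region and hprot_domain == NON_SECURE:
            return False, None
        return True, SECURE if secure_region else NON_SECURE


@dataclass
class CacheLine:
    tag: int
    s_flag: int             # flag 2602, set from the S tag on linefill


class Cache:
    """Models cache 38: a hit is checked against flag 2602 and the core's
    current domain; a miss triggers a linefill through the checker."""

    def __init__(self, checker: PartitionChecker):
        self.checker = checker
        self.lines: Dict[int, CacheLine] = {}
        self.log: List[str] = []

    def access(self, addr: int, core_domain: int) -> str:
        line_tag = addr // LINE_BYTES
        line = self.lines.get(line_tag)
        if line is None:                                  # miss: steps 2765-2780
            allowed, s_tag = self.checker.check(addr, core_domain)
            if not allowed:
                self.log.append(f"abort (partition) {addr:#x}")
                return "abort_partition"
            self.lines[line_tag] = CacheLine(line_tag, s_tag)
            self.log.append(f"linefill {addr:#x} tag={'S' if s_tag else 'NS'}")
            return "linefill_ok"
        # hit: a non-secure core may not read a line tagged secure (steps 2755/2760);
        # a secure core may read both (Figure 58 performs no line-tag check)
        if core_domain == NON_SECURE and line.s_flag == SECURE:
            self.log.append(f"abort (line tag) {addr:#x}")
            return "abort_line_tag"
        return "hit_ok"                                   # step 2785


def run_scenario() -> List[str]:
    """Constructed memory map: one non-secure and one secure region."""
    checker = PartitionChecker([Region(0x0000_0000, 0x1000, secure=False),
                                Region(0x1000_0000, 0x1000, secure=True)])
    cache = Cache(checker)
    return [
        cache.access(0x1000_0040, NON_SECURE),  # NS core wants secure data: abort
        cache.access(0x1000_0040, SECURE),      # S core fills the line, flag = S
        cache.access(0x1000_0044, NON_SECURE),  # NS core hits the S line: abort
        cache.access(0x0000_0010, NON_SECURE),  # NS core fills a NS line
        cache.access(0x0000_0010, SECURE),      # S core may read NS data
        cache.access(0x0000_0014, NON_SECURE),  # NS core hits the NS line
    ]


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

The third access shows why the per-line flag matters once the checker has been moved off the system bus: the secure line already sits in the cache, so only the flag 2602 stands between a non-secure access and the secure data.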

第58圖是一流程圖,圖示在核心中執行的一安全性程 弋產生虛擬位址時所執行的類似程序(第2800步驟)。藉 由比較第 57圖和篦 ssm =. 第8圖,吾人將了解,在MMU中經由 斤執订之第2 8 0 5步驟係相似於先前參照第5 7圖^ 之經由2735的第2705步驟。唯一的差別在第2810步 ::在主要TLB中所執行之查詢係相關於在主要TL】 ==安全性描述符,其結果為在第282。步驟」 TLB含有有效標籤的安全性描述符。 111 200422849 在快取中,該快取不再需要尋找任何安全性線標鐵違 反,因為如第5 8圖所示,假設安全性程式能夠存取安全性 資料和非安全性資料。因此,如果在第2 8 5 0步驟快取查詢 期間發生一符合者,則程序直接進行至資料存取步驟第 2 8 8 5步驟。 同樣地,如果需要對外部記憶體的外部存取(即,在第 2865或2890步驟)’分割檢測器不需要執行分割檢查,因 為再次假設安全性程式能夠存取安全性資料或非安全性資 在快取中執行的第2845、2850、2865、2880和289〇 步驟係類似於先前參照第57圖所述之第2745、275〇、 2765、2780 和 2790 步驟 〇 第59圖圖示在處理器上執行的不同模式和應用。依據 本發明的一實施例’虛線指示在處理器的監控期間不同模 式和/或應用如何能夠彼此分別和分開。 監控一處理器以找尋可能錯誤和發現應用為何不如預 期般執行的能力是非常有用的以及許多處理器提供此類功 能。能夠以包括偵錯和追蹤的功能之許多方法執行該監控。 依據本發明之技術,在處理器中偵錯能夠以幾種模式 操作,包括停機彳貞錯模式以及監控偵錯模式。該些模式侵 入和使程式在欲停止時執行。在停機偵錯模式中:當一: 點(breakpoint)或一監視點(watchp〇int)發生時,核心停止 並從其餘的系統分離以及核心進入備錯狀態…開始時核 心停止,*道(pipe—清除以及未有任何指令被預先取 112 200422849 回。使PC凍結以及忽略任何中斷(IRq和FIq)。而後可能 檢查核心内部狀態(藉由JTAG序列界面)以及記憶體系統 的狀態。該狀態對程式執行是侵入式的,因為它可能修改 現有模式、改變登錄狀況、等等。一旦偵錯終止,核心利 用Debug TAP藉由掃描Restart指令,從偵錯狀態退出。 而後程式重新繼續執行。 在監控债錯模式中,一斷點或監視點使核心進入中止 模式,分別採用預取(prefetch)或資料中止向量(Data Abort vectors)。在這種情況下,如果核心處於停機(Halt)偵錯模 式’核心仍然在一功能模式下且不停止。中止管理器與一 偵錯應用通訊,以存取處理器和辅助處理器狀態或傾印記 憶體。一偵錯監控程式處於偵錯硬體和軟體偵錯器之間。 如果已設定控制登錄DSCR以及偵錯狀態的位元11(詳見 下文),能夠阻止中斷(FIQ和irq)。在監控偵錯模式,在 資料中止(Data Aborts)和預取中止(prefetch Aborts)中使 向量截取失效,以避免因為替監控偵錯模式產生的中止, 使處理器被迫進入不可恢復的狀態。應該注意的是監控偵 錯模式是一種偵錯模式以及不相關於處理器的監控模式 (監督在安全性情境和非安全性情境之間轉換的模式)。 偵錯在某種時刻能夠提供處理器狀態的快照。其在接 收到偵錯初始請求時,藉由在各種登錄上註解該些值以達 成。在一掃描鏈上記錄了該些值(第67圖中的541、5 44 ) 以及而後它們使用JTAG控制器(第!圖的18)依序輸出。 監控核心的一種選擇方法是用追蹤(trace)。追蹤不是 113 200422849 呆作則記錄爾後的狀態。追縱是 侵入式的和如果 在第一圖中的2 2、26之嵌入式珀 式追縱巨細胞(ETM,EmbeddedFig. 58 is a flowchart showing a similar procedure executed when a virtual address is generated in the core (step 2800). By comparing Fig. 57 and 篦 ssm =. Fig. 8, we will understand that the 2 8 0 5 step ordered by the cat in the MMU is similar to the 2705 step through 2735 which was previously referred to Fig. 5 7 ^ . 
The only difference is in step 2810 :: The query performed in the main TLB is related to the main TL] == security descriptor, and the result is at step 282. Step "The TLB contains a security descriptor for a valid tag. 111 200422849 In the cache, the cache no longer needs to find any security line marking violations, because as shown in Figure 5-8, it is assumed that the security program can access security and non-security data. Therefore, if a match occurs during the cache query in step 2850, the procedure proceeds directly to step 2888 in the data access step. Similarly, if external access to external memory is required (ie, at steps 2865 or 2890), the 'segmentation detector does not need to perform a segmentation check because again it is assumed that the security program can access security data or non-security data. Steps 2845, 2850, 2865, 2880, and 289 performed in the cache are similar to steps 2745, 275, 2765, 2780, and 2790 described earlier with reference to Figure 57. Figure 59 illustrates the processor Different modes and applications on the implementation. An embodiment ' according to the invention ' dotted line indicates how different modes and / or applications can be separated and separated from each other during the monitoring of the processor. The ability to monitor a processor for possible errors and discover why an application is not performing as expected is very useful and many processors provide such functionality. This monitoring can be performed in many ways including functions for debugging and tracing. According to the technology of the present invention, the debug in the processor can be operated in several modes, including a shutdown error mode and a monitor debug mode. These modes invade and cause the program to execute when it is about to stop. In the shutdown debugging mode: When a breakpoint or a watchpoint occurs, the core stops and separates from the rest of the system and the core enters a standby state ... 
the core stops at the beginning, * — Cleared and no instruction was fetched 112 200422849 in advance. Freezes the PC and ignores any interrupts (IRq and FIq). Then it is possible to check the internal state of the core (via the JTAG sequence interface) and the state of the memory system. This state is Program execution is intrusive because it may modify the existing mode, change the registration status, etc. Once the debugging is terminated, the kernel uses the Debug TAP to exit the debugging state by scanning the Restart instruction. Then the program resumes execution. During monitoring In the debt fault mode, a breakpoint or a monitoring point causes the core to enter the abort mode, using prefetch or data abort vectors respectively. In this case, if the core is in the Halt debug mode 'The core is still in a functional mode and does not stop. The suspension manager communicates with a debug application to access the processor and auxiliary services Processor status or dump memory. A debug monitor is located between the debug hardware and the software debugger. If bit 11 (see below) that controls the registration of DSCR and debug status is set, it can prevent interrupts (FIQ and irq). In monitoring and debugging mode, invalidate vector interception in data aborts and prefetch aborts to avoid the processor being forced to stop due to the suspension generated for monitoring and debugging mode. Enter an unrecoverable state. It should be noted that the monitoring and debugging mode is a debugging mode and a monitoring mode that is not related to the processor (the mode of supervising the transition between the security context and the non-security context). This kind of moment can provide a snapshot of the state of the processor. When the initial request for debugging is received, it is achieved by annotating these values on various logins. 
These values are recorded on a scan chain (541 in Figure 67) , 5 44), and then they are sequentially output using the JTAG controller (Figure 18 in Figure 18). One option for the monitoring core is to use traces. Traces are not 113 200422849 State after. 追縱 is invasive and, if embedded Perot type 追縱 cytomegalovirus 2,26 2 in the first figure (ETM, Embedded

Trace Macr〇cen)上執行。ETM有—追縱埠口藉以輸出追 縱資訊’而後可由外部追縱埠口分析器分析。 本技術實施例的處理器在兩;雜从 仕两刀離的網域中操作,在所 述之實施例中,該些網域包括安全柯4非—人 文金性和非安全性網域。然 而,由於監控功能的目@,熟習該項技藝著將清楚該也網 域可能是彼此間資料不會茂漏的任何兩網域。纟技術的實 施例關聯於防止在兩網域間資料的茂漏以及諸如镇錯和追 蹤之監控功能,其允許對整個系統便利的存取,又該整個 系統係在網域間資料洩漏的潛在來源。 在上述之安全性和非安全性網域或情境的示例中,安 全性資料不能被非安全性情境獲得。此外,如果在安全性 情境中允許债錯,它可能有助於限制或隱藏安全性情境中 的一些資料。第5 9圖的虛線顯示一些可能方法的示例,其 劃分資料存取和提供不同層級的粒度(granuUrityp在第 59圖,方塊500顯示監控模式和其為所有模式中最安全 者,並控制在安全性和非安全性情境之間轉換。在監控模 式500之下有一監督模式52〇。而後具有應用522和Μ# 之非安全性使用者模式,以及具有應用512、514和516 之安全性使用者模式。只能控制監控模式(偵錯和追蹤)監 控非安全性模式(虛線501左邊)。選擇性地,可以允許監 控非安全性網域或情境和安全性使用者模式(5 〇丨的左邊 和501右邊在502下面的部分)。在一進一步的實施例中, 114 200422849 可以允許在安全性使用者網域中執行非安全性情境和某些 應用,在這種情況下,由虛線5 03進一步劃分。此類劃分 有助於在可以執行不同應用的不同使用者之間防止安全性 資料的洩漏❶在某些控制情況下,可以允許監控整個系統。 依據所需的粒度,於監控功能期間,核心的下列部分需要 具有它們控制的存取。 在一偵錯情況下,可以設定四種登錄;指令錯誤狀態 登錄(如果SR)、資料錯誤狀態登錄(DFSR)、錯誤位址登錄 (FAR)、和指令錯誤位址(IFAR) 〇當從安全性情境到非安全 性情境時,在一些實施例中應清除上述登錄,以避免資料 的任何洩漏。 PC樣本登錄:Debug TAP能夠藉由掃描鏈7存取該 P C。當在安全性情境中偵錯時,可以依據在安全性情境中 選擇的彳貞錯粒度對該值進行遮當核心在安全性 情境中執行時,讓非安全性情境、或加上安全性使用者應 用的非安全性情境不能得到p C的任何值是重要的。 TLB項目:可能使用CP15以讀取micro-TLB項目讀 寫主要TLB。吾人也能夠控制主要TLB和micro-TLB的載 入和配對(matching)。這種操作必須嚴格地控制,尤其是 如果安全性執行緒偵錯需要MMU/MPU的援助。 效能監控控制登錄:效能控制登錄針對該些快取不符 者、micr〇-TLB不符者、外部記憶體請求、執行的分支指 令、等等給予資訊。非安全性情境不應該存取該些資料, 即使在偵錯狀態中。即使偵錯在安全性情境中失效,該些 115 200422849 計數應可在安全性情境中操作。 在快取系統中偵錯:在一快取的系統中的摘錯一定是 非侵入式(observable)的。為了在快取和外部記憶體之間保 持一致性,這是重要的。使用CP 15能夠使快取失效,或 能夠強迫該快取寫入一所有區域。無論如何,在偵錯中允 許對快取行為的修jE可能是安全性的弱點而應該要控制。 位元組順序(Endianness):不應該允許能夠存取偵錯的 非女全性情i兄或女全性使用者應用改變位元組順序。改變 該位元組順序可能導致安全性核心故障。依據粒度,在偵 錯中禁止位元組順序的存取。 在監控功能開始時,可以控制核心部分的監控功能之 存取。偵錯和追蹤可用許多方法初始。本技術的實施例藉 由僅允許在某些條件下初始,以控制對核心的某些安全性 部分的監控功能的存取。 本技術的實施例藉由下列粒度尋求對進入監控功能的 限制: 藉由分別控制侵入式和非侵入式(追縱)偵錯; 藉由只允許在安全性使用者模式中或在整個安 全性情境中偵錯項目; 藉由只允許在安全性使用者模式中和更考慮執 行緒ID進行偵錯(應用執行)。 為了控制一監控功能的初始化,了解能夠如何初始功 能是重要的。第60圖顯示一表說明初始一監控功能之可能 116 200422849 方法’初始的監控功能型態和此類初始化指令可以由 設計。 通常’能夠藉由軟體或藉由硬體進入該些監控指 即’藉由JTAG控制器❶為了控制監控功能的初始化 用控制值。上述包含位置相依之啟動位元和因此如果 特疋位元,只充許在設定了該啟動位元的情況下啟 控在女全性登錄CP 14儲存了該些位元(偵錯和狀 制登錄、DSCR),其位於在ICE 53〇中(請參考第67圖 在較佳的實施例中,有啟動侵入和停用侵入和 入偵錯的四位元,上述包含一安全性偵錯啟動位元、 
Trace Macrocell). The ETM has a trace port for outputting trace information, which can then be analysed by an external trace port analyser. The processor of the embodiment of the present technology operates in two domains that are separated from each other; in the described embodiment these are the secure and non-secure domains. For the purposes of the monitoring functions, however, those skilled in the art will appreciate that they could be any two domains that must not leak information to each other. Embodiments of the present technology are concerned with preventing leakage of data between the two domains; monitoring functions such as debug and trace, which allow convenient access to the whole system, are a potential source of such leakage.
In the above example of secure and non-secure domains (or worlds), secure information must not be obtainable from the non-secure world. In addition, if debug is allowed in the secure world, it may be desirable to limit or hide some of the information in the secure world. The dashed lines in Figure 59 show examples of possible ways of dividing data access so as to provide different levels of granularity. Block 500 shows the monitor mode, which is the most secure of all the modes and controls switching between the secure and non-secure worlds. Below the monitor mode 500 there is a supervisor mode 52, and then the non-secure user mode with its applications (522 and others) and the secure user mode with applications 512, 514 and 516. Monitoring (debug and trace) can be controlled so that only the non-secure modes are monitored (left of dashed line 501). Optionally, monitoring of the non-secure domain and of the secure user mode may be allowed (left of 501 and, to the right of 501, below 502). In a further embodiment, monitoring may be allowed in the non-secure world and in certain applications of the secure user mode, in which case dashed line 503 provides a further division. Such divisions help to prevent leakage of secure data between different users able to execute different applications. Alternatively, monitoring of the whole system may be allowed.

Depending on the granularity required, the following parts of the core need their access controlled during a monitoring function. In debug, four registers can be set: the Instruction Fault Status Register (IFSR), the Data Fault Status Register (DFSR), the Fault Address Register (FAR) and the Instruction Fault Address Register (IFAR). When changing from the secure world to the non-secure world, these registers should in some embodiments be flushed to avoid any leakage of data. PC sample register: the Debug TAP can access the PC via scan chain 7.
When debugging in the secure world, this value may be masked according to the granularity selected in the secure world. While executing in the secure world, it is important that the non-secure world, or the non-secure world plus a secure user application, cannot obtain any PC value. TLB entries: CP15 may be used to read micro-TLB entries and to read and write main TLB entries. The loading and matching of the main TLB and micro-TLB can also be controlled. Such operations must be strictly controlled, especially if secure thread-aware debug requires the assistance of the MMU/MPU. Performance monitor control register: the performance control register gives information on cache misses, micro-TLB misses, external memory requests, branch instructions executed and so on. The non-secure world should not have access to this data, even in debug state. Even if debug is disabled in the secure world, these counters should remain operable in the secure world. Debug in a cached system: in a cached system debug must not disturb the system; this is important to maintain coherency between the cache and external memory. Using CP15, the cache can be disabled, or the cache can be forced to write through to all regions. In any case, allowing cache behaviour to be modified in debug may be a security weakness and should be controlled. Endianness: neither non-secure nor secure users with access to debug should be allowed to change the endianness. Changing the endianness could cause the secure kernel to fail. Depending on the granularity, endianness access is disabled in debug.

Control of access to the monitoring functions for these parts of the core can be exercised when a monitoring function is initiated. Debug and trace can be initiated in many ways. Embodiments of the present technology control access to the monitoring functions for certain secure parts of the core by permitting initiation only under certain conditions.
Embodiments of the present technology seek to limit access to the monitoring functions at the following granularities: by controlling intrusive and non-intrusive (trace) debug separately; by allowing debug only in the secure user mode, or throughout the secure world; and by allowing debug only in the secure user mode while taking the thread ID (the executing application) into account. To control the initiation of a monitoring function, it is important to understand how the function can be initiated. Figure 60 is a table illustrating the possible ways of initiating a monitoring function, the type of monitoring function initiated, and how such initiation instructions can be programmed. Generally these monitoring instructions can be accessed by software, or by hardware, that is, via the JTAG controller. A control value for controlling initiation of a monitoring function comprises a domain-dependent enable bit, so that when a particular bit is set the corresponding control is permitted to initiate only if that enable bit is set. CP14 stores these bits in the Debug Status and Control Register (DSCR), which is located in ICE 53 (see Figure 67). In the preferred embodiment there are four bits for enabling intrusive and non-intrusive debug: a secure debug enable bit, a secure trace enable bit, a secure user mode enable bit and a secure thread-aware enable bit. These control values provide a degree of controllable granularity for the monitoring functions and can therefore help prevent leakage from a particular domain. Figure 61 gives a summary of these bits and how they can be stored. The control bits are stored in a register in the secure domain, and access to that register is limited to three possibilities. Software access is provided via coprocessor MRC/MCR instructions, and this is permitted only from secure supervisor mode.
Optionally, software access can be provided from any other mode using an authorization code. A further option concerns hardware access and involves writing instructions via the JTAG input port. In addition to entering the control values relating to the availability of the monitoring functions, this input port can be used to enter control values relating to other functions of the processor. Further details relating to scan chains and JTAG are given below.

Register logic cell
Each integrated circuit (IC) contains two kinds of logic:
• Combinational logic cells, for example AND, OR and INV gates. Such a gate, or a combination of such gates, computes a Boolean expression from one or more input signals.
• Register logic cells, for example LATCH and FLIP-FLOP. Such cells are used to hold any signal value. Figure 62 shows a positive-edge triggered flip-flop: when a positive-edge event occurs on the clock signal (CK), the output (Q) takes the value of the input (D); otherwise the output (Q) keeps the value stored in its memory.

Scan chain cell
For test or debug purposes it is necessary to bypass the functional access to the register logic cells and to access their contents directly. The register cell is therefore integrated into a scan chain cell, as shown in Figure 63. In functional mode, Scan Enable (SE) is clear and the cell acts as a single register cell. In test or debug mode, SE is set and the input data can come from the Scan In (SI) input instead of the D input.

Scan chain
As shown in Figure 64, all the scan chain cells are chained together into a scan chain. In functional mode, SE is clear and all the register cells are accessible as normal and interact with the other logic of the circuit.
In test or debug mode, SE is set and all the registers are chained to one another in a scan chain. Data can enter from the first scan chain cell and be shifted through every other scan chain cell at the rhythm of each clock cycle. Data can be shifted out in order to examine the register contents. A debug TAP controller is used to control the scan chains. The TAP controller can select a particular scan chain: it connects the "scan in" and "scan out" signals to that scan chain. Data can then be scanned into the chain, shifted, and scanned out. The TAP controller is controlled externally through a JTAG port interface. Figure 65 illustrates a TAP controller.

Selectively disabled scan chain cell
For security reasons, some registers must not be accessible by the scan chain, even in debug or test mode. A new input called JADI (JTAG Access Disable) makes it possible to remove a scan chain cell dynamically or statically from a whole scan chain without modifying the scan chain structure in the integrated circuit. Figures 66A and 66B illustrate this input. If JADI is inactive (JADI = 0), the scan chain works as usual, whether in functional, test or debug mode. If JADI is active (JADI = 1) and we are in test or debug mode, some scan chain cells (chosen by the designer) can be "removed" from the scan chain structure. To keep the same number of scan chain cells, the JTAG selectively disabled scan chain cell uses a bypass register. Note that the scan out (SO) and the scan chain cell output (Q) are now different.

Figure 67 illustrates a processor including some parts of the JTAG. In normal operation, the instruction memory 550 communicates with the core and can also, under certain conditions, communicate with the register CP14 and reset the control values. Normally this is permitted only from secure supervisor mode. When debug is initiated, instructions are entered through the Debug TAP 580, which is then what controls the core. The core under debug executes in step-by-step mode.
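The scan chain of Figures 63 to 66 and the effect of the JADI bypass can be modelled in software. The following C model is an added example and not part of the patent; the cell and chain types, the chain length of four and the register values are all constructed for the illustration.

```c
/* Added example (not from the patent): a software model of a scan chain
 * (Figures 63 to 66). A cell marked jadi_protected is "removed" from the
 * chain when JADI=1 by shifting through its bypass register instead of its
 * flip-flop, so its Q is neither observed at SO nor overwritten, while the
 * chain keeps the same number of stages. All names and values are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CHAIN_LEN 4

struct scan_cell {
    bool q;              /* flip-flop contents, the functional output Q */
    bool bypass;         /* bypass register used while JADI-disabled */
    bool jadi_protected; /* designer's choice: cell may be removed by JADI */
};

struct scan_chain {
    struct scan_cell cell[CHAIN_LEN];
};

/* One clock in test/debug mode (SE=1): si enters cell 0, the bit leaving the
 * last cell (SO) is returned. */
bool chain_shift(struct scan_chain *c, bool si, bool jadi)
{
    bool in = si;
    for (size_t i = 0; i < CHAIN_LEN; i++) {
        struct scan_cell *s = &c->cell[i];
        bool out;
        if (jadi && s->jadi_protected) {
            out = s->bypass;   /* SO taken from the bypass register, not Q */
            s->bypass = in;
        } else {
            out = s->q;        /* normal scan cell: SO is Q */
            s->q = in;
        }
        in = out;
    }
    return in;
}

/* Scan the whole chain out, shifting zeros in. The CHAIN_LEN bits observed
 * at SO are packed MSB-first: bit 3 is the first bit seen (the last cell). */
unsigned chain_scan_out(struct scan_chain *c, bool jadi)
{
    unsigned captured = 0;
    for (size_t i = 0; i < CHAIN_LEN; i++)
        captured = (captured << 1) | (chain_shift(c, false, jadi) ? 1u : 0u);
    return captured;
}

/* Constructed sample: cell 1 holds a "secure" bit (1) and is JADI-protected. */
struct scan_chain sample_chain(void)
{
    struct scan_chain c = {{
        {true,  false, false},   /* cell 0: Q=1 */
        {true,  false, true},    /* cell 1: Q=1, protected */
        {false, false, false},   /* cell 2: Q=0 */
        {true,  false, false},   /* cell 3: Q=1 */
    }};
    return c;
}

/* What the TAP sees when it scans the sample chain out. */
unsigned sample_scan_out(bool jadi)
{
    struct scan_chain c = sample_chain();
    return chain_scan_out(&c, jadi);
}

/* Contents of the protected cell after a full scan-out. */
bool sample_protected_q_after_scan(bool jadi)
{
    struct scan_chain c = sample_chain();
    (void)chain_scan_out(&c, jadi);
    return c.cell[1].q;
}

int main(void)
{
    printf("JADI=0: SO bits = 0x%X (Q3 Q2 Q1 Q0), protected Q after = %d\n",
           sample_scan_out(false), (int)sample_protected_q_after_scan(false));
    printf("JADI=1: SO bits = 0x%X (Q1 replaced by bypass), protected Q after = %d\n",
           sample_scan_out(true), (int)sample_protected_q_after_scan(true));
    return 0;
}
```

With JADI=0 the TAP reads 0xB (all four Q values) and the scan overwrites the protected flip-flop; with JADI=1 it reads 0x9, the protected bit never reaches SO and the flip-flop still holds its value.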
The Debug TAP accesses CP14 through the core (subject to the access control signal input on the JSDAEN pin, which is shown as the JADI pin, the JTAG access disable input, in Figure 45), and can also reset the control values by this route. Access to the CP14 register by the Debug TAP 580 is controlled by the access control signal JSDAEN. The arrangement is such that for access, and in particular write access, to be permitted, JSDAEN must be set high. Once the whole processor has been verified, during the board stage, debug is enabled throughout the system and JSDAEN is set high. Once the system has been checked, the JSDAEN pin can be tied to ground, which means that debug in secure mode can no longer be enabled via the Debug TAP 580. A typical processor in production mode has JSDAEN tied to ground. The control values can then be accessed only by software routed through the instruction memory 550. Access via this route is restricted to secure supervisor mode, or to another mode on provision of an authorization code (see Figure 68).

It should be noted that, by default, debug (intrusive and non-intrusive trace) can only be used in the non-secure world. For them to be usable in the secure world, the control value enable bits need to be set. The advantage of this is that debug can always be initiated by the user, but executes only in the non-secure world. Thus, although in debug the user normally cannot access the secure world, in many cases this is not a problem, because access to that world is restricted and the secure world has been thoroughly verified at the board stage before it becomes available. It can therefore be foreseen that in many cases debug of the secure world is unnecessary. If necessary, a secure supervisor can still initiate debug by writing to CP14 via the software route.

Figure 68 illustrates the control of debug initiation. In this figure, part of the core 600 includes a storage element 601 (which, as described earlier, may be a CP15 register) in which a secure status bit S, indicating whether the system is in the secure world, is stored.
The core 600 also includes a register 602 indicating the mode in which the processor is executing (for example user mode), and a register 603 providing a context identifier that identifies the application or thread currently executing on the core. When a breakpoint is reached, a comparator compares the breakpoint stored in register 611 with the core address stored in register 612 and sends a signal to the control logic 620. The control logic 620 examines the secure state S, the mode 602 and the thread (context identifier) 603 and compares them with the control values and conditions stored in the CP14 register. If the system is not operating in the secure world, an "enter debug" signal is output at 630. If, however, the system is operating in the secure world, the control logic 620 examines the mode 602 and, if it is in user mode, checks whether the secure user mode enable bit and the debug enable bit are set. If they are, debug is initiated, provided that the thread-aware bit has not been set. The hierarchical nature of the control values is described above.

Figure 68 also shows the thread-aware part of the monitoring control, and how the control values stored in the CP14 register can be changed from secure supervisor mode (in this embodiment the processor is at the production stage and JSDAEN is tied to ground). Secure supervisor mode can be entered from secure user mode only by using an authorization code, after which the control values can be set in CP14.
When the address comparator 610 indicates that a breakpoint has been reached, the control logic 620 outputs the "enter debug" signal provided that the thread comparator 640 shows that debug is permitted for this thread, assuming that the thread-aware initiation bit is set in CP14. If the thread-aware initiation bit is set, then after a breakpoint debug or trace can be entered only if the address and the context identifier match those indicated in the breakpoint and in the permitted thread indicators. Once a monitoring function has been initiated, capture of diagnostic data continues only while the comparator 640 detects that the context identifier is that of a permitted thread. When the context identifier shows that the executing application is not a permitted one, capture of diagnostic data is prevented.

It should be noted that in the preferred embodiment there is a hierarchy in the granularity. In effect the secure debug or trace enable bit is at the top, followed by the secure user mode enable bit, and finally the secure thread-aware enable bit, as described with reference to Figures 69A and 69B (see below). The control values held in the "Debug and Status Control" register (CP14) control the secure debug granularity by domain, mode and thread. Secure supervisor mode is at the top of this hierarchy. Once the "Debug and Status Control" register CP14 has been set, the corresponding breakpoints, watchpoints and so on are programmed by secure supervisor mode so that the core enters debug state.

Figure 69A summarises the secure debug granularity for intrusive debug. The reset default values are shown in grey. The same applies to the debug granularity for non-intrusive debug: Figure 69B summarises the secure debug granularity in that case, and again the reset default values are shown in grey.
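The decision logic of Figure 68 and the hierarchy of enable bits just described can be written out as a small software model. The following C code is an added example and not part of the patent; the DSCR field names, the mode enumeration, the assumption that non-secure debug is always enabled and the sample execution trace are all constructed. It also applies the same decision to gating the capture of diagnostic data while stepping, the behaviour described for regions A and B of Figure 70 below.

```c
/* Added example (not from the patent): a software model of the control logic
 * 620 and thread comparator 640 of Figure 68, applying the CP14 hierarchy
 * (secure debug enable > secure user mode enable > thread-aware) both to the
 * decision to enter debug on a breakpoint and to gating the capture of
 * diagnostic data while stepping (regions A and B of Figure 70). Field names,
 * the mode enumeration and the sample trace are constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum mode { MODE_USER, MODE_SUPERVISOR, MODE_MONITOR };

/* Control values held in the CP14 register (compare Figure 61) */
struct dscr {
    bool secure_debug_enable;     /* top of the hierarchy */
    bool secure_user_mode_enable; /* restrict secure debug to user mode */
    bool thread_aware_enable;     /* further restrict to one thread */
    uint32_t allowed_context_id;  /* thread permitted when thread-aware */
};

/* Core state examined by the control logic */
struct core_state {
    bool s_bit;          /* storage element 601: true = secure world */
    enum mode mode;      /* register 602 */
    uint32_t context_id; /* register 603 */
};

/* True when the core may enter debug / capture diagnostic data in this
 * state (region A of Figure 70); false for region B. Non-secure debug is
 * assumed enabled. In this model the thread-aware bit only narrows the
 * secure user mode permission, following the hierarchy in the text. */
bool debug_permitted(const struct dscr *d, const struct core_state *c)
{
    if (!c->s_bit)
        return true;
    if (!d->secure_debug_enable)
        return false;                 /* whole secure world hidden */
    if (!d->secure_user_mode_enable)
        return true;                  /* debug anywhere in the secure world */
    if (c->mode != MODE_USER)
        return false;                 /* secure supervisor/monitor excluded */
    if (d->thread_aware_enable && c->context_id != d->allowed_context_id)
        return false;                 /* comparator 640: not the allowed thread */
    return true;
}

/* Breakpoint logic: address comparator 610 plus control logic 620. */
bool breakpoint_enters_debug(const struct dscr *d, const struct core_state *c,
                             uint32_t bp_addr, uint32_t pc)
{
    return pc == bp_addr && debug_permitted(d, c);
}

/* Step through a trace of core states; bit i of the result is set when the
 * diagnostic data of step i would be captured. Steps in region B are still
 * executed, but without capture, like the automatic stepping of Figure 70. */
uint32_t capture_mask(const struct dscr *d, const struct core_state *trace,
                      size_t n)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < n; i++)
        if (debug_permitted(d, &trace[i]))
            mask |= 1u << i;
    return mask;
}

/* Constructed trace: non-secure code, an SMI into the secure supervisor,
 * two secure user threads (context IDs 7 and 9), return to non-secure. */
static const struct core_state SAMPLE_TRACE[] = {
    { false, MODE_USER,       1 },
    { false, MODE_SUPERVISOR, 1 },
    { true,  MODE_SUPERVISOR, 0 },
    { true,  MODE_USER,       7 },
    { true,  MODE_USER,       9 },
    { false, MODE_USER,       1 },
};
#define SAMPLE_STEPS (sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0])

/* Capture mask for the sample trace under a given CP14 setting
 * (the allowed thread is always context ID 7). */
uint32_t sample_capture_mask(bool sec_dbg, bool sec_user, bool thread_aware)
{
    struct dscr d = { sec_dbg, sec_user, thread_aware, 7 };
    return capture_mask(&d, SAMPLE_TRACE, SAMPLE_STEPS);
}

int main(void)
{
    printf("secure debug disabled : 0x%02X\n", (unsigned)sample_capture_mask(false, false, false));
    printf("whole secure world    : 0x%02X\n", (unsigned)sample_capture_mask(true, false, false));
    printf("secure user mode only : 0x%02X\n", (unsigned)sample_capture_mask(true, true, false));
    printf("secure user, thread 7 : 0x%02X\n", (unsigned)sample_capture_mask(true, true, true));
    return 0;
}
```

Each tightening of the hierarchy clears further bits of the mask (0x3F, 0x3B, 0x2B) down to the non-secure steps alone (0x23) when secure debug is disabled, while a breakpoint that matches in the secure world is simply ignored under that last setting.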
Note that the secure user mode debug enable bit and the secure thread-aware debug enable bit are common to intrusive and non-intrusive debug. A thread-aware initiation bit is stored in the CP14 register and indicates whether granularity by application is required. If the thread-aware bit has been set, the control logic further checks whether the application identifier or thread 603 is one indicated in the thread-aware control value, and if so, debug is initiated. If either the user mode enable bit or the debug enable bit is not set, or the thread-aware bit is set and the executing application is not one indicated in the thread-aware control value, the breakpoint is ignored, the core carries on with what it was doing and debug is not initiated.

In addition to controlling the initiation of a monitoring function, the capture of diagnostic data during a monitoring function can be controlled in a similar way. To achieve this, during operation of the monitoring function the core must keep taking account of the two control values, namely the enable bits stored in the CP14 register and their associated conditions. Figure 70 illustrates the granularity of a monitoring function during execution. Here, region A corresponds to the region in which capture of diagnostic data is allowed, and region B to the region in which the control values stored in CP14 indicate that diagnostic data must not be captured. Thus, when debug is executing and a program operates in region A, diagnostic data is output step by step during debug.
When operation moves to region B, where capture of diagnostic data is not allowed, debug still proceeds step by step but runs automatically without any data being captured. This continues until operation of the program enters region A again, whereupon capture of diagnostic data starts again and debug continues in step-by-step fashion. In the above embodiment, if the secure domain is not enabled, an SMI instruction is always treated as an atomic event and capture of diagnostic data is prevented. Furthermore, if the thread-aware initiation bit is set, the granularity of the monitoring function during operation also applies per application.

As for non-intrusive debug, or trace, this is achieved by the ETM and is entirely independent of debug. When trace is enabled the ETM works as usual; when it is disabled, the ETM hides the trace in the secure world, or in part of the secure world, according to the granularity chosen. One way of preventing the ETM from capturing and tracing diagnostic data in the secure domain when this is not enabled is to stall the ETM while the S bit is high. This can be achieved by combining the S bit with the ETMPWRDOWN signal, so that when the core enters the secure world the last value of the ETM is retained. The ETM should therefore trace an SMI instruction and then stall until the core returns to the non-secure world. The ETM thus monitors only non-secure activity. The different monitoring functions and their granularity are summarised below.

Intrusive debug at the board stage
At the board stage, when the JSDAEN pin is not tied to ground, it is possible to initiate debug anywhere, at any time. Likewise, if we are in secure supervisor mode, we have similar rights. If we initiate debug in halt debug mode, all registers are accessible (the non-secure and secure register banks) and the whole of memory can be dumped, except for the bits dedicated to control. Debug halt mode can be entered from any mode and any domain.
Breakpoints and watchpoints can be set in secure or non-secure memory. In debug state it is possible to enter the secure world simply by changing the S bit with an MCR instruction. Debug mode can be entered when a secure exception occurs; the new bits added to extend the vector trap register are as follows: SMI vector trap enable; secure data abort vector trap enable; secure prefetch abort vector trap enable; and secure undefined vector trap enable. In monitor debug mode, if debug is allowed everywhere, it is possible to step into the secure world even when an SMI is called from the non-secure world. When a breakpoint occurs in the secure domain, the secure abort handler is able to dump the secure register bank and secure memory. The two abort handlers, in the secure and non-secure worlds, give their information to the debugger application so that the debugger window (on the associated debug control PC) can display the register state in both the secure and the non-secure world. Figure 71A shows what happens when the core is set in monitor debug mode and debug is enabled in the secure world. Figure 71B shows what happens when the core is set in monitor debug mode and debug is disabled in the secure world. The procedures are detailed below.

Intrusive debug at the production stage
At the production stage, when JSDAEN is tied to ground and debug is restricted to the non-secure world unless the secure supervisor decides otherwise, what happens is shown in Figure 71B. In this case an SMI should always be treated as an atomic instruction, so that the secure function is always completed before debug state is entered. Entering debug halt mode is subject to the following restrictions: external debug requests and internal debug requests are considered only in the non-secure world.
If EDBGRQ (External Debug Request) has been asserted in the secure world, the core enters debug halt mode once the secure function has terminated and the core has returned to the non-secure world. Programming breakpoints or watchpoints in secure memory has no effect, and the core does not halt when the programmed address matches. The vector trap register (see below) concerns only non-secure exceptions; all the extended trap enable bits described above have no effect. Once in halt debug mode, the following restrictions apply: the S bit cannot be changed to force entry into the secure world unless secure debug is enabled; if debug is permitted only in secure supervisor mode, the mode bits cannot be changed; the bits dedicated to controlling secure debug cannot be changed; and if an SMI is loaded and executed (system-speed access), the core re-enters debug state only once the secure function has executed completely. In monitor debug mode, since monitoring cannot take place in the secure world, the secure abort handler does not need to support a debug monitor. In the non-secure world single-stepping is possible, but as soon as an SMI executes the secure function executes in full: in other words, whereas "step-in" and "step-over" are both possible for all other instructions, an SMI allows only "step-over". The SMI is therefore regarded as an atomic instruction.

Once secure debug is disabled, we have the following restrictions. Before entering monitor mode: breakpoints and watchpoints are considered only in the non-secure world; if the S bit is set, breakpoints and watchpoints are skipped.
Note that the watchpoint unit is accessed with MCR/MRC (CP14). This does not cause a security problem, because breakpoints and watchpoints have no effect on secure memory. A BKPT is normally used to replace the instruction at which a breakpoint is set; overwriting that instruction in memory with a BKPT instruction is assumed to be possible only in non-secure mode. The vector trap register concerns only non-secure exceptions; as mentioned earlier, all the extended trap enable bits have no effect. The data abort and prefetch abort enable bits should be disabled to avoid forcing the processor into an unrecoverable state. Via JTAG we have the same restrictions as in halt mode (the S bit cannot be modified, and so on). Once in monitor mode (non-secure abort mode): the non-secure abort handler can dump the non-secure world, but the secure register bank and secure memory are not visible; secure functions are executed as atomic SMI instructions; the S bit cannot be changed to force entry into the secure world; and if debug is permitted only in secure supervisor mode, the mode bits cannot be changed. Note that if an external debug request (EDBGRQ) occurs in the non-secure world, the core terminates the current instruction and immediately enters debug state (in halt mode); in the secure world, the current function is terminated and debug state is entered when the core returns to the non-secure world.

The new debug requirements imply some modifications in the core hardware. The S bit must be carefully controlled and, for security, this bit cannot be inserted into a scan chain. In summary, in debug the mode bits may be changed only when debug is enabled in secure supervisor mode. This prevents anyone who can access debug in the secure domain from gaining access to the whole secure world by altering the system (modifying TLB entries, and so on).
In this way each thread is able to debug its own code, and only its own code. The secure kernel must keep its security. Therefore, when debug is entered while the core is executing in the non-secure world, the mode bits can be changed only as described above.

Embodiments of the present technology use a new vector trap register. If one of the bits in this register is set high and the corresponding vector is triggered, the processor enters debug state as if a breakpoint had been set on an instruction fetched from the corresponding exception vector. The behaviour of these bits may differ according to the value of the "Debug in Secure world Enable" bit in the debug control register. The new vector trap register includes the following bits: D_s_abort, P_s_abort, S_undef, SMI, FIQ, IRQ, Unaligned, D_abort, P_abort, SWI and Undef.

D_s_abort bit: can be set only when debug is enabled in the secure world and debug is configured in halt debug mode. In monitor debug mode this bit is never set. If debug is disabled in the secure world, the bit has no effect whatever its value.
P_s_abort bit: the same as the D_s_abort bit.
S_undef bit: can be set only when debug is enabled in the secure world. If debug is disabled in the secure world, the bit has no effect whatever its value.
SMI bit: can be set only when debug is enabled in the secure world. If debug is disabled in the secure world, the bit has no effect whatever its value.
FIQ, IRQ, D_abort, P_abort, SWI and Undef bits: these correspond to non-secure exceptions, so they remain effective even if debug is disabled in the secure world. Note that D_abort and P_abort should not be asserted high in monitor mode.

Reset bit: when a reset occurs we enter the secure world; this bit is effective only if debug is enabled in the secure world, otherwise it has no effect.

Although a particular embodiment of the invention has been described herein, it will be clear that the invention is not limited to it and that many modifications and additions may be made within the scope of the invention. For example, various combinations of the features of the following dependent claims can be made with the independent claims without departing from the scope of the invention.

[Brief description of the drawings]
The invention will be further explained with reference to preferred embodiments, given by way of example only, illustrated in the accompanying drawings, in which:
Figure 1 is a block diagram illustrating a data processing apparatus according to a preferred embodiment of the invention;
Figure 2 illustrates different programs operating in a non-secure domain and a secure domain;
Figure 3 illustrates a matrix of processing modes associated with different security modes;
Figures 4 and 5 illustrate different relationships between processing modes and security domains;
Figure 6 illustrates a programmer's model of the register bank of a processor in relation to the processing modes;
Figure 7 illustrates an example of providing separate register banks for a secure domain and a non-secure domain;
Figure 8 illustrates a plurality of processing modes, with switching between the security domains being performed via a separate monitor mode;
Figure 9 is a diagram of switching of security domain using a mode switching software interrupt instruction;
Figure 10 illustrates an example of how the system handles non-secure interrupt requests and secure interrupt requests;
Figures 11A and 11B illustrate, according to Figure 10, an example of non-secure interrupt request handling and an example of secure interrupt request handling;
Figure 12 illustrates an alternative mechanism, compared with that of Figure 10, for controlling the non-secure interrupt request signal and the secure interrupt request signal;
Figures 13A and 13B are example diagrams of the handling of a non-secure interrupt request and a secure interrupt request according to Figure 12;
Figure 14 is an example of a vector interrupt table;
Figure 15 illustrates a plurality of vector interrupt tables associated with different security domains;
Figure 16 illustrates an exception control register;
Figure 17 is a flow chart [the rest of this caption is illegible in the source];
Figures 18, 19 and 20 illustrate the operation of a processor in a plurality of modes controlling different threads [these captions are only partly legible in the source];
Figures 21 to 23 illustrate, according to another example embodiment, different processing modes and procedures for switching between the secure and non-secure domains;
Figure 24 illustrates the concept of adding a secure processing option to a conventional ARM core;
Figure 25 illustrates a processor having secure and non-secure domains and reset;
Figure 26 illustrates the delivery of a processing request to a suspended operating system using a software faked interrupt;
Figure 27 illustrates another example of delivering a processing request to a suspended operating system using a software faked interrupt;
Figure 28 is a flow chart illustrating the processing performed on receipt of a software faked interrupt of the type generated in Figures 26 and 27;
Figures 29 and 30 illustrate the tasks performed following a secure operating system in order to track possible task switches made by a non-secure operating system;
Figure 31 is a flow chart illustrating the processing performed when a call is received in the secure operating system of Figures 29 and 30;
Figure 32 illustrates the problem of interrupt priority inversion that may arise in a system having a plurality of operating systems, where different interrupts may be handled by different operating systems;
Figure 33 illustrates the use of stub interrupt handlers to avoid the problem shown in Figure 32; and
Figure 34 illustrates the basis on which interrupts of different types and priorities are controlled, depending on whether they can be interrupted by an interrupt serviced by an operating system;
Figure 35 illustrates how monitor-mode-specific processor configuration data overrides the processor configuration data when the processor is operating in monitor mode;
Figure 36 is a flow chart illustrating, according to one embodiment of the invention, how the processor configuration data is switched when switching between the secure domain and the non-secure domain;
Figure 37 illustrates the memory management logic used in one embodiment of the invention to control access to memory;
Figure 38 is a block diagram illustrating the memory management logic used in a second embodiment of the invention to control access to memory;
Figure 39 is a flow chart illustrating the process performed in the memory management logic of embodiments of the invention to handle a memory access request specifying a virtual address;
Figure 40 is a flow chart illustrating the process performed in the memory management logic of embodiments of the invention to handle a memory access request specifying a physical address;
Figure 41 illustrates how the partition checker of preferred embodiments of the invention operates to prevent access to a physical address in secure memory when the device issuing the memory access request is operating in a non-secure mode;
第42圖圖示在本發明之一較佳實施例中,一非安全性 分頁表和一安全性分頁表之使用; 第43圖圖示較佳實施例之主要轉譯參考緩衝(tlb translation lookaside buffer)中使用之兩種型式之旗標; 第44圖圖示本發明之一實施例中,在開機程序之後, 記憶體如何被分割; 133 200422849 第45圖圖示依據本發明之一實施例,在開機分割執行 之後,由記憶體管理單元(MMU)所映射之非安全性記憶體; 第46圖圖示依據本發明之一實施例,如何警告右列部 分之記憶體,以允許一安全性應用與一非安全性應用共用 記憶體; 第47圖圖示依據本發明之一實施例,裝置如何被連接 至資料處理設備之外部匯流排; 第4 8圖係一方塊圖,圖示依據本發明之第二實施例, 裝置如何被連接至外部匯流排; 第49圖圖示使用一單一組分頁表之實施例的實體記 憶體之安排; 第 50A圖圖示一安排,其中經由一中介位址使用兩 MMUs以執行虛擬至實體位址的轉譯; 第5 0B圖圖示一選擇性安排,其中經由一中介位址使 用兩MMUs以執行虛擬至實體位址的轉譯; 第5 1圖僅為示例,圖示對於安全性網域和非安全性網 域,在實體位址空間和中介位址空間之間的對應; 第5 2圖圖示經由相關於第二MMU之分頁表之控制在 安全性和非安全性網域之間的記憶體區域的調換(swap); 第5 3圖之實施例圖示使用一單一 MMU之實施,及其 中在主要TLB的不符者導致請求一異常以決定虛擬至實 體的位址轉譯; 第 5 4圖係一流程圖,圖示由處理器核心所執行之程 序,用以在第53圖之MMU的主要TLB不符的同時,對所 134 200422849 發出之異常採取行動; 第5 5圖係一方塊圖,圖示一實施例中一資料處理設備 中所提供之元件,其中對快取提供資訊,以決定儲存在個 別的快取線上的資料是安全性資料或非安全性資料; 第56圖圖示如第55圖所示之記憶體管理單元之結構; 第57圖係^一流程圖圖示第55圖所示之資料處理設備 中所執行的處理,以處理一非安全性記憶體存取請求; 第5 8圖係一流程圖圖示第5 5圖所示之資料處理設備 中所執行的處理,以處理一安全性記憶體存取請求; 第59圖圖示對於在一處理器上執行之不同模式和應 用,監控功能可能的粒度(granularity); 第60圖圖示初始不同的監控功能之可能的方法; 第61圖圖示一控制值表,用以控制可使用之不同監控 功能; 第 62 圖圖示一正緣觸發正反器(p0Sitive_edge triggered Flip-Flop); 第63圖圖示一掃描串鍵單元(scan chain cell); 第64圖圖不在一掃描串鍵中之多數掃描串鍵單元; 第65圖圖示一偵錯TAP控制器; 第66A圖圖示一具有JADI之偵錯TAP控制器; 第66B圖圖示一具有一旁路登錄(bypass register)之 一掃描串鏈單元 第67圖圖示一處理器,包含一核心、掃描串鏈和一偵 錯狀態及控制登錄(Debug Status and Control Register); 135 200422849 第68圖圖示因子(factor)控制偵錯或追蹤的初始化; 第69 A和69B圖圖示偵錯粒度之摘要; 第70圖圖示執行時之偵錯粒度;及 第71A和71B圖圖示在安全情境中啟用偵錯且當其並 非個別啟用之監控偵錯。 【元件代表符號簡單說明】 10 核心 12 掃描鏈 14 登錄區塊 16 ALU 18 JTAG控制器Reset bit: When a reset occurs, we enter the security context. This bit is valid only when debugging is enabled in the security context, otherwise it will not have an impact. Although a specific embodiment of the present invention has been described herein, it is obvious that the present invention is not limited to the above, and many modifications and additions may be made within the scope of the present invention. 
For example, without departing from the scope of the present invention, it is possible to perform various combinations of the following subsidiary features with independent items in the scope of patent application. [Brief description of the drawings] The present invention will be further explained with reference to the preferred embodiment illustrated by the drawings, wherein: FIG. 1 is a block diagram illustrating a data processing according to a preferred embodiment of the present invention Equipment; Figure 2 illustrates different procedures for operating in a non-secure domain and a security domain; Figure 3 illustrates a matrix of processing modes related to different security modes; Figures 4 and 5 illustrate The relationship between the processing mode and the safety net is different; Figure 6 illustrates a programmer's module and a processor's login block related to the processing mode; Figure 7 illustrates an example for security A domain and a non-secure network domain provide separate login blocks. Figure 8 illustrates multiple processing modes, which are converted between the security domains by a single 2004 200422849 individual monitoring mode. Figure 9 of Figure 10 shows the conversion of a security domain using a mode switch software interrupt instruction. Figure 10 shows an example of how the system handles non-security interrupt requests and security interrupt requests. Figures 11A and 11B are based on Figure 10. 
, Iconic An example of an interrupt request processing and an example of a security interrupt request processing; Figure 12 illustrates an optional mechanism, compared to the one shown in Figure 10, to control the non-security interrupt request signal and security Interrupt request signal; Exemplary diagrams of Figures 13 A and 1 3B for processing a non-security interrupt request and a security interrupt request according to Figure 12; Figure 14 is an example of a vector interrupt table; The number of directions in the table is large; the domain recording network login full-time security control is the same as the normal map and the first-class display is shown in Figure 1 Figure 5 Figure 7 6 Figure 1 Figure 11 The general security alarm type is often changed, the method is changed, the method is changed, the mode is set, and the mode is set. # 3 ^ Herulinghe in each production Execute the control device of 1; y ··-Reasonable execution of the first operation system, one operation mode, one mode, and multiple modes. The model is used to control the chart. There are many types of operation modes of the control unit S at 1. Tutu ·, 9 11 11- The first controller of Tongjin 1 that executes the line; the supervisor of the logical processing mode and the control is shown in the operation mode of the system, and its lilt is shown in the line. 
Step 2 131 200422849 Figures 21 to 23 illustrate different processing modes and procedures for switching between secure and non-secure network domains according to another exemplary embodiment; Figure 24 illustrates Add a security processing option to the concept of a familiar ARM core; Figures 2 and 5 illustrate a processor with security and non-security domains and reset; Figure 26 illustrates the use of a software-forged interrupt transfer Processing request to a virtual operating system; Figure 27 illustrates another example, using a software-forged interrupt to pass a processing request to a virtual operating system; Figure 28 is a flowchart illustrating the receiving One of the patterns generated in Figure 27 is the processing performed when a software forgery is interrupted; Figures 29 and 30 illustrate tasks performed after a secure operating system for tracking performed by a non-secure operating system Possible task transitions; part 3 1 A flowchart showing the processing performed when a call is received in the security operating system of Figures 29 and 30; Figure 32 illustrates the interrupt priority countermeasures that may occur in one of the systems with most operating systems Problem, where different interrupts can be controlled by different operating systems; Figure 33 illustrates the use of a stub interrupt manager to avoid the problem shown in Figure 32; and Figure 34 illustrates whether they can be operated on by one or not The interrupts serviced by the system are interrupted. What is the basis for controlling interrupts of different types and priorities? 132 200422849 Figure 35 shows how the processor-specific configuration data exclusive to the monitoring mode has priority over the processor configuration data. When operating in the monitoring mode; FIG. 
36 is a flowchart according to an embodiment of the present invention, illustrating how the processor setting data is converted when switching between a secure network domain and a non-secure network domain; The figure shows the memory management logic used to control the access to the memory in one embodiment of the present invention; FIG. 38 is a block diagram showing the second embodiment of the present invention Memory management logic for controlling access to memory; Figures 39 and 9 are flowcharts illustrating the processes performed in the embodiments of the present invention, and are used in the memory management logic to process a virtual memory. A memory access request for an address; FIG. 40 is a flowchart illustrating a process performed in an embodiment of the present invention and used in the memory management logic to process a physical memory dedicated to a virtual address Figure 41 illustrates how the segmentation detector of a preferred embodiment of the present invention operates to prevent access to a physical address in the security memory. When the device that issues the memory access request operates on a Non-security mode; Figure 42 illustrates the use of a non-security paging table and a security paging table in a preferred embodiment of the present invention; Figure 43 illustrates the main translation reference buffer of the preferred embodiment Two types of flags used in tlb translation lookaside buffer; Figure 44 illustrates how the memory is divided after the boot process in one embodiment of the present invention; 133 200422849 Figure 45 illustrates a method according to the present invention In one embodiment, the non-secure memory mapped by the memory management unit (MMU) after the boot partition is executed; FIG. 46 illustrates how to warn the memory in the right column according to an embodiment of the present invention. FIG. 
47 illustrates how a device is connected to an external bus of a data processing device according to an embodiment of the present invention. FIG. 48 is a block diagram. FIG. 49 illustrates how a device is connected to an external bus according to a second embodiment of the present invention; FIG. 49 illustrates an arrangement of the physical memory of the embodiment using a single-component page table; FIG. 50A illustrates an arrangement, Which uses two MMUs via an intermediary address to perform virtual-to-physical address translation; Figure 50B illustrates an alternative arrangement in which two MMUs are used via an intermediary address to perform virtual-to-physical address translation; Figure 51 is only an example, showing the correspondence between the physical address space and the intermediary address space for the secure and non-secure domains. Figure 5 2 Page table control swaps memory areas between secure and non-secure network domains; the embodiment of Figure 53 illustrates the implementation using a single MMU, and the non-compliance with the main TLB results in An exception is requested to determine the virtual-to-physical address translation; Figure 54 is a flowchart illustrating the procedure executed by the processor core for the purpose of correcting the problem when the main TLB of the MMU in Figure 53 does not match. 134 200422849 Take action when abnormal; Figure 5 5 is a block diagram showing the components provided in a data processing device in an embodiment, in which information is provided to the cache to determine which ones are stored on individual cache lines The data is security data or non-security data; Fig. 56 shows the structure of the memory management unit shown in Fig. 55; Fig. 57 is a flowchart showing the data processing equipment shown in Fig. 55 The processing performed to process a non-secure memory access request; FIG. 58 is a flowchart illustrating the processing performed in the data processing device shown in FIG. 
55 to process a secure memory Access request; Figure 59 For different modes and applications executed on a processor, the possible granularity of the monitoring functions; Figure 60 illustrates the possible methods of initially different monitoring functions; Figure 61 illustrates a control value table for controlling Different monitoring functions that can be used; Figure 62 shows a positive edge triggered flip-flop; Figure 63 shows a scan chain cell; Figure 64 is not in one scan Most of the serial keys scan the serial key unit; Figure 65 shows a debug TAP controller; Figure 66A shows a debug TAP controller with JADI; Figure 66B shows a bypass register (bypass register) Fig. 67 illustrates a processor, including a core, a scan chain, and a debug status and control register; 135 200422849 Fig. 68 illustrates a factor Initialization to control debugging or tracing; Figures 69 A and 69B show a summary of the granularity of debugging; Figure 70 shows the granularity of debugging during execution; and Figures 71A and 71B show debugging enabled in a security context and When it is not a Do not enable monitoring and debugging. [Simple description of component representative symbols] 10 core 12 scan chain 14 login block 16 ALU 18 JTAG controller

20 ICE

21 VIC
22 ETM
24 register
26 control register
30 memory management logic
34 control register
36 TCM
38 cache
40 system bus
42 EBI
44 boot ROM
46 screen

48 register or buffer
50 DSP
52 DMA
54 arbiter/decoder logic
56 external memory
58 page table
60 input/output interface
62 register or buffer
64 key storage unit
66 register or buffer
70 external bus
72 monitor program
[Reference numerals from 74 through the 600s: the pairing of numeral and label was lost in extraction. Surviving labels: secure and non-secure memory management logic; main TLB; micro-TLB; translation table walk logic; partition checker; descriptor; page table; paths; the main TLB holds the additional non-secure descriptor; the partition checker checks whether the non-secure physical address lies in non-secure memory; violation?; secure/non-secure abort; load into the micro-TLB the sub-part of the relevant descriptor containing the physical address portion; check access permission (privileged/user ...); violation?; the core generates the physical address; the MPU checks permission and whether the non-secure physical address lies in non-secure memory; violation?; access permission abort; access to secure or non-secure memory; non-secure region; secure region; non-secure memory; non-secure page table base address; secure memory; secure page table; secure page table base address; domain flag; process ID flag; descriptor; entry; memory of the secure application; memory; secure page; device; external memory; arbiter; monitor program entered by SMI; save state of the current domain; load state of the destination domain.]
2060 load state of the destination domain
2070 leave the monitor program: exit monitor mode and switch to the mode of the destination domain
2100 physical address space
2110 non-secure memory
2120 secure memory

2150 MMU
2153 path

2155 micro-TLB
2157 path

2160 main TLB
2165 translation table walk logic
2167 path

2170 MMU
2175 path

2180 main TLB
2185 translation table walk logic
2190 data bus
2192 path
2194 path

2170 MMU
2200 physical address space
2210 secure region
2220 non-secure memory
2230 secure region
2240 non-secure memory
2250 page table
2265 intermediate address space
2270 intermediate address space
2275 non-secure intermediate address space
2300 a region of memory

2305 region in the intermediate address space
2310 region
2400 MMU
2410 micro-TLB
2420 main TLB
2422 path
2430 path
2440 path
2450 path
2500 TLB miss exception detected?
[Reference numerals 2510 through 2870 and 4000 through 4024: the pairing of numeral and label was lost in extraction. Surviving labels: is the virtual address described by the first descriptor?; obtain the intermediate address; look up the second descriptor; obtain the physical address; store the descriptor in the main TLB; return from the exception; load the micro-TLB; check access permission (privileged/user ...); violation?; check whether the address is in secure or non-secure memory; abort; fill the cache line; external memory access; thread of execution in the secure domain; software faked interrupt; call to the secure operating system; start a new thread; return; accept or reject the call; the old thread; stored thread state.]

Claims (1)

Claims:

1. A data processing apparatus, comprising:
a processor operable in a plurality of modes and a plurality of domains, the plurality of domains comprising a secure domain or a non-secure domain, the plurality of modes comprising:
at least one secure mode in said secure domain; and
at least one non-secure mode in said non-secure domain;
wherein
when said processor is executing a program in a secure mode, said program has access to secure data which is not accessible when said processor is operating in a non-secure mode;
said processor is responsive to one or more exception conditions to trigger exception processing using an exception handler, said processor being operable to select said exception handler from among a plurality of possible exception handlers in dependence upon whether said processor is operating in said secure domain or said non-secure domain.

2. The apparatus of claim 1, wherein at least one of said exceptions is a selectable exception, handled by a selected one of a non-secure exception handler operating in a non-secure mode and a secure exception handler operating in a secure mode; and at least one of said exceptions is a dedicated secure exception, handled by a secure exception handler operating in a secure mode.

3. The apparatus of claim 1, wherein said one or more exception conditions are programmable so as to trigger, as required, a non-secure exception handler operating in a non-secure mode or a secure exception handler operating in a secure mode, and also to trigger any change of domain.

4. The apparatus of claim 1, wherein a secure exception is triggered by a signal on one of a dedicated secure exception signal input and a non-secure exception signal input.

5. The apparatus of claim 1, wherein an exception signal input is shared between secure and non-secure exceptions, and a further input signal acting together with said exception signal input controls whether a secure exception handler or a non-secure exception handler is triggered.

6. The apparatus of claim 1, wherein said secure exception handler is part of a secure operating system operable in said secure mode.

7. The apparatus of claim 1, wherein said non-secure exception handler is part of a non-secure operating system operable in said non-secure mode.

8. The apparatus of claim 1, wherein said processor is also operable in a monitor mode, any switch between a secure mode and a non-secure mode required to manage an exception being made via said monitor mode, said processor being operable at least partly in said monitor mode to execute a monitor program that manages switches between said secure mode and said non-secure mode.

9. The apparatus of claim 8, wherein, when switching between a secure mode and a non-secure mode, said monitor program is operable to save and restore data defining the processor state in order to manage an exception.

10. The apparatus of claim 8, wherein said processor comprises a register bank, and when switching from said secure mode to said non-secure mode said monitor program is operable to clear at least a part of said register bank shared between said secure mode and said non-secure mode, so that secure data held in said register bank cannot pass from said secure mode to said non-secure mode unless said monitor program allows it.

11. The apparatus of claim 1, wherein said exception conditions include one or more of:
a secure interrupt signal exception;
a mode-switching software interrupt signal;
a reset exception;
an interrupt signal exception;
a software interrupt signal;
an undefined instruction exception;
a prefetch abort exception;
a data abort exception; and
a fast interrupt signal exception.

12. The apparatus of claim 1, wherein said processor is responsive to an exception condition to select an exception handler in dependence upon an exception vector value associated with said exception condition and stored in an enabled exception vector table; and said enabled exception vector table is one of one or more exception vector tables.

13. The apparatus of claim 12, wherein said plurality of exception vector tables comprises a secure exception vector table selectable in said secure mode and a non-secure exception vector table selectable in said non-secure mode.

14. The apparatus of claim 12, wherein said processor is also operable in a monitor mode, any switch between a secure mode and a non-secure mode being made via said monitor mode, and said plurality of exception vectors being executed by said monitor mode.

15. The apparatus of claim 14, wherein said plurality of exception vector tables comprises a monitor mode exception vector table.

16. The apparatus of claim 15, wherein said processor is responsive to one or more parameters specifying those exceptions which are to be handled by said monitor mode exception vector table.

17. The apparatus of claim 13, wherein, unless said one or more parameters specify that said monitor mode vector table is the enabled vector table for said exception conditions, said secure vector table is the vector table enabled in said secure mode and said non-secure vector table is the vector table enabled in said non-secure mode.

18. The apparatus of claim 16, wherein at least one of said parameters is stored in an exception trap mask.

19. The apparatus of claim 18, wherein said exception control register is writable when said processor is in said monitor mode, and said exception trap mask register is not writable when said processor is not in said non-secure domain.

20. The apparatus of claim 13, wherein said secure exception vector table is writable when said processor is in a secure mode and is not writable when said processor is in a non-secure mode.

21. The apparatus of claim 13, wherein a secure exception handler is part of a secure operating system using said secure mode.

22. The apparatus of claim 13, wherein a non-secure exception handler is part of a non-secure operating system using said non-secure mode.

23. The apparatus of claim 12, comprising a plurality of vector table base address pointer registers, each storing a respective base address value corresponding to one of said plurality of exception vector tables.

24. A method of processing data, comprising the steps of:
executing a program using a processor operable in a plurality of modes and in one of a secure domain and a non-secure domain, said plurality of modes comprising:
at least one secure mode in said secure domain; and
at least one non-secure mode in said non-secure domain;
wherein
when said processor is executing a program in a secure mode, said program has access to secure data which is not accessible when said processor is operating in a non-secure mode; and
in response to one or more exception conditions, triggering exception processing using an exception handler, said processor being operable to select said exception handler from among a plurality of possible exception handlers in dependence upon whether said processor is operating in said secure domain or said non-secure domain.

25. The method of claim 24, wherein at least one of said exceptions is a selectable exception, handled by a selected one of a non-secure exception handler operating in a non-secure mode and a secure exception handler operating in a secure mode; and at least one of said exceptions is a dedicated secure exception, handled by a secure exception handler operating in a secure mode.

26. The method of claim 24, wherein said one or more exception conditions are programmable so as to trigger, as required, a non-secure exception handler operating in a non-secure mode or a secure exception handler operating in a secure mode, and also to trigger any change of domain.

27. The method of claim 24, having a secure exception signal input and a non-secure exception signal input.

28. The method of claim 24, wherein an exception signal input is shared between secure and non-secure exceptions, and a further input signal acting together with said exception signal input controls whether a secure exception handler or a non-secure exception handler is triggered.

29. The method of claim 24, wherein said secure exception handler is part of a secure operating system operable in said secure mode.

30. The method of claim 24, wherein said non-secure exception handler is part of a non-secure operating system operable in said non-secure mode.

31. The method of claim 24, wherein said processor is also operable in a monitor mode, any switch between a secure mode and a non-secure mode required to manage an exception being made via said monitor mode, said processor being operable at least partly in said monitor mode to execute a monitor program that manages switches between said secure mode and said non-secure mode.

32. The method of claim 31, wherein, when switching between a secure mode and a non-secure mode, said monitor program is operable to save and restore data defining the processor state in order to manage an exception.

33. The method of claim 31, wherein said processor comprises a register bank, and when switching from said secure mode to said non-secure mode said monitor program is operable to clear at least a part of said register bank shared between said secure mode and said non-secure mode, so that secure data held in said register bank cannot pass from said secure mode to said non-secure mode unless said monitor program allows it.

34. The method of claim 24, wherein said exception conditions include one or more of:
a secure interrupt signal exception;
a mode-switching software interrupt signal;
a reset exception;
an interrupt signal exception;
a software interrupt signal;
an undefined instruction exception;
a prefetch abort exception;
a data abort exception; and
a fast interrupt signal exception.

35. The method of claim 24, wherein said processor is responsive to an exception condition to select an exception handler in dependence upon an exception vector value associated with said exception condition and stored in an enabled exception vector table; and said enabled exception vector table is one of one or more exception vector tables.

36. The method of claim 35, wherein said plurality of exception vector tables comprises a secure exception vector table selectable in said secure mode and a non-secure exception vector table selectable in said non-secure mode.

37. The method of claim 35, wherein said processor is also operable in a monitor mode and in any switch between a secure mode and a non-secure mode, said plurality of exception vectors being executed by said monitor mode.

38. The method of claim 37, wherein said plurality of exception vector tables comprises a monitor mode exception vector table.

39. The method of claim 37, wherein said processor is responsive to one or more parameters specifying those exceptions which are to be handled by said monitor mode exception vector table.

40. The method of claim 36, wherein, unless said one or more parameters specify that said monitor mode vector table is the enabled vector table for said exception conditions, said secure vector table is the vector table enabled in said secure mode and said non-secure vector table is the vector table enabled in said non-secure mode.

41. The method of claim 39, wherein at least one of said parameters is stored in an exception trap mask.
The method as described in item 24 of the scope of patent application, which shares an abnormal signal input between safety and non-safety exceptions, and has a further input signal which interacts with the abnormal signal input to control Whether to trigger a security exception manager or a non-security exception manager. 29. The method of claim 24, wherein the security exception manager is part of a security operating system operable in the security mode. 30. The method as described in claim 24, wherein the non-safety exception manager is part of a non-safety operating system operable in the non-safety mode. 3 1 · The method according to item 24 of the scope of patent application, wherein the processor is also operable in a monitoring mode and any operation performed between the security mode and a non-security mode by the monitoring mode. Needed to manage an abnormal transition, the processor may be at least partially operated in the monitoring mode to execute a monitoring program to manage the transition between the security mode and the non-security mode. 150 200422849 3 2. The method as described in claim 31, wherein when switching between a security mode and a non-security mode, the monitor is operable to store and restore data defining the state of the processor To manage an exception. 33. The method of claim 31, wherein the processor includes a login block, and when transitioning from the security mode to the non-security mode, the monitoring program is operable to clear the security At least a part of the login block shared between the mode and the non-security mode, so that the security data retained in the login block cannot be transferred from the security mode to the non-security mode unless the monitor program Allow 0 34. 
The method as described in item 24 of the scope of patent application, wherein the abnormal conditions include one or more of the following conditions:-a security interrupt signal is abnormal;-a mode switch software interrupt signal;-a reset exception;-an interrupt signal Exception; a software interrupt signal; an undefined instruction exception; a prefetch abort exception; 151 200422849 a data abort exception; and a fast interrupt signal exception. 35. The method of claim 24, wherein the processor responds to an abnormal condition to select an abnormal vector value associated with the abnormal conditions and stored in an enabled exception vector table. Exception manager; and the enabled exception vector table is one or more of the exception vector table. 3 6. The method according to item 35 of the scope of patent application, wherein the majority exception vector table includes a safety exception vector table selectable in the security mode and a non-safety selectable in the non-safety mode Exception Vector Table. 37. The method as described in claim 35, wherein the processor is also operable in a monitoring mode and any transition between a security mode and a non-security mode, and the majority is performed by the monitoring mode Exception vector. 38. The method as described in claim 37, wherein the majority exception vector table includes a monitoring mode exception vector table. 39. The method as described in item 37 of the scope of patent application, wherein the processor responds to one or more of 152 200422849, which specifies the exceptions that should be managed by the monitoring mode abnormality scale. 40. The method as described in item 36 of the scope of patent application, wherein unless the one or more parameters specify that the monitoring mode vector table is the enabled vector table for the abnormal conditions, the security vector table is in the security The vector table enabled in the mode. 
The non-security vector table is a vector table enabled in the non-security mode. 41. The method as described in claim 39, wherein at least one of the parameters is stored in an anomaly capture mask. 42·如申請專利範圍第4 1項所述之方法,其中當該處理器 在該監控模式中時,該異常控制登錄是可寫入的,以及 當該處理器不在該非安全性網域中時,該異常捕捉遮罩 登錄係不可寫入的。 43.如申請專利範圍第36項所述之方法,其中當該處理器 在一安全性模式中時,該安全性異常向量表是可寫入 的,以及當該處理器在一非安全性模式中時,該安全性 異常向量表是不可寫入的。 44·如申請專利範圍第36項所述之方法,其中一安全性異 153 200422849 常管理器係使用該安全性模式之一安全性作業系統的 部分。 45.如申請專利範圍第36項所述之方法,其中一非安全性 異常管理器係使用該非安全性模式之一非安全性作業 系統的部分。 46 ·如申請專利範圍第3 5項所述之方法,包括在多數向量 表基礎位址登錄中儲存各自基礎位址值,其符合該多數 異常向量表之一者。 47. —種具有一電腦程式之電腦程式產品,其係可操作以 依據如申請專利範圍第24項所述之方法,控制一資料 處理設備。 15442. The method according to item 41 of the scope of patent application, wherein the exception control login is writable when the processor is in the monitoring mode, and when the processor is not in the non-security domain This exception capture mask registration is not writable. 43. The method as described in claim 36, wherein when the processor is in a security mode, the security exception vector table is writable, and when the processor is in a non-security mode During security, the security exception vector table is not writable. 44. The method described in item 36 of the scope of patent application, wherein a security difference is 153 200422849. The regular manager is part of a secure operating system that uses one of the security modes. 45. The method as described in claim 36, wherein a non-safety exception manager is part of a non-safety operating system using one of the non-safety modes. 46. The method as described in item 35 of the scope of patent application, which includes storing the respective base address values in the majority address table base address registration, which meets one of the majority exception vector tables. 47. A computer program product having a computer program, which is operable to control a data processing device in accordance with the method described in item 24 of the scope of patent application. 154
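The vector-table routing described in the claims above (a secure, a non-secure and a monitor table, a trap mask that diverts chosen exceptions to the monitor table, and mode-dependent write rules), as an added C model that is not the patent's own text or code. The exception names, the four-byte vector spacing and the write rules for modes the claims leave open are this example's assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Exception conditions listed in claim 34 (subset; names are this example's own). */
typedef enum { EXC_RESET, EXC_UNDEF, EXC_SWI, EXC_PABT, EXC_DABT,
               EXC_IRQ, EXC_FIQ, EXC_COUNT } exc_t;
typedef enum { MODE_NON_SECURE, MODE_SECURE, MODE_MONITOR } cpu_mode_t;
typedef enum { TBL_NON_SECURE, TBL_SECURE, TBL_MONITOR, TBL_COUNT } table_t;

typedef struct {
    cpu_mode_t mode;          /* current mode; the domain follows from it */
    uint32_t base[TBL_COUNT]; /* one vector table base address register per table (claim 23) */
    uint32_t trap_mask;       /* exception trap mask: bit e set routes exception e to the monitor table */
} cpu_t;

/* Claims 16/17 and 39/40: the trap mask decides whether the monitor table is the
 * enabled table; otherwise the enabled table follows the current domain. */
table_t select_table(const cpu_t *c, exc_t e) {
    if (c->trap_mask & (1u << e)) return TBL_MONITOR;
    return c->mode == MODE_SECURE ? TBL_SECURE : TBL_NON_SECURE;
}

/* Take exception e: return the vector address fetched from the enabled table.
 * Selecting the monitor table switches the processor to monitor mode (claim 31),
 * so any domain change happens only under the monitor program. Four-byte vector
 * spacing is this example's assumption, not something the claims state. */
uint32_t take_exception(cpu_t *c, exc_t e) {
    table_t t = select_table(c, e);
    if (t == TBL_MONITOR) c->mode = MODE_MONITOR;
    return c->base[t] + 4u * (uint32_t)e;
}

/* Claims 19/42: the trap mask is writable in monitor mode; this model rejects
 * writes from every other mode (an assumption for the modes the claims leave open). */
bool write_trap_mask(cpu_t *c, uint32_t value) {
    if (c->mode != MODE_MONITOR) return false;
    c->trap_mask = value;
    return true;
}

/* Claim 20: the secure table is writable in a secure mode and not writable in a
 * non-secure mode. Restricting monitor-table writes to monitor mode is an assumption. */
bool write_table_base(cpu_t *c, table_t t, uint32_t value) {
    if (t == TBL_SECURE && c->mode == MODE_NON_SECURE) return false;
    if (t == TBL_MONITOR && c->mode != MODE_MONITOR) return false;
    c->base[t] = value;
    return true;
}
```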
TW92132189A 2002-11-18 2003-11-17 Apparatus, method and computer program product for processing data within a secure processing system TWI292099B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
GB0226905A GB0226905D0 (en) 2002-11-18 2002-11-18 Exception types within a secure processing system
GB0226902A GB0226902D0 (en) 2002-11-18 2002-11-18 Exception vector tables in a secure system
GB0303449A GB0303449D0 (en) 2002-11-18 2003-02-14 Task following between multiple operating systems

Publications (2)

Publication Number Publication Date
TW200422849A true TW200422849A (en) 2004-11-01
TWI292099B TWI292099B (en) 2008-01-01

Family

ID=35873166

Family Applications (1)

Application Number Title Priority Date Filing Date
TW92132189A TWI292099B (en) 2002-11-18 2003-11-17 Apparatus, method and computer program product for processing data within a secure processing system

Country Status (4)

Country Link
IL (1) IL167188A (en)
MY (1) MY134724A (en)
RU (1) RU2005115082A (en)
TW (1) TWI292099B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI509516B (en) * 2007-04-19 2015-11-21 Ibm Apparatus and method for handling exception signals in a computing system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI676133B (en) * 2016-11-11 2019-11-01 美商賽諾西斯公司 Waveform based reconstruction for emulation

Also Published As

Publication number Publication date
IL167188A (en) 2010-04-29
MY134724A (en) 2007-12-31
TWI292099B (en) 2008-01-01
RU2005115082A (en) 2006-01-20

Similar Documents

Publication Publication Date Title
TWI275997B (en) Switching between secure and non-secure processing modes
JP4302641B2 (en) Controlling device access to memory
KR100941104B1 (en) Apparatus for processing data, method for processing data and computer-readable storage medium storing a computer program
JP4220476B2 (en) Virtual-physical memory address mapping in systems with secure and non-secure domains
US7171539B2 (en) Apparatus and method for controlling access to a memory
US7185159B2 (en) Technique for accessing memory in a data processing apparatus
US7340573B2 (en) Apparatus and method for controlling access to a memory unit
US7487367B2 (en) Apparatus and method for managing access to a memory
US7305712B2 (en) Security mode switching via an exception vector
US7325083B2 (en) Delivering data processing requests to a suspended operating system
US20040105298A1 (en) Apparatus and method for managing processor configuration data
IL168336A (en) Control of access to a memory by a device
GB2395313A (en) Thread switching between multiple operating systems running on the same processor
TW200422849A (en) Exception types within a secure processing system
TW200417215A (en) Security mode switching via an exception vector

Legal Events

Date Code Title Description
MK4A Expiration of patent term of an invention patent