TW201721506A - Hardware protection based on fabrication characteristics - Google Patents

Hardware protection based on fabrication characteristics

Publication number
TW201721506A
Authority
TW
Taiwan
Prior art keywords
fingerprint
circuit
voltage
string
voltages
Prior art date
Application number
TW105124632A
Other languages
Chinese (zh)
Inventor
金宜 費
睿彥 林
尼迪 尼迪
軼偉 陳
石坤桓
楊曉東
瓦力德 賀菲斯
柯堤斯 蔡
Original Assignee
Intel Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intel Corporation
Publication of TW201721506A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication

Abstract

This disclosure is directed to hardware protection based on fabrication characteristics. In general, an integrated circuit (IC) device may be configured to determine a string of logical values, or "fingerprint," based at least on fabrication characteristics of the device. An example device may comprise at least functional circuitry corresponding to the functional purpose of the device and hardware protection circuitry (HPC). Example HPC may include interpreter circuitry and fingerprint circuitry. For example, the interpreter circuitry may measure at least one parameter (e.g., voltage) of at least one electronic component in the fingerprint circuitry and, in at least one embodiment, may compare voltages measured from different components in the fingerprint circuitry and then assign a logical one or zero to the fingerprint string based on the result of each component comparison. Example electronic components may include transistors, resistors, etc., whose performance may depend on the fabrication characteristics of the device.

Description

Hardware protection based on fabrication characteristics

The present disclosure relates to semiconductor fabrication and, more particularly, to a system for generating device-specific authentication data based on fabrication characteristics.

Security has become, and continues to be, a major focus area for new development in various forms of electronic technology. Transactions involving sensitive or confidential information are conducted more and more frequently via electronic communication, so the security of electronic devices is key to protecting that information. Attackers (e.g., hackers) initially targeted devices at the software level, attempting to gain control of a device or at least to access information stored on it. As software-based defenses were devised to thwart such attacks, hackers moved deeper into the protection rings to attack higher privilege levels. In this way, malicious code (e.g., malware) can be injected into a system at a higher privilege level than existing software-based protection (e.g., antivirus protection, software firewalls, etc.) and may overcome that protection.

Because of these more advanced attacks, device developers have begun to design hardware-based protection. This lower-level type of protection can start in a device before software, such as an operating system (OS), is loaded, and can provide more fundamental security in the device. However, increasingly resourceful attackers are now devising new ways to attack a device's hardware to overcome hardware-based defenses. For example, an attacker may attempt to alter (e.g., reprogram) or replace an integrated circuit (IC) device in the system in which it is installed in order to influence or change the behavior of the system. The resulting change in behavior may allow the attacker to control the system or at least access information in the system. While existing IC devices may be protected against such attacks by hardware-based encoding, encryption, etc., the existing protection is programmed into the device in a manner that can be reverse engineered. In this way, an attacker can design a replacement IC that mimics a known-good IC device but that in turn effects changes in the system that compromise system security.

100‧‧‧device
102‧‧‧functional circuitry
104, 104'‧‧‧HPC
106, 106'‧‧‧interpreter circuitry
108, 108'‧‧‧fingerprint circuitry
200A, 200A', 200B, 200B', 200C, 200C', 200D, 200n, 200n'‧‧‧FCU
202, 202'‧‧‧multiplexer and/or decoder circuitry
204, 204'‧‧‧comparison circuitry
206, 206'‧‧‧fingerprint formation circuitry
208‧‧‧secure storage circuitry
300, 400, 404‧‧‧logic
402‧‧‧logical relationship
500‧‧‧legacy interface circuitry
502‧‧‧programmable fuse circuitry
700‧‧‧system
702‧‧‧system circuitry
704‧‧‧processing circuitry
706‧‧‧memory circuitry
708‧‧‧power circuitry
710‧‧‧user interface circuitry
712‧‧‧communication interface circuitry
714‧‧‧communication module
Q1, Q2, Q3, Q4, Q5, Q6, Q7, Q8, Q9‧‧‧transistors
Qref‧‧‧reference transistor
R1, R2, R3, R4, R5, R6‧‧‧resistors
V1, V2, V3‧‧‧voltages
VLA, VLB, VLn‧‧‧left-side voltages
VRA, VRB, VRn‧‧‧right-side voltages
Vref‧‧‧voltage drop
Vs‧‧‧supply voltage

Features and advantages of the claimed subject matter will become apparent as the following detailed description proceeds, and upon reference to the drawings, wherein like numerals designate like parts, and in which:

FIG. 1 illustrates an example integrated circuit device including hardware protection based at least on fabrication characteristics, in accordance with at least one embodiment of the present disclosure;

FIG. 2 illustrates example hardware protection circuitry in accordance with at least one embodiment of the present disclosure;

FIG. 3 illustrates an example of fabrication characteristic unit structure and interpreter circuitry operation in accordance with at least one embodiment of the present disclosure;

FIG. 4 illustrates an alternative example of fabrication characteristic unit structure and interpreter circuitry operation in accordance with at least one embodiment of the present disclosure;

FIG. 5 illustrates example hardware protection circuitry including legacy interface circuitry in accordance with at least one embodiment of the present disclosure;

FIG. 6 illustrates example operations for fingerprint determination in accordance with at least one embodiment of the present disclosure;

FIG. 7 illustrates an example system in which a device such as that illustrated in FIG. 1 may be used, in accordance with at least one embodiment of the present disclosure; and

FIG. 8 illustrates example operations for integrated circuit device authentication in accordance with at least one embodiment of the present disclosure.

Although the following detailed description will proceed with reference to illustrative embodiments, many alternatives, modifications and variations thereof will be apparent to those skilled in the art.

SUMMARY OF THE INVENTION AND EMBODIMENTS

This disclosure is directed to hardware protection based on fabrication characteristics. In general, an integrated circuit (IC) device may be configured to determine a string of logical values, or "fingerprint," based at least on fabrication characteristics of the device. An example device may comprise at least functional circuitry corresponding to the functional purpose of the device and hardware protection circuitry (HPC). Example HPC may include interpreter circuitry and fingerprint circuitry. For example, the interpreter circuitry may measure at least one parameter (e.g., voltage) of at least one electronic component in the fingerprint circuitry and, in at least one embodiment, may compare voltages measured from different components in the fingerprint circuitry and then assign a logical one or zero to the fingerprint string based on the result of each component comparison. Example electronic components may include transistors, resistors, etc., whose performance may depend on the fabrication characteristics of the device. The resulting fingerprint string may be used by a system that includes the device to authenticate the device. Failure to authenticate the device may cause at least one security operation to be performed to protect the system from being compromised by the device.

In at least one embodiment, an example IC device may include at least a substrate, functional circuitry, and HPC. The functional circuitry may be fabricated on the substrate. The HPC may also be fabricated on the substrate and may include, for example, at least fingerprint circuitry and interpreter circuitry to determine a fingerprint for the device based on fabrication characteristics of the fingerprint circuitry.

In at least one embodiment, the interpreter circuitry may measure at least one voltage corresponding to at least one fabrication characteristic unit (FCU) in the fingerprint circuitry. The at least one FCU may include at least one electronic component dedicated only to fingerprint determination in the device.

In the same or a different embodiment, the interpreter circuitry may compare voltages measured from at least two electronic components in the fingerprint circuitry. For example, the fingerprint string in the device may comprise a logical value corresponding to each voltage comparison: the interpreter circuitry may assign a logical one to the fingerprint string if the two voltages satisfy a certain relationship, and a logical zero if they do not. For example, the relationship may be that the first of the two voltages is one of greater than or less than the second of the two voltages. Alternatively, the relationship may be that the absolute value of the difference between the two voltages is one of greater than or less than a standard value.

In the same or a different embodiment, the at least two electronic components may be transistors or resistors. Alternatively, the at least two electronic components may comprise groups of components, each group including at least one transistor coupled to a resistor. One of the at least two electronic components may be designated as a reference, and each subsequent electronic component may be compared to the reference. In an example implementation, the interpreter circuitry may comprise at least comparison circuitry and fingerprint formation circuitry. The interpreter circuitry may also comprise at least one of multiplexer circuitry, decoder circuitry, or secure storage circuitry. The interpreter circuitry may also comprise a legacy interface to cause the fingerprint to be written to fuse circuitry within the device. Consistent with the present disclosure, an example method for formulating a fingerprint for an IC device may comprise initializing the IC device, initializing fingerprint determination in the device, and determining a fingerprint for the device based on fabrication characteristics of the device.

FIG. 1 illustrates an example integrated circuit device including hardware protection based at least on fabrication characteristics, in accordance with at least one embodiment of the present disclosure. Initially, reference may be made to various semiconductor components and/or structures such as transistors, resistors, comparators, multiplexers, decoders, storage structures, etc. These example components and/or structures are referenced to provide an easily understood perspective from which the various embodiments disclosed herein can be comprehended, and are not intended to limit actual implementations to only these particular components or structures. In addition, an apostrophe following an item number in a drawing (e.g., 100') may indicate that an example embodiment of that item is being shown. These example embodiments are not intended to limit the disclosure to only what is illustrated, and are presented herein merely for the sake of explanation.

Device 100 is illustrated in FIG. 1. Device 100 may be, for example, an IC device comprising one or more layers deposited via a series of semiconductor fabrication operations. Example techniques for depositing layers of semiconductor material may include, but are not limited to, molecular beam epitaxy (MBE), physical vapor deposition (PVD), chemical vapor deposition (CVD), electrochemical deposition (ECD), atomic layer deposition (ALD), etc. The interfaces between layers may be modified using photolithography to incorporate various features. Device 100 may comprise, for example, functional circuitry 102 and HPC 104. Functional circuitry 102 may perform at least one operation associated with the primary function of device 100. For example, functional circuitry 102 may include a data storage area for a read-only memory (ROM), data processing circuitry for a microprocessor, etc. The configuration, content, etc. of functional circuitry 102 may vary depending on device type, configuration, packaging, technology, power constraints (e.g., for mobile devices), etc.

Consistent with the present disclosure, HPC 104 may comprise at least interpreter circuitry 106 and fingerprint circuitry 108. The interpreter circuitry may determine at least one fabrication characteristic of fingerprint circuitry 108, which may then be used to formulate a fingerprint for device 100. As referenced herein, "fabrication characteristics" may include parameters of the operation of at least one electronic component in fingerprint circuitry 108 that may vary based on how device 100 was fabricated. For example, random dopant fluctuation (RDF) may differentiate every single transistor during fabrication, so the performance of each transistor may deviate from that of the others. Voltage, current, resistance, etc. may vary in each electronic component (e.g., transistor, resistor) fabricated in device 100 based solely on subtle variations in the semiconductor fabrication process. Consistent with the present disclosure, these performance deviations may be used to encode a bit string, or "fingerprint," that is unique to each device 100 without the bit string having to be explicitly programmed. Instead, the electronic components are inherently "programmed" to be different by the fabrication process, in a manner that is unique to device 100 and cannot be replicated.

The inability to replicate the fingerprint of device 100 in another device (e.g., so that the other device could mimic device 100) is a significant benefit of HPC 104. This may be accomplished by requiring that the fingerprint string of device 100 be generated from measurements taken directly from the electronic components in fingerprint circuitry 108. Measurement and generation of the fingerprint bit string may occur, for example, when device 100 is initialized, when the system in which device 100 is embedded is initialized, in response to a request to device 100 received from the system, etc. The measurements taken directly from fingerprint circuitry 108 may then be used to generate the fingerprint bit string, which therefore cannot be replicated because the measurements are based on characteristics specific to the manufacture of device 100. While example device 100 includes fingerprint circuitry 108 dedicated only to fingerprint generation, in another embodiment consistent with the present disclosure fingerprint circuitry 108 may be omitted from device 100 and interpreter circuitry 106 may instead measure characteristics of electronic components within functional circuitry 102. In this way, functional circuitry 102 may serve a dual purpose: performing the primary function associated with device 100 and also providing one or more electronic components that can be measured to determine the fingerprint corresponding to device 100.

FIG. 2 illustrates example HPC in accordance with at least one embodiment of the present disclosure. Initially, circuitry shown in dotted lines in FIG. 2 may be optional, in that including the optional circuitry may be implementation-dependent (e.g., based on device size, technology, packaging, constraints, the size of fingerprint circuitry 108', etc.). HPC 104' may comprise at least interpreter circuitry 106' and fingerprint circuitry 108'. Fingerprint circuitry 108' may include, for example, FCU 200A, FCU 200B, FCU 200C, FCU 200D ... FCU 200n (collectively, "FCUs 200A...n"). Each of FCUs 200A...n may include at least one electronic component (e.g., a transistor, a resistor, or a combination thereof). At least two example component configurations for FCUs 200A...n are illustrated in FIGS. 3 and 4.

In an example of operation, interpreter circuitry 104' may measure a characteristic of at least one component in each of FCUs 200A...n and may use the measurements to generate the fingerprint bit string. Interpreter circuitry 106' may comprise, for example, multiplexer and/or decoder circuitry 202, comparison circuitry 204, fingerprint formation circuitry 206, and secure storage circuitry 208. Multiplexer and/or decoder circuitry 202 may include circuitry to select one or more of FCUs 200A...n for processing by comparison circuitry 204 (e.g., selecting FCU 200A alone, selecting FCU 200A and FCU 200B, etc.). Comparison circuitry 204 may measure (and/or determine) characteristics (e.g., voltage, current, resistance, capacitance, inductance, etc.) from each of FCUs 200A...n and may perform comparisons between characteristics taken from the same FCU 200A...n, between characteristics taken from different FCUs 200A...n, etc. Consistent with the present disclosure, the comparison results may be translated into logical values (e.g., a one "1" or a zero "0"), which may then be provided to fingerprint formation circuitry 206. Fingerprint formation circuitry 206 may concatenate the logical values into a bit string that forms the fingerprint of device 100. In at least one embodiment, the resulting bit string may be stored in secure storage circuitry 208. Secure storage circuitry 208 may be an encrypted storage area or memory within HPC 104' for storing a fingerprint string that is later accessed by, for example, the system into which device 100 is incorporated. For example, secure storage circuitry 208 may be encrypted in a manner that allows the system to decrypt and read the fingerprint string. The system may authenticate device 100 based on the fingerprint. In another embodiment, secure storage circuitry 208 may be omitted and the system including device 100 may receive the fingerprint string directly from fingerprint formation circuitry 206.

FIG. 3 illustrates an example of fabrication characteristic unit structure and interpreter circuitry operation in accordance with at least one embodiment of the present disclosure. Each of FCUs 200A', 200B', ... 200n' (collectively, "FCUs 200A'...n'") may comprise circuitry to generate voltages that can be compared in comparison circuitry 204'. The circuitry in FCUs 200A'...n' may generally comprise at least one electronic component from which a voltage can be derived, such as a transistor, a resistor, or a combination thereof. A logical value (1 or 0) may be determined based on the result of each voltage comparison. Each logical value may be added to the bit string that forms the fingerprint of device 100.

For example, FCU 200A' may comprise at least transistor Q1 and transistor Q2. A left-side voltage of FCU 200A' (VLA) and a right-side voltage of FCU 200A' (VRA) may be generated based on a supply voltage (Vs) supplied to the two transistors. Transistors Q1 and Q2 may be switched "on," in that their gates may also be coupled to Vs. Consistent with the present disclosure, transistors Q1 and Q2 may be coupled to at least resistor R1 and resistor R2, respectively. For example, the resistance values of resistors R1 and R2 may be chosen to be only large enough to stabilize the operating characteristics of transistors Q1 and Q2 against random variation. Similarly, FCU 200B' may generate a left-side voltage (VLB) and a right-side voltage (VRB) based on transistor Q3, transistor Q4, and resistors R3 and R4, and FCU 200n' may generate a left-side voltage (VLn) and a right-side voltage (VRn) based on transistor Q5, transistor Q6, and resistors R5 and R6. While only three FCUs 200A'...n' are illustrated, the actual number of FCUs may be implementation-dependent.

In an example of operation, circuitry in device 100 (e.g., comparison circuitry 204') may cause multiplexer or decoder circuitry 202' to select each of FCUs 200A'...n' in succession. For example, selection of FCU 200A' may cause VLA and VLB to be provided to comparison circuitry 204', which may include example logic 300 for comparing the voltages received from FCU 200A'. As shown at 302, comparison circuitry 204' may compare the received left-side voltage (VL) with the received right-side voltage (VR). For example, if VL is determined to be greater than VR (e.g., VL > VR), a logical value of "1" is passed to fingerprint formation circuitry 206' for assignment to the fingerprint bit string. Otherwise, a logical value of "0" may be passed to fingerprint formation circuitry 206'. Alternative logic is shown at 304, wherein the absolute value of the difference between VL and VR (e.g., |VL-VR|) may be compared to a predetermined standard value. If the absolute value is determined to be greater than the predetermined standard value, a "1" may be passed to the fingerprint formation circuitry. Otherwise, a logical value of "0" may be passed to fingerprint formation circuitry 206'. The logic shown at 302 and 304 is merely an example; other logical relationships are possible consistent with the present disclosure.

Comparison circuitry 204' may then cause multiplexer or decoder circuitry 202' to advance to FCU 200B' to compare VLB and VRB, and eventually to FCU 200n' to compare VLn and VRn. Example results of these comparisons are illustrated with respect to fingerprint formation circuitry 206'. The bit corresponding to FCU 200A' may be "1" because VLA was determined to be greater than VRA, the bit corresponding to FCU 200B' may be "1" because VLB was determined to be greater than VRB and, finally, the bit corresponding to FCU 200n' may be "0" because VLn was determined to be less than VRn. As a result, the fingerprint string may comprise 11...0, depending on the total number of FCUs 200A'...n'.

FIG. 4 illustrates an alternative example of fabrication characteristic unit structure and interpreter circuitry operation in accordance with at least one embodiment of the present disclosure. In FIG. 4, each of FCUs 200A'...n' may be configured with circuitry that provides only one characteristic (e.g., voltage). For example, FCU 200A' may provide a voltage V1 corresponding to the voltage drop across transistor Q7, FCU 200B' may provide a voltage V2 corresponding to the voltage drop across transistor Q8, ..., and FCU 200n' may provide a voltage V3 corresponding to the voltage drop across transistor Q9. While comparison circuitry 204 could compare FCUs 200A'...n' to each other (e.g., V1 could be compared to V2), another example implementation is presented in FIG. 4. Instead, each of FCUs 200A'...n' may be compared to reference transistor Qref. Example logic 400 includes two logical relationships involving Vref (e.g., the voltage drop across Qref) and V1... (e.g., the second value "V1" changes based on which of FCUs 200A'...n' is selected). Logical relationship 402 simply determines whether Vref > V1. If Vref is determined to be greater than V1, a "1" is passed to fingerprint formation circuitry 206' for assignment to the fingerprint bit string corresponding to device 100. Otherwise, a "0" may be passed. Similarly, in logic example 404, if |Vref-V1| is determined to be greater than a predetermined standard value, a "1" may be passed to fingerprint formation circuitry 206'. Otherwise, a "0" may be passed to fingerprint formation circuitry 206'. Fingerprint formation circuitry 206' may then concatenate the bits corresponding to the comparisons between transistor Qref and FCUs 200A'...n' to form the fingerprint bit string corresponding to device 100 (e.g., 10....0).

FIG. 5 illustrates example hardware protection circuitry including legacy interface circuitry in accordance with at least one embodiment of the present disclosure. FIG. 5 is substantially similar to the example configuration of HPC 104' disclosed in FIG. 2, but further incorporates at least legacy interface circuitry 500. Programmable fuse circuitry 502 may be used to protect the integrity of existing IC devices. Programmable fuse circuitry 502 may include, for example, programmable bits (e.g., a bit array) in an IC device that can be configured in a manner similar to setting the mechanical switches in a dual in-line package (DIP) switch. Existing systems may interact with programmable fuse circuitry 502 when authenticating an IC device, determining whether the IC device has been compromised, etc.

Consistent with the present disclosure, legacy interface circuitry 500 may program programmable fuse circuitry 502 using the fingerprint bit string of device 100. In this manner, the fingerprint determination circuitry, structures, methods, data, etc. described herein may interact with legacy systems that are compatible with programmable fuse circuitry 502. Example legacy interface circuitry 500 may comprise at least an analog-to-digital converter (ADC) to convert analog data generated by the fingerprint determination circuitry into digital data. The resulting digital data may then be provided to, for example, programming circuitry within the programmable fuse circuitry for programming the fuses.

FIG. 6 depicts example operations for fingerprint determination in accordance with at least one embodiment of the present disclosure. Operations shown in dotted lines may be optional based on, for example, the configuration of the device whose fingerprint is being determined, the configuration of a system incorporating the device, etc. In operation 600, a device may be initialized, which may include powering up, rebooting, etc. the device itself, a system into which the device is incorporated, etc. Fingerprint determination may be initiated in operation 602. As part of the fingerprint determination, a fingerprint bit for the next FCU may be determined in operation 604. Fingerprint bit determination may include, for example, comparing a characteristic of the FCU (e.g., a voltage measured from the FCU) to another characteristic measured from the same FCU (e.g., another voltage), to a characteristic measured from another FCU (e.g., a voltage measured from another FCU), to a characteristic measured from a reference (e.g., a voltage measured from the reference), etc. While measured voltage is used here as an example, other characteristics may be measured consistent with the present disclosure. A logical value (e.g., "1" or "0") may then be determined based on the comparison, and in operation 606 the logical value may be added to the fingerprint bit string.

A determination may then be made in operation 608 as to whether further FCU comparisons remain to be performed (e.g., to generate additional bits of the fingerprint bit string). A determination in operation 608 that additional FCU comparisons remain may be followed by a return to operation 604 to perform the next comparison. If it is determined in operation 608 that all comparisons have been performed, the fingerprint bit string may be output in operation 610. Operation 612 concerns optional operations that may be performed based on the configuration of the device/system. For example, the fingerprint bit string may be stored in device 100 (e.g., in secure memory circuitry), or may be converted to another format for use in programming programmable fuse circuitry that is also in the device.
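The FIG. 6 loop driven by the two FIG. 4 relations (402 and 404), as an added Python sketch that is not part of the patent text. The millivolt readings, the 50 mV standard value, the function names and the byte packing used for optional operation 612 are all constructed assumptions.

```python
"""Added illustration: fingerprint bit string formation (FIG. 4 logic, FIG. 6 loop)."""
from typing import Callable, Sequence

# A relation takes (Vref, V) in millivolts and returns the fingerprint bit.
Relation = Callable[[int, int], int]


def relation_402(vref_mv: int, v_mv: int) -> int:
    """Logical relationship 402: "1" if Vref > V, otherwise "0" (equality gives 0)."""
    return 1 if vref_mv > v_mv else 0


def make_relation_404(standard_mv: int) -> Relation:
    """Logical relationship 404: "1" if |Vref - V| exceeds the predetermined standard value."""
    if standard_mv < 0:
        raise ValueError("standard value must be non-negative")

    def relation_404(vref_mv: int, v_mv: int) -> int:
        return 1 if abs(vref_mv - v_mv) > standard_mv else 0

    return relation_404


def determine_fingerprint(vref_mv: int, fcu_mv: Sequence[int], relation: Relation) -> str:
    """Operations 604-610: one comparison per FCU, bits concatenated in FCU order."""
    bits = []
    for v_mv in fcu_mv:                            # operation 604: next FCU
        bits.append(str(relation(vref_mv, v_mv)))  # operation 606: add bit to string
    # operation 608 is the loop condition; operation 610 outputs the string
    return "".join(bits)


def fingerprint_to_fuse_bytes(bits: str) -> bytes:
    """Optional operation 612: convert the bit string to another format.

    Big-endian byte packing is an assumed format; the patent does not specify one.
    The consumer must know the bit length, because leading zero bits become padding.
    """
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("fingerprint must be a non-empty string of 0/1")
    return int(bits, 2).to_bytes((len(bits) + 7) // 8, "big")


# Constructed sample readings (millivolts) for Qref and six FCUs.
VREF_MV = 500
FCU_MV = [492, 507, 500, 431, 563, 499]

if __name__ == "__main__":
    fp_402 = determine_fingerprint(VREF_MV, FCU_MV, relation_402)
    fp_404 = determine_fingerprint(VREF_MV, FCU_MV, make_relation_404(50))
    print("relation 402:", fp_402, fingerprint_to_fuse_bytes(fp_402).hex())
    print("relation 404:", fp_404, fingerprint_to_fuse_bytes(fp_404).hex())
```

The same six readings give different bit strings under the two relations, so the relation (and, for 404, the standard value) must be fixed for a device before a known-good fingerprint is recorded.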

FIG. 7 depicts an example system that may use a device such as depicted in FIG. 1 in accordance with at least one embodiment of the present disclosure. System 700 is an example of a platform in which one or more devices, such as device 100, may be installed, and is not intended to limit the present disclosure to any particular manner of implementation. Examples of system 700 may include, but are not limited to, a mobile communication device such as a cellular handset or a smartphone based on the Android® OS from Google Inc., iOS® or Mac OS® from Apple, Windows® OS from Microsoft, Tizen® OS from the Linux Foundation, Firefox® OS from the Mozilla Project, Blackberry® OS from BlackBerry, Palm® OS from Hewlett-Packard, Symbian® OS from the Symbian Foundation, etc.; a mobile computing device such as a tablet computer like an iPad® from Apple, a Surface® from Microsoft, a Galaxy Tab® from Samsung, a Kindle® from Amazon, etc., an Ultrabook® including a low-power chipset from Intel Corporation, a netbook, a notebook, a laptop, a palmtop, etc.; and a typically stationary computing device such as a desktop computer, a server, a smart television, or a small form factor computing solution (e.g., for space-limited applications, TV set-top boxes, etc.) like the Next Unit of Computing (NUC) platform from Intel Corporation, etc.

System circuitry 702 may manage the operation of system 700. System circuitry 702 may include, for example, processing circuitry 704, memory circuitry 706, power circuitry 708, user interface circuitry 710, and communication interface circuitry 712. System 700 may further include communication module 714. While communication module 714 is depicted as separate from system circuitry 702, the example configuration shown in FIG. 7 is provided merely for the sake of explanation. For example, some or all of the functionality associated with communication module 714 may also be incorporated into system circuitry 702.

In system 700, processing circuitry 704 may comprise one or more processors situated in separate components, or alternatively one or more cores in a single component (e.g., in a System-on-a-Chip (SoC) configuration), along with processor-related support circuitry (e.g., bridging interfaces, etc.). Example processors may include, but are not limited to, various x86-based microprocessors available from Intel Corporation, including those in the Pentium, Xeon, Itanium, Celeron, Atom, Quark, Core i-series, and Core M-series product families, Advanced RISC (e.g., Reduced Instruction Set Computing) Machine or "ARM" processors, etc. Examples of support circuitry may include chipsets (e.g., Northbridge, Southbridge, etc. available from Intel Corporation) configured to provide an interface through which processing circuitry 704 may interact with other system components in system 700 that may be operating at different speeds, on different buses, etc. Moreover, some or all of the functionality commonly associated with the support circuitry may also be included in the same physical package as the processor (e.g., such as in the Sandy Bridge family of processors available from Intel Corporation).

Processing circuitry 704 may be configured to execute various instructions in system 700. Instructions may include program code configured to cause processing circuitry 704 to perform activities related to reading data, writing data, processing data, formulating data, converting data, transforming data, etc. Information (e.g., instructions, data, etc.) may be stored in memory circuitry 706. Memory circuitry 706 may comprise random access memory (RAM) and/or read-only memory (ROM) in a fixed or removable format. RAM may include volatile memory configured to hold information during the operation of system 700 such as, for example, static RAM (SRAM) or dynamic RAM (DRAM). ROM may include non-volatile (NV) memory configured based on BIOS, UEFI, etc. to provide instructions when system 700 is activated, and programmable memories such as electronic programmable ROMs (EPROMs), Flash, etc. Other fixed/removable memory may include, but is not limited to, magnetic memories such as floppy disks, hard drives, etc., electronic memories such as solid state flash memory (e.g., embedded multimedia card (eMMC), etc.), removable memory cards or sticks (e.g., micro storage device (uSD), USB, etc.), and optical memories such as compact disc-based ROM (CD-ROM), Digital Video Disks (DVD), Blu-ray Discs, etc.

Power circuitry 708 may include internal power sources (e.g., a battery, a fuel cell, etc.) and/or external power sources (e.g., an electromechanical or solar generator, a power grid, an external fuel cell, etc.), and related circuitry configured to supply system 700 with the power needed to operate. User interface circuitry 710 may include hardware and/or software to allow users to interact with system 700 such as, for example, various input mechanisms (e.g., microphones, switches, buttons, knobs, keyboards, speakers, touch-sensitive surfaces, one or more sensors configured to capture images and/or sense proximity, distance, motion, gestures, orientation, biometric data, etc.) and various output mechanisms (e.g., speakers, displays, lighted/flashing indicators, electromechanical components for vibration, motion, etc.). The hardware in user interface circuitry 710 may be incorporated within system 700 and/or may be coupled to system 700 via a wired or wireless communication medium. User interface circuitry 710 may be optional in certain circumstances such as, for example, where system 700 is a server (e.g., a rack server, a blade server, etc.) that does not include user interface circuitry 710 and instead relies on another device (e.g., a management terminal) for user interface functionality.

Communication interface circuitry 712 may be configured to manage packet routing and other control functions for communication module 714, which may include resources configured to support wired and/or wireless communications. In some instances, system 700 may comprise more than one communication module 714 (e.g., including separate physical interface modules for wired protocols and/or wireless radios) managed by centralized communication interface circuitry 712. Wired communications may include serial and parallel wired mediums such as, for example, Ethernet, USB, Firewire, Thunderbolt, Digital Video Interface (DVI), High-Definition Multimedia Interface (HDMI), etc. Wireless communications may include, for example, close-proximity wireless mediums (e.g., radio frequency (RF) such as based on the RF Identification (RFID) or Near Field Communications (NFC) standards, infrared (IR), etc.), short-range wireless mediums (e.g., Bluetooth, WLAN, Wi-Fi, etc.), long-range wireless mediums (e.g., cellular wide-area radio communication technology, satellite-based communications, etc.), electronic communications via sound waves, etc. In one embodiment, communication interface circuitry 712 may be configured to prevent wireless communications that are active in communication module 714 from interfering with each other. In performing this function, communication interface circuitry 712 may schedule activities for communication module 714 based on, for example, the relative priority of messages awaiting transmission. While the embodiment disclosed in FIG. 7 depicts communication interface circuitry 712 as separate from communication module 714, it may also be possible for the functionality of communication interface circuitry 712 and communication module 714 to be incorporated into the same module.

FIG. 8 depicts example operations for integrated circuit device authentication in accordance with at least one embodiment of the present disclosure. In general, the fingerprint bit string may be used to authenticate device 100, to determine the integrity of device 100 (e.g., which may indicate whether the security of device 100 has been compromised), etc. As disclosed in FIG. 7, a "known good" fingerprint for device 100 may be recorded and stored before device 100 is integrated into system 700. For example, the fingerprint of device 100 may be determined and stored by the manufacturer during device manufacture. This information may then later be made available via, for example, a cloud-based architecture (e.g., at least one server accessible via a network such as the Internet). System 700 may obtain the stored fingerprint data from the cloud-based architecture during startup and may use the obtained fingerprint data to authenticate device 100. Alternatively, the fingerprint may be stored within each device itself (e.g., within secure storage circuitry 208). The fingerprint data may be temporarily accessible when device 100 is first powered on. System 700 may record the fingerprint information from device 100 during the initial power-on, and the fingerprint may then be cleared from secure storage circuitry 208. During subsequent initializations, device 100 may generate a fingerprint based on fabrication characteristics, and authentication of device 100 may be determined by comparing the fingerprint generated during startup with the fingerprint data originally obtained from secure storage circuitry 208. In another example implementation, the fingerprint data may be permanently stored in secure storage circuitry 208, and only a system 100 comprising a certain configuration (e.g., including certain IC devices, chipsets, programs, etc.) may be able to access the stored fingerprint data. System 700 may use the stored fingerprint data to authenticate device 100 based on the fingerprint bit string generated by device 100 (e.g., as described above).

In operations 800 to 810, a system may authenticate at least one device. In operation 800, the system may be initialized. The system may then receive a fingerprint from the device in operation 802. For example, the fingerprint received from the device may be generated using operations such as those disclosed in FIG. 6. In operation 804, the system may verify the fingerprint received from the device against a known good fingerprint for the device. The known good fingerprint may be obtained by the system in a manner such as described above. A determination may then be made in operation 806 as to whether the fingerprints match. If it is determined in operation 806 that the fingerprints match, the system may continue initialization in operation 808. If it is determined in operation 806 that the fingerprints do not match, a security exception may occur in operation 810. Example security exceptions may interrupt initialization of the device and/or system, may trigger security safeguards in the system (e.g., lockout, data encryption, etc.), may generate notifications about the failure to authenticate the device to a user of the system, the manufacturer of the device/system, a distributor of the device/system, etc. In at least one embodiment, operation 810 may be followed by operation 808, so that the system may continue initialization despite the security exception. This may occur in instances where the security exception in operation 810 is able to protect the integrity of the system (e.g., by isolating any device that cannot be authenticated) without having to halt the overall system.
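Operations 800 to 810 with both security-exception outcomes (interrupting initialization, or isolating the device and continuing to operation 808), as an added Python sketch that is not part of the patent text. The device identifiers, fingerprint values and function names are constructed; the constant-time comparison and the choice to treat a missing known-good record as a failure are assumptions, not requirements stated in the disclosure.

```python
"""Added illustration: device authentication against a known-good fingerprint (FIG. 8)."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List


class SecurityException(Exception):
    """Operation 810: a device fingerprint did not match its known-good value."""


@dataclass
class InitResult:
    completed: bool = False                               # reached operation 808
    authenticated: List[str] = field(default_factory=list)
    isolated: List[str] = field(default_factory=list)     # devices that failed, kept out of use


def fingerprints_match(received: str, known_good: str) -> bool:
    """Operations 804/806. compare_digest avoids leaking the first differing bit via timing."""
    return hmac.compare_digest(received.encode("ascii"), known_good.encode("ascii"))


def initialize_system(reported: Dict[str, str],
                      known_good: Dict[str, str],
                      isolate_and_continue: bool = False) -> InitResult:
    """Operation 800 onward: authenticate every device that reports a fingerprint."""
    result = InitResult()
    for device_id, received in reported.items():          # operation 802
        expected = known_good.get(device_id)
        # Assumption: no known-good record means the device cannot be authenticated.
        if expected is not None and fingerprints_match(received, expected):
            result.authenticated.append(device_id)
            continue
        # Operation 810: security exception.
        if not isolate_and_continue:
            raise SecurityException(f"device {device_id} failed fingerprint authentication")
        result.isolated.append(device_id)                 # isolate, then fall through to 808
    result.completed = True                               # operation 808: continue initialization
    return result


# Constructed data: known-good values as recorded by the manufacturer, and two boot-time reports.
KNOWN_GOOD = {"ic-0": "100101", "ic-1": "011010"}
REPORTED_OK = {"ic-0": "100101", "ic-1": "011010"}
REPORTED_MISMATCH = {"ic-0": "100101", "ic-1": "011011", "ic-2": "111000"}

if __name__ == "__main__":
    print(initialize_system(REPORTED_OK, KNOWN_GOOD))
    print(initialize_system(REPORTED_MISMATCH, KNOWN_GOOD, isolate_and_continue=True))
```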

While FIGs. 6 and 8 depict operations according to different embodiments, it is to be understood that not all of the operations depicted in FIGs. 6 and 8 are necessary for other embodiments. Indeed, it is fully contemplated herein that in other embodiments of the present disclosure, the operations depicted in FIGs. 6 and 8, and/or other operations described herein, may be combined in a manner not specifically shown in any of the drawings, but still fully consistent with the present disclosure. Thus, claims directed to features and/or operations that are not exactly shown in one drawing are deemed within the scope and content of the present disclosure.

As used in this application and in the claims, a list of items joined by the term "and/or" can mean any combination of the listed items. For example, the phrase "A, B, and/or C" can mean A; B; C; A and B; A and C; B and C; or A, B, and C. As used in this application and in the claims, a list of items joined by the term "at least one of" can mean any combination of the listed terms. For example, the phrase "at least one of A, B, C" can mean A; B; C; A and B; A and C; B and C; or A, B, and C.

As used in any embodiment herein, the term "system" may refer to, for example, software, firmware, and/or circuitry configured to perform any of the aforementioned operations. Software may be embodied as a software package, code, instructions, instruction sets, and/or data recorded on non-transitory computer readable storage mediums. Firmware may be embodied as code, instructions or instruction sets and/or data that are hard-coded (e.g., non-volatile) in memory devices. "Circuitry," as used in any embodiment herein, may comprise, singly or in any combination, hardwired circuitry, programmable circuitry such as computer processors comprising one or more individual instruction processing cores, state machine circuitry, and/or firmware that stores instructions executed by programmable circuitry. The modules may, collectively or individually, be embodied as circuitry that forms part of a larger system, for example, an integrated circuit (IC), system-on-a-chip (SoC), desktop computers, laptop computers, tablet computers, servers, smartphones, etc.

Any of the operations described herein may be implemented in a system that includes one or more storage mediums (e.g., non-transitory storage mediums) having stored thereon, individually or in combination, instructions that when executed by one or more processors perform the methods. Here, the processor may include, for example, a server CPU, a mobile device CPU, and/or other programmable circuitry. Also, it is intended that operations described herein may be distributed across a plurality of physical devices, such as processing structures at more than one different physical location. The storage medium may include any type of tangible medium, for example, any type of disk including hard disks, floppy disks, optical disks, compact disc read-only memories (CD-ROMs), compact disc rewritables (CD-RWs), and magneto-optical disks; semiconductor devices such as read-only memories (ROMs), random access memories (RAMs) such as dynamic and static RAMs, erasable programmable read-only memories (EPROMs), electrically erasable programmable read-only memories (EEPROMs), Flash memories, solid state disks (SSDs), embedded multimedia cards (eMMCs), secure digital input/output (SDIO) cards, magnetic or optical cards; or any type of media suitable for storing electronic instructions. Other embodiments may be implemented as software modules executed by a programmable control device.

Thus, this disclosure is directed to hardware protection based on fabrication characteristics. In general, an integrated circuit (IC) device may be configured to determine a string of logical values or "fingerprint" based at least on fabrication characteristics of the device. An example device may comprise at least functional circuitry corresponding to the functional purpose of the device and hardware protection circuitry (HPC). Example HPC may include interpreter circuitry and fingerprint circuitry. For example, the interpreter circuitry may measure at least one parameter (e.g., voltage) of at least one electronic component in the fingerprint circuitry, and in at least one embodiment, may compare voltages measured from different components in the fingerprint circuitry and then assign a logical one or zero to the fingerprint string based on the results of each component comparison. Example electronic components may include transistors, resistors, etc., whose performance may depend on the fabrication characteristics of the device.

The following examples pertain to further embodiments. The following examples of the present disclosure may comprise subject material such as a device, a method, at least one machine-readable medium for storing instructions that when executed cause a machine to perform acts based on the method, means for performing acts based on the method, and/or a system for hardware protection based on fabrication characteristics.

According to example 1 there is provided an integrated circuit device. The device may comprise a substrate, functional circuitry fabricated on the substrate, and hardware protection circuitry fabricated on the substrate, the hardware protection circuitry including at least fingerprint circuitry and interpreter circuitry to determine a fingerprint for the device based on fabrication characteristics of the fingerprint circuitry.

Example 2 may include the elements of example 1, wherein the interpreter circuitry is to measure at least one voltage corresponding to at least one fabrication characteristic unit in the fingerprint circuitry.

Example 3 may include the elements of example 2, wherein the at least one fabrication characteristic unit may include at least one electronic component dedicated only to fingerprint determination in the device.

Example 4 may include the elements of any of examples 1 to 3, wherein the interpreter circuitry is to compare voltages measured from at least two electronic components in the fingerprint circuitry.

Example 5 may include the elements of example 4, wherein a fingerprint string in the device comprises a logical value corresponding to each voltage comparison and the interpreter circuitry is to assign a logical one to the fingerprint string if the two voltages satisfy a certain relationship, and assign a logical zero to the fingerprint string if the two voltages do not satisfy the certain relationship.

Example 6 may include the elements of any of examples 4 to 5, wherein the certain relationship is one of a first voltage of the two voltages being greater than or less than a second voltage of the two voltages.

Example 7 may include the elements of any of examples 4 to 6, wherein the certain relationship is one of the absolute value of the difference between the two voltages being greater than or less than a standard value.

Example 8 may include the elements of any of examples 4 to 7, wherein the at least two electronic components are transistors or resistors.

Example 9 may include the elements of any of examples 4 to 8, wherein the at least two electronic components include at least one of transistors or resistors.

Example 10 may include the elements of any of examples 4 to 9, wherein the at least two electronic components comprise groups of components each including at least one transistor coupled to a resistor.

Example 11 may include the elements of any of examples 4 to 10, wherein one of the at least two electronic components is designated as a reference, and each subsequent electronic component is compared to the reference.

Example 12 may include the elements of any of examples 1 to 11, wherein the interpreter circuitry comprises at least comparison circuitry and fingerprint formation circuitry.

Example 13 may include the elements of any of examples 1 to 12, wherein the interpreter circuitry comprises at least one of multiplexer circuitry, decoder circuitry, or secure storage circuitry.

Example 14 may include the elements of any of examples 1 to 13, wherein the interpreter circuitry comprises a legacy interface to cause the fingerprint to be written to fuse circuitry within the device.

Example 15 may include the elements of any of examples 1 to 14, wherein the hardware protection circuitry is to provide the fingerprint to an external tracking system during manufacture of the integrated circuit device.

Example 16 may include the elements of example 15, wherein a system including the integrated circuit device is to obtain the fingerprint from the external tracking system to authenticate the integrated circuit device.

根據範例17,提供一種用於制訂積體電路裝置之指紋的方法。該方法可包含初始化積體電路裝置、初始化該裝置中的指紋決定、及基於該裝置的生產特性決定該裝置的指紋。 According to Example 17, a method for formulating a fingerprint of an integrated circuit device is provided. The method can include initializing the integrated circuit device, initializing a fingerprint determination in the device, and determining a fingerprint of the device based on the production characteristics of the device.

範例18可包括範例17的元件,其中基於生產特性決定指紋的步驟包含對該裝置中之指紋電路中的至少一個電子組件量測電壓。 Example 18 can include the elements of Example 17, wherein the step of determining a fingerprint based on production characteristics comprises measuring a voltage of at least one of the fingerprint circuits in the device.

範例19可包括範例18的元件,其中基於生產特性決定指紋的步驟包含若從該指紋電路量測的第一電壓及第二電壓滿足特定關係,指派邏輯一至該裝置中的指紋串,該指紋串包括對應於各電壓比較的邏輯值,及若該第一電壓及該第二電壓不滿足該特定關係,指派邏輯零至該指紋串。 Example 19 can include the elements of example 18, wherein the step of determining a fingerprint based on production characteristics includes assigning a logic to a fingerprint string in the device if the first voltage and the second voltage measured from the fingerprint circuit satisfy a particular relationship, the fingerprint string A logic value corresponding to each voltage comparison is included, and if the first voltage and the second voltage do not satisfy the particular relationship, a logic zero is assigned to the fingerprint string.

範例20可包括範例19的元件,其中該特定關係係該第一電壓大於或少於該第二電壓的一者。 Example 20 can include the element of example 19, wherein the particular relationship is that the first voltage is greater than or less than one of the second voltages.

範例21可包括範例19至20之任一者的元件,其中該特定關係係該第一電壓及該第二電壓之間的差之絕對值大於或少於特定標準值的一者。 The example 21 can include the element of any one of examples 19 to 20, wherein the particular relationship is one of an absolute value of a difference between the first voltage and the second voltage being greater than or less than a particular standard value.

範例22可包括範例19至21之任一者的元件,並可更包含儲存該指紋串。 Example 22 can include elements of any of Examples 19-21, and can further include storing the fingerprint string.

範例23可包括範例17至22之任一者的元件,並可更包含在包括至少該裝置的系統中,企圖基於該指紋認證該裝置、基於認證失敗,在該系統上實施至少一個安全操作、及基於認證成功,允許該系統在初始化內繼續。 Example 23 can include the elements of any of Examples 17 to 22, and can be further included in a system including at least the device, in an attempt to authenticate the device based on the fingerprint, perform at least one security operation on the system based on the authentication failure, And based on successful authentication, the system is allowed to continue during initialization.

範例24可包括範例23的元件,並可更包含基於認證失敗,實施與安全異常關聯的至少一個活動。 Example 24 can include the elements of example 23, and can further include implementing at least one activity associated with the security exception based on the authentication failure.

Example 25 may include the elements of any of examples 17 to 24, and may further comprise providing the fingerprint to an external system during manufacture of the integrated circuit device.

According to example 26, there is provided a system including at least one device, the system being configured to perform the method of any of the above examples 17 to 25.

According to example 27, there is provided a chipset configured to perform the method of any of the above examples 17 to 25.

According to example 28, there is provided at least one machine-readable medium comprising a plurality of instructions that, in response to being executed on a computing device, cause the computing device to carry out the method according to any of the above examples 17 to 25.

According to example 29, there is provided at least one device configured for formulating a fingerprint, the at least one device being configured to perform the method of any of the above examples 17 to 25.

According to example 30, there is provided a system for formulating a fingerprint of an integrated circuit device. The system may comprise means for initializing an integrated circuit device, means for initializing fingerprint determination in the device, and means for determining a fingerprint of the device based on fabrication characteristics of the device.

Example 31 may include the elements of example 30, wherein the means for determining a fingerprint based on fabrication characteristics comprise means for measuring a voltage for at least one electronic component in fingerprint circuitry in the device.

Example 32 may include the elements of example 31, wherein the means for determining a fingerprint based on fabrication characteristics comprise means for assigning a logical one to a fingerprint string in the device if a first voltage and a second voltage measured from the fingerprint circuitry satisfy a particular relationship, the fingerprint string including logical values corresponding to each voltage comparison, and means for assigning a logical zero to the fingerprint string if the first voltage and the second voltage do not satisfy the particular relationship.

Example 33 may include the elements of example 32, wherein the particular relationship is one of the first voltage being greater than or less than the second voltage.

Example 34 may include the elements of any of examples 32 to 33, wherein the particular relationship is one of the absolute value of the difference between the first voltage and the second voltage being greater than or less than a particular standard value.

Example 35 may include the elements of any of examples 32 to 34, and may further comprise means for storing the fingerprint string.

Example 36 may include the elements of any of examples 30 to 35, and may further comprise, in a system including at least the device, means for attempting to authenticate the device based on the fingerprint, means for performing at least one security operation on the system based on authentication failure, and means for allowing the system to continue with initialization based on authentication success.

Example 37 may include the elements of example 36, and may further comprise means for performing at least one activity associated with a security exception based on authentication failure.

Example 38 may include the elements of any of examples 30 to 36, and may further comprise means for providing the fingerprint to an external system during manufacture of the integrated circuit device.

The terms and expressions employed herein are used as terms of description and not of limitation, and there is no intention, in the use of such terms and expressions, of excluding any equivalents of the features shown and described (or portions thereof), and it is recognized that various modifications are possible within the scope of the claims. Accordingly, the claims are intended to cover all such equivalents.
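The comparison scheme of Examples 19 to 23, written out as an added Python example (not code from the patent or its applicant). The voltages are constructed sample values, and the function names, the return labels, and the choice of component 0 as the designated reference (treated as the "first voltage") are assumptions made for illustration.

```python
import hmac
from typing import Callable, Sequence

# A "particular relationship" between a first and a second measured voltage.
Relation = Callable[[float, float], bool]

def first_greater(v1: float, v2: float) -> bool:
    """Relationship of Example 20: first voltage greater than the second."""
    return v1 > v2

def abs_diff_exceeds(standard: float) -> Relation:
    """Relationship of Example 21: |v1 - v2| greater than a standard value."""
    return lambda v1, v2: abs(v1 - v2) > standard

def derive_fingerprint(voltages: Sequence[float], relation: Relation) -> str:
    """One logical value per comparison: '1' if the relation holds, else '0'.

    Assumption: component 0 is the designated reference and is treated as the
    first voltage; every later component is compared against it.
    """
    if len(voltages) < 2:
        raise ValueError("need a reference and at least one other component")
    ref = voltages[0]
    return "".join("1" if relation(ref, v) else "0" for v in voltages[1:])

def authenticate(measured: Sequence[float], enrolled: str,
                 relation: Relation) -> str:
    """Flow of Example 23; the two return labels are hypothetical names."""
    fingerprint = derive_fingerprint(measured, relation)
    # Constant-time comparison, so timing does not reveal how many bits match.
    if hmac.compare_digest(fingerprint.encode(), enrolled.encode()):
        return "continue-initialization"
    return "security-operation"

# Constructed voltages (in volts) for two dies of the same design.
DIE_A = [0.512, 0.498, 0.530, 0.511, 0.475, 0.519]
DIE_B = [0.505, 0.520, 0.490, 0.507, 0.515, 0.480]

if __name__ == "__main__":
    # Enrolled value, e.g. one provided to an external system at manufacture.
    enrolled = derive_fingerprint(DIE_A, first_greater)
    print(enrolled, derive_fingerprint(DIE_A, abs_diff_exceeds(0.010)))
    print(authenticate(DIE_A, enrolled, first_greater))
    print(authenticate(DIE_B, enrolled, first_greater))
```

In the constructed data the 0.512 V and 0.511 V components differ by only 1 mV, so that comparison yields a one under the greater-than relation and a zero under the 10 mV absolute-difference relation.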

100‧‧‧Device

102‧‧‧Functional circuitry

104‧‧‧HPC

106‧‧‧Interpreter circuitry

108‧‧‧Fingerprint circuitry

Claims (25)

1. An integrated circuit device, comprising: a substrate; functional circuitry fabricated on the substrate; and hardware protection circuitry fabricated on the substrate, the hardware protection circuitry including at least fingerprint circuitry and interpreter circuitry to determine a fingerprint of the device based on fabrication characteristics of the fingerprint circuitry.

2. The device of claim 1, wherein the interpreter circuitry is to compare voltages measured from at least two electronic components in the fingerprint circuitry.

3. The device of claim 2, wherein a fingerprint string in the device comprises logical values corresponding to each voltage comparison; and the interpreter circuitry is to assign a logical one to the fingerprint string if the two voltages satisfy a particular relationship, and to assign a logical zero to the fingerprint string if the two voltages do not satisfy the particular relationship.

4. The device of claim 2, wherein the particular relationship is one of a first voltage of the two voltages being greater than or less than a second voltage of the two voltages.

5. The device of claim 2, wherein the particular relationship is one of the absolute value of the difference between the two voltages being greater than or less than a standard value.

6. The device of claim 2, wherein the at least two electronic components are transistors or resistors.

7. The device of claim 2, wherein the at least two electronic components comprise component groups each including at least one transistor coupled to a resistor.

8. The device of claim 2, wherein one of the at least two electronic components is designated as a reference, and each subsequent electronic component is compared to the reference.

9. The device of claim 1, wherein the interpreter circuitry comprises at least comparison circuitry and fingerprint formation circuitry.

10. The device of claim 1, wherein the interpreter circuitry comprises at least one of multiplexer circuitry, decoder circuitry, or secure storage circuitry.

11. The device of claim 1, wherein the interpreter circuitry comprises a conventional interface to cause the fingerprint to be written to fuse circuitry within the device.

12. A method for formulating a fingerprint of an integrated circuit device, comprising: initializing an integrated circuit device; initializing fingerprint determination in the device; and determining a fingerprint of the device based on fabrication characteristics of the device.

13. The method of claim 12, wherein determining a fingerprint based on fabrication characteristics comprises measuring a voltage for at least one electronic component in fingerprint circuitry in the device.

14. The method of claim 13, wherein determining a fingerprint based on fabrication characteristics comprises: assigning a logical one to a fingerprint string in the device if a first voltage and a second voltage measured from the fingerprint circuitry satisfy a particular relationship, the fingerprint string including logical values corresponding to each voltage comparison; and assigning a logical zero to the fingerprint string if the first voltage and the second voltage do not satisfy the particular relationship.

15. The method of claim 14, wherein the particular relationship is one of the first voltage being greater than or less than the second voltage.

16. The method of claim 14, wherein the particular relationship is one of the absolute value of the difference between the first voltage and the second voltage being greater than or less than a particular standard value.

17. The method of claim 14, further comprising storing the fingerprint string.

18. The method of claim 12, further comprising: in a system including at least the device, attempting to authenticate the device based on the fingerprint; performing at least one security operation in the system based on authentication failure; and allowing the system to continue with initialization based on authentication success.

19. At least one machine-readable storage device having stored thereon, individually or in combination, instructions for formulating a fingerprint of an integrated circuit device that, when executed by one or more processors, cause the one or more processors to: initialize an integrated circuit device; initialize fingerprint determination in the device; and determine a fingerprint of the device based on fabrication characteristics of the device.

20. The storage device of claim 19, wherein the instructions to determine a fingerprint based on fabrication characteristics comprise instructions to measure a voltage for at least one electronic component in fingerprint circuitry in the device.

21. The storage device of claim 20, wherein the instructions to determine a fingerprint based on fabrication characteristics comprise instructions to: assign a logical one to a fingerprint string in the device if a first voltage and a second voltage measured from the fingerprint circuitry satisfy a particular relationship, the fingerprint string including logical values corresponding to each voltage comparison; and assign a logical zero to the fingerprint string if the first voltage and the second voltage do not satisfy the particular relationship.

22. The storage device of claim 21, wherein the particular relationship is one of the first voltage being greater than or less than the second voltage.

23. The storage device of claim 21, wherein the particular relationship is one of the absolute value of the difference between the first voltage and the second voltage being greater than or less than a particular standard value.

24. The storage device of claim 21, further comprising instructions that, when executed by one or more processors, cause the one or more processors to: store the fingerprint string.

25. The storage device of claim 19, further comprising instructions that, when executed by one or more processors, cause the one or more processors to: in a system including at least the device, attempt to authenticate the device based on the fingerprint; perform at least one security operation on the system based on authentication failure; and allow the system to continue with initialization based on authentication success.
TW105124632A 2015-09-22 2016-08-03 Hardware protection based on fabrication characteristics TW201721506A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2015/051345 WO2017052505A1 (en) 2015-09-22 2015-09-22 Hardware protection based on fabrication characteristics

Publications (1)

Publication Number Publication Date
TW201721506A true TW201721506A (en) 2017-06-16

Family

ID=58386814

Family Applications (1)

Application Number Title Priority Date Filing Date
TW105124632A TW201721506A (en) 2015-09-22 2016-08-03 Hardware protection based on fabrication characteristics

Country Status (2)

Country Link
TW (1) TW201721506A (en)
WO (1) WO2017052505A1 (en)


Also Published As

Publication number Publication date
WO2017052505A1 (en) 2017-03-30
