WO2002099809A2

WO2002099809A2 - Method and device for masking out non-serviceable memory cells

Info

Publication number: WO2002099809A2
Application number: PCT/EP2002/006145
Authority: WO
Inventors: Gerd Dirscherl; Heimo Hartlieb; Christian May; Holger Sedlak
Original assignee: Infineon Technologies Ag
Priority date: 2001-06-05
Filing date: 2002-06-04
Publication date: 2002-12-12
Also published as: DE10127194A1; DE10127194B4; TW559822B; WO2002099809A3

Abstract

The invention relates to a method for controlling the mapping of a logical address of a logical address space to a physical address of a physical address space (20). Said method involves the following steps: a first physical address and a corresponding memory cell, which are associated by the mapping (30) of a logical address, are determined; the memory cell is checked for serviceability; and the mapping (30) is modified if the check reveals that the memory cell is not serviceable, in such a way that the logical address is mapped to a second physical address in the physical address space (20). In this way, access to a physical memory is carried out by means of logical addresses which are mapped to the physical addresses of the physical memory, i.e. virtual memory addressing is used in order to mask out non-serviceable memory cells in a simple and effective manner.

Description

description

Method and device for hiding non-functional memory cells

The present invention relates to a method and an apparatus for controlling a mapping of a logical address of a logical address space to a physical address of a physical address space in order to store non-functional memory cells of, for example, an EEPROM

Hide memory. In particular, the present invention relates to the masking of non-functional memory cells of a non-volatile memory of security modules, such as e.g. Chip cards, multi-application chip cards, smart cards etc.

Chip cards are used today in almost all areas of everyday life, e.g. as a telephone card, as a smart card for pay-TV applications or cell phones, as electronic ID cards, credit cards etc. Particularly high demands are placed on the capabilities of a chip card, particularly when using chip cards in the area of cashless payment transactions and identification. For example, smart cards today have to have a high level of security, computing power and miniaturization. These requirements for chip cards in chip card production are exacerbated by the fact that they have to be mass-produced inexpensively and have to be small and that the power consumption in mobile applications is limited.

To ensure high security, so that, for example, unauthorized access to the information stored on the chip card, e.g. a secret key and in the case of a credit card the credit card number, the account number and the credit and in the case of a pay TV

In order to prevent a smart card from entering a smart card ID, a customer ID and other customer specific information Nowadays, chip cards have to be implemented with complex cryptography algorithms in order to be able to carry out digital signatures, authentication and encryption and decryption tasks. Known cryptography algorithms include asymmetrical encryption algorithms, such as the RSA algorithm, symmetrical encryption methods, such as the DES method, and methods based on elliptic curves. All these methods have in common that the security of the cryptography algorithms increases with the length of the underlying crypto operands, so that considerable computing power is required to achieve high security. When using the RSA algorithm, the operands usually have a length of 1024 or 2048 bits, for example.

A problem-free implementation of secure chip cards is opposed above all by the high demands on miniaturization and the low maximum power requirement in mobile applications. While the small chip area limits the available memory space on the chip card, the power consumption limitation limits the computing power and the clock rate. Today's chip cards therefore use microprocessors for chip card applications that, in addition to a CPU, use fast and performance-optimized crypto coprocessors that are specifically designed to perform specific computing operations for the cryptography algorithms, such as for performing a modular or arithmetic arithmetic operation, hashing or the like.

Due to the increasing development in semiconductor technology with regard to the degree of integration and the power consumption, chip cards have recently been made possible which can be used for several applications. In addition to the microprocessor, these chip cards include a ROM for storing an operating system, a RAM as working memory and an NVM (NVM = non-volatile memory) for storing the various programs. me for the various applications that can run on the chip card.

A problem that arises with the newer chip cards is that the memory cells of the non-volatile ones

Memory in which the programs of the various applications as well as the chip card-specific information are stored, have a limited lifespan and lose their functionality after a certain period of time, the errors being identified via checksums. The loss of information must be prevented by software from the program running on the chip card using suitable measures.

The object of the present invention is a

To provide an apparatus and a method which offers a program accessing a memory an error-free, linear address space of the memory, even if physical memory cells have failed or are defective.

This object is achieved by a method according to claim 1 and an apparatus according to claim 12.

The present invention is based on the finding that by accessing a physical memory using logical addresses which are mapped to the physical addresses of the physical memory, i. by means of virtual memory addressing, non-functional memory cells can be hidden in a simple and effective way. The

The problem of replacing defective physical memory areas does not arise for workstations in which virtual memory addressing is used, since only RAM that has very low failure rates can be considered as the underlying physical memory. According to the invention, the suppression of non-functional memory cells of a physical memory is achieved in that, after a check of a memory cell has shown that it is not functional, the mapping from the logical address space into the physical address space is changed such that the logical address is changed to which the physical address to which the memory cell belongs, which has been mapped so far by the mapping, is mapped to another physical address in the physical address space. An application that runs in the logical address space and accesses the physical memory via logical addresses consequently “sees” only functional memory cells because of the logical address space, since the mapping is controlled or “redirected” in such a way that no logical address is assigned to a physical one Address is mapped to which a non-functioning memory cell belongs. In addition, the program design of the programs executable on the chip card can be retained due to the invariance of the logical address space, that is to say the address space relevant for the program flow, and need not be changed because of the change in the mapping.

The physical memory is preferably a non-volatile memory, e.g. an EEPROM or a flash memory, as used in security modules, e.g. Smart cards or

Smart cards, is often available, with these memories the operating time or the life of the memory cells is relatively short. The mapping of the logical addresses to the physical addresses can be stored, for example, in the form of a translation look-up table in which pairs of a logical address and a physical address are entered. In a first exemplary embodiment, all the logical addresses are entered in the look-up table together with a physical address which have been mapped to another physical address on the basis of a determined non-functional memory cell. ^" In this embodiment, all logical addresses are the are not in the translation look-up table, mapped to an identical physical address to the logical address by an identity map. If a check of a memory cell reveals that it is not functional and the image is to be changed on the basis of this, the logical address is entered together with another, new physical address in the translation look-up table or the existing entry of the logical address is changed or replaced. When the physical memory is accessed by a read,

Writing or executing a logical address by an application, for example, the translation look-up table is first checked to determine whether there is an entry for the logical address or not, and if this is the case, the memory cells of the physical memory are accessed during the process, which are assigned to the physical address in the translation look-up table entry and, if there is no entry with the logical address in the translation look-up table, the logical address is used as the physical address and the physical memory is accessed on the basis of this identical physical address.

In a second embodiment, the principle of identity mapping does not exist, and a translation look-up table is always looked up to convert a logical address into a physical address. If a logical address is not in the table, an operating system routine is called up by the hardware, which performs an exception handling and enters a physical one for the corresponding logical address in the table. Logical addresses which are assigned to "defective" physical addresses, ie physical addresses which are assigned to defective memory cells, are assigned new physical addresses which are related to a non-defective memory. In both exemplary embodiments, in order on the one hand to keep the administration and the associated storage space of the translation table as small as possible and on the other hand, when a defective or non-functional memory cell is hidden, as few functional memory cells as possible are discarded or “given away” ", not an entry for each individual address in the table but for certain sections of the memory. In fact, an address entry in the table corresponds to the beginning of a section of memory with a certain length in the logical and physical address space. Each logical address within such a section of memory a physical address is therefore assigned in such a way that the distances to the respective beginning of the memory section are identical, which results in a page-by-page and not a word-by-page mapping for the mapping from the logical address space to the physical address space results in which page or memory sections (page frames) of the physical address space of a predetermined size are mapped onto pages of the logical address space.

The page section size is preferably between 32 and 128 bytes, such as 64 bytes, for the best possible balance between the amount of memory required to manage the translation look-up table and the size of the "wasted" memory in the case of a defective memory cell being hidden. This area results in an optimal adaptation the page size to the operating times or lifetimes of the memory cells of a non-volatile memory and, in particular, to the available storage space, as is customary, for example, with chip cards.

The check of the memory cells of the physical memory can, for example, either be carried out immediately before an access, such as a read, write or execution process, with regard to a physical address, or the check can be carried out for all logical addresses Addresses when the system using the physical memory is initialized.

In the event that a check determines that a memory cell is not functional, the logical address assigned to it is mapped to a new physical address, as a result of which the memory area assigned to the old physical address is hidden.

According to a special exemplary embodiment, the physical memory is arranged on a chip card which is intended for a number of applications. Each application is assigned its own predetermined section of the logical address space, which does not change even if a memory cell of a physical address to which a logical address of the address space is mapped does not become functional. In particular, the sequence of the individual memory lines of a memory section of an application is not disturbed by the fact that one physical address is hidden or replaced by another.

With a multi-application chip card, there is the additional advantage that the logical address space assigned to the individual applications is retained even if individual memory cells fail. The linearity of the address space of a specific application is also retained with regard to the logical address space.

The invention consequently enables the construction of a logical address space from exclusively functioning physical memory at runtime and the replacement of a defective memory occurring during the runtime with correctly working memory without changing the logical address space.

Further developments and variations of the present invention are defined in the accompanying claims, at which the specified method steps in a device according to the invention can be carried out by appropriate devices, which can be implemented, for example, in software or hardware.

Preferred exemplary embodiments of the present invention are explained in more detail below with reference to the accompanying drawings. Show it:

Figure 1 is a schematic sketch illustrating the mapping of a logical address space into a physical address space.

FIG. 2 is a flowchart illustrating a check of the memory cells of a non-volatile memory for an initialization;

3 is a flowchart illustrating access to a non-volatile memory upon a read, write, or export operation according to a first embodiment;

4 is a flowchart illustrating access to non-volatile memory upon a read, write, or export operation according to a second embodiment;

5 shows a flowchart which illustrates a check of the memory cells of a non-volatile memory for initialization in accordance with a specific exemplary embodiment; and

Fig. 6 is a block diagram illustrating the arrangement of a translation device in a chip card according to an embodiment of the present invention. Before exemplary embodiments of the present invention are described with reference to FIGS. 2 to 6, the mapping of a logical address space into a physical address space for virtual addressing, as is used according to the present invention, in order to detect defects or "to hide" non-functional memory cells.

Before referring to Fig. 1, it should be noted that the following description refers to the application of the present invention to non-volatile memories in smart cards, such as e.g. those of the multi-application type, but the present invention can also be used with other memory-containing devices.

1 schematically shows the mapping of a logical address space into a physical address space in the case of a multi-application chip card. The logical address space 10 is divided into a plurality of non-overlapping, equally large pages which are represented as rectangles and arranged in columns. The physical address space 20 similarly consists of a plurality of non-overlapping, equally large side sections, which are represented as rectangles and are arranged in columns. Arrows 30 are intended to illustrate which pages of the logical address space are mapped to which side section of the physical address space 20. Each arrow is based on a different side of the logical address space and generally points to a different side section of the physical address space 20.

As shown in FIG. 1, not every page of the logical address space 10 is mapped to a side section of the physical address space 20. Rather, only those pages of the logical address space 10 are mapped onto a ^" page section of the physical address space 20 that contain an address of the logical address space or memory at which there is readable or writable data or executable code from one of the applications executable on the chip card. In the page sections of the physical address space 20, on which the pages of the logical address space 10 are mapped, the data or the code are actually physically stored.

As can be seen from FIG. 1, the logical address and the associated physical address have no relation to one another apart from FIG. 30. The logical address space 10 can be substantially larger than the physical address space 20, in the case of FIG. 1 the size of the logical address space 10 being for example in the gigabyte range and that of the physical address space 20 in the megabyte range. Pages with no readable or writable data or executable code, such as the page 40 are usually not mapped to the physical address space 20. Conversely, physical page sections can also remain unused, e.g. the side section 45.

The mapping of the logical address space 10 into the physical address space 20 represented by the arrows 30 is completely transparent for the applications executable on the chip card, so that an application code can be created on the basis of a corresponding specification of the logical address space. The logical address space 10 is divided into individual parts, which in turn are assigned to the different applications. A part of an application that is connected in the logical address space 10 can consequently be stored in the physical address space 20 in any order based on the illustration 30. In particular, the individual pages of the logical address space 10 can be mapped as desired to other page sections of the physical address space 20 if, for example, a memory cell of a page section loses its functionality. As mentioned, the logical address space 10 and the physical address space 20 are subdivided into pages or page sections by subdividing the two address spaces 10 and 20 into equally large, overlap-free memory areas, the one page section in the physical

Address space 20 covered memory area is exactly as large as that of a page in the logical address space 10. A logical address within a page is assigned to a physical address in the associated page section with an equal distance or offset from the respective start address, so that each logical address and each assigned physical address consists of the same offset value and a page or section start address.

A page section in the physical address space 20 can also be assigned additional memory bits, as indicated by the larger width of the rectangles of the physical page sections, which are not accessible to the applications via the normal addressing method and also not to expand the physical address space 20 for Keep application data. These additional memory bits include, for example, error correction code (ECC) bits which enable the detection of an incorrect function of the physical data memory of the page section or even a reconstruction of the memory content thereof, valid flags which indicate the validity of those in the corresponding page specify data, and / or access rights to the corresponding side of the logical address space. The pages and the page sections are assigned using a page table or translation table which has address pairs or tuples of respective start addresses of a logical page and an assigned physical page section.

In the case of FIG. 1, an entry in the page table contains, for example, the start address of the first page 50 of the logical address space 10 and the start address of the sixth page section 60 of the physical address space 20, as represented by the arrow 70 and the number “6” in the rectangle 50. Logical pages that are not assigned are not contained in the page table.

As shown by way of example in FIG. 1 for the page 50 of the logical address space 10, the size of a page according to one exemplary embodiment is between 32 and 128 bytes. Although other address space division sizes are also possible, e.g. a word size of 1 byte, the size of between 32 and 128 bytes has been found to be particularly advantageous in that it represents a favorable compromise between on the one hand the least possible effort for storing and managing the page table and on the other hand the least possible memory cell loss if a section of the physical address space 20 is hidden due to only a defective memory cell by changing the figure 30. In particular, the size of the pages or page sections depends on the operating times of the memory cells.

Further advantages of using the virtual memory addressing for chip cards are described in the article Stephan Ondrusch, "Protected Virtual Memory - 32-bit power without the handbrake on", 10th GMD SmartCard Workshop Darmstadt, 9 February 2000, which is hereby is incorporated by reference.

After the mapping of logical addresses to physical addresses has been described above with reference to FIG. 1, an example case is described below with reference to FIG. 1, by means of which the uncomplicated “masking out” of defective memory cells is illustrated by the page 30 illustration For this purpose, it is assumed below that the memory cells of the logical address space 10 belong to a single application. It is further assumed that one of the memory cells of the page section 60, on which the logical page 50 is currently mapped, loses its functionality. In this case, as shown by a dashed arrow 80, the entry in the page table and thus the mapping itself can be changed such that a free page section 90 of the physical address space 20 is assigned to the logical page 50. The application which "expects" specific data or a specific code on the logical page 50 does not "notice" that after changing the mapping when accessing the first logical page, it accesses another page section of the physical address space 20 ,

In order to make it possible for the correct data to be located in the page section 90 after the redirection of “the figure”, redundant information is added to the page sections of the physical address space 20, for example, from which the memory content of the defective memory cell is reconstructed and the entire memory content of the old memory content, ie 60, can be copied into the new page section 90. It is particularly advantageous here that the application maintains the linear order within the address space in which it operates - a positive side effect on the side of the physical storage of the data consists in the fact that the data arranged linearly within the logical address space are scrambled or chopped up by the mapping or the change of the mapping, so that an additional advantage, particularly for chip cards, is that a potential attacker who owns a Chip card et, in the event of an attack on the chip card, the scrambling of the stored data, such as of an application's algorithm code.

Referring to FIG. 2, the change in the page-by-page illustration explained with reference to FIG. 1 is described below when defective memory cells are detected or the hiding of such memory cells is explained according to an exemplary embodiment of the present invention. 1 relates to an exemplary embodiment in which, after initialization, all the logical addresses are first checked to determine whether the memory cells of the physical addresses to which the logical addresses are mapped are functioning or not. In another exemplary embodiment, however, the checking of the memory cells can also be postponed to a later point in time at which a reading, writing, executing or other process takes place with respect to a specific logical address and thus an assigned physical address.

After an initialization 200, the physical address or the start address of the physical page section and the associated memory cells are determined in a step 210, which are assigned via the mapping of the logical address or the start address of the logical page. Thereupon, in a step 220, the memory cell is checked for its functionality. If the check in step 220 shows 230 that the memory cells are functional, the mapping is left unchanged. However, if the check 220 determines 230 that one of the memory cells is not functional, the mapping of the logical address space to the physical address space is changed in a step 240 such that the logical address is mapped to a different physical address, as previously referred to Fig. 1 has been described. After steps 230 and 240, it is checked in a step 260 whether there are further logical addresses which have not yet been checked. If this is the case, the skip sequence jumps back to step 210, steps 210-240 being carried out with respect to a next logical address. If no further logical addresses are found during the check 260, the stripping end ends. run and, for example, the execution of an application begins.

With regard to the preceding description of FIG. 2, it is pointed out that step 240, for example, changes or replaces a corresponding entry of the logical address in a page table or, in the event that an entry with the logical address is not yet in the page table , which may include entering a corresponding entry with the logical address and the other physical address.

Referring to Fig. 3, a flow will be described as it takes place according to an embodiment of the present invention to perform the access to the physical memory, which is carried out by a corresponding process or a corresponding transaction, e.g. a read, write or execute transaction triggered by an application. In this exemplary embodiment, in a page translation look-up table which defines the mapping between the logical and the physical address space, there are only entries with such logical addresses which differ from the physical address at which the data or code of the logical address is actually stored. In other words, in this exemplary embodiment the basic state of the mapping rule between the logical and the physical addresses consists of an identity mapping which maps logical addresses to identical physical addresses. Only in the case of a defective memory cell is that logical address which is mapped to the physical address associated with the defective memory cell "redirected" to another physical address, as a result of which the defective memory cell is hidden in a manner which is transparent to the application.

After an application has read, written or exported a logical step in a step 300 Address has been started, a step 310 is looked up in a translation look-up table or a page table in order to check whether there is an entry for the logical address therein.

If step 310 determines 320 that there is an entry with the logical address, this entry is read in step 330 to obtain the physical address. However, if step 310 results 320 that there is no corresponding entry with the logical address, the logical address is mapped to the physical address so that the physical address is identical to the logical address.

After one of the two steps 330 or 340 has been carried out, in a step 350 the specific physical address, i.e. the physical address identical to the logical address or the physical address of the entry is accessed and the reading, writing or exporting process is carried out.

It is pointed out that steps 310 to 340 take place virtually imperceptibly for the application and that the application can access the logical address space assigned to the application as usual even after the event of a defective memory cell.

A process is described with reference to FIG. 4, as takes place according to a further exemplary embodiment of the present invention, in order to access the physical

Execute memory by a corresponding process and a corresponding transaction, for example, is dissolved a read, write or Ausführtransaktion by an application from ^¬. In this embodiment, not only the changed or redirected logical addresses are in the

Look-up table saved but also ^" other. The executing hardware expects this execution example, always an entry in the lookup table. If it does not find an entry for a special logical address, an exception routine is carried out by the operating system, which then adds the searched logical address together with the associated physical address to the look-up table.

The steps shown in FIG. 4 correspond to those of FIG. 3 up to the point at which it is determined that the logical address sought is not present in the look-up table, for which reason these identical steps are provided with the same reference symbols and to avoid repetitions not be discussed again.

If step 310 thus results 320 that an entry with the logical address is present, this entry is read in a step 330 as in the previous exemplary embodiment in order to obtain the physical address. If, however, step 310 results in 320 that there is no corresponding entry with the logical address, the hardware starts an exception routine of the operating system in a step 340 ′, unlike in the previous exemplary embodiment, or a trap to the operating system takes place. As part of the exception routine, the operating system determines the missing physical address that corresponds to the requested logical address and also enters it in the lookup table.

After one of the two steps 330 or 340 'has been carried out, the determined physical one is carried out in a step 350

Address, i.e. the physical address identical to the logical address or the physical address of the entry is accessed and the reading, writing or exporting process is carried out.

5, a possible sequence for hiding defective memory cells according to a specific Example embodiment described how it can be done by software when initializing a chip with a non-volatile memory. In a step 360, the first page is searched for in the NVM. In a step 362, the physical side is then checked for a defect. If it is determined 364 that at least one of the memory cells of the physical page is defective, the associated physical address of the defective physical page section is stored in a list in the RAM in a step 366. After step 364 or 366, the next NVM page is selected in step 368. If it is determined 370 here that such a next, not yet checked memory cell exists, control loops back to step 362. Otherwise, in a step 372 in the case of the embodiment of FIG. 3, the "defect" addresses stored in the RAM are stored as logical addresses from the list in the RAM in the NVM, with the still valid physical page section addresses being added so that in a complete look-up table with logical defect addresses and associated valid physical addresses of intact memory sections is created for the NVM In the case of the exemplary embodiment of FIG be used after each reset of the controller to ensure that a defective physical address is never addressed when the translation lookup table is built in. Upon completion of step 372, initialization is complete.

With reference to FIG. 6, a block diagram of a circuit of a chip card according to an embodiment of the present invention will now be described, in which the mapping of a logical address space into the physical address space for access to both a read-only and a. eg a ROM, a working memory, such as a RAM, as well as a non-volatile memory, such as an EEPROM or TJ

P

4 o 3 α. ω 4J

0

H P U α. 0

CO

P

Φ

>

Φ

^• H

P φ ß

CD

4->

^• H ε

X

• -

Φ O ε

Φ

TJ

>

4

4- o

90

©

4

O

m σ U0 oo uo rH rH CM cn ro

4-> 1 0ι 1 1 ß ß 1 CO 1 1

0ι CG 1 ß Φ • H Φ ß 1 • H C, ε P 1 O 0ι 1 1

• 1 • H ro O P 3 ε 1 ro 1 0 o J φ φ ro ro t ß

01 -H cG 4H 4-1 1 φ P co ro 1 4-1 o τs • H 3 ro CM _v Φ TJ 4H> 4- ⁾ P ro <

• H Φ: ro ε φ Φ • H> φ 0ι - * • H φ Φ φ 01 ^ r 1 CO φ 3 0ι P 4- ⁾ cn

C * 4 α, ε 3 CJ • H ß 4-> ß • H Φ X TJ PXO -H Φ CO • H 4H ro P ro φ ß ß • © O φ ro TJ Φ 1 ro co ^• H 3 CO OH 4 -J ß TJ • H TJ CO 2 O φ TJ 3 φ TJ -H ro 4H

<4-1 P 73 ß CO -P Λ; ro Φ PO • H ^• H ro Φ ß o φ P ro 4-> 4-1 Xi Cd P 3

Q- ro Φ 3 3 TJ Φ φ co P • H α ß P Φ M 4-4 O CO C cu <X Φ u 3 co ß

W ß τs ß X φ -P Cd O φ Φ X Φ 3> Cd ß • H O • H X • H φ o

H 73 • HP 4-> 3 0 01 ß X cG CO co ß 4-4 ro 4-1 φ Cd -HP 01 co P ε υ ß Φ ^• H «r

U ß Φ ro P 3 to φ ft ro P Φ φ φ CO 0ι φ 4-3 Φ P 4-J Φ φ φ α 3 ro Φ TJ «3" α. Φ Xi Xi φ 3 4-J 4-1 φ P 73 o Φ ß QP Φ Λ. Ε XPO 2 CO 4-> ε 01: 3 ro PP ε ß τs φ X 3 P ro X Φ φ. U ß TJ CO CO o O x ß 0 ¹ 4-1 ß φ φ 3 ^• H <01 4-1 4-1 ß 3 ro Ü 4-4 TJ CQ o Φ <o ß P φ r ~ 3

Φ 3 ß Φ φ φ Φ X ß Φ ß Φ • H = 3 ON Oι -H Φ • ^• H 4H r- ro Φ P ^• "^ CQ ß 4-1 3 01 NX • H υ • H co Φ 3 0 «Ss P> Φ 73 ß N 01 • H ß ^• * r τs TJ •

0ι α P x P 73 • H φ 4-1 ß P X α TJ P, • H 0 Φ φ o: ß 01

3 P Φ υ Φ Φ Φ 4-1 -H ro Φ ε ε υ P Φ P Φ co ß Φ P X 0ι CM ß Φ ß Φ

N α 3 PXO α, 0 ¹ -H ε 4-> CO Φ 4-J ^• H 73 φ Φ Φ ^• H 01 υ ß ^ ^• H ß X 3 73

Φ P Φ 3 O P co ß ß P P -H 73 X X O 3 01 CO • -H 3 X 3 CO 3 φ u 4-J

X Φ 4-J 73 Φ φ 3 X Φ o Φ ro o -H ß co ß 73 υ N -H 4-J s X X 3 X 4-1

X CO φ TJ ro CJ) 4-1 υ 73 ß 3 CO P Φ • H ß φ Φ ^• H 3 01 X o φ υ CO CJ 3

P o o (X 4-1: 3 CO P 3 Φ ß 4-J Φ P 73 «. Ss N O υ OS 73 CO -H ro

Φ P 4 4 CΛ o φ PX 4-1 Cd ro X Φ φ O τs P ß φ 01 -HC ^• H 3 P

73 Φ Φ • ^ φ X Q. ro CO 3 υ 0ι ß 4J CO Φ 0 ß α Φ P Cd N ß Φ

-H 01 P 4-> P ß Φ ro P ε ^• H • H • H 3 φ 3 • H o N CO P ß Cd ro ^• HO

01 Q • H 01 Φ CO Φ φ Φ TJ 3 Φ cG Φ ro P ß 4-J ^• H Φ O φ -H St CO Φ CO

^• H c2 ß J ro ^• HOX -P o 4-JN, ß X 73 Φ ß ro 4-JX Φ 73 Φ CO • HO Φ cG •: ro 3 X φ O ^• H o X • H cn g 4-J Φ Φ ro X Φ ** - * P CO Φ ro CO ß 01 P

^; ro 4 ε 4-> ß ß 0ι • H Φ P υ 4-1 Φ Φ CO 4-1 01 4-J ü CO • ro JX CO 73 ro ß TJ ε P Φ Xi Φ • H ^• H TJ Φ CO 3 • HX ß PX 01 4H P co φ CO 0ι ü 0 ¹ Φ X 0ι 3 <

• α N

4 P ^• • 3 rO • H • H Φ X υ M -H • HX 3: ro Φ ro X 01 3 α ro ro φ 3 ü co o 4-1 ß ro 4-1 3 P Φ υ 3 • H 3 Φ ß ε u 4-> ß N o 0 Φ <P 01 X 01 N • H φ ß> Φ Φ

3 Φ 4-> ß P υ: 3 ro NP 4-1 CO 4-4 3 P o 0ι EH P u ^• • 3 XP φ 1 CO X

4-> 0ι 4-1 • HX • H -P 01 XP CO τs «. ^• HON Φ r- ß 3 P o co N φ τ> 01 φ P o

4-1 o O Φ O Φ CO P: 0 o ^• H ß 4-> CO • = r Φ cG N φ ß> • H Φ O: 3 < ^• H co φ co

O 3 CO CO co α ß Φ ε CO Λ, 3 ß ro O P X ro ß Φ 1 0ι X P N P φ X • H O ro 01 φ co 0 TJ X P 4-J Φ Λ; ß CM Φ Φ υ τs Φ • H TJ P O φ Φ ß: 0

P ß CQ • H Φ υ Φ P 4-1 • H -H Φ r TJ CO X Φ ß X ß X X Φ X ro

0ι 4-1 Φ 3 o 4-1 ß P • H Φ CO 73 CO X -H .. υ ^• H ^• • 3 0 o X Φ φ st ß 3 4-1 4-1 CO φ ΛJ o Φ Φ Xi X • HOS 4-4 Φ 73 • H 0 ¹ 4-1 44 Φ ^• H 01 υ 01 φ • H • H

3 ro ß: 3 ro 73 ß • H TJ P φ υ CO X ^• H o 3 X ro P Φ ß CO ß 4-J φ ß CO 3 τs TJ O

P 3 P 73 3 4-1 ß Φ D-4 • HP Φ α CC ro ro M ^• HP 3 ^ 3 • H ^• H ro ^• HN

Φ X α ß 4-1 ro ro X φ ro g Cn a> 4-1 • H 3 Φ P 4-J <Φ ro Q 01 01 Φ -P X

^• H 73 P Φ Φ ε P co α X 3 CO ß Cd TJ 01 co XX CO co P 0 X CO X α

CO P Φ co CO Φ P Φ φ φ co 4-1 ro Φ ^• -ro Cd ß ro ß P: 3 ^• HP 4-1 ß • O u CO • H

^• H φ • H X5 • H Φ 0 ß X ß φ • HP τs 4-1 Φ Xi Φ Φ 44 Φ 3 ro CO> ro Φ 0ι P ß 3 O φ 4-1 • H υ • H 01 Φ cG ß ε PX α 73 X CO 4-J 73 ro P 3 1 P ß P φ ro φ 3 CO Φ ß Cd ^• H φ P Φ 4-> ro φ Φ υ Φ υ 3 P 0 H ro φ φ 73 TJ

^• HX Φ Φ co 3 N • H Φ ß 01 P 73 • H CO J ^• H • H Φ ε co 73 o <ß

4-> Φ • H <P P. Q, ß Φ 3 TJ ro P O X ß ε Φ X 1 CD Φ X φ r ~ Φ 4->

90 ß P Φ • H co XXXX ß TJ ^• H CQ ro φ o Φ • H • H • -H • ^ ß Φ ß ε

Xi NX α φ υ u υ ß υ Φ Φ ß • H 2 ß> TJ Φ Φ X φ ^• ^ ß 3 Φ X ro

4 P CO φ P • H ß Φ Φ P X Φ CO 0 X φ P u υ ß Φ X -H X • H co X ro σ co τs ß <H CO P 0

otherwise control is given to the operating system, which then executes an exception handling and, taking into account the list in the EEPROM 420, enters a physical address table 470 for the logical address. Each time the EEPROM 420 is accessed, the checking device 460 becomes active, which then checks the functionality of the memory cells corresponding to the logical address by means of a checksum comparison, and if an error is found, the physical defect address is noted, the logical address in the Another valid address is assigned to table 470, and the physical defect address is noted and taken into account for future blanking.

6, it is pointed out that the storage of the entries in the translation look-up table 470 defining the mapping of the logical address space into the physical address space merely represents an exemplary embodiment and can also be carried out differently. Part of the translation look-up table can, for example, be located in a cache memory, which is referred to, for example, as a TLB (TLB = translation look-aside buffer). If there is a start address pair for a page and the assigned page section in the TLB, the calculation of the address mapping is hardware-accelerated due to the fast cache access. However, if the pair of start addresses for a logical page is not in the TLB, then in a special exemplary embodiment either a trap or failure process is carried out, which the controller passes on to the operating system in order to add the desired address tuple in the TLB, or on an additional hardware (not shown) designed by the chip card manufacturer to calculate the physical one based on a logical address, or a loading process in which a memory stored in a non-volatile memory secured translation look-up table, the required data is automatically reloaded into the TLB.

The translation lookup table 470 can either be in non-volatile memory, e.g. EEPROM or a flash memory, or is in volatile memory, e.g. a RAM, is saved and is changed and rebuilt upon each initialization upon detection of the defective memory cells.

In order to protect the translation look-up table 470, which is itself stored in non-volatile memory, from a loss of information due to defective memory cells, in the event of a memory loss in a row of the translation look-up table, the corresponding entry in the row can be reconstructed, the entry copied into a row other line of the translation look-up table and marking the defective line as inoperable. The reason for the simple handling in the case of defective memory cells in the translation look-up table is that the order of the entries does not matter in the translation look-up table.

Referring to Figure 6, it is noted that part of the logical address space, e.g. the one who got the RAM

410 is assigned, can be used for direct, physical addressing bypassing the translation device.

With reference to the preceding description, it is pointed out that the steps described above can be implemented either by hardware or by software that can be run on the chip card. Furthermore, it is pointed out that the application of the present invention is not limited to chip cards, but that the present invention is also applicable to other devices that use vulnerable storage, such as a TPM.

Claims

claims

1. A method for controlling a mapping of a logical address of a logical address space to a physical one of a physical address space (20), the method comprising the following steps:

Determining (210) a first physical address and an associated memory cell which are assigned to a logical address via the mapping (30);

Checking (220) the memory cell for functionality; and

if the step of checking reveals that the memory cell is not functional, changing (240) the map (30) so that the logical address is mapped to a second physical address in the physical address space (20).

2. The method of claim 1, wherein the physical address space (20) in page sections and the logical address space

(10) is divided into pages, each physical address being assigned to a section of a page and each logical address being assigned to a page, the mapping being a page by page

Figure is that maps pages to page sections and the page size is equal to the page section size.

3. The method of claim 2, wherein the page section size is between 32 and 128 bytes.

4. The method according to any one of claims 1 to 3, wherein the step of changing (240) the mapping comprises entering the logical address together with the second physical address in a translation look-up table (470).

5. The method according to any one of claims 1 to 4, wherein the mapping for those logical addresses for which the mapping has not been changed is an identity mapping so that they are identical to the physical addresses to which they are mapped ,

6. The method according to any one of claims 1 to 5, in which the steps of determining (210) and checking (220) are carried out during initialization for all logical addresses in the logical address space (10).

7. The method as claimed in one of claims 1 to 5, in which the steps of determining (210) and checking (220) are carried out in response to a read, write or execute operation with regard to the logical address.

8. The method according to any one of claims 1 to 7, wherein the step of checking (220) comprises comparing the content of the memory cell with an error correction code.

9. The method according to any one of claims 1 to 8, wherein the physical memory is an EEPROM or a flash memory.

10. The method according to any one of claims 1 to 9, wherein the page sections are assigned a label which has the functionality of the memory cells of the page section, a validity of data stored in the memory cells, an error correction code and / or access rights.

11. The method according to any one of claims 1 to 10, wherein after the step (220) of verifying the memory cell associated with the storage of the physical address ical in a list of phy ^¬ addresses the defective memory cells, takes place, if the memory cell non-functional and in which the step of changing (240t is carried out at runtime.

12. Device for controlling the mapping of a logical address of a logical address space (10) to a physical address in a physical address space (20), the device having the following features:

means for determining a first physical address and an associated memory cell which are assigned to a logical address via the mapping (30);

means for checking (220) the memory cell for proper functioning; and

means for changing (240) the map (30) so that the logical address is mapped to a second physical address in the physical address space (20) if the means for checking determines that the memory cell is not functional.