CN115150085A - Method and apparatus for secure decryption of encrypted data - Google Patents


Info

Publication number
CN115150085A
Authority
CN
China
Prior art keywords
count value
encryption key
key
encrypted
decrypting
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210343079.2A
Other languages
Chinese (zh)
Inventor
F·阿尔贝萨
N·安奎特
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
STMicroelectronics Alps SAS
STMicroelectronics Grand Ouest SAS
Original Assignee
STMicroelectronics Alps SAS
STMicroelectronics Grand Ouest SAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from FR2103318A (FR3121530A1)
Application filed by STMicroelectronics Alps SAS, STMicroelectronics Grand Ouest SAS
Publication of CN115150085A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the present disclosure generally relate to methods and apparatus for secure decryption of encrypted data. The method comprises the following steps: generating a first count value by a monotonic counter of a processing device; deriving, using a key derivation circuit, a first encryption key based on the first count value; transmitting the first encryption key to the cryptographic processor; and decrypting the first encrypted data based on the first encryption key.

Description

Method and apparatus for secure decryption of encrypted data
Cross Reference to Related Applications
The present application claims priority from French application No. 2103318 filed on 31 March 2021, which is incorporated herein by reference.
Technical Field
The present disclosure relates to the field of methods and devices for protecting electronic circuits, and in particular to devices and methods for decrypting data.
Background
Some processing devices include a cryptographic processor that requires the use of an encryption key that is not accessible from outside the device.
For example, the processing device operates by executing code stored in non-volatile memory of the device that is used over the life of the circuit. For security purposes, certain code is stored in an encrypted manner, and an encryption key may be loaded to decrypt the code.
Disclosure of Invention
In various embodiments, the security of storing such encryption keys is improved.
One embodiment provides a method of decrypting encrypted data, the method comprising: generating a first count value by a monotonic counter of a processing device; deriving, using a key derivation circuit, a first encryption key based on the first count value; transmitting the first encryption key to the cryptographic processor; and decrypting the first encrypted data based on the first encryption key.
According to one embodiment, the first encrypted data comprises a first set of one or more other encrypted encryption keys associated with the first count value.
According to one embodiment, the method further comprises: selecting a first set of other encrypted encryption keys from memory; and providing the first set of other encrypted encryption keys to the cryptographic processor, wherein decrypting the first data comprises decrypting, by the cryptographic processor, the first set of other encrypted encryption keys based on the first encryption key.
According to one embodiment, the method further comprises: decrypting, by the cryptographic processor or another cryptographic processor, the first other encrypted data stored in the memory or another memory based on the first set of other decrypted encryption keys.
According to one embodiment, the decryption of the first further encrypted data is performed by the cryptographic processor, wherein the first set of further decrypted encryption keys is stored in a memory of the cryptographic processor.
According to one embodiment, the method further comprises generating, by a monotonic counter of the processing device, a second count value; deriving, using a key derivation circuit, a second encryption key based on the second count value; transmitting the second encryption key to the cryptographic processor; and decrypting the second encrypted data based on the second encryption key.
According to one embodiment, the monotonic counter is initialized to a first count value upon a first boot of the processing device, and the method further comprises initializing the monotonic counter to a second count value upon a second boot of the processing device.
According to one embodiment, a method includes processing another boot of a device during which a monotonic counter is initialized to a first count value if a device state condition is satisfied.
In accordance with one embodiment of the present invention, the state condition corresponds to a programmed state of the memory region.
According to one embodiment, the memory is configured such that access to the first encrypted data is not permitted based on a count value greater than the first count value.
According to one embodiment, the transmission of the first encryption key to the cryptographic processor is performed via a dedicated bus.
One embodiment provides a data processing apparatus comprising: a monotonic counter configured to generate a first count value; a key derivation circuit configured to derive a first encryption key based on the first count value using a key derivation function; and a cryptographic processor for performing a cryptographic process, configured to receive the first encryption key and decrypt the first encrypted data based on the first encryption key.
One embodiment provides a method for decrypting encrypted data, the method comprising: receiving a first count value from a monotonic counter of a processing device; deriving, using a key derivation circuit, a first master encryption key based on the first count value and the master encryption key; transmitting the first master encryption key to the cryptographic processor; and decrypting the first encryption key stored in the non-volatile memory based on the first master encryption key.
According to one embodiment, the method further comprises decrypting the further first encryption key based on the first master encryption key, wherein the first encryption key and the further first encryption key comprise a first set of encrypted encryption keys associated with the first count value.
According to one embodiment, the non-volatile memory is configured such that access to the first encryption key is not permitted based on a count value greater than the first count value.
According to one embodiment, the method further comprises transmitting the first encryption key to the cryptographic processor or another cryptographic processor; and decrypting the first encrypted code based on the first encryption key.
According to one embodiment, the method further comprises initiating a boot sequence, initializing a monotonic counter providing a first count value, and reading and executing a first code obtained from decrypting the first encrypted code.
According to one embodiment, the method further comprises receiving a second count value from a monotonic counter of the processing device, using the key derivation circuit, deriving a second master encryption key based on the second count value, transmitting the second master encryption key to the crypto processor, decrypting the second encryption key based on the second master encryption key, transmitting the second encryption key to the crypto processor or another crypto processor, and decrypting the second encryption code based on the second encryption key.
According to one embodiment, the monotonic counter is initialized to a first count value upon a first boot of the processing device, and the method further comprises initializing the monotonic counter to a second count value upon a second boot of the processing device.
According to one embodiment, the method further comprises performing another boot of the processing device, during which the monotonic counter is initialized to the first count value if a device state condition is satisfied, wherein the state condition corresponds to a programmed state of the memory region.
Drawings
The above features and advantages, and other features and advantages, are described in detail in the following description of specific embodiments, which is given by way of illustration and not of limitation in conjunction with the accompanying drawings, in which:
FIG. 1 very schematically shows, in block diagram form, an electronic device in accordance with one embodiment of the present description;
FIG. 2 illustrates an example of operation of the processing device of FIG. 1;
FIG. 3 is a flowchart representing operations of an example method of decrypting encrypted code by a cryptographic processor in accordance with one embodiment of the present description;
FIG. 4 shows data and code accessible during secure boot according to another embodiment of the present description;
FIG. 5 is a flowchart representing operations of a secure boot method of a processing device according to an example of one embodiment of the present description; and
FIG. 6 is a flowchart representing operations of a secure boot method of a processing device according to another example embodiment of the present description.
Detailed Description
Like features are denoted by like reference numerals in the various figures. In particular, structural and/or functional features that are common in the various embodiments may have the same reference numerals and may be provided with the same structural, dimensional and material characteristics.
For the sake of clarity, only operations and elements useful for understanding the embodiments described herein are illustrated and described in detail. In particular, the design of processing equipment is well known to those skilled in the art, and certain components are not described below.
Unless otherwise stated, when two elements are referred to as being connected together, this means being directly connected, without any intervening elements other than conductors, and when two elements are referred to as being coupled together, this means that the two elements may be connected or that they may be coupled via one or more other elements.
In the following disclosure, unless otherwise indicated, reference is made to the orientation shown in the drawings when referring to absolute position determinants such as the terms "front", "back", "top", "bottom", "left", "right", etc., or to relative position determinants such as the terms "above", "below", "higher", "lower", etc., or to orientation determinants such as "horizontal", "vertical", etc.
Unless otherwise indicated, the expressions "about", "substantially" and "in the order of…" mean within 10%, preferably within 5%.
Fig. 1 very schematically shows in block diagram form an electronic device 100 comprising a processing device 102.
The electronic device 100 is, for example, an electronic board such as a micro circuit board, computer hardware, microprocessor circuit, or the like.
The processing device 102 includes, for example, a non-volatile memory 104 (NV MEM), such as a flash memory. Alternatively, other types of non-volatile memory may be used. The processing device 102 also includes a monotonic counter 106 (MONOTONIC COUNTER).
Monotonic counters are known in the art; examples of such counters are described in the publication "Virtual Monotonic Counters and Count-Limited Objects using a TPM without a Trusted OS" by L. F. G. Sarmenta, M. van Dijk, C. W. O'Donnell, J. Rhodes and S. Devadas, especially in section 3 thereof. That publication describes counters implemented in hardware and/or software. The monotonic counter 106 is implemented in hardware, for example by a digital circuit such as an application-specific integrated circuit (ASIC). The monotonic counter is configured to maintain a count value accessible at an output of the counter. The monotonic counter increases its count value by one or more units on receiving an increment command, and each increment is irreversible. In practice, the monotonic counter is configured such that its count value never decreases. Furthermore, between increments the count value is protected from any modification, so it can be neither erased nor modified. Only the increment command allows the current value to be replaced, and only with a new value higher than the current value.
For example, the monotonic counter 106 is configured such that, once an increment command has been executed, no command other than a reset of the processing device can return the counter to a previous value. For example, where the count value is stored in a volatile manner, the count value is lost every time the processing device is turned off (power is off), and the monotonic counter again generates the initial count value every time the device is turned back on. Where the count value is stored in a non-volatile storage element, the initial count value is written back at each reboot, for example to the non-volatile storage element of the monotonic counter.
The processing device 102 also includes a non-secure general purpose processor 110 (CPU). For example, the general purpose processor 110 is coupled to the monotonic counter 106 as well as the non-volatile memory 114 (NV MEM) and the non-volatile memory 104 via a bus 128. The memory 114 is, for example, a flash memory, but other types of non-volatile memory may be used.
The general purpose processor 110 is further coupled, via the bus 128, to a crypto processor 116 (CRYPTO) and a RAM 112 (random access memory).
The crypto processor 116 is further coupled to a key derivation circuit 118 (KDF) having an input connected to the output of the monotonic counter 106. In particular, the key derivation circuit 118 receives at this input the current count value (TIL) from the monotonic counter 106. The count value TIL generated by the monotonic counter 106 is, for example, a time isolation level value, which allows decryption operations to be controlled in time. In particular, the key derivation circuit 118 is configured to generate, for example, a master encryption key MK derived by a key derivation function based on the count value TIL generated by the monotonic counter 106 and, optionally, based on a device master encryption key (HW).
The master encryption key MK is provided to the cryptoprocessor 116, for example, via a dedicated bus 119. The crypto processor 116 is configured, for example, to decrypt encrypted data based on a master encryption key MK derived by the circuit 118. The monotonic counter 106 is controlled, for example, to increase its count value TIL during operation of the device 102, for example, during a boot phase. Since the count value TIL is taken into account by the key derivation function implemented by the circuit 118, the decryption of data by the crypto processor 116 based on the corresponding master encryption key MK is associated with the count value. Thus, the period of time during which data can be decrypted can be limited.
In an example of one embodiment, the data decrypted based on the master encryption key MK is an encrypted encryption key. For example, the non-volatile memory 114 contains encrypted data, such as encrypted boot code for the processing device 102. The encryption key that allows this encrypted data to be decrypted is itself encrypted and stored in the memory 104. In the example shown in FIG. 1, the encrypted encryption keys are stored in regions 122, 124 and 126 (KEYSET0, KEYSET1 and KEYSET2) of the memory 104. For example, the key set stored in the region 122 is associated with a first count value TIL, the key set stored in the region 124 is associated with a second count value TIL greater than the first count value, and the key set stored in the region 126 is associated with a third count value TIL greater than the second count value.
In some cases, the memory 104 includes a selection circuit 120 (KEY SELECTION) that receives, for example, the count value TIL and an index value transmitted by the crypto processor 116, allowing a given key to be selected from the key sets.
FIG. 2 illustrates an example of operations of the processing device 102 of FIG. 1 to decrypt an encryption key stored in the non-volatile memory 114. In particular, FIG. 2 illustrates the key derivation circuit 118 (KDF), the memories 104, 112 and 114, and the crypto processor 116 (CRYPTO). In FIG. 2, dashed arrows indicate data transfers over the bus 128, while solid arrows indicate transfers over a dedicated bus or connection.
In the example shown in FIG. 2, the non-volatile memory 114 includes three encrypted codes 216a, 218a and 220a (CODE0_U, CODE1_U and CODE2_U). These codes are, for example, boot codes. The crypto processor 116 is capable of decrypting each of these encrypted codes using the encryption keys stored in the memory 104 to generate three corresponding decrypted codes 216b, 218b and 220b (CODE0_C, CODE1_C and CODE2_C). The device master key (HW MASTER KEY) is, for example, securely stored in the non-volatile memory 202, which may, for example, be part of the memory 104. The device master key is, for example, a value unique to each device and is generated, for example, based on a physical unclonable function (PUF). An advantage of using a device-specific master key is that it is difficult to clone the device.
In fig. 2, the selection circuit 120 is represented by a multiplexer, which receives the count value TIL and the index value as control signals. In other examples, the selection is made using only one or the other of these values, or in software only, for example, by the general purpose processor 110 (not shown in fig. 2).
In a first phase of operation of the device 102, the monotonic counter 106 generates a first count value TIL, e.g. equal to 0, and transmits this value to the key derivation circuit 118 and the selection circuit 120. The device master key is also transmitted, for example, to the key derivation circuit 118, which derives a first master encryption key MK0 204 based on the first count value TIL0 and, in some cases, also based on the device master key 202. The key derivation circuit 118 then transmits the key MK0 to the crypto processor 116, allowing one or more of the encrypted encryption keys of the memory 104 to be decrypted. In this example, these are the encrypted encryption keys associated with the count value TIL0, i.e. a first encryption key {KEY#1.0}MK0 and another encryption key {KEY#2.0}MK0.
In this example, the encryption key {KEY#2.0}MK0 is decrypted. The key KEY#2.0 206 resulting from this decryption remains in the crypto processor 116, for example, before being used to decrypt the first encrypted code 216a. The first encrypted code 216a is then transmitted to the crypto processor 116 and decrypted using the key KEY#2.0. For example, decryption of the other encrypted key {KEY#1.0}MK0 yields a key KEY#1.0 that is used to decrypt another encrypted code not represented in FIG. 2. The first unencrypted code 216b (corresponding to decryption of the first encrypted code 216a) is, for example, transferred to the memory 112 and executed, for example, by the processor 110.
In a second phase of operation of the device 102, the monotonic counter 106 generates a second count value TIL, e.g., equal to 1. For example, the first unencrypted code 216b or another code executed during the first phase of operation includes an instruction to increment the monotonic counter 106. After this increment of the count value TIL, the key derivation circuit 118 is no longer able to derive the master encryption key MK0 because the value of TIL is greater than the first value TIL 0. Further, in some examples, the selection circuitry 120 is configured to inhibit access to the encrypted encryption key associated with the count value TIL 0 based on the count value TIL being greater than 0.
The second count value TIL is transmitted to the key derivation circuit 118 and the selection circuit 120. The device master key is also transmitted, for example, to the key derivation circuit 118, which derives a second master encryption key MK1 208 based on the second count value TIL1 and, in some cases, also based on the device master key 202. The key derivation circuit 118 then transmits the key MK1 to the crypto processor 116, thereby enabling decryption of one or more of the encrypted encryption keys of the memory 104. In this example, these are the encrypted encryption keys associated with the count value TIL1, i.e. the encrypted key {KEY#1.1}MK1.
In this example, the encryption key {KEY#1.1}MK1 is decrypted. The key KEY#1.1 206 resulting from this decryption is, for example, retained in the crypto processor 116 and is then used in turn to decrypt the second encrypted code 218a. The second encrypted code 218a is transmitted to the crypto processor 116 and decrypted using the key KEY#1.1. The second unencrypted code 218b, corresponding to decryption of the second encrypted code 218a, is, for example, transferred to the memory 112 and executed, for example, by the processor 110.
In a third phase of operation of the device 102, the monotonic counter 106 generates a third count value TIL, e.g. equal to 2. For example, the second unencrypted code 218b or another code executed during the second phase of operation includes an instruction to increment the monotonic counter 106. After this increment of the count value TIL, the key derivation circuit 118 is no longer able to derive the master encryption keys MK0 and MK1, because the value of TIL is greater than the first and second values TIL0 and TIL1. Additionally, in some examples, the level value TIL2 is transmitted to the selection circuit 120, which is configured to disable access to the encrypted encryption keys associated with the count values TIL0 and TIL1 based on the count value TIL being greater than 1.
The third count value TIL is transmitted to the key derivation circuit 118 and the selection circuit 120. The device master key is also transmitted, for example, to the key derivation circuit 118, which derives a third master encryption key MK2 212 based on the third count value TIL2 and, in some cases, also based on the device master key 202. The key derivation circuit 118 then transmits the key MK2 to the crypto processor 116, allowing decryption of one or more of the encrypted encryption keys of the memory 104. In this example, these are the encrypted encryption keys associated with the count value TIL2, i.e. the encrypted key {KEY#3.2}MK2.
In this example, the encryption key {KEY#3.2}MK2 is decrypted. The key KEY#3.2 214 resulting from this decryption is, for example, retained in the crypto processor 116 and then used in turn to decrypt the third encrypted code 220a. The third encrypted code 220a is transmitted to the crypto processor 116 and decrypted using the key KEY#3.2. The third unencrypted code 220b, corresponding to decryption of the third encrypted code 220a, is, for example, transferred to the memory 112 and executed, for example, by the processor 110.
FIG. 3 is a flowchart representing operations of a method for decrypting encrypted code according to one embodiment of the present description. The method is implemented, for example, by the general purpose processor 110, the monotonic counter 106, the selection circuit 120 and the crypto processor 116 of the processing device of FIG. 1.
In step 301 (initializing the counter), the monotonic counter 106 is initialized to an initial value, which is a natural number. In the example where the count value TIL is stored in a volatile manner, each power-up of the processing device may result in the count value being initialized, e.g., to 0. In another example, where the count value is stored on a non-volatile storage element, each power-up of the processing device may result in the current count value being replaced with an initial count value, e.g., equal to 0. For example, step 301 occurs after boot-up of the processing device 102.
In some embodiments, the initial count value generated after power-up may vary depending on the context of the processing device. For example, one or more count values correspond to isolation levels reserved for the manufacturer of the device 102, and a power-up by an intermediate entity between the manufacturer and the end user, and/or by the end user, triggers a count value higher than these reserved count values. For example, if the count value 0 is reserved for the manufacturer, a power-up by such an intermediate entity and/or by the end user triggers a count value equal to 1, and the boot code and sensitive data associated with isolation level 0 are not accessible. For example, once the device has been manufactured, one or more bits stored in the non-volatile memory 104 or in another memory are programmed to ensure that the count value is initialized to 1. In one example, these bits correspond to a signature protection value indicating the initial count value to be applied. The signature is, for example, generated based on an encryption key and may, for example, correspond to a MAC (message authentication code). This value is provided to the monotonic counter 106, for example, by the bus 128. The monotonic counter 106 can then be restarted at 0 or at another value during the lifetime of the device by changing the signature protection value.
In step 303 (derivation of MKi by KDF) following step 301, the monotonic counter 106 transmits the current count value TIL i to the key derivation circuit 118. The key derivation circuit 118 generates a derived master key MKi based on the value of the level TIL i, and in some cases, the device master key. Other parameters may also be considered to derive the derived master key MKi.
In step 305 (transmit MKi to CRYPTO), after step 303, the derived master key MKi is transmitted to the cryptoprocessor 116.
In step 307 (select key index), an index value identifying the encrypted encryption key, e.g. in the memory 104, is transmitted to the selection circuit 120, in some cases together with the count value TIL i.
As an example, in step 307 the general processor 110 instructs to decrypt the encrypted code whose encryption key is associated with the value of the level TIL i. Index value information identifying the corresponding encryption key is transmitted to the selection circuit 120, for example, and the selection circuit 120 selects the corresponding encrypted encryption key based on the level value TIL i and the index value.
Step 307 is presented as an example, and other ways of selecting a key from memory 104 are possible.
In step 309 (transmit KEY_U index on TIL i to CRYPTO), after step 307, the encrypted encryption key selected in step 307 is transmitted to the crypto processor 116, e.g. over the bus 128. In another example, the selected encrypted encryption key is transmitted to the crypto processor 116 over a dedicated bus (not shown) that specifically connects the memory 104, in particular the regions 122, 124 and 126, to the crypto processor 116.
In step 311 (decrypt KEY_U index), after step 309, the crypto processor 116 decrypts the encrypted encryption key received in step 309 using the derived master key MKi generated in step 303. The unencrypted encryption key is thus obtained and retained, for example, in a memory of the crypto processor 116. In other words, the unencrypted encryption key is not transferred to any other processor or any other memory of the device 102.
In step 313 (transfer CODE_U on TIL i to CRYPTO), the encrypted code CODE_U is transferred to the crypto processor 116 over the data bus 128, for example under the control of the general purpose processor 110.
In step 315 (decrypt CODE_U), after step 313, the encrypted code and/or data CODE_U is decrypted by the crypto processor 116 using the encryption key selected in step 307 and decrypted in step 311. Once the code CODE_U has been decrypted, it is transferred to the RAM 112, for example via the bus 128, and then executed by the general purpose processor 110. For example, after execution of the decrypted code, the method continues to step 317 (other code on TIL i?), in which it is determined whether further encrypted code associated with the level value TIL i remains to be decrypted. If this is the case (branch Y), the method continues at step 307, where a new index value for the new code is determined and the encrypted encryption key associated with the level value TIL and identified by the new index value is selected by the selection circuit 120.
If, after step 317, all encrypted codes associated with the encryption keys of the count value TIL i have been correctly decrypted and transferred to the RAM 112, the method continues (branch N) to step 319 (wait for a new TIL i value), where the selection circuit 120 waits for a new count value TIL i. For example, the count value TIL i is incremented when moving from one operational phase of the processing device 102 to another. When the monotonic counter 106 generates a new count value TIL i, the method resumes at step 303, and the encryption keys associated with level values lower than the new level value TIL i are no longer accessible.
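To make the three phases of FIG. 2 and steps 303 to 315 of FIG. 3 concrete, the following Go program is an added model written for this page; it is not code from the patent or from STMicroelectronics. It assumes HMAC-SHA256 as the key derivation function of circuit 118, AES-256-GCM as the cipher of the crypto processor 116, a constructed HW master key, one wrapped code key per level (the index selection of step 307 is left out) and a volatile counter that a reboot resets to 0; `Device`, `NewDevice`, `DecryptCode` and `Boot` are the example's own names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for the HW MASTER KEY of memory 202 (a real device takes it from a PUF or fuses).
var hwMasterKey = []byte("example-hw-master-key-not-a-device-secret")

func must[T any](v T, err error) T { // panics on errors the fixed key and nonce sizes below rule out
	if err != nil {
		panic(err)
	}
	return v
}

// kdf models key derivation circuit 118 as MK_i = HMAC-SHA256(HW, "MK|" || TIL_i); the
// patent does not name the derivation function, so HMAC is this example's assumption.
func kdf(hw []byte, til uint32) []byte {
	m := hmac.New(sha256.New, hw)
	fmt.Fprintf(m, "MK|%d", til)
	return m.Sum(nil) // 32 bytes, used directly as an AES-256-GCM key
}

// seal and open stand in for the crypto processor's cipher (AES-256-GCM, also an
// assumption); the authentication tag is what makes decryption under a wrong MK_i fail.
func seal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil) // nonce || ciphertext || tag
}

func open(key, ct []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	ns := g.NonceSize() // every ciphertext in this model was produced by seal
	return g.Open(nil, ct[:ns], ct[ns:], nil)
}

// Device models processing device 102; one code and one wrapped key per level keep it short.
type Device struct {
	til     uint32   // monotonic counter 106: volatile, regenerated only by a reboot
	keysets [][]byte // memory 104: KEYSETi = code key of level i wrapped under MK_i
	codes   [][]byte // memory 114: CODEi_U, encrypted under the code key of level i
}

// NewDevice provisions the hierarchy the way a manufacturer would before first boot.
func NewDevice(plainCodes [][]byte) *Device {
	d := &Device{}
	for i, code := range plainCodes {
		codeKey := make([]byte, 32)
		must(rand.Read(codeKey))
		d.codes = append(d.codes, seal(codeKey, code))
		d.keysets = append(d.keysets, seal(kdf(hwMasterKey, uint32(i)), codeKey)) // {KEY#i}MKi
	}
	return d
}

func (d *Device) Increment() { d.til++ }  // the counter's only write command; nothing decrements it
func (d *Device) Reboot()    { d.til = 0 } // volatile-counter case: the initial value is regenerated

// DecryptCode runs steps 303-315 of FIG. 3 for one level: selection circuit 120 refuses levels
// below the current count, the KDF only ever sees the current count, the wrapped key is opened
// inside the crypto processor, and the code is decrypted with it.
func (d *Device) DecryptCode(level uint32) ([]byte, error) {
	if level < d.til || int(level) >= len(d.keysets) {
		return nil, fmt.Errorf("KEYSET%d not selectable at count value %d", level, d.til)
	}
	codeKey, err := open(kdf(hwMasterKey, d.til), d.keysets[level]) // fails unless level == TIL
	if err != nil {
		return nil, fmt.Errorf("KEYSET%d cannot be decrypted at TIL %d: %w", level, d.til, err)
	}
	return open(codeKey, d.codes[level]) // codeKey never leaves the crypto processor
}

// Boot plays the phases of FIG. 2 in order: decrypt the code of the current level, then
// increment so that this level stays unreachable for the rest of the power cycle.
func (d *Device) Boot() ([]string, error) {
	var executed []string
	for range d.codes {
		code, err := d.DecryptCode(d.til)
		if err != nil {
			return executed, err
		}
		executed = append(executed, string(code))
		d.Increment() // in the device, the decrypted code issues this command itself
	}
	return executed, nil
}

func main() {
	d := NewDevice([][]byte{[]byte("CODE0"), []byte("CODE1"), []byte("CODE2")})
	fmt.Println(d.Boot()) // [CODE0 CODE1 CODE2] <nil>
}
```

The two failure paths differ in kind, which is the point of the design: a level below the current count is refused by the selection logic before any key is derived, whereas a level above the current count can be read but its key set fails GCM authentication, because the derivation circuit only ever receives the current count value. Only a reboot, which regenerates the initial count, makes level 0 reachable again.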
Figs. 4 to 6 illustrate an embodiment of the present description in which the encrypted data are boot codes and/or the encryption keys associated with those codes, and in which the level value TIL is incremented at the end of each step of the boot sequence. Each level value TIL also corresponds to one or more boot codes associated with each boot step; these codes are no longer accessible once the current level value TIL is greater than their associated level value TIL.
In the example shown in Fig. 4, memory regions 406, 408 and 409 store sensitive data associated with boot codes 400, 402 and 404, respectively, which are stored in the non-volatile memory 114. Regions 406, 408 and 409 are, for example, separate from regions 400, 402 and 404, but remain associated with isolation levels corresponding to those of the boot code with which the data are associated. The sensitive data include, for example, one or more encryption keys stored in each of the regions 406, 408 and 409, each of which is contained in the non-volatile memory 104. According to another embodiment, each region 406, 408 and 409 is a sub-region of the corresponding region 400, 402 and 404.
During a first step 410 of booting the processing device, shown at the top of Fig. 4, the current count value is, for example, equal to 0. In the example of Fig. 4, isolation level 0 is associated with a first code (CODE 0) and first sensitive data (KEY 0). The memory access control circuit 114 (not shown) and the selection circuit 120 are configured, for example, such that the first code and the first data are accessible exclusively while the current count value is equal to 0. However, during step 410, the access control circuit and the selection circuit grant, for example, access to all of the memory regions 400, 402 and 404 and to all of the regions 406, 408 and 409. Indeed, in some cases, in order to anticipate subsequent steps of the boot method, one or more other boot codes (CODE 1, CODE 2) may, for example, be read during step 410.
Once the first code CODE 0 has been executed, the general purpose processor 110 controls, for example, a first increment of the current count value by the monotonic counter 106. For example, the first code includes a command requesting that the counter be incremented. The command is transmitted, for example, to a control register (not shown) of the monotonic counter.
After this first increment, the current count value of the monotonic counter 204 is, for example, equal to 1, corresponding to the second boot step 511. The access control circuit and the selection circuit 120 receive the new current count value and are configured to prevent any access to the first code and the first data associated with isolation level 0, based on the count value being greater than 0. In other words, memory regions 400 and 406 are locked for any count value strictly greater than 0.
Isolation level 1 is associated with the second code (CODE 1) contained in region 402 and the second data (KEY 1) contained in region 408. According to one embodiment, a third code (CODE 2), associated with isolation level 2 and contained in region 404, may be read while the current count value is equal to 1.
Once the second code CODE 1 has been executed, the general purpose processor 110 controls, for example, a second increment of the current count value by the monotonic counter 106. After this second increment, the current count value of the monotonic counter 106 is, for example, equal to 2, corresponding to the third boot step 412. Isolation level 2 is associated with the third code CODE 2 and the third data (KEY 2). The access control circuit and the selection circuit 120 receive the new count value and are configured to prevent any access to the first and second codes and to the first and second data, which are associated with isolation levels less than or equal to 1, based on the count value being greater than 1.
According to one embodiment, when the last boot code (for example the third boot code) has been executed, the general purpose processor 110 controls a third increment of the current count value by the monotonic counter. The access control circuit and the selection circuit 120 then lock any access to the first, second and third boot codes and to the first, second and third data.
According to another embodiment, when the last boot code (for example the third boot code) has been executed, the current count value is not incremented by the monotonic counter 106, and the access control circuit still allows access to the third boot code and the third data.
FIG. 5 is a flowchart representing operations of a secure boot method of a processing device according to example embodiments of the present description. The method is implemented by, for example, the general purpose processor 110, monotonic counter 106, access control circuitry, and selection circuitry 120 of the processing device of fig. 1.
In step 501 (start boot sequence), the processing device 102 starts. In one example, this is the first boot of the device 102 after its manufacture. In another example, it is a boot performed by an intermediate entity between the manufacturer of the device 102 and its end user. In yet another example, it is a so-called operational boot of the electronic device 100 performed by the end user.
In step 503 (initializing the counter), after step 501, the monotonic counter is initialized to an initial value, which is a natural number. In examples where the count value is stored in a volatile manner, each boot of the processing device results in the count value being initialized, e.g., to 0 or 1. In another example where the count value is stored in a non-volatile manner, each boot of the processing device results in the current count value being replaced by an initial count value, e.g., equal to 0 or equal to 1.
In some embodiments, the initial count value generated after booting may vary depending on the state or context of the processing device 102. For example, one or more count values correspond to one or more isolation levels reserved for an initial setup phase of the device 102 (including, for example, the installation of firmware). The data and/or code associated with these isolation levels are used, for example, for this initial setup.
For example, after manufacture, the processing device 102 has a "blank" context and the initial count value is equal to a value reserved for setup, such as 0. Once the setup is completed, the context of the device becomes, for example, "setup completed". With this new context, powering up the device 102, for example by an intermediate entity between the manufacturer and the end user and/or by the end user, will then trigger a count value greater than the reserved count value, for example equal to 1. Thus, the boot code and sensitive data associated with the isolation level corresponding to the reserved count value will not be accessible.
For example, the context of a device is detected by the presence of a voltage on an enable pin of the device, which is applied, for example, by adding a jumper between the enable pin and another pin of the supply voltage. Additionally or alternatively, the context of the device is detected by the value of one or more bits stored in a non-volatile, protected manner in memory 104 or another memory.
In one example, the general purpose processor 110 is arranged to detect the context of the device 102 when the device 102 is powered up and to configure the initial count value of the monotonic counter 106 accordingly. In another example, the monotonic counter 106 is arranged to detect the context of the device 102 itself and configure its initial count value itself upon powering up the device 102.
In step 505 (read and execute code at level i), after step 503, the data and boot code associated with isolation level i are read by the general purpose processor 110, and the boot code associated with isolation level i is executed. Once the code of level i has been executed, the general purpose processor 110 compares the count value i with a value N in step 507 (i = N?). In the example of Fig. 4, for instance, N equals 2. If i is not equal to N (branch N), the method continues with step 509 (i = i + 1), where the general purpose processor triggers an increment of the count value. For example, the count value increases from i to i + 1; the increment may also increase the value of i by several units. The method then continues at step 505.
If the count value is equal to N (Y-branch) as a result of the comparison step 507, the method ends at step 511 (boot end), where the booting of the processing device ends. According to one embodiment, the current count value remains equal to N after step 511. According to another embodiment, the count value is incremented in step 511 and the current count value becomes equal to N +1. In this second case, the access control circuitry and the selection circuitry are configured to prevent access to all boot codes based on the count value.
FIG. 6 is a flowchart representing operations of a secure boot method of a processing device according to another example embodiment of the present description. The method is implemented, for example, by the general processor 110, the monotonic counter 106, and the access control circuitry and selection circuitry 120 of the processing device of fig. 1.
Steps 601 and 603 are similar to steps 501 and 503 of fig. 5 and will not be described again.
In step 605 (access to code at levels i and i + 1 and execution of code at level i), after step 603, the general purpose processor 110 accesses the data and boot code associated with isolation level i + 1, in addition to those of isolation level i, and the boot code(s) associated with isolation level i are executed.
In one example, the data or code associated with isolation level i contains one or more encrypted or unencrypted encryption keys to be used when executing the one or more codes associated with isolation level i +1. Thus, for example, write access to the memory region associated with isolation level i +1 is granted to provide the key to the code associated with isolation level i +1.
In another example, the code associated with isolation level i contains instructions to verify the integrity of the data and/or code associated with isolation level i +1. Thus, to perform this verification, read access is allowed to the memory region associated with isolation level i +1.
In step 607 (i = i + 1), after step 605, the count value is incremented. For example, the count value is increased from i to i +1. In other examples, incrementing increases i by several units.
In step 609 (i = N?), after step 607, the count value i is compared with the value N. If the value i is not equal to N (branch N), the method returns to step 605.
In case the count value is equal to N (branch Y) in the comparison step 609, the method continues to step 613 (executing code on level N), in which the boot code(s) associated with the isolation level N are executed.
The boot processing device ends with step 615 (boot end), and step 615 is similar to step 511 in fig. 5 and is not described again.
The method whose implementation is shown in Fig. 6 allows interleaved reading of the boot code: the boot code associated with an isolation level is read while the count value is still lower than that level value. This saves time relative to the implementation of the method shown in Fig. 5.
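The access-control behaviour of Fig. 4 and the two boot loops of Figs. 5 and 6, as an added model that is not the patent's or the project's own code. It assumes, for illustration, that a region at isolation level L is readable while the count value is less than or equal to L and locked once the count value exceeds L (the read-ahead of Fig. 4), that the region of level i carries a SHA-256 digest of the code of level i + 1 for the integrity check of Fig. 6, and that a "blank" context selects initial count 0 while a "setup-done" context selects 1; the BootMemory class and the sample codes are constructed.

```python
"""Model of the count-value access control (Fig. 4) and of the sequential
(Fig. 5) and interleaved (Fig. 6) boot loops. Added example; all names,
policies and sample data are assumptions, not the patent's own design."""
import hashlib

# Assumed mapping from device context to initial count value (step 503 / 603).
CONTEXT_INITIAL_COUNT = {"blank": 0, "setup-done": 1}


class LockedRegion(Exception):
    """Raised by the access control circuit for a region below the count value."""


class BootMemory:
    def __init__(self, code_by_level: dict) -> None:
        self._region = {}
        for lvl, code in code_by_level.items():
            nxt = code_by_level.get(lvl + 1)
            # Level i's region stores code i plus the reference digest of code
            # i + 1, so that code i can verify the next stage (Fig. 6 check).
            self._region[lvl] = {
                "code": code,
                "next_digest": hashlib.sha256(nxt).digest() if nxt is not None else None,
            }
        self.count = 0
        self.log = []  # (count value, level read) for every granted read

    def read(self, level: int) -> dict:
        """Access control circuit: a region is locked once count > its level."""
        if self.count > level:
            raise LockedRegion(f"level {level} locked at count {self.count}")
        self.log.append((self.count, level))
        return self._region[level]

    def increment(self) -> None:
        self.count += 1  # monotonic: never decremented

    def replace_code(self, level: int, data: bytes) -> None:
        """Simulates a modified stage in flash (for the integrity-check case)."""
        self._region[level]["code"] = data


def boot_sequential(mem: BootMemory, n: int, context: str = "blank") -> list:
    """Fig. 5: read and execute level i, compare with N, increment (steps 503-511)."""
    mem.count = CONTEXT_INITIAL_COUNT[context]        # step 503
    executed = []
    while True:
        executed.append(mem.read(mem.count)["code"])  # step 505: read + execute level i
        if mem.count == n:                              # step 507
            return executed                             # step 511: boot end
        mem.increment()                                 # step 509


def boot_interleaved(mem: BootMemory, n: int, context: str = "blank") -> list:
    """Fig. 6: at count i, read level i + 1 and verify it, execute level i, increment."""
    mem.count = CONTEXT_INITIAL_COUNT[context]        # step 603
    executed = []
    while mem.count != n:                              # step 609
        current = mem.read(mem.count)                  # step 605: level i ...
        nxt = mem.read(mem.count + 1)                  # ... and level i + 1 are read
        if hashlib.sha256(nxt["code"]).digest() != current["next_digest"]:
            raise RuntimeError(f"integrity check of level {mem.count + 1} failed")
        executed.append(current["code"])               # execute level i
        mem.increment()                                # step 607
    executed.append(mem.read(n)["code"])               # step 613: execute level N
    return executed


def try_read(mem: BootMemory, level: int) -> str:
    """Outcome of an access attempt, for checking the lock behaviour."""
    try:
        mem.read(level)
        return "ok"
    except LockedRegion:
        return "locked"


def interleaved_outcome(mem: BootMemory, n: int) -> str:
    """Outcome of an interleaved boot, distinguishing a failed stage check."""
    try:
        boot_interleaved(mem, n)
        return "ok"
    except RuntimeError:
        return "integrity-failed"
```

The access log records at which count value each level was read: in the Fig. 6 loop the region of level i + 1 is read at count i, one step earlier than in the Fig. 5 loop, which is the time saving the text describes, and the lock still holds because no read of a level below the count value is ever granted.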
One advantage of the described embodiments is that code and confidential, sensitive data are effectively protected by locking the decryption of the encryption key through the use of a monotonic counter and a key derivation circuit.
Various embodiments and modifications have been described. Those skilled in the art will appreciate that certain features of these embodiments may be combined, and that other variations will readily occur to those skilled in the art. In particular, different types of processors may be used. Furthermore, the number of isolation levels may vary.
Finally, the actual implementation of the embodiments and variants described herein is within the capabilities of a person skilled in the art based on the functional description provided above. In particular, the implementation of the selection of the encryption key is within the abilities of those skilled in the art.

Claims (20)

1. A method for decrypting encrypted data, the method comprising:
generating, by a monotonic counter of a processing device, a first count value;
deriving, using a key derivation circuit, a first encryption key based on the first count value;
transmitting the first encryption key to a cryptographic processor; and
decrypting the first encrypted data based on the first encryption key.
2. The method of claim 1, wherein the first encrypted data comprises a first set of one or more further encrypted encryption keys associated with the first count value.
3. The method of claim 2, further comprising:
selecting the first set of one or more further encrypted encryption keys from memory; and
providing the first set of one or more further encrypted encryption keys to the cryptoprocessor, wherein decrypting the first encrypted data comprises decrypting, by the cryptoprocessor, the first set of one or more further encrypted encryption keys based on the first encryption key.
4. The method of claim 3, further comprising:
decrypting, by the cryptographic processor or another cryptographic processor, first other encrypted data stored in the memory or another memory based on the first set of one or more further decrypted encryption keys.
5. The method of claim 4, wherein decrypting the first other encrypted data is performed by the cryptographic processor, the first set of one or more further decrypted encryption keys being stored in a memory of the cryptographic processor.
6. The method of claim 1, further comprising:
generating, by the monotonic counter of the processing device, a second count value;
deriving, using the key derivation circuit, a second encryption key based on the second count value;
transmitting the second encryption key to the cryptographic processor; and
decrypting second encrypted data based on the second encryption key.
7. The method of claim 6, wherein the monotonic counter is initialized to the first count value at a first boot of the processing device, the method further comprising initializing the monotonic counter to the second count value at a second boot of the processing device.
8. The method of claim 7, further comprising: if a device state condition is satisfied, another boot of the processing device is performed, during which the monotonic counter is initialized to the first count value.
9. The method of claim 8, wherein the state condition corresponds to a programmed state of a region of non-transitory memory storing the first encrypted data.
10. The method of claim 1, wherein the first encrypted data is stored in a non-transitory memory, and wherein the memory is configured such that access to the first encrypted data is not allowed based on a count value greater than the first count value.
11. The method of claim 1, wherein transmitting the first encryption key to a cryptographic processor is performed via a dedicated bus.
12. A data processing apparatus comprising:
a monotonic counter configured to generate a first count value;
a key derivation circuit configured to derive a first encryption key based on the first count value using a key derivation function; and
a cryptographic processor configured to receive the first encryption key and decrypt first encrypted data based on the first encryption key.
13. A method for decrypting encrypted data, the method comprising:
receiving a first count value from a monotonic counter of a processing device;
deriving, using a key derivation circuit, a first master encryption key based on the first count value and a master encryption key;
transmitting the first master encryption key to a cryptographic processor; and
decrypting a first encryption key stored in a non-volatile memory based on the first master encryption key.
14. The method of claim 13, further comprising: decrypting another first encryption key based on the first master encryption key, wherein the first encryption key and the another first encryption key comprise a first set of encrypted encryption keys associated with the first count value.
15. The method of claim 13, wherein the non-volatile memory is configured such that access to the first encryption key is not allowed based on a count value greater than the first count value.
16. The method of claim 13, further comprising:
transmitting the first encryption key to the cryptographic processor or another cryptographic processor; and
decrypting the first encrypted code based on the first encryption key.
17. The method of claim 14, further comprising:
starting a boot sequence;
initializing the monotonic counter providing the first count value; and
reading and executing a first code obtained from decrypting the first encrypted code.
18. The method of claim 13, further comprising:
receiving a second count value from the monotonic counter of the processing device;
deriving, using the key derivation circuit, a second master encryption key based on the second count value;
transmitting the second master encryption key to the cryptographic processor;
decrypting a second encryption key based on the second master encryption key;
transmitting the second encryption key to the cryptographic processor or another cryptographic processor; and
decrypting a second encrypted code based on the second encryption key.
19. The method of claim 18, wherein the monotonic counter is initialized to the first count value at a first boot of the processing device, the method further comprising initializing the monotonic counter to the second count value at a second boot of the processing device.
20. The method of claim 19, further comprising: performing another boot of the processing device if a device state condition is satisfied, during which the monotonic counter is initialized to the first count value, wherein the state condition corresponds to a programmed state of a region of the memory.

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
FR2103318A FR3121530A1 (en) 2021-03-31 2021-03-31 Method and device for secure decryption of encrypted data
FR2103318 2021-03-31
US17/657,020 2022-03-29
US17/657,020 US12045377B2 (en) 2021-03-31 2022-03-29 Method and device for secured deciphering of ciphering data

Publications (1)

Publication Number Publication Date
CN115150085A true CN115150085A (en) 2022-10-04

Family

ID=83406713

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210343079.2A Pending CN115150085A (en) 2021-03-31 2022-03-31 Method and apparatus for secure decryption of encrypted data

Country Status (1)

Country Link
CN (1) CN115150085A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination