CN118245428A - SOC architecture with secure, selective peripheral enablement/disablement - Google Patents


Info

Publication number
CN118245428A
Authority
CN
China
Prior art keywords
peripheral
enable
disable
security
information item
Prior art date
Legal status
Pending
Application number
CN202311772648.6A
Other languages
Chinese (zh)
Inventor
A·蒙德罗
M·A·卡拉诺
R·孔多雷利
Current Assignee
Italian Semiconductor International Co
Original Assignee
Italian Semiconductor International Co
Priority date
Filing date
Publication date
Priority claimed from US 18/541,747 (US20240211643A1)

Landscapes

  • Storage Device Security (AREA)

Abstract

A SoC includes a core, peripherals, and a bus interconnecting the core and the peripherals. Some peripherals can be selectively enabled or disabled as required. The SoC also includes peripheral enable/disable electronics and peripheral enable/disable circuitry coupled to the peripherals. The peripheral enable/disable electronics are directly connected to the peripheral enable/disable circuitry and are configured to store an item of information describing the enabled/disabled peripheral configuration, i.e. which peripherals are enabled and which are disabled, and to provide a signal to the peripheral enable/disable circuitry based on the stored item of information. Based on the signal received from the peripheral enable/disable electronics, the peripheral enable/disable circuitry allows operation of the enabled peripherals and prevents operation of the disabled peripherals. The peripheral enable/disable electronics also implement a security mechanism.

Description

SOC architecture with secure, selective peripheral enablement/disablement
Priority claim
The present application claims priority from Italian patent application number 102022000026793, filed on 23 December 2022, the contents of which are incorporated herein by reference in their entirety to the maximum extent allowed by law.
Technical Field
The present disclosure relates to an improved architecture for a system-on-chip (SoC) device, such as to allow secure, selective enabling/disabling of peripheral devices, interfaces, memory, hardware features, or the like.
Background
As is well known, a system-on-a-chip (or SoC) is an integrated circuit that integrates most or all of the components of a computer or other electronic system into a single chip or substrate. These components typically include a microprocessor or core, a microcontroller, several peripheral devices, and interfaces (e.g., memory interfaces, input/output interfaces, secondary storage interfaces, etc.), often with additional components/devices such as a radio modem, radio frequency (RF) signal processing electronics, a graphics processing unit (GPU), or the like. As a result, a SoC may include digital, analog, mixed-signal and RF circuitry.
SoC technology is typically used for embedded applications because of the reduced size and high integration of such integrated circuits.
Today, the enabling/disabling of active peripherals of the SoC is performed according to customer requests. The enabled/disabled peripheral configuration is hardwired and defined during the design phase and is done in a deterministic manner in the factory. Such known solutions are inflexible (in fact, the configuration is decided during the design phase and is performed in a fixed manner during manufacturing) and do not allow the user to make any changes to the enabled/disabled peripheral configuration.
Accordingly, there is a need in the art to overcome the above-described technical drawbacks and limitations.
Disclosure of Invention
In accordance with the present disclosure, a system-on-chip (SoC) device is provided with peripherals that can be selectively enabled or disabled as desired, and related methods for selectively enabling/disabling operation of the peripherals of the SoC device are disclosed.
In more detail, the SoC device includes: at least one core; a plurality of peripheral devices; at least one bus for interconnecting the at least one core and the plurality of peripheral devices, wherein the plurality of peripheral devices comprises a set of peripheral devices that can be selectively enabled or disabled as desired; and peripheral enable/disable electronics and peripheral enable/disable circuitry, the peripheral enable/disable circuitry being coupled to the plurality of peripherals, wherein the peripheral enable/disable electronics are directly connected to the peripheral enable/disable circuitry. The peripheral enable/disable electronic device is configured to: storing an information item relating to an enabled/disabled peripheral configuration and indicating an enabled peripheral device of a plurality of peripheral devices and a disabled peripheral device of the plurality of peripheral devices according to the enabled/disabled peripheral device configuration; and providing a first signal to the peripheral enabling/disabling circuit means based on the stored information item.
The peripheral enable/disable circuit arrangement is configured to allow operation of an enabled peripheral device of the set of peripheral devices and to block operation of a disabled peripheral device of the plurality of peripheral devices based on a first signal received from the peripheral enable/disable electronic device. The peripheral enabling/disabling electronic device is further configured to implement a security mechanism that allows access to the peripheral enabling/disabling electronic device and modification of the stored information item only if the security criteria are met.
The peripheral enable/disable electronics may include a one-time programmable memory configured to store the information item, and a plurality of registers. The registers may be configured to have enable/disable data written/loaded into them based on the stored information item, and to provide the peripheral enable/disable circuitry with a first signal based on the written/loaded enable/disable data and a second signal indicating whether the first signal is valid.
The peripheral enable/disable circuitry may be configured to enable operation of an enabled peripheral device of the set of peripheral devices and to block operation of a disabled peripheral device of the plurality of peripheral devices based on the first signal received from the plurality of registers if the second signal received from the plurality of registers indicates that the first signal is valid.
The peripheral enabling/disabling electronic device may further comprise a security stub coupled to the one-time programmable memory and configured to implement a security mechanism, thereby allowing access to the one-time programmable memory and modification of the stored information item if the security criteria are met.
The security stub may be provided between the one-time programmable memory and at least one bus of the system-on-chip device or an interconnect of the system-on-chip device, and the security stub may be configured to: receiving a security signal indicating whether access to the one-time programmable memory and modification of the stored information item is allowed; and allowing or preventing access to the one-time programmable memory and modification of the stored information item via the at least one bus or interconnect based on the received security signal.
The at least one core may be configured to implement a secure firmware module configured to: provide the security signal to the security stub; access the one-time programmable memory via the at least one bus or interconnect; perform a modification of the stored information item; and manage the security signal such that the security stub allows access to the one-time programmable memory and modification of the stored information item.
The SoC device may include a user interface and the at least one core may be configured to implement a peripheral device enable/disable firmware module that: operable to access the one-time programmable memory via at least one bus or interconnect and to modify the stored information item; and is configured to provide a security signal to the security stub. The user interface may be configured to: allowing a user to request modification of the enabled/disabled peripheral configuration; and providing corresponding commands to the peripheral enable/disable firmware module to modify the information items stored on the one-time programmable memory in accordance with a user request. The peripheral enabling/disabling firmware module may be further configured to access the one-time programmable memory and modify the stored information item upon receipt of a command from the user interface by managing the security signal such that the security stub allows said access and said modification.
The peripheral enable/disable firmware module and the user interface may be configured to apply cryptographic techniques to commands sent from the user interface to the peripheral enable/disable firmware module.
The plurality of registers may be persistent registers configured to re-write/reload enable/disable data after each power-up of the system-on-chip device.
The plurality of registers may be non-persistent registers configured to re-write/reload enable/disable data after each power-up and each standby of the system-on-chip device.
The plurality of registers may be directly connected to the one-time programmable memory.
The plurality of registers may be connected to the one-time programmable memory via an interconnect of the system-on-chip device, and a master unit may be provided in said system-on-chip device, the master unit being configured to manage reading of information items from the one-time programmable memory and writing/loading of corresponding enable/disable data to the plurality of registers via the interconnect.
The method aspect disclosed herein is a method for selectively enabling/disabling operation of a peripheral device of a system-on-chip device, the system-on-chip device including a core, a peripheral device, at least one bus, peripheral device enable/disable circuitry, and peripheral device enable/disable electronics, the peripheral device being selectively enabled or disabled as desired, the at least one bus for interconnecting the core and the peripheral device, the peripheral device enable/disable circuitry being coupled to the peripheral device, the peripheral device enable/disable electronics being directly connected to the peripheral device enable/disable circuitry. The method may include: storing an information item on a peripheral enable/disable electronic device, the information item relating to an enabled/disabled peripheral configuration and indicating enabled peripheral devices and disabled peripheral devices according to the enabled/disabled peripheral configuration; providing a security mechanism to a peripheral enabling/disabling electronic device, thereby allowing access to the peripheral enabling/disabling electronic device and modification of a stored information item if a security criterion is met; operating the peripheral enabling/disabling electronics to provide a first signal to the peripheral enabling/disabling circuitry based on the stored information item; and operating the peripheral enable/disable circuit arrangement to allow operation of the enabled peripheral and to prevent operation of the disabled peripheral based on the first signal received by the peripheral enable/disable circuit arrangement from the peripheral enable/disable electronic device.
Drawings
For an understanding of the present disclosure, embodiments of the disclosure will be described hereinafter, purely by way of non-limiting example, with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates a typical multi-core SoC architecture;
FIG. 2 schematically illustrates an architecture of peripheral domains and peripheral sub-domains of the SoC architecture shown in FIG. 1;
FIG. 3 schematically illustrates peripheral enable/disable circuitry integrated into the peripheral domain/sub-domain architecture shown in FIG. 2 for implementing a secure, selective peripheral enable/disable mechanism;
FIG. 4 schematically illustrates two architectures for the peripheral enable/disable electronics driving the peripheral enable/disable circuitry shown in FIG. 3;
FIG. 5 schematically illustrates an exemplary embodiment of the peripheral enable/disable electronics having either of the two architectures shown in FIG. 4;
FIG. 6 schematically illustrates a security mechanism for accessing an OTP memory of the peripheral enable/disable electronics having either of the two architectures shown in FIG. 4, in order to change/modify a predefined enabled/disabled peripheral configuration stored on the OTP memory;
FIG. 7 schematically illustrates two additional architectures for the peripheral enable/disable electronics;
FIG. 8 schematically illustrates an exemplary embodiment of the peripheral enable/disable electronics having either of the two architectures shown in FIG. 7; and
FIG. 9 schematically illustrates a security mechanism for accessing an OTP memory of the peripheral enable/disable electronics having either of the two architectures shown in FIG. 7, in order to change/modify a predefined enabled/disabled peripheral configuration stored on the OTP memory.
Detailed Description
Hereinafter, for simplicity of description, the term "peripheral(s)" will be used to refer to any peripheral, interface, hardware feature or device of the SoC that has a bus interface to one of the internal buses of the SoC (e.g., based on the AHB, AXI, OBI or APB bus protocols), such as digital peripherals (e.g., core, interface, cipher, encoder, decoder, etc.), memory controllers (e.g., SRAM, FLASH, OTP), analog peripherals (e.g., oscillator, pre-amp, DC-DC converter, regulator, charge pump, where bus management is available), or the like. Accordingly, the term peripheral(s) is also used in the appended claims with the same intended meaning.
Fig. 1 schematically illustrates a typical multi-core SoC architecture, whereby not all of its components will be described below, but only those components relevant to the description and understanding of the present disclosure will be described. Accordingly, reference numerals will also be used for only those components relevant to the description and understanding of the present disclosure.
In particular, the SoC shown in fig. 1 (and denoted herein as a whole by 1) comprises a plurality of cores 2 connected by at least one bus matrix 3 (e.g. based on bus protocols AHB, AXI, etc.) to several peripheral devices (denoted herein as a whole by 4) organized into domains and sub-domains.
In this regard, for a better understanding of the peripheral domain/sub-domain concepts, referring to fig. 2, fig. 2 schematically illustrates a more detailed architecture of the peripheral domain and sub-domain shown in fig. 1.
Specifically, the peripheral domain shown in fig. 2 (and denoted herein as a whole by 40) comprises a decoder 41 coupled to a plurality of first peripherals 42, wherein the decoder 41 and the first peripherals 42 are connected to a main bus of the SoC 1 (e.g., based on the AHB, AXI or OBI bus protocol), such as bus matrix 3, and wherein the decoder 41 is operable to select (i.e., activate) each first peripheral 42 via a respective select line 43.
Furthermore, the decoder 41 is also operatively coupled to a peripheral sub-domain (indicated as a whole by 400) comprising a sub-decoder 401, which is coupled to a plurality of second peripherals 402 and is operable to select (i.e., activate) each second peripheral 402 via a respective select line 403, wherein said sub-decoder 401 and said second peripherals 402 are interconnected with each other and connected to the bus matrix 3 via a secondary bus or sub-bus 404 (e.g., based on the APB bus protocol or the like). Sub-decoder 401 may also include a protocol bridge if peripheral domain 40 and peripheral sub-domain 400 operate with different bus protocols (e.g., AHB and APB, respectively).
More generally, peripherals belonging to the same peripheral domain (such as first peripherals 42 belonging to peripheral domain 40) share the same clock CLK, the same supply voltage Vdd, and the same bus protocol (e.g., AHB, AXI, OBI), while peripherals belonging to the same peripheral sub-domain (such as second peripherals 402 belonging to peripheral sub-domain 400) share the same clock CLK, the same supply voltage Vdd, and the same sub-bus protocol (e.g., APB).
In accordance with the present disclosure, a secure, selective peripheral enablement/disablement mechanism is integrated into SoC 1 to allow for on-demand and/or field-selective enablement/disablement of one or more peripheral devices, whereby SoC 1 has a set of peripheral devices that may be enabled or disabled by a manufacturer or customer. During the design phase, some peripherals may be excluded from the peripherals that may be enabled or disabled.
In this regard, fig. 3 schematically illustrates peripheral enable/disable circuitry (indicated generally at 5) integrated into peripheral domain 40 to perform the secure, selective peripheral enable/disable mechanism. The peripheral enable/disable circuitry 5 comprises, for each first peripheral 42 that can be enabled or disabled (denoted 421 in fig. 3), a respective AND logic gate 51, which is configured to receive as inputs: a respective input select signal from decoder 41 via a respective input select line 43IN; a respective enable signal via a respective enable line (in fig. 3 and the following figures only one enable line 52 is shown, for simplicity of illustration); and a valid signal via a valid line 53 common to all AND logic gates 51; and to provide a respective output select signal to the respective peripheral 421 via a respective output select line 43OUT.
In other words, all AND logic gates 51 receive, via the same valid line 53, the same valid signal indicating whether the enable signals are valid, and each AND logic gate 51 receives a respective enable signal for enabling/disabling the respective peripheral 421 via its enable line 52 and, from decoder 41 via its input select line 43IN, the respective select signal for operational selection (i.e., activation) of that peripheral 421.
Fig. 3 also shows a peripheral 422, belonging to the first peripherals 42, that was excluded from the secure, selective peripheral enable/disable mechanism during the design phase: this peripheral 422 is connected directly to the decoder 41 via its select line 43 and is therefore selected (i.e., activated) directly, with no AND gate in the path.
The secure, selective peripheral enabling/disabling mechanism may be applied to all peripheral domains and sub-domains managed via a standard bus.
Fig. 4 schematically illustrates a first architecture AND a second architecture for peripheral enable/disable electronics integrated into the SoC 1 to provide valid signals AND enable signals to the peripheral enable/disable circuitry 5 (i.e., AND logic gate 51).
According to the two architectures shown in fig. 4, the peripheral enabling/disabling electronics (in the first and second architecture, denoted overall by 6A and 6B, respectively) comprise a one-time programmable (OTP) memory 61 connected to the bus matrix 3 via a bus interface 62.
Furthermore, in the first architecture, the peripheral enable/disable electronics 6A comprise a permanent register 63A directly coupled/connected to the OTP memory 61 and supplied with the battery voltage Vbatt, so that said permanent register 63A holds the loaded information during standby; in contrast, in the second architecture, the peripheral enable/disable electronics 6B comprise a non-persistent register 63B, directly coupled/connected to the OTP memory 61 and supplied with the supply voltage Vdd, so that the non-persistent register 63B must be rewritten after standby. The outputs of the permanent/non-persistent registers 63A, 63B are directly connected to the peripheral enable/disable circuitry 5 (i.e., the AND logic gates 51) via the valid line 53 and the enable lines 52, to provide the valid signal and the enable signals to the peripheral enable/disable circuitry 5.
The OTP memory 61 is programmable via the bus matrix 3 to permanently store the information item relating to the predefined enabled/disabled peripheral configuration of the SoC 1. The OTP memory 61 is designed to operate autonomously, without intervention by any master unit.
When the SoC 1 is powered up, the information items stored on the OTP memory 61 are read AND then loaded/written to the permanent/non-permanent registers 63A, 63B, the permanent/non-permanent registers 63A, 63B being configured to output an enable signal for driving the peripheral enabling/disabling circuit means 5 (i.e. the AND logic gate 51) based on the predefined enabled/disabled peripheral configuration loaded on said permanent/non-permanent registers 63A, 63B. Furthermore, in the second architecture, information items related to predefined enabled/disabled peripheral configurations must also be reloaded onto the non-persistent register 63B after each standby.
For example, as shown in fig. 5, the permanent/non-permanent registers 63A, 63B may include n+2 binary registers 631, 632 (N is an integer greater than zero) for driving N AND logic gates 51, where the N binary registers 631 are each intended to store a respective enable/disable bit (e.g., 1 or 0) that determines the value of the respective enable signal for enabling/disabling the respective peripheral 421, while the remaining two binary registers 632 are intended to store two protection bits that determine the value of the valid signal indicating whether the enable signal is valid. These two protection bits are conveniently set to be valid only when the reading of all information items in the OTP memory 61 and the loading/writing of data into the N binary registers are completed.
In more detail, upon power up: when the power-up signal rises, on the rising edge, for security reasons, all N binary registers 631 are configured to be disabled and both protection bits are set to be inactive; and the OTP content is read such that N enable/disable bits are read and written to N binary registers 631.
Once the reading of all the information items in the OTP memory 61 is successfully completed, both protection bits are set to valid protection bits (e.g., in response to the OTP done signal rising as shown in fig. 5) so that the valid signal is also correctly set to indicate the validity of the enable signal.
In the event of a power loss, the contents (i.e., protection bits) of both binary registers 632 are lost and the data becomes invalid.
The information items stored on the OTP memory 61 (and thus the corresponding predefined enabled/disabled peripheral configuration) may be modified by the manufacturer or customer as explained below.
Fig. 6 schematically illustrates a security mechanism for accessing the OTP memory 61 in order to change/modify a predefined enabled/disabled peripheral configuration stored thereon, wherein a security stub 7 is provided between the bus matrix 3 and the OTP memory 61, which security stub is configured to receive a security signal via a security line 71 and to allow access to the OTP memory 61 only if some predefined security criteria are met.
For example, let [ADD_LOW, ADD_HIGH] be the address range of the OTP memory 61 in which the information item relating to the predefined enabled/disabled peripheral configuration is stored. If the security signal is set to zero and an access to an address within [ADD_LOW, ADD_HIGH] is requested (via bus matrix 3), the security stub 7 denies the access; otherwise (i.e., the security signal is set to 1, or the requested address lies outside [ADD_LOW, ADD_HIGH]) the security stub 7 allows the access.
Fig. 7 schematically illustrates a third architecture and a fourth architecture of a peripheral enabling/disabling an electronic device.
In the architectures shown in fig. 7, the peripheral enable/disable electronics (in the third and fourth architectures, denoted as a whole by 6C and 6D, respectively) comprise an OTP memory 64 connected to the interconnect bus 8 via a bus interface 65, wherein, unlike the OTP memory 61, the OTP memory 64 is designed to be controlled by a master unit 66, the master unit 66 being for example one of the cores 2, or a dedicated electronic control unit integrated into the SoC 1, or an ad hoc control module implemented in one of the cores 2.
Furthermore, in the third architecture, the peripheral enable/disable electronics 6C comprise a permanent register 67A, which is coupled/connected to the OTP memory 64 through the interconnect bus 8 via a respective bus interface 68A and is supplied with the battery voltage Vbatt, so that said permanent register 67A holds the loaded information during standby; in contrast, in the fourth architecture, the peripheral enable/disable electronics 6D comprise a non-persistent register 67B, which is coupled/connected to the OTP memory 64 through the interconnect bus 8 via a respective bus interface 68B and is supplied with the supply voltage Vdd, so that said non-persistent register 67B has to be reloaded after standby. The outputs of the permanent/non-persistent registers 67A, 67B are likewise directly connected to the peripheral enable/disable circuitry 5 (i.e., the AND logic gates 51) via the valid line 53 and the enable lines 52, to provide the valid signal and the enable signals to the peripheral enable/disable circuitry 5.
When the SoC 1 is powered up, the information items related to the predefined enabled/disabled peripheral configuration AND stored on the OTP memory 64 are read by the master unit 66 AND then loaded/written by the master unit 66 into the permanent/non-permanent registers 67A, 67B, the permanent/non-permanent registers 67A, 67B being configured to output an enable signal for driving the peripheral enabling/disabling circuit arrangement 5 (i.e. the AND logic gate 51) based on the predefined enabled/disabled peripheral configuration loaded on said permanent/non-permanent registers 67A, 67B. Furthermore, in the fourth architecture, information items related to predefined enabled/disabled peripheral configurations must also be reloaded to the non-persistent register 67B after each standby.
For example, as shown in fig. 8, the permanent/non-permanent registers 67A, 67B may include n+2 binary registers 671, 672 (N is an integer greater than zero) for driving N AND logic gates 51, where N binary registers 671 are each intended to store a respective enable/disable bit (e.g., 1 or 0) that determines the value of the respective enable signal for enabling/disabling the respective peripheral 421, while the remaining two binary registers 672 are intended to store two protection bits that determine the value of the valid signal indicating whether the enable signal is valid.
In more detail, upon power up: when the power-up signal rises, the controller of the permanent/non-permanent registers 67A, 67B (shown in fig. 8 as integrated with the respective bus interfaces 68A, 68B) presets all N binary registers 671 by configuring all features as "safe" (i.e., "safe" meaning disabled or enabled depending on the feature managed with the ith bit) and configuring both protection bits as inactive.
In addition, the OTP memory 64 completes its own initialization; once this is done, the OTP_DONE signal rises to indicate that the OTP memory 64 is ready to be accessed by the master unit 66. Once OTP_DONE equals 1, the master unit 66 reads the data stored on the OTP memory 64 (in secure or protected mode) and initializes the N+2 binary registers, after which the protection bits are set to their valid value so that the valid signal correctly indicates the validity of the enable signals; this access and register update are performed via the interconnect bus 8.
The N bits stored in the binary registers 671 remain valid as long as the battery voltage Vbatt is available (third architecture, permanent register 67A) or the supply voltage Vdd is available (fourth architecture, non-persistent register 67B).
Regardless, at each power cycle, the N bits are reloaded according to the procedure described previously.
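The power-up sequence of the register block (figs. 5 and 8) and the gating it drives (fig. 3) can be written down as a small behavioural model. The following Python is an added example written for this page, not code from the patent or from the assignee; the class and function names, the "safe" preset defaulting to disabled, and the rule that the valid line is the AND of the two protection bits are assumptions of the model. It covers both register families: the OTP read is modelled as a plain copy whether the registers are wired directly to the OTP (first/second architecture) or loaded by a master unit over the interconnect (third/fourth architecture).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class OtpImage:
    """Constructed OTP content: one enable/disable bit per manageable peripheral."""
    enable_bits: List[int]


class EnableDisableRegisters:
    """N enable bits (631/671) plus two protection bits (632/672)."""

    def __init__(self, n: int, safe_defaults: Optional[List[int]] = None):
        self.n = n
        # Assumption: per-feature "safe" value preset at power-up. The patent
        # says "safe" is disabled or enabled depending on the feature; the
        # default here is "all disabled".
        self.safe_defaults = list(safe_defaults) if safe_defaults else [0] * n
        self.enable: List[int] = []
        self.protect: List[int] = [0, 0]
        self.power_up_reset()

    def power_up_reset(self) -> None:
        """Rising edge of power-up: safe values, protection bits inactive."""
        self.enable = list(self.safe_defaults)
        self.protect = [0, 0]

    def load_from_otp(self, otp: OtpImage) -> None:
        """Write the N bits read from OTP; valid stays low until otp_done()."""
        if len(otp.enable_bits) != self.n:
            raise ValueError("OTP image width does not match register width")
        self.enable = [b & 1 for b in otp.enable_bits]

    def otp_done(self) -> None:
        """OTP_DONE rises: both protection bits become active."""
        self.protect = [1, 1]

    def power_loss(self) -> None:
        """Supply lost: the protection bits are lost and the data is invalid."""
        self.protect = [0, 0]

    @property
    def valid(self) -> int:
        # Assumption: the valid line is the AND of the two protection bits, so
        # a single flipped bit cannot validate stale enable data.
        return self.protect[0] & self.protect[1]


def select_output(regs: EnableDisableRegisters, index: int, in_select: int,
                  managed: bool = True) -> int:
    """One AND gate 51: out_select = in_select AND enable[index] AND valid.
    A peripheral excluded at design time (422) has no gate: the decoder's
    select line passes straight through."""
    if not managed:
        return in_select & 1
    return (in_select & 1) & regs.enable[index] & regs.valid


def power_up_sequence(regs: EnableDisableRegisters, otp: OtpImage) -> List[int]:
    """Full boot: reset to safe, load the OTP bits, then raise valid.
    Returns each gate's output with the decoder selecting every peripheral."""
    regs.power_up_reset()
    regs.load_from_otp(otp)
    regs.otp_done()
    return [select_output(regs, i, 1) for i in range(regs.n)]
```

The point the model makes explicit is the ordering: between the reset and OTP_DONE every gate outputs 0 even for peripherals whose OTP bit is 1, and a power loss drops the gates back to 0 without anyone having to clear the enable bits.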
The information items stored on OTP memory 64 (and thus the corresponding predefined enabled/disabled peripheral configuration) may be modified by the manufacturer or customer as explained below.
Fig. 9 schematically illustrates a security mechanism for accessing an OTP memory 64 in order to change/modify a predefined enabled/disabled peripheral configuration stored thereon, wherein a security stub 9 is provided between the interconnect bus 8 and the OTP memory 64 (more specifically between the interconnect bus 8 and a bus interface 65 of said OTP memory 64), wherein said security stub 9 is configured to receive a security signal via a security line 91 and to allow access to the OTP memory 64 only if some predefined security criteria are met.
As previously explained, in all four architectures the peripheral enable/disable electronics 6A, 6B, 6C, 6D are equipped with a security stub 7, 9 that controls access to the OTP memory 61, 64 storing the predefined enabled/disabled peripheral configuration. Specifically, when the requested OTP address falls within the address range [ADD_LOW, ADD_HIGH], the security signal is used to selectively allow or deny the access.
The generation of a security signal for correctly accessing the OTP memory 61, 64 and modifying the data/information item stored thereon can be managed in mainly two ways, namely: 1) By using a dedicated trusted/secure Firmware (FW) module implemented in one of the cores 2; and/or 2) by implementing a symmetric or asymmetric cryptography-based authentication mechanism for authenticating commands received from a user via a user interface of the SoC 1.
For methodology 1), it is worth noting that today, it is common practice to provide SoC devices that are equipped with trusted/secure FW modules. Thus, a trusted/secure FW module implemented in one of the cores 2 of the SoC 1 may be suitably configured/programmed to: managing the security signal for accessing the OTP memory 61, 64; and configures the OTP memory 61, 64 to selectively enable/disable the peripheral 421.
For example, the trusted/secure FW module may be configured/programmed to: disable, for security reasons, a particular peripheral after it has been used a given number of times (e.g., a peripheral designed to be used only once, twice, or more generally a given number of times and then disabled); and/or enable a particular peripheral only when one or more predefined conditions occur (e.g., a peripheral designed to be used only under very specific operating conditions).
Furthermore, if the stored enabled/disabled peripheral configuration must be changed, the trusted/secure FW module may be updated, or a new version of it installed, on the SoC 1. For example, if a customer requests a peripheral configuration modification, the manufacturer may provide the customer with an update or a new version of the trusted/secure FW module to be installed on the SoC 1. Since the FW update then becomes the path by which the configuration changes, the integrity and authenticity of that update (secure boot, signed FW images) is what ultimately protects the configuration.
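As an added illustration of methodology 1) (example code written for this page, not part of the patent or of any vendor's firmware), the following Python model puts together the address-gated security stub of Fig. 9, the one-time-programmable configuration record and a trusted FW module that asserts the security signal only for the duration of its own write and applies the "disable after N uses" policy described above. The OTP layout (one enable word and one revocation word at assumed addresses 0x100 and 0x101), the set-only write semantics, the protected address range and the use-count limit are assumptions made for the example.

```python
# Added example, not the patent's or a vendor's code: a behavioural model of
# the security stub, the OTP configuration record and the trusted FW module.
# Address range, bit encoding and the use-count policy value are assumptions.
from dataclasses import dataclass, field

ADD_LOW, ADD_HIGH = 0x100, 0x107         # assumed protected OTP range [add_low, add_high]
ENABLE_WORD = ADD_LOW                    # assumed: bit i set = peripheral i enabled
REVOKE_WORD = ADD_LOW + 1                # assumed: bit i set = peripheral i disabled


@dataclass
class OtpMemory:
    """One-time programmable cells: a programmed bit can never be cleared."""
    words: list = field(default_factory=lambda: [0] * (ADD_HIGH - ADD_LOW + 1))

    def read(self, addr):
        return self.words[addr - ADD_LOW]

    def program(self, addr, value):
        self.words[addr - ADD_LOW] |= value   # OR-only write models fuse burning


@dataclass
class SecurityStub:
    """Sits between the bus and the OTP; gates writes on the security signal."""
    otp: OtpMemory
    security_signal: bool = False

    def write(self, addr, value):
        if not ADD_LOW <= addr <= ADD_HIGH:
            raise ValueError("address outside the OTP range")
        if not self.security_signal:
            return False                     # requester is not trusted: denied
        self.otp.program(addr, value)
        return True

    def read(self, addr):
        return self.otp.read(addr)           # reads are not gated in this model


class TrustedFirmware:
    """Trusted FW module: the only component that drives the security signal."""

    def __init__(self, stub, max_uses):
        self.stub = stub
        self.max_uses = max_uses             # "disable after N uses" policy
        self.uses = {}

    def _gated_write(self, addr, value):
        self.stub.security_signal = True     # assert only for this one access
        try:
            return self.stub.write(addr, value)
        finally:
            self.stub.security_signal = False  # deassert so the bus stays locked

    def enable(self, periph):
        return self._gated_write(ENABLE_WORD, 1 << periph)

    def disable(self, periph):
        return self._gated_write(REVOKE_WORD, 1 << periph)

    def is_enabled(self, periph):
        # Effective state: enable fuse burnt AND revocation fuse not burnt.
        en = (self.stub.read(ENABLE_WORD) >> periph) & 1
        rev = (self.stub.read(REVOKE_WORD) >> periph) & 1
        return bool(en and not rev)

    def use(self, periph):
        """Count one use of a peripheral; burn its revocation fuse at the limit."""
        if not self.is_enabled(periph):
            return False
        self.uses[periph] = self.uses.get(periph, 0) + 1
        if self.uses[periph] >= self.max_uses:
            self.disable(periph)
        return True


def demo():
    """Walk through: untrusted write denied, enable, two uses, auto-revoke."""
    stub = SecurityStub(OtpMemory())
    fw = TrustedFirmware(stub, max_uses=2)
    trace = [stub.write(ENABLE_WORD, 0b1)]   # bus master without signal: False
    trace.append(fw.enable(0))               # trusted FW: True
    trace.append(fw.is_enabled(0))           # True
    trace += [fw.use(0), fw.use(0)]          # second use hits the limit
    trace.append(fw.is_enabled(0))           # False: revocation fuse burnt
    trace.append(fw.enable(0) and fw.is_enabled(0))  # re-burning enable cannot undo it
    return trace


if __name__ == "__main__":
    print(demo())   # [False, True, True, True, True, False, False]
```

The set-only write is the property worth noticing: because an OTP cell cannot be un-programmed, "disable" has to be a separate fuse rather than a cleared enable bit, and the effective state is enable AND NOT revoked. Re-enabling a revoked peripheral would need a further OTP slot or a register-level override, which this model deliberately leaves out.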
For methodology 2), SoC devices are typically provided with several standard user interfaces (SPI, USB, JTAG, debug, etc.), so a user (e.g., the manufacturer or the customer) may use a user interface of the SoC 1 to modify the stored enabled/disabled peripheral configuration. In this case, the dedicated peripheral enable/disable FW module implemented in one of the cores 2 of the SoC 1 is configured/programmed to verify the authenticity of a peripheral configuration modification command received from the user via the user interface and, if the command is authentic, to manage the security signal so as to access the OTP memory 61, 64 and configure it to selectively enable/disable the peripherals 421 according to the received command.
Authentication may be based on symmetric and/or asymmetric cryptography.
For example, with reference to symmetric cryptography, symmetric encryption/decryption (e.g., AES or the like) may be used: 1) the user encrypts the peripheral enable/disable message using a secret key known to both the user and the dedicated peripheral enable/disable FW module of the SoC 1; 2) the dedicated peripheral enable/disable FW module decrypts the received message using the same secret key and then executes the received peripheral enable/disable command. For decryption to count as authentication, an authenticated-encryption mode (e.g., AES-GCM) should be used: with an unauthenticated mode any ciphertext decrypts to something, so "successful decryption" alone does not prove that a key holder produced the message.
To avoid replay attacks, the peripheral enable/disable messages are supplemented with a freshness value (e.g., a monotonic counter, a timestamp, etc.) that is covered by the encryption or the tag.
In particular, if a monotonic counter is used, the received counter value must be greater than the last counter value used, otherwise a replay attack is detected.
Alternatively, if a timestamp is used, the time distance between two consecutive timestamps must not exceed a predefined threshold; in practice the received timestamp should also be strictly newer than the last accepted one, otherwise a recent message could still be replayed inside the window.
Referring again to symmetric cryptography, a message authentication code may be used in place of encryption (a keyed hash such as HMAC-SHA256; although MD5-based constructions are sometimes listed for this purpose, MD5 is no longer considered secure): 1) the user sends a plaintext peripheral enable/disable message (again with freshness) accompanied by a tag computed from a secret key known to both the user and the dedicated peripheral enable/disable FW module, so that plaintext message + freshness + tag is sent to the dedicated peripheral enable/disable FW module via the user interface of the SoC 1; 2) the dedicated peripheral enable/disable FW module receives message + freshness + tag, verifies the tag by recomputing it and comparing the result (in constant time) with the tag sent by the user and, if the verification succeeds, executes the received peripheral enable/disable command.
With reference to asymmetric cryptography, asymmetric encryption/decryption (e.g., RSA or the like) may be used: 1) the user encrypts the peripheral enable/disable message with the public key of the dedicated peripheral enable/disable FW module; 2) the dedicated peripheral enable/disable FW module decrypts the received message with its private key and, if decryption succeeds, executes the received peripheral enable/disable command. Note that encryption under the module's public key provides confidentiality but not origin authentication on its own, since anyone holding the public key can produce a valid ciphertext; the encrypted message should therefore also carry a signature or an inner MAC so that the FW module can tell that the command came from an authorized user.
Also in this case, in order to avoid replay attacks, the peripheral enable/disable messages are supplemented with a freshness value (e.g., a monotonic counter, a timestamp, etc.) handled with the same logic as described above.
Referring again to asymmetric cryptography, digital signatures (e.g., ECDSA, etc.) may also be used: 1) the user sends a plaintext peripheral enable/disable message (again with freshness) signed with the user's private key, so that plaintext message + freshness + signature is sent to the dedicated peripheral enable/disable FW module via the user interface; 2) the dedicated peripheral enable/disable FW module receives message + freshness + signature and verifies the signature with the user's public key (which must itself be provisioned on the SoC in a trusted way, e.g., in OTP); if the verification succeeds, it executes the received peripheral enable/disable command.
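Methodology 2), in both its symmetric and asymmetric forms, reduces to one verifier skeleton: authenticate the message, check its freshness, then apply the command. The following Python is an added example written for this page (not the patent's or any vendor's code) that shows the symmetric MAC variant end to end, with the user-side builder, the firmware-side verifier and a monotonic counter, plus the timestamp window check. The wire format (command byte, peripheral id, 64-bit counter, 32-byte HMAC-SHA256 tag), the command codes and the demo key are assumptions; the tag verifier is a callable so that the asymmetric variant only needs an ECDSA signature check substituted in.

```python
# Added example, not the patent's or a vendor's code: user-side construction
# and FW-side verification of an authenticated enable/disable command with a
# monotonic freshness counter. Wire format, command codes and the demo key
# are assumptions made for this example.
import hashlib
import hmac
import struct

CMD_ENABLE, CMD_DISABLE = 0x01, 0x02          # assumed command codes
HEADER = struct.Struct(">BBQ")                # cmd(1) | peripheral id(1) | counter(8)
TAG_LEN = 32                                  # HMAC-SHA256 output length


def hmac_tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()


def build_command(key, cmd, periph, counter):
    """User side: plaintext message + freshness, then a keyed tag over both."""
    body = HEADER.pack(cmd, periph, counter)
    return body + hmac_tag(key, body)


def hmac_verifier(key):
    """Symmetric variant: recompute the tag with the shared key and compare in
    constant time. For the asymmetric variant, substitute a callable that
    checks an ECDSA signature over `body` against the user's public key."""
    def verify(body, tag):
        return hmac.compare_digest(hmac_tag(key, body), tag)
    return verify


class PeripheralEnableFw:
    """Dedicated peripheral enable/disable FW module (behavioural model)."""

    def __init__(self, verify_tag, peripherals):
        self.verify_tag = verify_tag
        self.enabled = {p: False for p in peripherals}
        self.last_counter = 0                 # would live in OTP or a secure counter

    def process(self, msg):
        if len(msg) != HEADER.size + TAG_LEN:
            return "malformed"
        body, tag = msg[:HEADER.size], msg[HEADER.size:]
        # Authenticate first: a forged message must not influence any state.
        if not self.verify_tag(body, tag):
            return "bad_tag"
        cmd, periph, counter = HEADER.unpack(body)
        if counter <= self.last_counter:
            return "replay"                   # counter must strictly increase
        if periph not in self.enabled or cmd not in (CMD_ENABLE, CMD_DISABLE):
            return "bad_cmd"
        self.last_counter = counter           # commit freshness only on acceptance
        self.enabled[periph] = (cmd == CMD_ENABLE)
        return "ok"


def timestamp_fresh(last_ts, recv_ts, threshold):
    """Timestamp variant: strictly newer than the last accepted value and no
    further than `threshold` from it (the strict ordering is this example's
    addition, so that an old message inside the window cannot be replayed)."""
    return last_ts < recv_ts <= last_ts + threshold


def demo():
    key = b"\x11" * 32                        # constructed demo key, not a real one
    fw = PeripheralEnableFw(hmac_verifier(key), peripherals=[0, 1, 2])
    first = build_command(key, CMD_ENABLE, 1, counter=1)
    trace = [fw.process(first)]               # ok
    trace.append(fw.process(first))           # replay: same counter again
    forged = bytearray(first)
    forged[0] = CMD_DISABLE                   # flip the command, keep the old tag
    trace.append(fw.process(bytes(forged)))   # bad_tag
    trace.append(fw.process(build_command(key, CMD_DISABLE, 1, counter=2)))  # ok
    return trace


if __name__ == "__main__":
    print(demo())   # ['ok', 'replay', 'bad_tag', 'ok']
```

Two design points carry over to a real implementation: the tag is checked before any field is parsed or any state is touched, and the counter is committed only when the command is actually accepted, so an authentic but malformed command does not burn a counter value.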
Hybrid approaches based on both methodology 1) and methodology 2) and/or based on both symmetric and asymmetric cryptography may also be implemented.
Technical advantages and innovative features of the present device will be apparent to those skilled in the art from the foregoing.
In particular, on the manufacturer's side, the present disclosure allows: optimizing production by unifying several production lines, thereby saving costs; avoiding unlocking the test mode in order to rework dies (rework may also occur in the field); and creating a new business model by applying pay-per-use policies to peripheral/feature enablement/disablement.
Furthermore, on the customer's side, it is possible to: request a new peripheral license; gain flexibility in implementing new functions by adding some new peripherals (under the manufacturer's license); and disable/enable licensed peripherals when they are not in use (e.g., to reduce the attack surface).
The device allows a high degree of flexibility in product definition, providing many opportunities for manufacturers and customers.
In fact, in the factory: only a "few" product lines, each with several on-board peripherals, need to be produced, the peripherals being enabled/customized in a secure way only upon customer request; only the peripherals requested by each customer are enabled (i.e., only those the customer has paid for); the frequency range of some peripherals (speed class selection and power consumption) may be enabled; and all the devices in the warehouse can be reworked to enable only the required peripherals in case of sudden market demand. No test-mode access is required for this operation (so, if the devices are locked, they need not be unlocked for reconfiguration), since everything is based on cryptographic methods.
Furthermore, in the field: the customer may request that the manufacturer enable a new peripheral (pay-per-use) on a device already soldered on the board, the manufacturer then providing the keys for the new peripheral that the customer needs to enable the new service; and the customer may manage the licensed peripherals in a secure manner, disabling/enabling some of them in particular situations. For example: if hacking is detected, the customer may block (disable) the use of some peripherals; the customer may disable some sensitive memory modules when they are not needed and re-enable them only when needed (power optimization, reduced hacking risk); and the customer may likewise disable some interfaces (e.g., debug) when not needed and re-enable them only when needed (power optimization, reduced hacking risk).
In summary, it is evident that numerous modifications can be made to the device described and illustrated herein, all falling within the scope of the invention as defined in the appended claims. For example, the various embodiments described above may be combined to provide further embodiments.

Claims (14)

1. A system-on-chip device comprising:
At least one core;
a plurality of peripheral devices;
At least one bus for interconnecting the at least one core and the plurality of peripheral devices, wherein the plurality of peripheral devices comprises a set of peripheral devices that can be selectively enabled or disabled as desired; and
A peripheral enable/disable electronics and peripheral enable/disable circuitry, the peripheral enable/disable circuitry coupled to the plurality of peripheral devices, wherein the peripheral enable/disable electronics are directly connected to the peripheral enable/disable circuitry and are configured to:
Storing an information item, the information item relating to an enabled/disabled peripheral device configuration and indicating the enabled peripheral device of the plurality of peripheral devices and the disabled peripheral device of the plurality of peripheral devices according to the enabled/disabled peripheral device configuration; and
Providing a first signal to the peripheral enable/disable circuit arrangement based on the stored information item;
Wherein the peripheral enable/disable circuitry is configured to enable operation of the enabled peripheral devices of the set of peripheral devices and to block operation of the disabled peripheral devices of the plurality of peripheral devices based on the first signal received from the peripheral enable/disable electronics; and
Wherein the peripheral enable/disable electronics are further configured to implement a security mechanism whereby access to the peripheral enable/disable electronics and modification of the stored information item are only allowed when a security criterion is met.
2. The system-on-chip device of claim 1, wherein the peripheral device enable/disable electronic device comprises a one-time programmable memory configured to store the information item and a plurality of registers configured to:
Based on the stored information item, enable/disable data is written/loaded; and
Providing the peripheral enable/disable circuitry with the first signal based on the written/loaded enable/disable data and a second signal indicating whether the first signal is valid;
Wherein the peripheral enable/disable circuitry is configured to enable operation of the enabled peripheral device of the set of peripheral devices and to block operation of the disabled peripheral device of the plurality of peripheral devices based on the first signals received from the plurality of registers if the second signals received from the plurality of registers indicate that the first signals are valid;
Wherein the peripheral enable/disable electronics further comprise a security stub coupled to the one-time programmable memory and configured to implement the security mechanism, thereby allowing access to the one-time programmable memory and modification of the stored information item if the security criterion is met.
3. The system-on-chip device of claim 2, wherein the security stub is provided between the at least one bus of the system-on-chip device or an interconnect of the system-on-chip device and the one-time programmable memory, and the security stub is configured to:
receiving a security signal indicating whether said access to said one-time programmable memory and said modification of said stored information item are allowed; and
Based on the received security signal, the access to the one-time programmable memory and the modification of the stored information item via the at least one bus or the interconnect is allowed or prevented.
4. The system-on-chip device of claim 3, wherein the at least one core is configured to implement a secure firmware module configured to:
providing the security signal to the security stub;
Accessing the one-time programmable memory via the at least one bus or the interconnect;
performing a modification of the stored information item; and
The security signal is managed such that the security stub allows the access to the one-time programmable memory and the modification of the stored information item.
5. The system-on-chip device of claim 3, further comprising a user interface;
wherein the at least one core is configured to implement a peripheral enabling/disabling firmware module that:
operable to access the one-time programmable memory via the at least one bus or the interconnect and to modify the stored information item; and
Configured to provide the security signal to the security stub;
wherein the user interface is configured to:
Allowing a user to request modification of the enabled/disabled peripheral device configuration; and
Providing corresponding commands to the peripheral enable/disable firmware module to modify the information items stored on the one-time programmable memory in accordance with a user request; and
Wherein the peripheral enable/disable firmware module is further configured to access the one-time programmable memory and modify the stored information item upon receipt of the command from the user interface by managing the secure signal such that the secure stub allows the access and the modification.
6. The system-on-chip device of claim 5, wherein the peripheral enable/disable firmware module and the user interface are configured to implement cryptographic techniques when the command is sent from the user interface to the peripheral enable/disable firmware module.
7. The system-on-chip device of claim 2, wherein the plurality of registers are persistent registers configured to re-write/reload the enable/disable data after each power-up of the system-on-chip device.
8. The system-on-chip device of claim 2, wherein the plurality of registers are non-persistent registers configured to re-write/reload the enable/disable data after each power-up and each standby of the system-on-chip device.
9. The system-on-chip device of claim 2, wherein the plurality of registers are directly connected to the one-time programmable memory.
10. The system-on-chip device of claim 2, wherein the plurality of registers are connected to the one-time programmable memory via an interconnect of the system-on-chip device, and wherein a master unit is provided in the system-on-chip device, the master unit being configured to manage reading of the information items from the one-time programmable memory and writing/loading of the corresponding enable/disable data to the plurality of registers via the interconnect.
11. A method for selectively enabling/disabling operation of a peripheral device of a system-on-chip device, the system-on-chip device including a core, a peripheral device, at least one bus, peripheral device enable/disable circuitry, and peripheral device enable/disable electronics, the peripheral device being selectively enabled or disabled as needed, the at least one bus for interconnecting the core and the peripheral device, the peripheral device enable/disable circuitry being coupled to the peripheral device, the peripheral device enable/disable electronics being directly connected to the peripheral device enable/disable circuitry, the method comprising:
Storing an information item on the peripheral enable/disable electronics, the information item relating to an enabled/disabled peripheral configuration and indicating enabled peripheral devices and disabled peripheral devices according to the enabled/disabled peripheral configuration;
Providing a security mechanism on the peripheral enable/disable electronics, thereby allowing access to the peripheral enable/disable electronics and modification of the stored information item only if a security criterion is met;
Operating the peripheral enable/disable electronics to provide a first signal to the peripheral enable/disable circuitry based on the stored information item; and
Operating the peripheral enable/disable circuitry to enable operation of the enabled peripheral devices and to block operation of the disabled peripheral devices based on the first signal received by the peripheral enable/disable circuitry from the peripheral enable/disable electronics.
12. The method of claim 11, further comprising:
storing enable/disable data in a register;
Providing the first signal based on the stored enable/disable data and a second signal to the peripheral enable/disable circuitry, the second signal indicating whether the first signal is valid;
Allowing operation of the peripheral device of a set of peripheral devices that is enabled and preventing operation of the peripheral device of a plurality of peripheral devices that is disabled based on the first signal received from the register if the second signal received from the register indicates that the first signal is valid; and
The security mechanism is implemented using a security stub, whereby access to the one-time programmable memory and modification of the stored information item is allowed if security criteria are met.
13. The method of claim 12, further comprising: at the secure stub:
receiving a security signal indicating whether said access to said one-time programmable memory and said modification of said stored information item are allowed; and
Based on the received security signal, the access to the one-time programmable memory via the at least one bus and the modification of the stored information item are allowed or prevented.
14. The method of claim 13, further comprising: implementing a secure firmware module at the core, the secure firmware module configured to:
providing the security signal to the security stub;
accessing the one-time programmable memory via the at least one bus or interconnect;
performing a modification of the stored information item; and
The security signal is managed such that the security stub allows the access to the one-time programmable memory and the modification of the stored information item.
CN202311772648.6A 2022-12-23 2023-12-21 SOC architecture with secure, selective peripheral enablement/disablement Pending CN118245428A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
IT102022000026793 2022-12-23
US18/541,747 US20240211643A1 (en) 2022-12-23 2023-12-15 Soc architecture with secure, selective peripheral enabling/disabling
US18/541,747 2023-12-15

Publications (1)

Publication Number Publication Date
CN118245428A true CN118245428A (en) 2024-06-25

Family

ID=91563690

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311772648.6A Pending CN118245428A (en) 2022-12-23 2023-12-21 SOC architecture with secure, selective peripheral enablement/disablement

Country Status (1)

Country Link
CN (1) CN118245428A (en)

Similar Documents

Publication Publication Date Title
EP3570167B1 (en) Processing system, related integrated circuit and method
US8332653B2 (en) Secure processing environment
US20060059372A1 (en) Integrated circuit chip for encryption and decryption having a secure mechanism for programming on-chip hardware
US20060059369A1 (en) Circuit chip for cryptographic processing having a secure interface to an external memory
US8108941B2 (en) Processor, memory, computer system, system LSI, and method of authentication
US20060059574A1 (en) System for securely configuring a field programmable gate array or other programmable hardware
US20030018892A1 (en) Computer with a modified north bridge, security engine and smart card having a secure boot capability and method for secure booting a computer
US20060059373A1 (en) Integrated circuit chip for encryption and decryption using instructions supplied through a secure interface
US20060059368A1 (en) System and method for processing by distinct entities securely configurable circuit chips
US9092322B2 (en) Processor system and control method thereof
CN112384922B (en) Encryption key distribution
JP3516162B2 (en) Semiconductor integrated circuit
US20230259629A1 (en) Secure programming of one-time-programmable (otp) memory
CN118245428A (en) SOC architecture with secure, selective peripheral enablement/disablement
EP4390733A1 (en) Soc architecture with secure, selective peripheral enabling/disabling
US20230010319A1 (en) Deriving independent symmetric encryption keys based upon a type of secure boot using a security processor
CN113642050B (en) Self-configuration encrypted hard disk, configuration method and system thereof, and starting method of system
CN113515414B (en) Data processing system and non-transitory machine readable medium
US11816252B2 (en) Managing control of a security processor in a supply chain
US20230015519A1 (en) Automatically evicting an owner of a security processor
CN112585038A (en) Control device for activating a function, motor vehicle having a control device, and method for operating a control device
US20230015334A1 (en) Deriving dependent symmetric encryption keys based upon a type of secure boot using a security processor
US11977639B2 (en) Indicating a type of secure boot to endpoint devices by a security processor
EP4187415A1 (en) Processing system, related device and method for protecting latches or flip-flops of a register
US8627406B2 (en) Device for protection of the data and executable codes of a computer system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination