CN1510540A - Safety mode indicator for intelligent telephone or individual digital assistant (PDA) - Google Patents


Info

Publication number
CN1510540A
Authority
CN
China
Prior art keywords
security
safe
safety
mode
safe mode
Prior art date
Legal status
Granted
Application number
CNA2003101239295A
Other languages
Chinese (zh)
Other versions
CN100363854C
Inventor
F·B·达汉
崂投特
B·考尼劳尔特
Current Assignee
Texas Instruments Inc
Original Assignee
Texas Instruments Inc
Priority date
Filing date
Publication date
Priority claimed from US10/322,893 (US8479022B2)
Application filed by Texas Instruments Inc
Publication of CN1510540A
Application granted
Publication of CN100363854C
Anticipated expiration
Expired - Lifetime (current legal status)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/86 Secure or tamper-resistant housings
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/448 Execution paradigms, e.g. implementations of programming paradigms
    • G06F9/4482 Procedural
    • G06F9/4484 Executing subprograms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M1/00 Substation equipment, e.g. for use by subscribers
    • H04M1/72 Mobile telephones; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selection
    • H04M1/724 User interfaces specially adapted for cordless or mobile telephones
    • H04M1/72403 User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2147 Locking files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149 Restricted operating environment


Abstract

A digital system is provided with a secure mode (a third level of privilege) built in a non-invasive way on a processor system that includes a processor core, instruction and data caches, a write buffer and a memory management unit. A secure execution mode is thus provided on a platform where the only trusted software is the code stored in ROM. In particular, the OS is not trusted, and no native application is trusted. The secure mode is entered through a unique entry point. The secure execution mode can be dynamically entered and exited with full hardware assessment of the entry/exit conditions. A secure mode indicator is provided to tell the user of the digital system that the device is in secure mode. This indicator may be a small LED, for example. The user should not enter any secret information (such as a password) or sign anything displayed on the screen if the secure mode indicator is not active.

Description

Secure mode indicator for a smart phone or PDA (personal digital assistant)
This application claims priority from the following applications: European patent application No. 02290115.1, filed January 16, 2002, entitled "Secure Mode For Processors Supporting MMU And Interrupts" (Attorney Docket No. 33762.1EU), and European patent application No. 02100727.3, filed June 30, 2002, entitled "Secure Mode For Processors Supporting MMU And Interrupts" (Attorney Docket No. 33762.2EU).
Technical field
The present invention relates generally to microprocessors and, more particularly, to improvements in the security mechanisms used to support secure software services.
Background of the invention
A microprocessor is a general-purpose processor that provides high instruction throughput for the software running on it and can have widely varying processing requirements depending on the software application involved. Many different types of processor are known, of which the microprocessor is only one example. For example, digital signal processors (DSPs) are widely used, particularly in specific applications such as mobile processing. DSPs are generally configured to optimize the performance of the relevant application and, to that end, employ more specialized execution units and instruction sets. Especially in applications such as mobile communications (but not exclusively), it is desirable to provide DSPs with ever-increasing performance while keeping power consumption as low as possible.
To further improve the performance of a digital system, two or more processors may be interconnected. For example, a DSP may be connected to a general-purpose processor in a digital system. The DSP performs the numerically intensive signal-processing algorithms while the general-purpose processor manages the overall control flow. The two processors share memory in order to communicate and transfer data. A direct memory access (DMA) controller is usually associated with a processor to offload the burden of transferring blocks of data from one memory or peripheral source to another, thereby improving processor performance.
An operating system (OS) is usually provided to manage the digital system by controlling resources and scheduling the execution of the various program modules or tasks. In a system with several processors, it can be convenient for each processor to have its own independent OS. Usually an OS assumes that it controls all system resources. Many OSs are not designed to share memory and resources with another OS. Therefore, when two or more OSs are combined in a single system, resource allocation problems arise. Conflicting use of memory or peripherals can have disastrous consequences for system operation.
Most processors are built on two levels of privilege: one for the OS and another for user tasks. A third privilege level has been proposed, but few current CPUs implement it.
A minority of operating systems are certified as secure for specific financial or safety-critical applications. Some general-purpose operating systems claim built-in security, but their vulnerabilities are well known.
Hardware mechanisms can be used to improve security. For example, United States Patent 4,590,552, entitled "Security Bit For Designating The Security Status Of Information Stored In A Nonvolatile Memory", discloses a mechanism for securing data storage by providing one or more permanently settable security bits that prevent off-chip resources from accessing on-chip memory, thereby protecting code or data stored in on-chip memory. However, misoperation of the operating system may defeat this type of security method.
On a smart device that enables security applications of the m-commerce (mobile commerce) or e-banking class, the user in particular enters security information, such as typing a password on the keyboard or signing a message presented on the screen. When doing so, the user has no choice but to trust the integrity of the device completely. Yet the user has no way of telling whether a hacker or virus has breached the security framework of the device.
Summary of the invention
Accordingly, it is necessary to improve system security. Generally, in a form of the present invention, a digital system has a secure mode (a third level of privilege) built in a non-invasive way on a processor system. A secure execution mode is thus provided on a platform where the only trusted software is the code stored in integrated on-chip ROM. A visible indicator is provided to the user of the digital system, and this indicator can be activated only by trusted program code running in the secure mode.
In one embodiment, the secure mode is entered through a unique entry point. The secure execution mode can be entered and exited dynamically, with full hardware assessment of the entry/exit conditions.
Brief description of the drawings
Specific embodiments of the invention are described below, by way of example only, with reference to the accompanying drawings. Throughout the drawings, like reference numerals denote like parts and, unless otherwise stated, the drawings relate to the digital system shown in Fig. 1; in which:
Fig. 1 is a block diagram of a digital system that includes an embodiment of the invention in a megacell having a plurality of processor cores;
Fig. 2 is a block diagram of the MPU block of the system of Fig. 1, illustrating distributed security that uses selected hardware blocks in combination with a protected software execution environment enforced by a security state machine (SSM);
Fig. 3 is a block diagram illustrating the contents of the ROM of Fig. 2 and the circuitry that partitions the ROM into a public part and a secure part;
Fig. 4 is a flow chart illustrating access to the secure operating mode on the system of Fig. 2;
Fig. 5 is a state diagram illustrating the operation of the security state machine in the system of Fig. 2; and
Fig. 6 illustrates a wireless personal digital assistant that includes an embodiment of the invention.
Unless otherwise indicated, corresponding numerals and symbols in the different figures and tables refer to corresponding parts.
Detailed description of embodiments
Sensitive information exchanged with the user, such as a password or a message displayed on the screen, must be handled while the processing device is operating in a secure mode. An apparatus and method for providing a secure mode are described in the related European patent application EP 02100727.3, filed June 30, 2002, entitled "Secure mode for processors supporting MMU and Interrupts". Sufficient description of the secure mode is included here for those skilled in the art to understand its operation.
In the secure mode, access to the physical user interface, such as the keyboard and display, is restricted to trusted drivers in order to guarantee the security of the application. In practice, locking access to the keyboard and display in the secure mode is not sufficient to guarantee a secure exchange with the user. The present inventors have found that a means is needed to indicate to the user that the OS has invoked the proper trusted keyboard or display driver, that is, a driver that is kept in the secure mode's own storage and executed only once the secure mode has been entered. Otherwise, if a virus or hacker succeeds in downloading a forged driver onto the smart device, the user has no way of knowing that he should not trust his device.
According to one aspect of the invention, a smart device that executes secure applications has, in addition to a display and a keypad, a secure mode indicator. This indicator tells the user whether the device is in the secure mode. For example, the indicator may be a small LED. If the secure mode indicator is completely inactive, the user should not enter any security information (a password) and should not sign any content displayed on the screen. If the user is prompted to enter his PIN code while the indicator is inactive, the user knows that his device has been compromised and cannot provide secure operation.
To implement this feature, a general-purpose input/output (GPIO) latch bit 154 that can be accessed only in the secure mode is provided in the digital system of Fig. 1. This secure GPIO latch is used to drive the secure indicator LED 155. The trusted keyboard and display drivers, which run in the secure mode from secure ROM/SRAM (read-only memory/static random access memory), are responsible for managing the secure GPIO latch.
The secure mode indicator must be independent of the keyboard and display, because non-secure application software can access those devices in the non-secure mode. In particular, a message displayed on the screen such as "enter your password now" is generally not trustworthy. Furthermore, because hacker code can access the screen, a symbol or message displayed on the screen, such as a lock symbol indicating secure operation, is also not trustworthy. The secure mode indicator reliably indicates that the device is operating in the secure mode, and the indicator can be driven only while the device is in the secure mode. The user should be told not to enter any security information, such as a password, and not to sign any content displayed on the screen, unless the secure mode indicator is active.
Fig. 1 is a block diagram of a digital system that includes an embodiment of the invention in a megacell 100 having a plurality of processors 102, 104. For clarity, Fig. 1 shows only those parts of megacell 100 that are relevant to understanding the embodiment of the invention. The general construction details of digital signal processors (DSPs) are well known and can readily be found elsewhere. For example, United States Patent 5,072,418, issued to Frederick Boutaud et al., describes a DSP in detail. United States Patent 5,329,471, issued to Gary Swoboda et al., describes in detail how to test and emulate a DSP. The parts of megacell 100 relevant to the embodiment of the invention are described below in sufficient detail to enable one of ordinary skill in the microprocessor field to make and use the invention.
Although the invention is particularly suited to digital systems implemented in, for example, application-specific integrated circuits (ASICs), it also finds application in other forms of system. An ASIC may comprise one or more megacells, each of which combines pre-designed functional circuits supplied with a design library with custom-designed functional circuits.
Megacell 100 provides a distributed security system that uses selected hardware blocks in combination with a protected software execution environment. This distributed security system is a scheme for solving the security problems of e-commerce and m-commerce in a mobile phone environment. The security problems include the following:
--- Confidentiality: ensuring that only the communicating parties can understand the content of the transmitted information;
--- Integrity: ensuring that the information is not altered during transmission;
--- Authentication: ensuring that the other communicating parties are who they claim to be;
--- Non-repudiation: ensuring that the sender cannot deny having sent a message;
--- User protection: pseudonymity and anonymity;
--- Protection against cloning.
Current operating systems (OSs) cannot be considered secure. Some operating systems claim to be secure, yet their complexity makes this difficult to achieve or to guarantee. For e-commerce and other secure transactions, a secure software layer is needed. It must be transparent to the existing operating system, and it must support the use of a memory management unit (MMU) and caches while also supporting real-time interrupts and operating-system support.
A purely software solution is clearly not robust enough; these problems can be solved only by a good combination of hardware and software architecture. The secure mode used in the present embodiment was developed to give the overall security scheme hardware robustness. This secure mode is based on the following assumptions:
--- the operating system (OS) is not trusted;
--- none of the native software running on the platform is trusted;
--- the only trusted software is the code stored in the secure program ROM/SRAM;
--- the caches may be enabled for performance reasons;
--- interrupts are enabled for real-time reasons;
--- the MMU is enabled for flexibility.
The above assumptions lead to the following consequences. First, the operating system's memory management is not trusted. That is, the operation of the memory management unit (MMU) and the translation tables defined by the operating system are not reliable. The secure mode must be able to withstand any misuse of the MMU, and must withstand the fact that the translation tables defined by the operating system may be compromised. Second, the interrupt vector table and the interrupt service routines defined by the operating system are not trusted. A specific interrupt management must be implemented in the secure mode so that the secure mode can withstand any misuse of interrupts, and can withstand the fact that the interrupt vector table and interrupt service routines (ISRs) may be compromised. Third, the integrity of basic OS operations such as context save, cache flush, TLB flush and write-buffer draining is not trusted, and the secure mode should not rely on them. Last but not least, all test, debug and emulation capabilities must be disabled in the secure mode.
In the present embodiment, a partitioned "secure mode" is created for processor 102 so that, when secure operations are being executed, it behaves as an independent "virtual secure processor". The secure mode can be regarded as a third privilege level of processor 102. Its activation depends on the presence of dedicated hardware that establishes an environment in which sensitive information is protected from access by untrusted software. The secure mode provides a dedicated security signal 152 that is asserted and propagated throughout the system, establishing a boundary between the resources that trusted software can access and the resources available to any software.
Activation of the secure mode also depends on proper control by the secure software. The secure software is stored in the secure program ROM/SRAM and executes from there. There must be no flow by which untrusted code can fool the hardware into entering the secure mode, or make trusted code perform a task it should not perform. If the boundary is properly established, there should be no way to move information from inside the boundary to the outside using normal processor operations, other than by a controlled operation from inside the boundary. Note that normal processor operations include executing "user code" with latent defects.
The secure software layer is trusted and is stored in secure memory. It is entered through a software sequence which, by passing through a single secure gateway, proves to the hardware security state machine (SSM) 150 that the secure mode has been reached and that secure code is indeed executing while the MMU is protected from modification. When the secure software executes in the secure mode, the interrupt vectors are redirected so that the security control software can trigger a correct exit from the secure mode where necessary. The redirection is performed transparently to the operating system and prevents any secure data from becoming visible after the transfer.
GPIO latch 154 is a memory-mapped latch which operates in the usual manner except that it can be accessed and activated only by secure software. Indicator 155 is coupled to GPIO 154 and illuminates in response to it. Indicator 155 is turned on by writing a logic value, such as logic 1, to latch 154, and turned off by writing the complementary logic value, such as logic 0, to latch 154. Core 103 can access latch 154 via peripheral bus signals 156. However, operation of GPIO latch 154 is restricted by security signal 152, which is controlled by SSM 150. Thus GPIO 154 can be written only when security signal 152 is in the active state indicating that processor 102 is executing a secure software routine. In the present embodiment, indicator 155 is a light-emitting diode (LED); however, in other embodiments, the indicator may be any type of indicator that can switch between two distinct states, on and off. For example, different types of lamp may be used, such as neon lamps, plasma lamps and the like. Various mechanical devices may be used, such as a rotating disc that displays a different colour to indicate the on/off state, or a moving indicator with a linkage that shows the on/off state, and so on. In other embodiments, the two states may be indicated by a change in texture, height, temperature or other surface property, so that a person with impaired vision or other physical disabilities can perceive either state. For example, a tactile indicator may be provided in conjunction with a braille display device. In another embodiment, the indicator may provide an audio indication; for example, a playback indicating that the secure mode state is on. However, because voice is non-secure audio, the source can be imitated, so some caution is required.
Referring again to Fig. 1, megacell 100 includes a microprocessor (MPU) 102 with a 32-bit core 103 and a digital signal processor (DSP) 104 with a DSP core 105, which share a block of memory 113 called the level 2 (L2) memory subsystem. Traffic control block 110 receives transfer requests from a host processor connected to host interface 120b, requests from control processor 102, and transfer requests from the memory access node in DSP 104. The traffic control block interleaves these requests and presents them to the shared memory and cache. Shared peripherals 116 are likewise accessed through the traffic control block. Direct memory access (DMA) controller 106 can transfer data between an external source, such as off-chip memory 132 or on-chip memory 134, and the shared memory. Various application-specific processors or hardware accelerators 108 are also included in the megacell, according to the requirements of different applications, and interact with the DSP and MPU through the traffic control block.
External to the megacell, a level 3 (L3) control block 130 is connected to receive memory requests from internal traffic control block 110 in response to explicit requests from the DSP and MPU. Off-chip memory 132 and/or on-chip memory 134 are connected to system traffic controller 130; these are referred to as the L3 memory subsystem. Frame buffer 136 and display device 138 are connected to the system traffic controller to receive data for displaying graphical images. Host processor 120a interacts with external resources through system traffic controller 130. A host interface connected to traffic controller 130 allows host 120a to access external memory and the other devices connected to traffic controller 130. Thus, in different embodiments, host processor 120 may be connected at level 3 or at level 2. One set of private peripherals 140 is connected to the DSP, and another set of private peripherals 142 is connected to the MPU.
Fig. 2 is a block diagram of MPU 102 in the system of Fig. 1, illustrating distributed security that uses selected hardware blocks in combination with a protected software execution environment enforced by security state machine 300. In another embodiment of a digital system, for example, processor 102 may exist as a single processor or may be coupled to one or more other processors for cooperative operation.
The secure mode is a "third privilege level" of processor 102. Given a suitably configured execution environment, the secure mode provides hardware means for restricting access to the secure resources of processor subsystem (CPU) 200. The secure mode is built around CPU 200, which comprises a processor core, data and instruction caches 204, 206, and MMU 210. The security features of the present embodiment are preferably non-invasive to CPU 200, so that in another embodiment a different processor may be substituted for this one.
The secure hardware falls into two categories: the logic that controls the security signal, and the hardware resources that are restricted by the secure mode. The former consists mainly of security state machine (SSM) 300. SSM 300 is responsible for monitoring the conditions for entering the secure mode, asserting and de-asserting security signal 302, and detecting secure mode violations. When a security violation is detected, the violation is indicated by asserting violation signal 304, which is connected to reset circuit 306 and causes a system reset. The security state machine monitors various signals 330 from the external interfaces of processor 200, in particular the addresses fetched by the processor on the instruction bus. The security state machine is tightly coupled to the low-level assembly code of the entry sequence. It reacts to the events that the entry sequence produces on the monitored signals.
The secure mode is entered when security signal 302 is asserted. When the security signal is asserted, it propagates throughout the system to unlock access to the secure resources. Only processor 200 can access the secure resources, and only in the secure mode. Because of design limitations, in the present embodiment DSP 104 and DMA 106 are not authorized to access the secure resources in the secure mode. The secure resources in the present embodiment comprise: secure ROM 310 (part of the overall ROM), secure SRAM 312, and various secure peripherals 316a, b. Access to GPIO latch 318 is likewise restricted by security signal 302, so that GPIO 318 can be written only when security signal 302 is in the active state indicating that CPU 200 is executing a secure software routine. Security state machine (SSM) 300 asserts security signal 302 under certain conditions. In the secure mode, CPU 200 can execute only code stored in secure ROM 310 or secure SRAM 312. Any attempt to run code stored outside these trusted locations generates a "security violation" by asserting signal 304, which causes reset circuit 306 to perform a global system reset.
The ROM is divided into two parts: a secure part of the ROM, protected by a security bit and accessible only in the secure mode; and a public part of the ROM, which is always accessible and contains the boot section. Public ROM 311 also contains various security routines that participate in the overall security scheme.
Secure data RAM 312 is where secure operational data is stored (the secure stack, secure global data, the secure heap). Secure program RAM 312 (optional) is specifically intended for executing non-resident secure code. Non-resident secure code is first downloaded from an external memory device into the secure program RAM and is then verified before execution.
A few byte addresses in the secure SRAM are implemented as registers 306, which are reset by the global reset signal. These registers overlay a small number of normal SRAM locations and can be used as ordinary SRAM addresses. The only difference is that these register/SRAM locations can be reset and default to a value of 1. It is therefore very useful in the secure mode to have a few variables that can be reset, have a known initial value, and can be modified only in the secure mode. For example, this feature can be used to detect the first entry into the secure mode; to set an appropriate exit-mode value (normal, exception, violation) on exit; to detect power-on; and so on. In other embodiments, these resettable values can be implemented by other means, such as by placing the registers in an address space that does not overlay the SRAM, by connecting the reset signal to selected memory cells in the SRAM, and so on.
There is not software mode can assert safety signal 302 or revise the behavior of state machine.SSM and active sequences close-coupled, active sequences will be described in more detail in conjunction with Fig. 5.The physical instruction address bus 330 of SSM monitoring from processor 200 and the various entry condition signal 321-327 that receive from various resources.The instruction interface signal 331 of from processor 200 and data-interface signal 333 are also monitored and are defined in the bus of carrying out which kind of type on instruction bus 330 and the data bus 332 respectively and handled.
Safe mode enters by being branched off into the particular address that is called as single entrance in the public ROM, and this address is severity code among the SSM (hard coded) address.The entrance is the start address of " active sequences ".Active sequences is a block code that is stored among the public ROM that is coupled with security state machine, and guarantees to satisfy some entry condition of safe mode.Other entry conditions are directly concluded by monitoring specific entry condition signal.
Active sequences generates defined sequence of events on by some signal of safe condition machine monitoring.These incidents are guaranteed to enter the desired condition of safe mode and are met.Security state machine is approved this pattern and is asserted safety signal.Under safe mode, security state machine continues a little signal of monitoring to detect the safe mode infringement and to guarantee to quit a program according to safe mode.As long as invade, SSM just discharges safety signal, and asserts and invade signal 304 safely.The typical infringement is the instruction of attempting to obtain outside the ROM/SRAM address realm.
The activation sequence is stored in the public ROM. It guarantees that the safe mode entry conditions are satisfied. The environment setup sequence is stored in the secure ROM. It sets up a suitable execution environment for safe mode, in which the cache, interrupts and the MMU can be enabled. The exit sequence is stored in the secure ROM. It enforces compliance with the safe mode exit procedure and provides a secure way of leaving safe mode, either by a BRANCH or under an interrupt. It also protects the "secret" contents of the secure ROM and RAM on exit.
Still referring to Fig. 2, security control register 319 is accessible as a memory-mapped register only under safe mode and is used to enable/disable test, debug and emulation features and the like, which could be used by a hacker to defeat security but are nevertheless essential for debugging the system hardware and software. For example, one of signals 321 represents the enabling/disabling of the embedded trace macrocell (ETM) 350 used for program development. Signal 322 enables/disables the operation of the JTAG interface on processor 200. Signal 323 enables/disables the operation of the debug interface (dbg I/F) on processor 200.
Security condition register 320 is accessible as a memory-mapped register under non-secure mode and can be used to set certain security conditions for safe mode by controlling the operating mode of the various resources a hacker could use to defeat security. The signals issued by the security condition register are also monitored by the state machine. For example, direct memory access (DMA) enable signal 324 is used to enable the DMA controller (not shown), which can access secure memory 312.
In the present embodiment a scan chain interface (Scan I/F) is provided for test, and it could provide a point of security violation. Yet processor 200 provides no way to disable the scan chain output. To avoid modification of the internal signals of processor 200, a scan gate 342 is provided externally; it masks the scan output of processor 200 for a number of clock cycles equal to the length of the longest scan chain of processor 200. This masking scheme is initialized (counter reset) on reset and each time the device switches from functional mode to test mode, when scanning is enabled under the external control of test equipment (not shown).
An external interrupt handler 360 is provided to receive a set of interrupt signals and multiplex them into two interrupt signals 362, 363 that are then received by processor 200. Interrupt handler 360 has a global mask bit 364 that can be set by software and allows software to globally disable all interrupt operations of the processor. Whenever the global mask bit is set and interrupt signals 362, 363 are inactive, the interrupt controller asserts mask signal 325. Once mask signal 325 is asserted, interrupt signals 362, 363 can no longer be asserted by the interrupt controller output until the global mask bit is cleared by software. SSM 300 monitors mask signal 325 to determine whether interrupts are enabled or masked.
Booting the system from external memory is a common way for computer hackers to defeat security. In the present embodiment, external boot is disabled. In addition, SSM 300 monitors boot signal 327, which is asserted when an external boot is attempted. During program development, however, allowing external boot is useful so that software can be debugged more conveniently. A fuse circuit 328 distinguishes development devices from production devices. Device type signal 326 is monitored by SSM 300, so a less strict safe mode can be provided on development devices: for development devices, SSM 300 ignores boot signal 327.
Fig. 3 is a block diagram illustrating the contents of the ROM of Fig. 2 and the circuitry that divides the ROM into a public part and a secure part. Public ROM 311 and secure ROM 310 are realized with a single ROM in the present embodiment. In another embodiment they can be separate without affecting the inventive features described herein. Address decode circuit 370a is the part of decode circuit 370 that decodes accesses to the ROM. Similar circuitry is provided for the SRAM and for the devices connected to the other instruction or data buses.
Whenever an address corresponding to ROM 310, 311 is asserted on instruction address bus 330a, address decode signal 406 or 407, corresponding respectively to a public ROM address or a secure ROM address, responds and enables drive circuit 400 to provide the requested instruction data on instruction bus 330b.
As mentioned above, if a secure resource is accessed when not in safe mode, dummy data is provided. Gate circuit 404 monitors safety signal 302 and secure ROM decode signal 407; if the secure ROM is accessed while the safety signal is not asserted, it makes drive circuit 400 deliver empty data.
Safe mode
Fig. 4 is a flow diagram illustrating access to the secure operating mode in the system of Fig. 2; it is described in more detail below. Steps 500, 502, 504 represent the normal execution on processor 200 of an application program running at the non-privileged level. From time to time a call 502 is made to the operating system (OS), which provides services at the privileged level, as shown in steps 510, 512, 514, 516. Once called, the OS saves state and switches to privileged mode in step 510, performs the privileged operation in step 514, restores state in step 516 and returns to the non-privileged application in step 504. These two operating levels are well known.
In step 512, a test is made to determine whether the requested service is for a secure operation; if so, the system will enter a third privilege level called safe mode. In step 520, the OS driver performs housekeeping tasks to put the system into a suitable state for entering safe mode. This includes masking interrupts, setting security condition register 320 to disable the various resources that could pose a security risk, and checking whether memory management unit 210 is enabled and whether the page table entry corresponding to the activation sequence is marked "not cacheable". This is explained in more detail later.
In step 522, and referring again to Fig. 3, a jump is made to entry point 410 of entry sequence 412 located in public ROM 311. The entry sequence is a block of code that is executed every time an application calls a "security service", before any other type of secure code runs on the platform. This sequence is also executed when returning from an exception that interrupted the execution of secure code. The entry sequence starts at a defined address in the ROM; this address is hard-coded and is called the "entry point". The entry sequence consists of two parts: safety signal activation sequence 413 and safe mode environment setup sequence 414.
The purpose of the activation sequence is to take over the execution flow of processor 200 and to guarantee that it cannot be preempted by any other untrusted code. At some point in this part of the entry sequence, safety signal 302 is asserted to enter safe mode, and access to the secure resources (ROM, SRAM, peripherals and so on) is unlocked.
The purpose of environment sequence 414 is to set up the environment for executing secure code. Advantageously, by setting up a secure context, the program and data caches and the handling of interrupts and exceptions can safely be enabled.
Safety signal activation sequence 413 is located in public ROM, and safe mode environment setup sequence 414 is located in secure ROM. The total code size of the entry sequence (part 1 + part 2) is required to be less than 1 kilobyte, so that it can be mapped into a single 1-kilobyte page, which is the smallest memory section in the MMU translation table of the present embodiment. In this way the virtual addresses of the entry sequence cannot be mapped across two sections, which could otherwise allow the processor to be preempted at some decision point during execution of the entry sequence. It is also very important that, while the entry sequence runs, the memory page of the entry sequence is not cacheable or the instruction cache is disabled.
Secure translation table (STT) 420 and secure interrupt vector table (SIVT) 430 are described later.
If the 1-kilobyte code size is considered too restrictive for a particular embodiment, the MMU can be disabled at the end of activation sequence 413 and re-enabled at the end of environment sequence 414. In that way the 1 KB restriction applies only to the activation sequence.
Referring again to Fig. 4, in step 524 SSM 300 checks the correctness of the activation sequence, which is described in more detail in conjunction with Fig. 5. If the activation sequence is not executed correctly, SSM 300 asserts the violation signal in step 540 and the system is reset. In step 526, a secure environment is established by executing environment setup sequence 414. This is described in more detail below.
Once the secure environment is established, the requested secure operation, as originally requested by the non-privileged application, begins to execute from secure code 416 in step 528. According to one aspect of the present invention, secure code 416 contains an instruction, executed in step 528.1 only while in safe mode, that writes GPIO latch 318 to turn on secure mode indicator 319. Then, in step 528.2, secure code 416 can ask the user to provide secure information, and in step 528.3 it turns the secure mode indicator off by writing the GPIO latch again. In step 528.4, additional secure processing is completed. It should be understood that this particular sequence is merely illustrative. For example, other secure processing may be performed before the secure mode indicator is turned on. As another example, the secure mode indicator may be turned on for a while, then off for a while, then on again. Countless other sequences may be executed according to the requirements of the application.
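The access gating described for Fig. 3 (dummy data from the secure ROM whenever signal 302 is not asserted, and a GPIO latch that only accepts writes while it is asserted) together with the indicator handling of steps 528.1-528.3 above, as an added software model that is not code from the patent. The memory map, the DUMMY value returned by the gated driver, the latch address and the `ask_user` callback standing in for secure input device 316a are all constructed assumptions:

```python
"""Model of the safety-signal gating of Figs. 2 and 3 and of the indicator
steps 528.1-528.3 of Fig. 4. Added illustration; every address and value
below is a constructed assumption, not taken from the patent."""
from typing import Callable, Dict, List

DUMMY = 0x0000_0000          # assumed value driver 400 delivers for a gated access

# Constructed memory map (assumption).
PUBLIC_ROM = range(0x0000, 0x4000)
SECURE_ROM = range(0x4000, 0x8000)
SECURE_SRAM = range(0x1_0000, 0x1_4000)
GPIO_LATCH = 0x2_0000        # memory-mapped indicator latch 318 (assumed address)
INDICATOR_BIT = 0x1


class Bus:
    """Address decoder 370 plus gate 404 and the safety-gated latch 318."""

    def __init__(self, secure_contents: Dict[int, int], public_contents: Dict[int, int]):
        self.safety_signal = False               # signal 302; only the SSM drives it
        self.public_rom = dict(public_contents)
        self.secure_rom = dict(secure_contents)
        self.secure_sram: Dict[int, int] = {}
        self.gpio_latch = 0
        self.indicator_trace: List[bool] = []   # each change of the indicator state

    def read(self, addr: int) -> int:
        if addr in PUBLIC_ROM:                   # decode 406: always readable
            return self.public_rom.get(addr, 0)
        if addr in SECURE_ROM:                   # decode 407, gated by 302
            return self.secure_rom.get(addr, 0) if self.safety_signal else DUMMY
        if addr in SECURE_SRAM:
            return self.secure_sram.get(addr, 0) if self.safety_signal else DUMMY
        if addr == GPIO_LATCH:
            return self.gpio_latch
        raise ValueError(f"unmapped read at {addr:#x}")

    def write(self, addr: int, value: int) -> bool:
        """Return True if the write took effect; gated writes are dropped."""
        if addr in SECURE_SRAM and self.safety_signal:
            self.secure_sram[addr] = value
            return True
        if addr == GPIO_LATCH and self.safety_signal:
            new = value & INDICATOR_BIT
            if new != self.gpio_latch:
                self.indicator_trace.append(bool(new))
            self.gpio_latch = new
            return True
        return False

    def indicator_on(self) -> bool:
        return bool(self.gpio_latch & INDICATOR_BIT)


def secure_service(bus: Bus, ask_user: Callable[[bool], int]) -> int:
    """Steps 528.1-528.3: light the indicator, collect the sensitive input
    while it is lit, then turn it off. ask_user receives the indicator state
    the user can see and returns the entered value (stand-in for device 316a)."""
    bus.write(GPIO_LATCH, INDICATOR_BIT)         # 528.1: indicator on
    secret = ask_user(bus.indicator_on())        # 528.2: user enters the secret
    bus.write(GPIO_LATCH, 0)                     # 528.3: indicator off
    bus.write(SECURE_SRAM.start, secret)         # 528.4: keep it in secure SRAM only
    return secret


def demo() -> Dict[str, object]:
    bus = Bus(secure_contents={SECURE_ROM.start: 0x1234_5678},
              public_contents={PUBLIC_ROM.start: 0xE1A0_0000})
    seen: Dict[str, bool] = {}

    def ask_user(indicator_lit: bool) -> int:
        seen["lit"] = indicator_lit
        return 0x2468                            # constructed PIN

    # Untrusted code in normal mode: cannot light the indicator or read secure ROM.
    normal_write_ok = bus.write(GPIO_LATCH, INDICATOR_BIT)
    normal_read = bus.read(SECURE_ROM.start)
    # The SSM asserts 302 after a correct activation sequence (a flag in this model).
    bus.safety_signal = True
    secret = secure_service(bus, ask_user)
    safe_read = bus.read(SECURE_ROM.start)
    bus.safety_signal = False                    # exit sequence releases 302
    return {
        "normal_write_ok": normal_write_ok,
        "normal_read": normal_read,
        "lit_while_asking": seen["lit"],
        "secret": secret,
        "safe_read": safe_read,
        "indicator_trace": list(bus.indicator_trace),
        "indicator_after": bus.indicator_on(),
        "sram_after_exit": bus.read(SECURE_SRAM.start),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes visible is that the indicator state is a function of the safety signal and nothing else: the normal-mode write is dropped rather than failing loudly, the secure ROM reads as the dummy value, and once 302 is released the secret left in secure SRAM is no longer readable either.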
After the secure operation is complete, in step 530 the normal way to exit safe mode is to jump to the "normal exit sequence" in exit sequence 418 of the secure ROM. The purpose of the normal exit sequence is to follow the safe mode exit procedure and to guarantee that the "secret" contents are protected on exit. The normal exit sequence can be located anywhere in the secure ROM; there is no hard-coded address check for it in the security state machine.
While in safe mode, SSM 300 continues to monitor signals 321-327 and 331, from which it can discover security violations. Whenever a safe mode violation occurs, the SSM detects it, releases the safety signal and generates a security violation, as shown by arc 542. A violation causes a global reset of the device and puts the SSM into a locked state that can only be left by a reset. The following violations are detected: violation 1 - an instruction fetch from an address outside the whole ROM and RAM address range; violation 2 - processor 200 is reset; violation 3 - test, emulation or debug features are enabled.
When an exception occurs, processor 200 jumps to the corresponding exception vector in the interrupt vector table (IVT), from which it is redirected to the specific interrupt routine. The IVT is generally managed by the OS and is not located in secure SRAM, so its contents are neither protected nor trustworthy. Moreover, from a security standpoint, letting the processor jump directly to the exception vector is unacceptable for two reasons: (1) it does not fit the overall security scheme, since a "jump" outside the secure memory address range is considered a security violation; (2) the caches and processor registers are full of "secret" contents that must be cleared before the security bit is released and untrusted code is executed. A secure IVT is provided to allow interrupts in safe mode.
Fig. 5 is a state diagram describing the operation of security state machine 300 in more detail. During execution of the activation sequence in ROM, the security state machine asserts the safety signal at some point in order to enter safe mode. The purpose of this part of the entry sequence is to generate a defined sequence of events on the signals observed by the security state machine. These events guarantee that the conditions required to set the safety signal are satisfied, and they are tracked by the SSM. The "condition" signals are monitored throughout the activation sequence. If any entry condition is not satisfied, or a condition fails before the activation sequence ends, the security state machine transitions to violation state 630 and asserts security violation signal 304. Two main goals lie behind the entry conditions monitored by the SSM: (1) processor 200 is fetching and, most importantly, executing the activation sequence code; (2) trusted code has completely taken over the execution flow of the CPU, and nothing can preempt it, before or after the safety signal is set, without being detected, except through controlled operations.
The activation sequence is built so as to generate a unique pattern on the instruction address bus. This pattern is made up of the relative (physical) address values of the activation sequence code over time, as these addresses appear on the bus; the construction of the pattern is nevertheless independent of the access latency of the memory system. The actual activation sequence bus pattern is obtained from simulation and hard-coded in the SSM, so the SSM matches the activation sequence bus pattern exactly. Generally, the final instruction of the activation sequence is a branch instruction, and apart from the cache clean instruction and the cache disable instruction, every other instruction in the activation sequence is a NOP.
After safe mode is entered and the safety signal asserted, the entry conditions need not remain valid, and the SSM does not continue to test them. The SSM does, however, constantly probe various signals to detect safe mode violations, as described below. The safe mode exit condition is tested only after secure memory has effectively been entered.
Referring again to Fig. 5, state 600 is the idle state, during which the SSM monitors address bus 330 looking for the entry point address of the entry sequence (ESA[EP]). Once the entry point address is detected, if all entry conditions are satisfied the SSM transitions to state 601; if not, it transitions to violation state 630, where violation signal 304 is asserted.
Each of states 601-615 must be traversed in turn by detecting the correct entry sequence addresses and the corresponding entry condition signals; otherwise the SSM transitions to violation state 630. If the sequence is traversed correctly, safe mode state 620 is entered and safety signal 302 is asserted.
For example, to transition from state 600 to state 601, the address of the entry point instruction must appear together with all correct condition signals. To transition to state 602, the next address to appear must be the address of the next sequential instruction; otherwise the SSM transitions to violation state 630. Similarly, each address of the activation sequence must appear in order to transition through states 602-615 and finally into safe mode state 620. A wrong address, a wrong address order or a change in the condition signals all cause a transition to violation state 630, as shown by arc 601a. Likewise, if the status signals indicate that any activation sequence access is cacheable, the activation sequence is aborted.
In safe mode state 620, after the address of the secure program (ESA[SR]) has effectively been detected, showing that secure memory has been entered, if the SSM detects a public ROM address it transitions back to idle state 600, as shown by arc 621. If the SSM detects an address outside the ROM or SRAM, or if an erroneous transition in the monitored signals indicates a security violation, the SSM transitions to violation state 630, as shown by arc 622.
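The state machine of Fig. 5 as just described (idle 600, the address-by-address walk through 601-615 with the entry condition signals held, safe mode 620, the exit arc 621 and the violation arcs 601a/622), as an added software model that is not the patent's circuit. The memory map, entry point address, sequence length, the names of the condition signals and the treatment of public ROM addresses seen between the final branch and the first secure-memory fetch (assumed to be pipeline prefetch and ignored) are all constructed assumptions:

```python
"""Software model of security state machine 300 as described for Fig. 5.
Added illustration, not the patent's circuit. The memory map, entry point,
sequence length and signal names are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

# Constructed memory map (assumption).
PUBLIC_ROM = range(0x0000_0000, 0x0000_4000)
SECURE_ROM = range(0x0000_4000, 0x0000_8000)
SECURE_SRAM = range(0x0001_0000, 0x0001_4000)
ENTRY_POINT = 0x0000_1000            # hard-coded single entry point (assumed value)
SEQ_LEN = 16                         # one address per state 601-615 plus the final branch
ACTIVATION_ADDRS = [ENTRY_POINT + 4 * i for i in range(SEQ_LEN)]

# Entry-condition signals (321-327, 380.1) and the value each must show.
REQUIRED = {"etm_disabled": True, "jtag_disabled": True, "debug_disabled": True,
            "dma_disabled": True, "interrupts_masked": True,
            "external_boot": False, "tampered": False}
DEBUG_KEYS = ("etm_disabled", "jtag_disabled", "debug_disabled")
IDLE, ACTIVATING, SAFE, VIOLATION = "idle 600", "activating 601-615", "safe 620", "violation 630"


@dataclass
class SSM:
    state: str = IDLE
    step: int = 0                    # index of the next expected activation address
    in_secure_mem: bool = False      # ESA[SR] seen after entering safe mode
    safety_signal: bool = False      # signal 302
    violation_signal: bool = False   # signal 304
    log: List[str] = field(default_factory=list)

    def _violate(self, why: str) -> None:
        self.state, self.safety_signal, self.violation_signal = VIOLATION, False, True
        self.log.append("violation: " + why)

    @staticmethod
    def _entry_ok(sig: Dict[str, bool], cacheable: bool) -> bool:
        return not cacheable and all(sig.get(k) == v for k, v in REQUIRED.items())

    def fetch(self, addr: int, sig: Dict[str, bool], cacheable: bool = False) -> None:
        """One instruction address on bus 330 together with the current signals."""
        if self.state == VIOLATION:
            return                                   # locked until global reset
        if self.state == IDLE:
            if addr == ENTRY_POINT:
                if self._entry_ok(sig, cacheable):
                    self.state, self.step = ACTIVATING, 1
                else:
                    self._violate("entry point reached with bad entry conditions")
            return
        if self.state == ACTIVATING:
            expected = ACTIVATION_ADDRS[self.step]
            if addr != expected:                     # arc 601a: wrong address or order
                self._violate(f"expected {expected:#x}, saw {addr:#x}")
            elif not self._entry_ok(sig, cacheable):
                self._violate("entry condition lost during activation")
            else:
                self.step += 1
                if self.step == SEQ_LEN:             # whole pattern matched: state 620
                    self.state, self.safety_signal = SAFE, True
            return
        # SAFE: entry conditions are no longer re-tested, but violations 1-3 are.
        if sig.get("cpu_reset") or sig.get("tampered") or any(sig.get(k) is False for k in DEBUG_KEYS):
            self._violate("reset, tamper or debug enable while in safe mode")
        elif addr in SECURE_ROM or addr in SECURE_SRAM:
            self.in_secure_mem = True
        elif addr in PUBLIC_ROM:
            if self.in_secure_mem:                   # arc 621: orderly exit
                self.state, self.step, self.in_secure_mem = IDLE, 0, False
                self.safety_signal = False
                self.log.append("exit to public ROM")
            # else: assumed pipeline prefetch right after the final branch; ignored
        else:                                        # arc 622: violation 1
            self._violate(f"fetch outside ROM/SRAM at {addr:#x}")


def run_trace(events: Sequence[Tuple]) -> SSM:
    """events: (addr, signals) or (addr, signals, cacheable) tuples."""
    ssm = SSM()
    for ev in events:
        ssm.fetch(*ev)
    return ssm


GOOD = dict(REQUIRED)
FULL_ACTIVATION = [(a, GOOD) for a in ACTIVATION_ADDRS]

def enter_safe_mode() -> SSM:
    return run_trace(FULL_ACTIVATION + [(SECURE_ROM.start, GOOD)])

def enter_and_exit() -> SSM:
    return run_trace(FULL_ACTIVATION + [(SECURE_ROM.start, GOOD), (PUBLIC_ROM.start, GOOD)])

def skipped_instruction() -> SSM:
    return run_trace([ev for i, ev in enumerate(FULL_ACTIVATION) if i != 5])

def cacheable_fetch() -> SSM:
    return run_trace(FULL_ACTIVATION[:3] + [(ACTIVATION_ADDRS[3], GOOD, True)])

def jtag_enabled_in_safe_mode() -> SSM:
    return run_trace(FULL_ACTIVATION + [(SECURE_ROM.start, {**GOOD, "jtag_disabled": False})])

def external_fetch_in_safe_mode() -> SSM:
    return run_trace(FULL_ACTIVATION + [(SECURE_ROM.start, GOOD), (0x8000_0000, GOOD)])
```

The six trace functions cover the paths the text names: a clean entry, the normal exit through public ROM, a skipped address (arc 601a), a cacheable activation fetch, a debug feature enabled inside safe mode (violation 3) and a fetch from outside ROM/SRAM (violation 1). Note that the model, like the description, never re-tests the full entry condition set once 620 is reached; only the violation conditions are watched there.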
During the activation sequence it is not necessary to disable the instruction cache; the non-cacheability of the instructions is sufficient to guarantee that the entry sequence is robust. Disabling the cache does, however, eliminate malicious hacker attempts based on the cache purge mechanism.
Safe mode environment setup sequence
Referring again to Fig. 4, in step 526 the secure context is established by executing environment setup sequence 414 from secure ROM. The purpose of this sequence is to set up a suitable environment for the execution of secure code. The secure context allows the program and data caches, real-time interrupts and potentially the MMU to be enabled. Some of these steps are specific to safe mode operation, and some should normally be carried out by the OS before the activation sequence is called. As discussed above, safe mode cannot rely on the underlying OS. The environment setup sequence therefore needs to perform some context switch operations, such as the cache clean and TLB flush that are fundamental to safe mode integrity.
System embodiment
Fig. 6 illustrates an exemplary realization of an integrated circuit according to the present invention in a mobile communication device such as mobile personal digital assistant (PDA) 10, which has display 14 and integrated input sensors 12a, 12b located around the periphery of display 14. Digital system 10 comprises megacell 100 of Fig. 1, which is connected to input sensors 12a, b through an adapter (not shown) as MPU-private peripheral 142. A stylus or a finger can be used to enter information into the PDA through input sensors 12a, b. Display 14 is connected to megacell 100 through a local frame buffer similar to frame buffer 136. Display 14 provides graphics and video output in overlaid windows, for example MPEG video window 14a, shared text window 14b and three-dimensional game window 14c.
A radio frequency (RF) circuit (not shown) is connected to antenna 18 and is driven by megacell 100 as DSP-private peripheral 140, thereby providing a wireless network link. Connector 20 is connected to a cable adapter/modem (not shown) and thereby to megacell 100, as DSP-private peripheral 140, providing a wired network link for use during stationary operation, such as in an office environment. Short-range link 23 also "attaches" to earpiece 22 and is driven by a low-power transmitter (not shown) connected to megacell 100 as DSP-private peripheral 140. Likewise, microphone 24 is connected to megacell 100, so that microphone 24 and wireless earpiece 22 can be used to exchange two-way audio information with other users over the wireless or wired network.
Megacell 100 provides encoding and decoding for all audio and video/graphics information transmitted and received over the wireless network link and/or the wired network link. Advantageously, megacell 100 also provides a secure operating mode. As described herein, safe mode indicator lamp 30 is controlled by a latch and is turned on only by code executed by megacell 100 while running in safe mode. Safe mode indicator lamp 30 thus gives the user of PDA 10 an indication that the application running on the PDA, to which sensitive data is about to be provided, is secure. In this way PDA 10 provides a solution to the security problems of electronic commerce (e-commerce) and mobile commerce (m-commerce) in a mobile phone environment.
Of course, it is anticipated that many other types of communication systems and computer systems can also benefit from the present invention. Examples of such other computer systems include portable computers, smart phones, web phones and the like. Since security is also a concern for desktop and line-powered computer systems and microprocessor applications, particularly from a reliability standpoint, it can likewise be expected that the present invention provides benefits for such line-powered systems.
The manufacturing process of digital system 100 comprises a number of steps in which various amounts of impurities are implanted into a semiconductor substrate and diffused to selected depths in the substrate to form transistor devices. Masks are formed to control the placement of the impurities. Multiple layers of conductive and insulating material are deposited and etched to interconnect the various devices. These steps are performed in a clean room environment.
A significant part of the cost of producing a data processing device relates to testing. While in wafer form, individual devices are biased into an operational state and probed to test basic operational functionality. The wafer is then separated into individual dies, which may be sold as bare dies or encapsulated. After encapsulation, the finished parts are biased into an operational state and tested for operational functionality.
As used herein, the terms "applied", "connected" and "connection" mean electrically connected, including where additional elements may be in the electrical connection path. "Associated" means a controlling relationship, such as a memory resource that is controlled by an associated port. The terms "assert", "assertion", "de-assert" and "de-assertion" are used to avoid confusion when dealing with a mixture of active-high and active-low signals. "Assert" is used to indicate that a signal is active or logically true; "de-assert" is used to indicate that a signal is inactive or logically false.
The digital system thus has a safe mode (a third privilege level) established in a non-invasive manner on a processor system comprising a processor core, instruction and data caches, a write buffer and a memory management unit. On a platform that provides a secure execution environment, the only trusted software is the code stored in ROM. In particular, if the OS is not trusted, then no native application is trusted. A secure mode indicator is provided to inform the user that the device is in safe mode.
Although the present invention has been described with reference to illustrative embodiments, this description is not to be construed in a limiting sense. Various other embodiments of the invention will be apparent to persons skilled in the art upon reference to this description. For example, all types of processors, such as RISC, CISC, wide-word, DSP and the like, can be improved by using the safe mode described here.
In another embodiment, the secure context may be enlarged to allow secure resources to be shared among several initiator resources, such as a DSP. In such an embodiment the security state machine monitors each initiator resource to enforce the security principles described above.
In various embodiments, different subsets of secure hardware can be provided, comprising various peripherals such as watchdog timers, encryption/decryption hardware accelerators, random number generators (RNG) and the like, and various I/O devices such as a keyboard, a liquid crystal display (LCD), a touch screen and the like.
Referring again to Fig. 1, in another embodiment a second SSM can be used in DSP 104, in a manner similar to that on processor 102, to generate a safety signal for a secure software layer executing on DSP 104. In this embodiment, a bus version of the safety signal can be included in traffic control bus 110, so that individual transactions initiated by processor 102 or DSP 104 can access secure resources, for example some shared peripheral 116, according to the safety signal generated by the respective SSM.
Referring again to Fig. 1, in another embodiment the safety signal may extend beyond megacell 100 so that level-3 resources can be activated in a secure fashion.
The activation sequence, environment setup sequence and exit sequence can vary according to the requirements of different embodiments. For example, different instruction pipeline lengths and different cache line lengths require different activation sequences. In another embodiment, the housekeeping tasks performed in step 520 can be included in the activation sequence.
In another embodiment, the means of entering safe mode can differ from the SSM described here. Once a secure operating mode has been obtained in any manner, a secure mode indicator accessible only under safe mode can be used to indicate to the user that the system is operating in safe mode.
In another embodiment, a means other than the GPIO latch is provided to activate the secure mode indicator. For example, a bit of security control register 319 can be used. Similarly, a bit of one of secure devices 316a or 316b can be used. The basic requirement is that the means is accessible only under safe mode.
In another embodiment, the secure mode indicator may respond directly to the safety signal, so that the indicator is active during the whole time the processor is in safe mode. In such an embodiment, however, the user may perceive the indicator as active too much of the time and therefore easily ignore it, so this is not the preferred embodiment.
Referring again to Fig. 2, secure device 316a can be an input device for accepting sensitive input from the user. In this way the input device is enabled to receive sensitive information only while the system is operating in safe mode. Fig. 2 is intended to show the secure device as being on-chip; this is not necessary in all embodiments. It can also be an off-chip device, for example a standalone fingerprint recognition device. Access to this external device can be restricted to safe mode. Generally, the data exchanged with the secure external device is encrypted, or else is data that need not be private. An external secure device is visible to the user when it operates; if the device cannot operate outside safe mode, it becomes even harder for a hacker to deceive the user.
Referring again to Fig. 2, tamper detection device 380 can optionally be provided. Output 380.1 of tamper detection device 380 provides an indication that the access cover of the package containing CPU 200 has been modified. Signal 380.1 is then monitored by SSM 300, so that if tampering is detected, safe mode cannot be entered. Similarly, if tampering occurs while in safe mode, SSM 300 detects it via signal 380.1, exits safe mode as discussed above and indicates a violation. The tamper detection device can also be an off-chip external device. Its output can be monitored by the SSM, or recorded in a secure GPIO; restricting access to the GPIO to safe mode means a hacker cannot clear it, so the secure software can see it the next time safe mode is entered.
It is therefore contemplated that the appended claims cover any such modifications of the embodiments that fall within the true scope and spirit of the invention.

Claims (10)

1. A method of operating a digital system, characterized in that it comprises the steps of:
providing a secure operating mode in which only trusted program code can be executed; and
providing a safe mode indicator observable by a user of the digital system, wherein during the secure operating mode the indicator can only be activated by trusted program code.
2. The method of claim 1, characterized in that it further comprises the steps of:
executing an application program;
entering the secure operating mode to execute a secure portion of the application program;
activating the safe mode indicator in response to executing the secure portion of the application program; and
while the indicator is activated, requesting that the user provide sensitive information to the secure portion of the application program.
3. The method of claim 2, characterized in that it further comprises the step of:
deactivating the safe mode indicator after the sensitive information has been received, while the secure portion of the application program continues to execute under safe mode.
4. The method of claim 2 or 3, characterized in that the step of activating the safe mode indicator comprises:
executing an instruction that writes a memory-mapped latch, wherein the memory-mapped latch can be written only when the instruction is executed under the secure operating mode.
5. The method of any preceding claim, characterized in that the step of providing a secure operating mode comprises the steps of:
jumping to an entry address at a particular location in instruction memory;
beginning to execute an activation sequence of instructions from the entry address; and
entering the secure operating mode only when the activation sequence of instructions has been completely executed by the central processing unit (CPU) in a predetermined order.
6. as the described method of above-mentioned arbitrary claim, it is characterized in that, also comprise the steps:
Provide tampering detection apparatus whether to be distorted to detect digital display circuit; And
Wherein, if tampering detection apparatus indicates digital display circuit and distorted, then forbid providing the step of security of operation pattern.
7. digital display circuit is characterized in that it comprises:
CPU (central processing unit) (CPU) is used for execution command;
Common storage is connected to the instruction bus of CPU, is used to keep non-safety command, and common storage can be visited by CPU all the time;
Safe storage is connected to the cpu instruction bus, is used to keep safety command, and this safe storage only can be accessed when asserting safety signal;
Safety circuit has when setting up security operating mode and asserts the output of safety signal; And
The secure mode indicator of response safety signal, the user of digital display circuit can be observed this secure mode indicator, and wherein safety indicator only can be placed under the activity pattern by carrying out an instruction when asserting safety signal.
8. digital display circuit as claimed in claim 7 is characterized in that, described secure mode indicator comprises:
The memory map latch, connection receives the data bit signal from CPU with the response write command, the operation of memory map latch is controlled by safety signal so that only when asserting safety signal latch can be written into, the memory map latch has the output signal of indicating lock storage state; And
The safe mode indicating device, be connected to the output signal of memory map latch, the state of safe mode indicating device response latch, wherein the safe mode indicating device is a lamp, or can indicate out the mechanical hook-up of state and off status, or can indicate out the audio devices of state and off status.
9. as claim 7 or 8 described digital display circuits, it is characterized in that, also comprise:
Be used for the device whether tamper detection is distorted with the designation number system, wherein safety circuit monitoring is used for the device of tamper detection, and the device of response tamper detection and be used for stoping and set up security operating mode.
10. be wireless device as each the described digital display circuit among the claim 7-9, it is characterized in that, also comprise:
Integrated keyboard is connected to CPU by keyboard adapter unit;
Display is connected to CPU by display adapter;
Be connected to radio frequency (RF) circuit of CPU; And
Be connected to the antenna of RF circuit; And
Wherein secure mode indicator comprises that is installed in a near light emitting diode (LED) of as seen locating the display.
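As an added illustration, not the patent's own code or hardware description, the following C model simulates the mechanism that claims 4 to 9 describe: a memory-mapped latch whose write is dropped unless the security signal is asserted, secure mode entered only through the complete, in-order activation sequence, and tamper detection that blocks entry. ENTRY_ADDR, SEQ_LEN, the SecSystem type and the scenario functions are constructed for the model.

```c
#include <stdbool.h>
#include <stdint.h>

#define ENTRY_ADDR 0x1000u /* constructed: entry address of the activation sequence */
#define SEQ_LEN    4u      /* constructed: instructions in the activation sequence */

typedef struct {
    bool tampered, secure, latch; /* tamper-detect output (claims 6, 9); security signal (claim 7); latch driving the LED (claim 8) */
    uint32_t seq_pos;             /* next expected instruction of the activation sequence */
} SecSystem;

/* Run one activation-sequence instruction at addr. The security signal is asserted only
 * after all SEQ_LEN instructions ran in order from ENTRY_ADDR (claim 5), never when tampered (claim 6). */
bool secure_step(SecSystem *s, uint32_t addr) {
    if (s->tampered || addr != ENTRY_ADDR + s->seq_pos) { /* out of order: restart */
        s->seq_pos = 0;
        return false;
    }
    if (++s->seq_pos == SEQ_LEN) s->secure = true;
    return s->secure;
}

/* A latch write is dropped unless the security signal is asserted (claims 4, 8),
 * so non-secure code can never light the LED. */
bool write_latch(SecSystem *s, bool bit) {
    if (!s->secure) return false;
    s->latch = bit;
    return true;
}

/* Leaving secure mode deasserts the signal; the latch keeps its value (model
 * assumption), so the secure application clears the LED first (claim 3). */
void exit_secure(SecSystem *s) { s->secure = false; s->seq_pos = 0; }

/* Non-secure code cannot light the LED; a jump into the middle of the sequence
 * fails; only the full ordered sequence succeeds; the LED is off again on exit. */
bool entry_sequence_gates_indicator(void) {
    SecSystem s = {0};
    if (write_latch(&s, true) || s.latch) return false;
    if (secure_step(&s, ENTRY_ADDR + 2) || s.secure) return false;
    for (uint32_t i = 0; i < SEQ_LEN; i++) secure_step(&s, ENTRY_ADDR + i);
    if (!s.secure || !write_latch(&s, true) || !s.latch) return false;
    write_latch(&s, false);
    exit_secure(&s);
    return !s.secure && !s.latch;
}

/* With tampering flagged, the sequence never yields secure mode (claims 6, 9). */
bool tamper_blocks_secure_mode(void) {
    SecSystem s = { .tampered = true };
    for (uint32_t i = 0; i < SEQ_LEN; i++) secure_step(&s, ENTRY_ADDR + i);
    return !s.secure && !write_latch(&s, true);
}
```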
CNB2003101239295A 2002-12-18 2003-12-18 Safety mode indicator for intelligent telephone or individual digital assistant (PDA) Expired - Lifetime CN100363854C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/322,893 US8479022B2 (en) 2002-01-16 2002-12-18 Secure mode indicator for smart phone or PDA
US10/322,893 2002-12-18

Publications (2)

Publication Number Publication Date
CN1510540A true CN1510540A (en) 2004-07-07
CN100363854C CN100363854C (en) 2008-01-23

Family

ID=34272233

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2003101239295A Expired - Lifetime CN100363854C (en) 2002-12-18 2003-12-18 Safety mode indicator for intelligent telephone or individual digital assistant (PDA)

Country Status (3)

Country Link
KR (1) KR20040054493A (en)
CN (1) CN100363854C (en)
TW (1) TWI313433B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100420323C (en) * 2005-03-11 2008-09-17 佛山市顺德区顺达电脑厂有限公司 Method for protecting private file in intelligent mobile phone
CN101939750A (en) * 2008-02-08 2011-01-05 微软公司 User indicator signifying a secure mode
CN101523401B (en) * 2006-07-28 2013-03-06 惠普开发有限公司 Secure use of user secrets on a computing platform
CN104463028A (en) * 2013-09-25 2015-03-25 ***股份有限公司 Safety mode prompting method and movable device for implementing method
CN107608700A (en) * 2017-10-16 2018-01-19 浪潮(北京)电子信息产业有限公司 Update method, device and medium for FPGA firmware

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9805196B2 (en) * 2009-02-27 2017-10-31 Microsoft Technology Licensing, Llc Trusted entity based anti-cheating mechanism
WO2013180729A1 (en) * 2012-05-31 2013-12-05 Intel Corporation Rendering multiple remote graphics applications
US9705964B2 (en) 2012-05-31 2017-07-11 Intel Corporation Rendering multiple remote graphics applications

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5388156A (en) * 1992-02-26 1995-02-07 International Business Machines Corp. Personal computer system with security features and method
US5596718A (en) * 1992-07-10 1997-01-21 Secure Computing Corporation Secure computer network using trusted path subsystem which encrypts/decrypts and communicates with user through local workstation user I/O devices without utilizing workstation processor
US6938163B1 (en) * 1999-06-17 2005-08-30 Telefonaktiebolaget Lm Ericsson (Publ) Technique for securely storing data within a memory

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100420323C (en) * 2005-03-11 2008-09-17 佛山市顺德区顺达电脑厂有限公司 Method for protecting private file in intelligent mobile phone
CN101523401B (en) * 2006-07-28 2013-03-06 惠普开发有限公司 Secure use of user secrets on a computing platform
CN101939750A (en) * 2008-02-08 2011-01-05 微软公司 User indicator signifying a secure mode
CN104463028A (en) * 2013-09-25 2015-03-25 ***股份有限公司 Safety mode prompting method and movable device for implementing method
CN104463028B (en) * 2013-09-25 2018-06-22 ***股份有限公司 Safe mode prompting method and mobile device for implementing the method
CN107608700A (en) * 2017-10-16 2018-01-19 浪潮(北京)电子信息产业有限公司 Update method, device and medium for FPGA firmware

Also Published As

Publication number Publication date
CN100363854C (en) 2008-01-23
TW200424930A (en) 2004-11-16
TWI313433B (en) 2009-08-11
KR20040054493A (en) 2004-06-25

Similar Documents

Publication Publication Date Title
US8479022B2 (en) Secure mode indicator for smart phone or PDA
US7120771B2 (en) Secure mode for processors supporting MMU
US10102400B2 (en) Method and system for preventing unauthorized processor mode switches
CN100350394C (en) Method and apparatus for secure execution using a secure memory partition
CN1287248C (en) Authenticated code method and apparatus
JP5580857B2 (en) System and method for identifying and preventing security breaches in computer systems
Cho et al. Prime+ count: Novel cross-world covert channels on arm trustzone
US7958320B2 (en) Protected cache architecture and secure programming paradigm to protect applications
US20070067826A1 (en) Method and system for preventing unsecure memory accesses
US20070226795A1 (en) Virtual cores and hardware-supported hypervisor integrated circuits, systems, methods and processes of manufacture
US20110225651A1 (en) Trojan-Resistant Bus Architecture and Methods
US10810305B2 (en) Securing untrusted code using memory protection key and control flow integrity
GB2487645A (en) Operating a JIT compiler in a randomly allocated memory for secure execution of unsigned code
Meng et al. Security-first architecture: deploying physically isolated active security processors for safeguarding the future of computing
Cheng et al. CATTmew: Defeating software-only physical kernel isolation
CN100363854C (en) Safety mode indicator for intelligent telephone or individual digital assistant (PDA)
JP5069406B2 (en) System and method for identifying and preventing security breaches in computer systems
US20240160580A1 (en) Virtual extension to global address space and system security
De An Exploration into the Security Viability of RISC-V Systems and Supply Chain
Chi et al. Lightweight Hardware-Based Memory Protection Mechanism on IoT Processors
Henson Attack mitigation through memory encryption
Platte A security architecture for microprocessors
WO2008045824A2 (en) Monitor mode integrity verification

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term
CX01 Expiry of patent term

Granted publication date: 20080123