200811658 九、發明說明: 【發明所屬之技術領域】 本發明一般而言係關於提供數位内容保護之技術。更特 疋a之’本發明係關於用於從一中央處理單元(CPU)卸載 數位内容保護方面之技術。 【先前技術】 在許多消費產品中的一問題係必須沿可能分接的信號路 徑傳輸數位内容。由此,數位内容提供者擔心駭客未經授 權地複製數位内容。例如,一家庭娛樂系統可能包括一個 人電腦(PC)、圖形子系統、高清晰度電視、數控器、數位 錄衫機及播放器、及數位多功能碟片⑴VD)播放器。因 此,存在駭客使用(例如)一或多個信號匯流排之輸出來搁 截未加密數位内容(時常稱為”明文”内容)之風險。 數位内谷保濩保護音頻及視訊内容不受未經授權複製之 重要性與日俱增。此外,數位内容保護包括用於加密將要 通過可分接之信號匯流排傳輸之内容的協定。在1998年五 家公司(5 C)開發出一數位傳輸内容保護(DTCp)方案並係說 明於1998年7月由日立公司、英特爾公司、松下電器公 司索尼A司及東芝公司所$版的白皮書,,5C數位傳輸内 合保5蒦中’其内容以引用方式併入本文。DTcp方法之額 外細節係說明於在月由日立公司、英特爾公司、 松下電器公司、索尼公司及東芝公司所出版的,,數位傳輸 内容保護規格書”版本以中,其内容以引用方式併入本 文。該DTCP方法可配合一 φ1 τ〜“ 一 117241.doc 200811658 (IEEE) 1394多媒體匯流排使用並包括使一來源器件與一下 沉器件(可接收一内容流之一器件)建立安全内容傳輸之一 協定。該DTCP包括一認證及密鑰交換(AKE)協定、内容加 密及使用一加密模式指示器(EMI)之複製控制資訊(CCI)。 數位内容保護方案(例如DTCP)之一缺點在於儘管在器件 間的系統匯流排上加密内容,但明文資料在一或多個内部 資料匯流排處易受竊取。例如,考量在一以PC為主的多媒 體系統内的DVD播放。DVD内容係採用一加密形式由一中 央處理單元(CPU)從一 DVD播放器接收。CPU解密其所接 收之數位内容。然後CPU重新加密DVD資料,之後將該資 料寫入一顯示器件。然而,CPU所執行之解密及重新加密 一般必需將明文資料寫入一記憶體系統,其中在一記憶體 匯流排處内容易受竊取。 數位内容保護方案之另一缺點在於其在執行高清晰度視 訊之加密及解密之CPU上強加一明顯負擔。例如,高級加 密標準(AES)強加大約16個循環/位元組(B)的加密代價。壓 縮格式的高清晰度電視(HDTV)對應於大約50 MB/s加密帶 寬,因此各高清晰度壓縮的HDTV内容流對應於可用CPU 時脈循環之800 MHz。在操作數千兆赫之時脈速率之一 CPU上此係一明顯負擔。而且,在某些多媒體系統中,需 要能夠同時處理數個視訊流,使得在最壞情形下在一 CPU 上的總加密/解密負擔可消耗大多數CPU時脈循環。 因此需要一種用於提供數位内容保護之裝置、系統及方 法0 117241.doc 200811658 【發明内容】 之橋接器。在該=器二央!理單元至-系統内系統組件 *央處理單元卸載給:橋::防!服:從 ^引擎在該橋接器之不安全介面處將受保^料加密= 【實施方式】 體貫施例之一數位内容系 圖1係依據本發明之一200811658 IX. INSTRUCTIONS: TECHNICAL FIELD OF THE INVENTION The present invention relates generally to techniques for providing digital content protection. More particularly, the present invention relates to techniques for offloading digital content protection from a central processing unit (CPU). [Prior Art] One problem in many consumer products is that digital content must be transmitted along signal paths that may be tapped. As a result, digital content providers are concerned that hackers are not authorized to copy digital content. For example, a home entertainment system may include a personal computer (PC), a graphics subsystem, a high definition television, a numerical control, a digital video recorder and player, and a digital versatile disc (1) VD player. Therefore, there is a risk that a hacker will use, for example, one or more signal bus outputs to intercept unencrypted digital content (often referred to as "clear text" content). The importance of Digital Valley Protection to protect audio and video content from unauthorized copying is increasing. In addition, digital content protection includes protocols for encrypting content to be transmitted over a detachable signal bus. In 1998, five companies (5 C) developed a digital transmission content protection (DTCp) solution and explained the white papers published by Hitachi, Intel, Matsushita Electric Co., Ltd. Sony A and Toshiba in July 1998. , 5C digital transmission within 5 ' ', its contents are incorporated herein by reference. Additional details of the DTcp method are described in the "Digital Transmission Content Protection Specification" version published by Hitachi, Intel Corporation, Matsushita Electric Co., Sony Corporation, and Toshiba Corporation in the month, the contents of which are incorporated herein by reference. The DTCP method can be used with a φ1 τ~"a 117241.doc 200811658 (IEEE) 1394 multimedia bus and includes one of the source devices and a sink device (a device that can receive a content stream) to establish a secure content transmission agreement. The DTCP includes an authentication and key exchange (AKE) protocol, content encryption, and copy control information (CCI) using an encryption mode indicator (EMI). One disadvantage of digital content protection schemes (e. g., DTCP) is that although the encrypted content is encrypted on the system bus between devices, the plaintext data is susceptible to being stolen at one or more internal data busses. For example, consider DVD playback in a PC-based multimedia system. The DVD content is received from a DVD player by a central processing unit (CPU) in an encrypted form. The CPU decrypts the digital content it receives. The CPU then re-encrypts the DVD material and then writes the data to a display device. However, the decryption and re-encryption performed by the CPU generally requires that the plaintext material be written to a memory system where it is susceptible to being stolen in a memory bus. Another disadvantage of the digital content protection scheme is that it imposes a significant burden on the CPU that performs the encryption and decryption of high definition video. For example, the Advanced Encryption Standard (AES) imposes an encryption cost of approximately 16 cycles/bytes (B). The compressed format high definition television (HDTV) corresponds to an encryption bandwidth of approximately 50 MB/s, so each high definition compressed HDTV content stream corresponds to 800 MHz of the available CPU clock cycle. This is an obvious burden on the CPU when operating a multi-gigahertz clock rate. Moreover, in some multimedia systems, it is desirable to be able to process several video streams simultaneously, so that in the worst case the total encryption/decryption burden on a CPU can consume most CPU clock cycles. There is therefore a need for a device, system and method for providing digital content protection. A bridge is provided. In the = device two central unit to - system system components * central processing unit unloaded to: bridge:: defense! Service: The engine is encrypted at the insecure interface of the bridge = [Embodiment] One of the contents of the physical scheme is shown in Fig. 1
…、 认以η谷示、乳1 U 之一方塊圖。數位内玄 糸、、先1 0〇包括一橋接器11 0,其具3 一防護引擎112。依據本發明一 只乃心具體貫施例,安全服泰 (例如為CPU 120下游之?,丨、一。。从 — 至夕一态件加密資料)係使用防慧 引擎112從CPU 120卸載給橋接器11()。 一組晶片或在上面形 橋接器110可實施為一單一晶片 成CPU 120的相同晶片之一部分。如下面更詳細所述,橋 接器110可包括任何橋接器’例如用作橋接一中央處理單 元(cpumo至其他器件之—晶片組之—部分,例如一北橋 晶片、一南橋晶片或北橋及南橋晶片之一組合。 防護引擎112執行橋接器110内的密碼服務。範例性密碼 服務包括加密、解密及轉碼(即在不同加密袼式之間的轉 換)。或專抵碼服務可應用於(例如)需要受保護之資料種 類。在某些應用中,穿過橋接器110之所有資料均需要密 碼服務。然而,更一般而言,僅需要受保護之資料(例如 需要數位内容保護之資料)可能需要密碼服務。防護引擎 112所提供之密碼服務可用於沿易受入侵之數位内容系統 117241.doc 200811658 ⑽之部分來保護資料(例如諸如視訊内容之數位内容)。 該等密碼服務可提供於資料存取操作期間,例如資料寫 入操作。加密/解密密鑰114係儲存於防護引擎ιΐ2内以支 援該等密碼服務。儘管可儲存一單一加密及/或解密密 錄’但更-般而言可儲存額外密输來支援多個加密、解穷 或轉碼類型。在-具體實施例中,—上下文指標ιΐ6 “ 一上下文資料來源,例如在記憶體130内的上下文資料 118。上下文資料118包括資料結構以允許—上下文切換為 特定來源/目的地位址選擇—指定密碼服務(例如加密、解 密或轉碼)供防護引擎m執行。各上下文還可指示一指定 加密/解密密鍮。 在-具體實施例中,防護引擎112支援壓縮或未遂縮資 料的標準加密及解密技術(例如高級加密標準(aes)、三重 資料加密標準(3DES)或公開/私人密鑰遠端伺服器^理 (RSM))。然而,防護引擎112還可配置成用以支援其他加 被協定。範例性轉碼應用包括從一加密標準格式轉換至另 一加密標準格式或在二不同加密密鑰之間轉換,例如在具 有一第一密鑰之AES與具有一第二密鑰之AES之間執行二 轉換。防護引擎112較佳的係至少部分地使用專用防篡改 加密硬體實施,比較僅採用軟體之操作加密/解密演算 法,該硬體在改良安全性方面提供多個好處。此外,使S 專用硬體實施防護引擎丨12還允許改良效能及功率消耗。 橋接器110耦合一 CPU 120、記憶體13〇及其他器件,例 如一圖形處理單元(GPU)14〇(顯示耦合至一顯示器15〇)。 117241.doc 200811658 橋接為110係藉由具有一匯流排介面121之一匯流排(例 如一别測匯流排(FSB))而耦合至CPU 12〇。耦合一 CPU至 一橋接器之一匯流排介面121一般係一專用高速介面,其 由於使入侵匯流排122較難的焊接連接、嵌入式電路路徑 及同速貧料速率而固有地安全。因而,在下列論述過程 中,應明白可橫跨匯流排介面121從CPU 120將明文資料安 全地傳輸至橋接器110,因為駭客從在一裝配單元内的匯 流排介面121攔截資料極為困難。 在系統100内,在橋接器110與其他組件(例如組件13〇與 140)之間存在具有不安全連結之數個路徑。例如,當一駭 客潛在地可存取一橋接器介面124或126與相關聯匯流排 135或⑷時,一連結係不安全。例#,一記憶體匯流排 135或至GPU 140之一匯流排145可能不安全,因為匯流排 135或145係不安全地焊接及/或具有一低得足以使侵入匯 流排1 3 5或145可行之資料速率。 輸入路徑包括從其他器件將輸入資料寫入橋接器U〇, 例如k CPU 120直接寫入橋接器J 1〇。輸出路徑包括使用點 對點技術從橋接器110直接將輸出資料寫入其他器件,例 士寫入GPU 140或寫入記憶體13〇。此外’直接記憶體存取 路徑包括直接寫入記憶體13〇 ’例如cpu】1〇寫入記憶體 130之一直接記憶體存取。橋接器11〇可利用任何能夠從一 器件將資料寫入另-器件並能夠進行直接記憶體存取之介 面。在-具體實施例中’橋接器11〇係調適以利用一周邊 組件介面快送(PCI-E)作為至少—其他器件(例如卿14〇) 117241.doc -10- 200811658 之一高速介面。PCI-Ε係在周邊組件介面-特殊利益組織 (PCI-SIG)所出版之”PCIe基礎規格書,,中所說明之一高速^ 面標準,其内容以引用方式併入本文。然而,更一般而1 還可使用其他產業標準介面(例如周邊組件介面(pci))替代 PCI-E耦合CPU 120至橋接器11〇。 在一具體實施例中,防護引擎112係一PCI器件,其可 (例如)實施於PCI匯流排〇上以允許在母板製造時認證並鑒 定防護引擎112。在PCI架構中,存在不同的匯流排序號, 其對應於一主匯流排序號、次匯流排序號及從屬匯流排序 號。PCI匯流排〇定義主機橋接器所連接之匯流排,其中主 機橋接器將CPU連接至PCI系統。可能使用一權限寫入來 將加密/解密密錄載入防護引擎1 1 2内。 圖1說明用於在CPU 120内運行一視訊播放器(Vp)應用程 式1 90及一圖形驅動器! 85之一範例性應用程式丨85。從一 數位内容來源160(例如DVD播放器)接收加密的數位内容 (出於說明目的,數位内容來源播放器16〇係顯示直接附著 至CPU 120,儘管更精確而言其將連接至一輸入器件埠卜 依據一數位内容保護協定,CPU 12〇包括加密/解密軟體 195並從數位内容來源16〇讀取加密數位内容並使用加密/ 解密軟體195來執行加密内容的任何初始解密。vp應用程 式190執行用於管理播放及/或儲存一或多個視訊流之操 作。 GPU 140從CPU 120接收命令用於產生視訊圖框並一般 還從記憶體130接收視訊資料。Gpu 14〇之一方面在於可將 11724I.doc 200811658 視訊處理操作卸載給GPU 140以減小CPU利用率。然而, GPU 140之另一方面在於其可產生改良顯示屬性之視訊圖 框。例如,視訊内容可採用一原始格式來產生,該格式對 於在一個人電腦或一高清晰度電視機上的顯示並非最佳。 作為一說明性範例,加利福尼亞州聖塔克拉拉市Nvidia公 司所銷售之Nvidia純視訊解碼器配合GeF〇rce 6及7系列 GPU工作。GeForce6&7系列Gpu包括一可程式化視訊處 理器、一 MPEG-2解碼引擎及一運動估算引擎。NWdia純 視訊解碼器利用硬體加速執行濾波、比例縮放、格式轉換 及其他操作來加速視訊播放。此外,可利用各種操作來減 小視覺假影而改良視訊内容在桌上型個人電腦、筆記型個 人電腦(pc)及高清晰度電視機(HDTV)上的顯示,包括次 像素計算以減小混淆效應。因而應理解,在下列論述過程 中,在一具體實施例中,GPU 140支援一或多個特徵來改 良視訊播放並減小CPU利用率,例如可程式化視訊處理。 MPEG-2解碼、解交錯、反向電視電影處理、濾波、比例 縮放、格式轉換及運動估算。 CPU 120可基於任何適當的微處理器。作為一範例, PU 1 20可以係一支援虛擬機實施方案之微處理器。一虛 擬機實施方案允許邏輯上將一微處理器cpu分成專用於執 行不同功能之分離分區。例如,在數位内容應用中,此點 允許为區專用服務於數位内容。作為一說明性範例,在 一$擬機内的一分區可專用於視訊播放器軟體。在一虛擬 枚男知方案中’視訊播放器分區與所有其他分區隔離,因 117241 .doc -12- 200811658 此沒有任何其他軟體可讀取或修改視訊播放器的資料。虛 擬機支援提供針對軟體攻擊之改良安全性,而防護引擎 Π2提供針對硬體攻擊之改良安全性。作為設計以作為一 虛擬機操作之-CPU之一範例,英特爾已開發出一M位元 奔騰微處理器,其整合安全特徵設計以支援華盛頓州 Redmond市微軟公司代號”L〇ngh〇rn,,版本的⑧作業 系統。 依據傳統内容保護方案,需要加密在匯流排145上發送 至GPU 140的一命令流,然後使用一Gpu解密引擎“?在 GPU 14〇内解密。傳統上,cpu 12〇還需執行重新加密發 达至橋接器11〇之數位内容之功能,因此加密在匯流排 上的輸出。然而,依據本發明,橋接器11〇執行任何必須 的資料重新加密。因而,從CPU 12〇卸載該重新加密功 能,從而改良cpu效能。而且,防護引擎112可包括專用 硬體,比較在CPU 195内的一以軟體為主加密/解密,盆減 小加密/解密所需之功率消耗。此外,在—具體實施例 中,橋接器110加密橫跨記憶體匯流排135傳輸用於儲存於 吕己憶體13 0之資料,從而改良安全性。 圖2顯示防護引擎112之一範例性實施方案。在一呈體實 施例中,防護引擎112包括一暫存器空間21〇、微控制器 2二及唯讀記憶體(R0M)程式碼儲存器23〇。各支援的加密 演算法可包括用於執行-加密/解密演算法的專用防篡改 密碼硬體模組24〇(—般稱為”加密硬體")及相關聯的曰曰“上 記憶體緩衝器245。-通信模組㈣支援直接記憶體存取 117241.doc 13 200811658 (DMA)及與系統1 〇〇之其他組件進行點對點(p2p)通信。 圖3說明一北橋架構。在此具體實施例中,防護引擎112 係置放於一北橋晶片305内。一傳統南橋晶片3 1 〇係耦合至 北橋晶片305。 圖4說明一南橋架構。在此具體實施例中,防護引擎112 係置放於一南橋晶片4 1 0内。南橋晶片4 10可搞合至一北橋 晶片405。然而,某些微處理器CPU(例如AMD K8處理器) 具有一整合的北橋功能性,因此應明白南橋晶片4丨〇可直 接連接至一 CPU 120。 如先前所述,在一具體實施例中,防護引擎丨丨2係設計 以在一 PCI架構環境中工作(例如,諸如在同時由pci-SiG 所出版之PCI-E規格書或PCI 2.2規格書中所述之一卩以-E X p r e s s 5衣境’各規格書内容以引用方式併入本文)。pci架 構支援針對記憶體之CPU及器件讀寫交易以及經由特殊組 態至器件之讀寫、I/O與記憶體映射I/〇(MMI〇)交易。各 PCI相容器件支援允許發現、查詢並配置器件之一”組態空 間’’。各”組態空間”可視需要地支援CPU及其他器件可讀取 及寫入器件之位址區域。該些區域係藉由’’基址暫存器,, (BAR)來定義。 圖5說明一 PCI組態空間510,其具有一基址暫存器52〇, 基址暫存器520允許從CPU或其他器件經由記憶體映射的 6貝取及寫入來存取一記憶體映射位址範圍。器件控制及資 料結構可嵌入BAR所指向之位址區域内。例如,以下所述 之控制及資料結構可在防護引擎112之一具體實施例中嵌 117241.doc -14 - 200811658 入一 BAR所指向之一或多個位址區域内。 圖6說明用於實施一上下文切換之一範例性上下文資料 結構610。在一具體實施例中,防護引擎112能夠支援整數 數目Μ個同時會話,其對應於Μ個實例的上下文資料結構 610。一密输陣列630允許需要利用不同密錄(或多個密錄) 之不同加密、解密或轉碼演算法。在一具體實施例中,密 鑰陣列630支援一整數數目Ν個密鑰。一上下文係基於來源 位址、目的地位址及記憶體屬性(例如一直接記憶體存取) 來選擇。一範例性上下文資料結構61 〇包括上下文資訊加 密/解密攔位612,其定義是否要執行加密或解密、加密/解 密演算法欄位614,其定義要使用的加密/解密演算法、一 定義是否使用DMA之欄位616、一 DMA輸入描述符攔位 618,其定義用於從記憶體進行dMa器件所需之參數、一 輸出描述符欄位620,其定義從器件輸出所需之參數、一 索引攔位622,其識別在密鑰陣列63〇内的第一密鑰、及一 序號攔位624,其指示加密/解密演算法所使用之^錄數。 一範例性上下文資料結構61〇還表述為偽代碼。在一具體 貫施例中,該防護引擎支援一 伋坌数數目Μ的上下文及一整 數數目Ν的晶片上密餘。各上 各上下文可使用—可變數目的密 錄。此外,各上下文且古&私二士 料窝A 文^有此夠項取輸入資料(或將輸入資 枓寫入其)之必須資訊與能夠 -,, J咼八翰出育料之必須資料。 可包括一 DMA位址描述符表 、 取。提彳Ί他“符以支援DMA存 攸h則·對一當刖上下文之一 令m 眾W ’其致動快速的上下 文切換(用以改變上下文 文田月J京弓| )。提供該基址暫 117241.doc 200811658 存器之一偏移以允許將防護引擎112實施為在一單一PCI器 件内的數個功能之一者。在偽代碼中,該些資料結構係映 射成一或多個防護引擎BAR,如下: integer N integer Μ index current_context..., recognize the block diagram of η谷示,乳1 U. In the digital position, the first 10 〇 includes a bridge 110 with a 3-guard engine 112. According to a specific embodiment of the present invention, the security service (for example, downstream of the CPU 120, 丨, 。, from the _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Bridge 11 (). A set of wafers or overlying bridges 110 can be implemented as a single wafer into a portion of the same wafer of CPU 120. As described in more detail below, the bridge 110 can include any bridge 'eg, for use as a bridge to a central processing unit (cpumo to other devices - a group of chips, such as a north bridge wafer, a south bridge wafer, or a north bridge and a south bridge wafer) One combination. The protection engine 112 performs cryptographic services within the bridge 110. Exemplary cryptographic services include encryption, decryption, and transcoding (ie, conversion between different encryption modes). Or a special code service can be applied (eg, The type of information that needs to be protected. In some applications, all data that passes through the bridge 110 requires a password service. However, more generally, only protected data (such as data that requires digital content protection) may be required. A cryptographic service is required. The cryptographic service provided by the protection engine 112 can be used to protect data (e.g., digital content such as video content) along the vulnerable content system 117241.doc 200811658 (10). The cryptographic services can be provided in the data. During an access operation, such as a data write operation, the encryption/decryption key 114 is stored in the protection engine ιΐ2. Supporting such cryptographic services. Although a single encryption and/or decryption cipher can be stored', it is more generally possible to store additional encryption to support multiple encryption, de-poor or transcoding types. In a particular embodiment, - Context indicator ι ΐ 6 "a contextual source of information, such as contextual material 118 within memory 130. Contextual data 118 includes data structures to allow - context switching to a particular source/destination address selection - specifies a cryptographic service (eg, encryption, decryption, or Transcoding is performed by the protection engine m. Each context may also indicate a specified encryption/decryption key. In a particular embodiment, the protection engine 112 supports standard encryption and decryption techniques for compressed or unflattened data (eg, advanced encryption standards ( Aes), Triple Data Encryption Standard (3DES) or Public/Private Key Remote Server (RSM). However, the protection engine 112 may also be configured to support other additions. Exemplary transcoding applications include Converting from an encrypted standard format to another encrypted standard format or between two different encryption keys, such as AES with a first key A second conversion is performed between AESs having a second key. The protection engine 112 is preferably implemented at least in part using a dedicated tamper-resistant cryptographic hardware, compared to a software-only operational encryption/decryption algorithm that improves security. Sexual aspects provide a number of benefits. In addition, the implementation of the protection engine 丨12 by the S-specific hardware allows for improved performance and power consumption. The bridge 110 is coupled to a CPU 120, memory 13 and other devices, such as a graphics processing unit (GPU). 14〇 (display coupled to a display 15〇) 117241.doc 200811658 The bridge 110 is coupled to the CPU 12 by having a busbar (for example, a busbar (FSB)) of one of the busbar interfaces 121. . Coupling a CPU to a bridge bus interface 121 is typically a dedicated high speed interface that is inherently safe due to the difficult connection of the intrusion busbar 122, the embedded circuit path, and the same rate. Thus, in the following discussion, it will be appreciated that the plaintext material can be transmitted securely from the CPU 120 to the bridge 110 across the busbar interface 121, as it is extremely difficult for the hacker to intercept data from the bus interface interface 121 within an assembly unit. Within system 100, there are several paths with unsafe connections between bridge 110 and other components (e.g., components 13A and 140). For example, when a hacker potentially has access to a bridge interface 124 or 126 and associated bus 135 or (4), a link is not secure. Example #, a memory bus 135 or to one of the GPU 140 bus bars 145 may be unsafe because the bus bar 135 or 145 is unsafely soldered and/or has a low enough to invade the busbar 1 3 5 or 145 Possible data rate. The input path includes writing input data from other devices to the bridge U, for example, the k CPU 120 directly writes to the bridge J1〇. The output path includes the use of point-to-point techniques to write output data directly from bridge 110 to other devices, such as writing to GPU 140 or writing to memory 13A. Further, the direct memory access path includes direct write memory 13 〇 ' for example, cpu 1) write memory 130 for direct memory access. The bridge 11 can utilize any interface that can write data from another device to another device and enable direct memory access. In a particular embodiment, the 'bridge 11 is adapted to utilize a Peripheral Component Interface Express (PCI-E) as one of the high speed interfaces of at least one of the other devices (e.g., 〇14〇) 117241.doc -10- 200811658. PCI-Ε is a high-speed surface standard described in the PCIe Basic Specification, published by the Peripheral Component Interface-Special Interests Organization (PCI-SIG), the contents of which are incorporated herein by reference. 1 may also use other industry standard interfaces (eg, Peripheral Component Interface (pci)) instead of PCI-E coupled CPU 120 to bridge 11A. In one embodiment, protection engine 112 is a PCI device that may (eg Implemented on the PCI busbar to allow authentication and authentication of the protection engine 112 at the time of motherboard manufacture. In the PCI architecture, there are different bus sorting numbers corresponding to a primary stream sort number, a secondary stream sort number, and a dependent sink. The sort number. The PCI bus bar defines the bus bar to which the host bridge is connected, where the host bridge connects the CPU to the PCI system. A permission write may be used to load the encryption/decryption key into the protection engine 1 1 2 . 1 illustrates an exemplary application 85 for running a video player (Vp) application 1 90 and a graphics driver 85 in the CPU 120. A digital content source 160 (eg, a DVD player) is connected. Encrypted digital content (for illustrative purposes, the digital content source player 16 is shown directly attached to the CPU 120, although more precisely it will be connected to an input device, according to a digital content protection protocol, the CPU 12 includes The encryption/decryption software 195 reads the encrypted digital content from the digital content source 16 and performs any initial decryption of the encrypted content using the encryption/decryption software 195. The vp application 190 performs one or more of managing playback and/or storage. The operation of the video stream. The GPU 140 receives commands from the CPU 120 for generating video frames and generally also receives video data from the memory 130. One aspect of the Gpu 14 is that the 11724I.doc 200811658 video processing operations can be offloaded to the GPU 140. Reducing CPU utilization. However, another aspect of GPU 140 is that it can produce video frames with improved display properties. For example, video content can be generated in a raw format for a computer or a high definition television. The on-board display is not optimal. As an illustrative example, it is sold by Nvidia, Inc., Santa Clara, California. Nvidia pure video decoder works with GeF〇rce 6 and 7 series GPUs. GeForce6&7 series Gpu includes a programmable video processor, an MPEG-2 decoding engine and a motion estimation engine. NWdia pure video decoder utilizes hardware Accelerate filtering, scaling, format conversion and other operations to speed up video playback. In addition, various operations can be used to reduce visual artifacts and improve video content on desktop PCs, notebook PCs and high definition Display on a television (HDTV), including sub-pixel calculations to reduce aliasing effects. Thus, it should be understood that in the following discussion, in one embodiment, GPU 140 supports one or more features to improve video playback and reduce CPU utilization, such as programmable video processing. MPEG-2 decoding, de-interlacing, reverse telecine processing, filtering, scaling, format conversion, and motion estimation. CPU 120 can be based on any suitable microprocessor. As an example, PU 1 20 can be a microprocessor that supports a virtual machine implementation. A virtual machine implementation allows for the logical division of a microprocessor cpu into separate partitions dedicated to performing different functions. For example, in digital content applications, this point allows for zone-specific services for digital content. As an illustrative example, a partition within a virtual machine can be dedicated to video player software. In a virtual male scheme, the video player partition is isolated from all other partitions, as 117241 .doc -12- 200811658 There is no software that can read or modify the video player. Virtual Machine Support provides improved security for software attacks, while Protection Engine Π2 provides improved security for hardware attacks. As an example of a CPU designed to operate as a virtual machine, Intel has developed an M-bit Pentium microprocessor with integrated security features designed to support Microsoft's codename "L〇ngh〇rn" in Redmond, Washington. Version 8 operating system. According to the traditional content protection scheme, a command stream sent to the GPU 140 on the bus 145 needs to be encrypted, and then a Gpu decryption engine is used. Decrypted within GPU 14〇. Traditionally, the CPU 12 has to perform the function of re-encrypting the digital content sent to the bridge 11, thus encrypting the output on the bus. However, in accordance with the present invention, the bridge 11 performs any necessary data re-encryption. Thus, the re-encryption function is unloaded from the CPU 12, thereby improving the cpu performance. Moreover, the protection engine 112 may include dedicated hardware that compares a software-based encryption/decryption within the CPU 195 to reduce the power consumption required for encryption/decryption. Moreover, in a particular embodiment, the bridge 110 encrypts the data transmitted over the memory bus 135 for storage in the Lv Huiyi body 130, thereby improving security. FIG. 2 shows an exemplary embodiment of a protection engine 112. In one embodiment, the protection engine 112 includes a scratchpad space 21, a microcontroller 22, and a read only memory (ROM) code memory 23A. Each supported encryption algorithm may include a dedicated tamper-resistant cryptographic hardware module 24 ("commonly referred to as "encrypted hardware") and associated 曰曰 "on-memory" for performing-encryption/decryption algorithms. Buffer 245. - Communication Module (4) Supports direct memory access 117241.doc 13 200811658 (DMA) and peer-to-peer (p2p) communication with other components of System 1. Figure 3 illustrates a north bridge architecture. In this particular embodiment, the guard engine 112 is placed within a north bridge wafer 305. A conventional south bridge wafer 3 1 is coupled to the north bridge wafer 305. Figure 4 illustrates a south bridge architecture. In this embodiment, the guard engine 112 is placed within a south bridge wafer 410. The south bridge wafer 4 10 can be integrated into a north bridge wafer 405. However, some microprocessor CPUs (e.g., AMD K8 processors) have an integrated north bridge functionality, so it should be understood that the south bridge wafer 4 can be directly connected to a CPU 120. As previously described, in one embodiment, the protection engine 2 is designed to operate in a PCI architecture environment (eg, such as a PCI-E specification or a PCI 2.2 specification published by pci-SiG at the same time). One of the above is incorporated by reference in the contents of the -EX press 5 clothing. The pci architecture supports CPU and device read/write transactions for memory and I/O and memory mapped I/〇 (MMI〇) transactions via special configuration to devices. Each PCI-compatible device supports the ability to discover, query, and configure one of the devices' "configuration spaces". Each "configuration space" can optionally support the CPU and other devices to read and write to the address area of the device. The area is defined by the ''base address register,' (BAR). Figure 5 illustrates a PCI configuration space 510 having a base register 52, the base register 520 allowing the slave CPU or Other devices access a memory mapped address range via memory mapping and write. The device control and data structure can be embedded in the address area pointed to by the BAR. For example, the control and data structures described below can be In one embodiment of the protection engine 112, 117241.doc -14 - 200811658 is embedded in one or more address regions pointed to by a BAR. Figure 6 illustrates one exemplary context material structure 610 for implementing a context switch. In a specific embodiment, the protection engine 112 is capable of supporting an integer number of simultaneous sessions corresponding to the context data structure 610 of the instances. A dense array 630 allows for the use of different secrets (or multiple secrets)Different encryption, decryption or transcoding algorithms. In a specific embodiment, the key array 630 supports an integer number of keys. A context is based on source address, destination address, and memory attributes (eg, a direct Memory access). An exemplary context material structure 61 includes a context information encryption/decryption block 612 that defines whether encryption or decryption, encryption/decryption algorithm field 614 is to be defined, which defines the encryption to be used. /Decryption algorithm, a field 616 defining whether to use DMA, a DMA input descriptor block 618 defining parameters required for the dMa device from memory, an output descriptor field 620, defined from The device outputs the required parameters, an index block 622 that identifies the first key within the key array 63A, and a sequence number block 624 that indicates the number of records used by the encryption/decryption algorithm. The exemplary context data structure 61 is also expressed as pseudo code. In a specific embodiment, the protection engine supports a number of frames of context and an integer number of blocks of memory on the wafer. Each context can be used - a variable number of ciphers. In addition, the context and the ancient & private corpus A text ^ have enough information to enter the input data (or write the input into it) must be able to - ,, J. Bhuhan must have information on the material. It can include a DMA address descriptor table, and take it. 'It motivates a fast context switch (to change the context of Wentian Yue J Jing Gong |). One of the bases of the base 117241.doc 200811658 is provided to allow the protection engine 112 to be implemented as one of several functions within a single PCI device. In pseudocode, the data structures are mapped to one or more guard engines BAR as follows: integer N integer Μ index current_context
Offset__from_base__address MMIO_inputOffset__from_base__address MMIO_input
Key keys[N] 一範例性上下文資料結構如下: struct {Key keys[N] A sample context structure is as follows: struct {
Boolean encrypt_not ^decrypt; Enumerated encryption^ decry ption_algorithm; Boolean use_dma DMA—input dma」nput Output output index start-key (索引成密输) integer number_of一 keys (密输數目必須與 encryption_decryption_algorithm相一致) } Contexts [Μ] and where struct DMA_input {Boolean encrypt_not ^decrypt; Enumerated encryption^ decry ption_algorithm; Boolean use_dma DMA—input dma”nput Output output index start-key integer number_of one keys (the number of secrets must be consistent with encryption_decryption_algorithm) } Contexts [Μ] And where struct DMA_input {
Address d at a_descripto ratable integer length 117241.doc -16- 200811658 struct Output {Address d at a_descripto ratable integer length 117241.doc -16- 200811658 struct Output {
Address addr integer limit 本發明允許防護引擎112可用來加密、解密或轉碼之數 個不同輸入杈式。防護引擎112之輸入可以係來自cpU2 直接寫入、來自另外器件之直接寫入或經由一直接記憶體 存取所進行之一輸入。作為一範例,可藉由cpu或經由點 對點交易藉由另外器件進行至器件之記憶體映射寫入。作 為一乾例,CPU可 範例 擎然後加密並將密文寫入一目的地。作為另 cpu或其他器件可向防護引擎112寫入密文。在此情況 下,防護引擎112解密該密文並將明文輸出寫入—目的 地。對於-直接記憶體存取輸人情況,使用_直接記憶體 存取來讀取CPU或另外器件所寫入來自記憶體之内容:: 料。對於直接記憶體存取針對明文資料之情況,防七^ ^執行加密及密文之以。對於直接記憶體存取針對明 文資料之情況,防護引擎112執行解密及明文資 入。 、"、之冩 輸出可以至實體記憶體或使用點對點的另外器件。 具體實施例中’藉由一可程式化位址來決 ' # y 出 例如, “〜程式化位址可以係在實體記憶體 允間肉Μ认, ^為件之記憶體 工間内的一輸·出位址範圍。 輸入模式包括藉由CPU 120或使用點對點窝 ’’兩入之其他器 117241.doc 200811658 件的MMIO寫入。輪 取與點對點。在一且興“至記憶體之直接記憶體存 資料寫… 貫施例中,CPU 12〇可直接將明文 貝枓寫入加密引擎112。 ^130以 加在引擎可將加密資料寫入記憶 體^ ’攸而排除將明文儲存於記憶體13〇内之需要。 MU例性應用包括解密並解密視訊用於播放中的 應用、在不同標進夕戸弓 ^ ’、 間加松及解密(即轉碼)用於儲存應 用,例如網路儲存、加密、解密或轉碼網路流量、及用: 在個人:影機系統内加密及解密内容之應用。 圖7況明用於安全顯示視訊之_範例性操作序列。作為 -卿範例,橋接器11〇係作為一北橋晶片61“及一南 橋曰曰片6 1 〇_B而說明。出於說明性目的省略組件之間的該 等匯流排以簡化圖式。如箭頭7〇1所示,CPU 120從一視訊 内今來源1 60讀取視訊資料。依據内容保護協定,加密該 内容。CPU 120使用軟體解密技術來執行在cpu 12〇内的 解密702。CPU 120將明文資料發送7〇3至防護引擎112。由 於一前測匯流排難以分接,因此從cpu 12〇至防護引擎 之明文資料傳輸係固有地安全。防護引擎丨丨2加密資料 704。防護引擎π2然後使用一直接記憶體存取以向記憶體 130寫入705密文。由此,透過一記憶體匯流排(未顯示)傳 輸之任何内容較安全。GPU 140然後使用一直接記憶體存 取來讀取706密文。GPU 140然後解密並顯示707内容。 參見圖7,本發明所提供之一好處在於内容可傳輸並作 為密文儲存於易受入侵之系統部分内。因而,改良數位内 容保護。此外,減小與加密内容相關聯之CPU額外負擔, 117241.doc -18- 200811658 從而改良CPU效能。此外,防護引擎i 12較佳的係設計以 在執行加密及解密操作時比CPU 120更具功率效率。由 此,將加密/解密操作卸載給防護引擎112可減小功率消 耗。 本發明之另一應用係在個人錄影機(PVR)應用中。 記錄電視信號,例如HDTV信號。圖8說明用於數位電視 (DTV)之範例性PVr系統8〇()。例如,pvR系統8〇〇可以係 一媒體為中心的個人電腦,其具有一 cpu 12〇、Gpu 140、顯示器150、記憶體13〇、及至少一橋接器(例如橋接 器110)。一視訊捕捉(VC)模組805係包括於pVR系統8〇〇内 並可(例如)包括於橋接器110内。VC模組805捕捉廣播信號 810用於儲存。一HDTV接收器8〇2可耦合至pvR系統8〇〇以 接收廣播信號。例如,HDTV接收器802可執行解調變及解 碼以產生採用解調變資料訊包之一運輸流之形式的視訊信 號810。視訊信號810可藉由橋接器u〇來直接接收或從另 外組件耦合至橋接器1丨〇内,取決於實施方案。 已提出,未來電視接收器應需要識別一廣播旗標並回應 偵測一廣播旗標來實施一數位内容保護方案來保護捕捉的 視訊免於經由網際網路或其他大量技術來分發。由此,所 接收之廣播HDTV信號之任何副本均採用一受保護格式保 持’使一終端使用者難以分發不受保護的視訊内容副本。 依據程式及系統資訊協定(PSIP),廣播旗標可(例如)包括 於先進電視系統委員會(ATSC)視訊訊包之標頭内。在本發 明之一具體實施例中,PVR系統800偵測一廣播旗標是否 1Ϊ 7241 .doc -19- 200811658 存在於視訊信號81G内4存在—廣播旗標,則將需要支 援數位内谷保濩之加密’解密服務卸載給防護引擎112。對 ;VR應用t月況’該等程序之許多程序與圖7中所述的 相同’除了資料來源係廣播信號並監視一廣播旗標之存 在例如,PVR系、統8〇〇可加冑接收的視訊信號之副本以 儲存於記憶體130内用於稍後播放並執行後續播放所需之 解密。 儘管已說明本發明之—範例性應用,但更-般而言i可 用於為各種不同器件及記憶體類型提供加密、解密或轉碼 服各。可提供加密、解密或轉碼服務至—記憶棒或網路儲 存器件。例如,在-網路儲存器件中,防護引擎112可用 於加密資料用於儲存。在用於網路儲存之一具體實施例 中防漠引擎112執行轉石馬,其中加密格式係從一第—加 =格式(例如用於透過—網路傳輸之資料之一加密格式)改 變至一第二加密格式(例如用於資料儲存之一加密格式)。 在一具體實施例中,防護引擎112係形成於不同於橋接 器110的-分離器件内。例如,防護引擎112可形成於;同 於橋接器11 〇的m。在此具體實施例中,可使用— 輸入/輸出介面(例如pCI_e)來耦合防護引擎112至該晶片組 内的其他組件。此替代性實施方案之一優點在於其允許在 具有一不同實體分區的晶片組内實現防護引擎i丨2之处 刀月匕 性好處。作為一範例,可設計一基本晶片、组而沒有防護引 擎112。對於需要增強安全性的該等市場,方可將包括防 護引擎112之器件經由—1/〇介面麵合至該基本晶片 117241.doc •20- 200811658 以產生具有增強安全性的晶片組。 如先前所述,上下文狀態係儲存於記憶體内以支援多個 上下文之使用。在一虛擬機實施方案(例如L〇ngh〇r…中, 該等分區提供-車交高程纟的保護以免受库欠體攻冑,如先前 所述。然而,在不具有用於提供容器隔離之分區之一系統 (例如運行Linux或WinXp之—系統)内,可能需要對儲存於 記憶體内的上下文資訊提供額外保護以增加安全性。在一 ”體貝鈀例中,一密鑰係儲存於防護引擎丨12之硬體内以 加解密儲存於記憶體内的上下文狀態。比較將上下文 狀態資訊作為明文儲存於記憶體内,此點允許將上下文狀 態作為密文儲存於記憶體内,藉此改良安全性。 本發明之-具體實施例係關於—種具有—電腦可讀取媒 體之電腦儲存產品,該電腦可讀取媒體在其上具有用於執 灯各種電腦實施操作之電腦程式碼。該媒體及電腦程式碼 =係為本發明目的而專門設計並構造的該等媒體及電腦 石馬,或其可以係習知電腦軟體技術者所熟知並可使用 :種類。電腦可讀取媒體之範例包括(但不限於):磁性媒 入自:如硬碟、軟碟及磁帶、光學媒體,例如CD-ROM及 Γ二件。、磁光媒體,例如光碟、及專門配置成用以儲存 (,'ASIC”r式碼之硬體器件’例如特定應用積體電路 件 、。可程式化邏輯器件("PLD”)及R0M與RAM器 Y 式碼之範例包括機器碼(例如一編譯器所產生 之機裔碼彳盥 的檔案。 3 —電腦使用轉譯器執行之更高階程式碼 ^ “ 本發明之一具體實施例可使用Java、C + + 117241.doc 200811658 或其他物件導向程式化語言及開發工星 /、水只細。本發明 另一具體實施例可取代或組合機哭 缸 硬佈線電路來實施。 ^執仃軟體指令而採用 出於解釋目的,前述說明佶 ΑΑ 月使用特疋術語以s供對本發明 的一詳盡理解。但是,習知此項 议術考應明白,為了實施 本發明不必需要特定細節。因而, 如+乂, 本發明之特定具體實施 人之則逑說明係出於例示及說明目的而呈現。並不希望該 專说明詳盡無遺或將本發明揭限於所揭示的精確形式,·顯 ,可根據以上教導進行許多修改及變更。選擇並說明具體 ㈣例目的在於最佳地解釋本發明之原理及其實際應用, 從而使習知此項技術者能最佳地利用本發明及各種且體實 施,’根據所預期的特定用途進行修改。希望下列申請專 利範圍及其等同内容定義本發明之範疇。 【圖式簡單說明】Address addr integer limit The present invention allows several different input modes that the protection engine 112 can use to encrypt, decrypt, or transcode. The input to the protection engine 112 can be one of direct input from cpU2, direct write from another device, or one input via a direct memory access. As an example, memory mapped writes to the device can be performed by the cpu or via peer-to-peer transactions by another device. As a general example, the CPU can then encrypt and encrypt the ciphertext to a destination. The ciphertext can be written to the protection engine 112 as another CPU or other device. In this case, the protection engine 112 decrypts the ciphertext and writes the plaintext output to the destination. For direct memory access and input, use _ direct memory access to read the contents of the memory written by the CPU or another device:: material. For the case where the direct memory access is directed to the plaintext data, the anti-encryption and ciphertext are performed. For direct memory access to plaintext data, the protection engine 112 performs decryption and plaintext funding. , ", 冩 Output can be to the physical memory or use a point-to-point device. In the specific embodiment, 'by a programmable address to determine '# y out, for example, "~the stylized address can be categorized in the physical memory, ^ is a memory in the memory Input and output address range. Input mode includes MMIO write by CPU 120 or other device using 117241.doc 200811658 with point-to-point nest. Round-robin and point-to-point. The memory storage data is written... In the example, the CPU 12〇 can directly write the plain text to the encryption engine 112. The ^130 is added to the engine to write the encrypted data to the memory ^', eliminating the need to store the plaintext in the memory 13'. MU example applications include decrypting and decrypting video for use in a broadcast application, at different embellishments, adding and decrypting (ie, transcoding) for storage applications, such as network storage, encryption, decryption, or Transcoding network traffic, and use: Applications for encrypting and decrypting content in personal: videophone systems. Figure 7 illustrates an exemplary operational sequence for secure display of video. As an example of the Qing, the bridge 11 is illustrated as a north bridge wafer 61" and a south bridge 6 1 〇 _B. These busbars between components are omitted for illustrative purposes to simplify the drawing. As indicated by arrow 7〇1, CPU 120 reads video material from a video source 1 60. The content is encrypted in accordance with a content protection protocol. CPU 120 uses software decryption techniques to perform decryption 702 within cpu 12〇. CPU 120 The plaintext data is sent 7〇3 to the protection engine 112. Since the front test bus is difficult to tap, the plaintext data transmission from the cpu 12〇 to the protection engine is inherently secure. The protection engine 丨丨2 encrypts the data 704. The protection engine Π2 then uses a direct memory access to write 705 ciphertext to memory 130. Thus, any content transmitted through a memory bus (not shown) is safer. GPU 140 then uses a direct memory access. To read 706 ciphertext, GPU 140 then decrypts and displays 707. Referring to Figure 7, one of the benefits provided by the present invention is that the content can be transmitted and stored as ciphertext within the vulnerable portion of the system. Good digital content protection. In addition, reduce the CPU overhead associated with encrypted content, 117241.doc -18- 200811658 to improve CPU performance. In addition, the protection engine i 12 is better designed to perform encryption and decryption operations. It is more power efficient than the CPU 120. Thus, offloading the encryption/decryption operation to the protection engine 112 can reduce power consumption. Another application of the present invention is in personal video recorder (PVR) applications. Recording television signals, such as HDTV Figure 8. Figure 8 illustrates an exemplary PVr system for digital television (DTV). For example, the pvR system 8 can be a media-centric PC with a CPU 12, Gpu 140, display 150. Memory 13A, and at least one bridge (e.g., bridge 110). A video capture (VC) module 805 is included in the pVR system 8A and can be included, for example, in the bridge 110. VC The module 805 captures the broadcast signal 810 for storage. An HDTV receiver 8〇2 can be coupled to the pvR system 8 to receive the broadcast signal. For example, the HDTV receiver 802 can perform demodulation and decoding to produce a demodulation change. Information a video signal 810 in the form of a transport stream. The video signal 810 can be received directly by a bridge or coupled from another component to the bridge 1 depending on the implementation. It has been proposed that future television receivers should A broadcast flag needs to be identified and a broadcast flag is implemented in response to detecting a digital content protection scheme to protect the captured video from being distributed via the Internet or other large technologies. Thus, any received broadcast HDTV signal The copies are maintained in a protected format to make it difficult for an end user to distribute unprotected copies of video content. According to the Program and System Information Protocol (PSIP), the broadcast flag can, for example, be included in the header of the Advanced Television Systems Committee (ATSC) video package. In a specific embodiment of the present invention, the PVR system 800 detects whether a broadcast flag is 1 Ϊ 7241. doc -19- 200811658 exists in the video signal 81G 4 exists - a broadcast flag, then it will need to support the digital valley protection The encryption 'decryption service is offloaded to the protection engine 112. VR application t month condition 'many of the procedures of the program are the same as those described in FIG. 7 'except for the data source broadcast signal and monitor the existence of a broadcast flag, for example, PVR system, system 8 can receive and receive A copy of the video signal is stored in memory 130 for later playback and decryption required for subsequent playback. Although the exemplary application of the present invention has been described, it is more generally used to provide encryption, decryption or transcoding for a variety of different device and memory types. Encryption, decryption or transcoding services can be provided to the memory stick or network storage device. For example, in a network storage device, the protection engine 112 can be used to encrypt data for storage. In a specific embodiment for network storage, the anti-descendence engine 112 performs a trans-rocking, wherein the encryption format is changed from a first-plus format (eg, one of the encrypted formats for transmission-to-network transmission) to A second encryption format (eg, one of the encryption formats for data storage). In a specific embodiment, the guard engine 112 is formed in a separate device from the bridge 110. For example, the protection engine 112 can be formed at the same level as the bridge 11 〇. In this particular embodiment, an input/output interface (e.g., pCI_e) can be used to couple the protection engine 112 to other components within the wafer set. An advantage of this alternative embodiment is that it allows for the benefit of the protection engine i丨2 in a chip set having a different physical partition. As an example, a basic wafer, group can be designed without a protection engine 112. For those markets where enhanced security is required, the device including the protection engine 112 can be joined to the base wafer via the -1/〇 interface to the base wafer 117241.doc • 20-200811658 to produce a wafer set with enhanced security. As mentioned previously, the context is stored in memory to support the use of multiple contexts. In a virtual machine implementation (eg, L〇ngh〇r..., the partitions provide the protection of the vehicle's elevation elevations from the deficiencies, as previously described. However, there is no isolation for providing containers One of the partitions (such as a system running Linux or WinXp) may need to provide additional protection for contextual information stored in memory for added security. In a "body" palladium case, a key system is stored. The context of the protection engine 丨12 is encrypted and stored in the context of the memory. The context information is stored in the memory as a plaintext, which allows the context state to be stored in the memory as a ciphertext. This improved embodiment is a computer storage product having a computer readable medium having computer code thereon for performing various computer operations on the computer. The media and computer code = such media and computer stone horses specially designed and constructed for the purpose of the present invention, or which may be well known to those skilled in the art of computer software. And can be used: types. Examples of computer readable media include (but are not limited to): magnetic media from: such as hard drives, floppy disks and tapes, optical media, such as CD-ROM and Γ. , for example, a compact disc, and a hardware device specially configured to store ('ASIC' r code), such as a specific application integrated circuit device, a programmable logic device ("PLD"), and a ROM and RAM device Y Examples of code include machine code (for example, a file of a machine-generated code generated by a compiler. 3 - a higher-level code executed by a computer using a translator) "A specific embodiment of the present invention can use Java, C + + 117241.doc 200811658 or other object oriented stylized language and development star / water only. Another embodiment of the present invention can be implemented instead of or in combination with the hard-wired circuit of the crying cylinder. For purposes of explanation, the foregoing description of the present invention is intended to provide a thorough understanding of the present invention. However, it should be understood that the specific details are not necessarily required to practice the invention. this The detailed description of the present invention has been presented for purposes of illustration and description, and is not intended to The invention has been chosen and described in order to best explain the principles of the invention and its application so that the invention can Modifications are made for specific uses. It is intended that the scope of the invention and its equivalents define the scope of the invention.
結合附圖,聯繫上述詳細說明已更全面地瞭解本發明, 其中: X 圖1係依據本發明之一具體實施例具有一防護引擎置放 於橋接器内的數位内容保護系、统之一方塊圖; 圖2係依據本發明之一具體實施例之一防護引擎之方塊 圖; 之 圖3係依據本發明之一具體實施例之一北橋實施方案 一方塊圖; 案之 圖4係依據本發明之一具體實施例之-南橋實施方 一方塊圖; 117241.doc -22- 200811658 圖5说明依據本發明之一具體實施例之一;PCI組態空間; 圖6說明依據本發明之一具體實施例之一上下文資料結 構; 圖7說明依據本發明之一具體實 之一範例性操作序列;以及 圖8係依據本發明之一具體實施例用於視訊資料之一 位内容保護系統之一方塊圖; ' 遍及該等附圖’相同參考數位係指對應的零件。 【主要元件符號說明】 100 數位内容系統 110 橋接器 112 防護引擎 114 加密/解密密錄 116 上下文指標 118 上下文資料 120 中央處理單元(CPU) 121 匯流排介面 122 匯流排 124 橋接為介面 126 橋接裔介面 127 文中未說明 130 記憶體 135 匯流排 140 圖形處理單元(GPU) 117241.doc -23 · 200811658 145 匯流排 147 GPU解密引擎 150 顯示器 160 數位内容來源 185 圖形驅動器 190 視訊播放器(VP)應用程式 195 加密/解密軟體 210 暫存器空間 220 微控制器 230 唯讀記憶體(ROM)程式碼儲存器 240 專用防篡改密碼硬體模組 245 晶片上記憶體緩衝器 250 通信模組 305 北橋晶片 310 傳統南橋晶片 405 北橋晶片 410 南橋晶片 510 PCI組態空間 520 基址暫存器 525 文中未說明 610 上下文資料結構 610-A 北橋晶片 610-B 南橋晶片 612 上下文資訊加密/解密攔位 117241.doc -24- 200811658 614 加密/解密演算法攔位 616 欄位 618 DMA輸入描述符欄位 620 輸出描述符欄位 622 索引欄位 624 序號欄位 630 密鑰陣列 800 PVR系統 802 HDTV接收器 805 視訊捕捉(VC)模組 810 廣播信號 117241.doc -25 -The present invention will be more fully understood in connection with the appended claims, wherein: FIG. 1 is a block diagram of a digital content protection system having a protective engine placed in a bridge in accordance with an embodiment of the present invention. Figure 2 is a block diagram of a protection engine in accordance with one embodiment of the present invention; Figure 3 is a block diagram of a Northbridge embodiment in accordance with one embodiment of the present invention; Figure 4 is in accordance with the present invention A specific embodiment - a south bridge implementation block diagram; 117241.doc -22- 200811658 Figure 5 illustrates one embodiment of the present invention; PCI configuration space; Figure 6 illustrates an implementation in accordance with one embodiment of the present invention Example of a contextual data structure; FIG. 7 illustrates an exemplary operational sequence in accordance with one embodiment of the present invention; and FIG. 8 is a block diagram of a one-bit content protection system for video data in accordance with an embodiment of the present invention. ; 'The same reference numerals are used throughout the drawings to refer to the corresponding parts. [Main component symbol description] 100 digital content system 110 bridge 112 protection engine 114 encryption/decryption secret record 116 context indicator 118 context data 120 central processing unit (CPU) 121 bus interface 122 bus bar 124 bridged interface 126 bridge interface 127 Not described in the text 130 Memory 135 Bus 140 Graphics Processing Unit (GPU) 117241.doc -23 · 200811658 145 Bus 147 GPU Decryption Engine 150 Display 160 Digital Content Source 185 Graphics Driver 190 Video Player (VP) Application 195 Encryption/Decryption Software 210 Scratchpad Space 220 Microcontroller 230 Read-Only Memory (ROM) Code Memory 240 Dedicated Tamper-Resistant Password Hardware Module 245 On-Chip Memory Buffer 250 Communication Module 305 North Bridge Wafer 310 Tradition South Bridge Wafer 405 North Bridge Wafer 410 South Bridge Wafer 510 PCI Configuration Space 520 Base Register 525 Not described in the text 610 Context Data Structure 610-A North Bridge Wafer 610-B South Bridge Wafer 612 Context Information Encryption/Decryption Block 117241.doc -24 - 200811658 614 Encryption/Decryption Algorithm Block 616 Field 618 DMA Input Descriptor Field 620 Output Descriptor Field 622 Index Field 624 Serial Number Field 630 Key Array 800 PVR System 802 HDTV Receiver 805 Video Capture (VC) Module 810 Broadcast Signal 117241 .doc -25 -