TWI791244B - Monitor system booting security device and method thereof - Google Patents
Monitor system booting security device and method thereof Download PDFInfo
- Publication number
- TWI791244B TWI791244B TW110126479A TW110126479A TWI791244B TW I791244 B TWI791244 B TW I791244B TW 110126479 A TW110126479 A TW 110126479A TW 110126479 A TW110126479 A TW 110126479A TW I791244 B TWI791244 B TW I791244B
- Authority
- TW
- Taiwan
- Prior art keywords
- security
- bus
- boot
- processor
- host
- Prior art date
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/85—Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F13/00—Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
- G06F13/14—Handling requests for interconnection or transfer
- G06F13/16—Handling requests for interconnection or transfer for access to memory bus
- G06F13/1668—Details of memory controller
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F13/00—Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
- G06F13/38—Information transfer, e.g. on bus
- G06F13/42—Bus transfer protocol, e.g. handshake; Synchronisation
- G06F13/4282—Bus transfer protocol, e.g. handshake; Synchronisation on a serial bus, e.g. I2C bus, SPI bus
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Storage Device Security (AREA)
- Debugging And Monitoring (AREA)
- Alarm Systems (AREA)
Abstract
Description
本發明有關於一種電子系統安全,特別是有關於一種自助安全(secure bootstrapping)的方法以及系統。 The present invention relates to electronic system security, in particular to a method and system for self-service security (secure bootstrapping).
電子裝置系統使用多種類型的匯流排介面進行主機裝置以及周邊裝置之間的進行通訊。匯流排介面之一示例是序列周邊介面匯流排(SPI bus)。可支援SPI匯流排的周邊裝置有包含,例如,序列式快閃記憶體裝置。 The electronic device system uses various types of bus interfaces for communication between the host device and peripheral devices. One example of a bus interface is the Serial Peripheral Interface Bus (SPI bus). Peripheral devices that can support the SPI bus include, for example, serial flash memory devices.
本發明之一實施例提供一種安全裝置,其包含一介面以及一處理器。此介面用以連接一服務一主機裝置以及一非揮發性記憶體(NVM)裝置的匯流排。處理器連接至該匯流排,該主機裝置以及該NVM裝置也連接至該匯流排,該處理器係用以偵測該匯流排上的一開機程序,在該開機程序中該主機裝置從該NVM裝置取得一啟動代碼,以及根據主機裝置之該啟動代碼之至少一部分之一副本,確定該開機程序之安全。 An embodiment of the invention provides a security device, which includes an interface and a processor. This interface is used to connect a bus serving a host device and a non-volatile memory (NVM) device. The processor is connected to the bus, and the host device and the NVM device are also connected to the bus. The processor is used to detect a boot process on the bus. The device obtains an activation code and secures the boot process based on a host device's copy of at least a portion of the activation code.
在一些實施例中,處理器係用以從該匯流排擷取該啟動代碼之至少一部份,以及當偵測到從該NVM裝置取得的該啟動代碼之該至少一部分與該副本之間有不符合時,啟動一回應措施。 In some embodiments, the processor is configured to retrieve at least a portion of the boot code from the bus, and when detecting a discrepancy between the at least a portion of the boot code retrieved from the NVM device and the copy In case of non-compliance, initiate a countermeasure.
在一實施例中,副本包含該啟動代碼之該至少一部分之一映像(image),而該處理器係比較該映像與從該NVM裝置取得的該啟動代碼之至少一部分,以偵測該不符合。在另一實施例中,副本包含該啟動代碼之該至少一部分之一真實摘要(authentic digest),而該處理器係計算從該NVM裝置取得的該啟動代碼之該至少一部分之一摘要,並比較從該NVM裝置取得的該啟動代碼之該至少一部分之該摘要與該真實摘要,以偵測該不符合。 In one embodiment, the copy includes an image of the at least a portion of the boot code, and the processor compares the image with at least a portion of the boot code obtained from the NVM device to detect the non-compliance . In another embodiment, the copy includes an authentic digest of the at least a portion of the boot code, and the processor calculates an authentic digest of the at least a portion of the boot code obtained from the NVM device and compares The digest and the true digest of the at least a portion of the boot code obtained from the NVM device to detect the mismatch.
在一些實施例中,處理器係在該開機程序進行時偵測該不符合。在一示例性實施例,回應偵測到該不符合時,該處理器係用以強加一個或多個虛擬值在該匯流排之至少一線路上,以擾亂該開機程序。在一實施例,回應偵測到該不符合時,該處理器係擾亂該主機裝置與該NVM裝置之間的該匯流排該一個或多個線路,以擾亂該開機程序。在另一實施例中,回應偵測到該不符合,該處理器係在該匯流排上代替該NVM裝置回應該主機裝置,以使用該副本完成該開機程序。在其他實施例,處理器偵測該不符合係獨立於該開機程序之進行。 In some embodiments, the processor detects the violation during the boot process. In an exemplary embodiment, in response to detecting the violation, the processor is operable to impose one or more dummy values on at least one line of the bus to disrupt the boot process. In one embodiment, in response to detecting the violation, the processor disrupts the one or more lines of the bus between the host device and the NVM device to disrupt the boot process. In another embodiment, in response to detecting the mismatch, the processor responds to the host device on the bus instead of the NVM device to use the replica to complete the boot process. In other embodiments, the processor detects the non-compliance independently of the boot process.
在一實施例中,處理器係在該安全裝置之一內部記憶體中保存該副本,或是在該安全裝置外部的一記憶體保存該副本。在另一實施例中,在該開機程序之安全確定之前,該處理器係防止該主機裝置對一既定機密資訊進行存取。 In one embodiment, the processor stores the copy in an internal memory of the secure device, or stores the copy in a memory external to the secure device. In another embodiment, the processor prevents the host device from accessing a given confidential information until the security of the boot process is determined.
在一實施例中,處理器係執行以下操作以確定該開機程序之安全:代替該NVM裝置回應該主機裝置,並提供一啟動代碼給該主機裝置,其中該啟動代碼係造成該主機裝置在該匯流排上進行的活動在該開機程序之第一實 體(instance)及第二實體之間有所不同;以及監控該主機裝置在該匯流排上之該活動,以及確認該活動符合提供給該主機裝置之該啟動代碼。 In one embodiment, the processor performs the following operations to determine the security of the boot process: responding to the host device on behalf of the NVM device, and providing a boot code to the host device, wherein the boot code causes the host device to run on the host device activity on the bus at the first implementation of the boot sequence different between an instance and a second entity; and monitoring the activity of the host device on the bus, and confirming that the activity matches the activation code provided to the host device.
在又一實施例,當該匯流排之一晶片選擇(CS)線未被設定有效(assert)時,該處理器係藉由確保該匯流排之所有數據線與時脈線之邏輯狀態不改變,以確定該開機程序之安全。在另一實施例,該處理器係藉由確保只有在一預先定義白名單上出現的匯流排指令被施加至該NVM裝置,以確定該開機程序之安全。 In yet another embodiment, when a chip select (CS) line of the bus is not asserted, the processor does this by ensuring that the logic states of all data lines and clock lines of the bus do not change , to ensure the safety of the boot process. In another embodiment, the processor secures the boot process by ensuring that only bus commands appearing on a predefined white list are applied to the NVM device.
在一示例性實施例,處理器係藉由確保在該開機程序中從一既定重置訊號或是開機訊號至一既定事件的一時間延遲有在一預先定義範圍內,以確定該開機程序之安全。此外,處理器係藉由確保該匯流排之至少一線路之一類比參數值落在一預先定義範圍內,以確定該開機程序之安全。在一實施例中,啟動代碼係指示該主機裝置在該匯流排上輸出一個或多個主機參數值,且該處理器係藉由監控以及確認輸出在該匯流排上之該主機參數值,以確定該開機程序之安全。 In an exemplary embodiment, the processor determines the start-up sequence by ensuring that a time delay from a given reset signal or a start-up signal to a given event during the start-up sequence is within a predefined range. Safety. In addition, the processor determines the safety of the boot process by ensuring that an analog parameter value of at least one line of the bus falls within a predefined range. In one embodiment, the boot code instructs the host device to output one or more host parameter values on the bus, and the processor monitors and confirms the host parameter values output on the bus to Make sure the boot process is safe.
本發明之一實施例提供一種安全方法,其包含下列步驟:使用一安全裝置通過一匯流排進行通訊,其中一主機裝置以及一非揮發性記憶體(NVM)係連接該匯流排;以及使用該安全裝置偵測在該匯流排上之一開機程序,在該開機程序中該主機裝置係從該NVM裝置取得一啟動代碼,並根據該主機裝置之該啟動代碼之至少一部分之一副本確定該開機程序之安全。 One embodiment of the present invention provides a security method comprising the steps of: using a security device to communicate over a bus to which a host device and a non-volatile memory (NVM) are connected; and using the The security device detects a boot sequence on the bus in which the host device obtains a boot code from the NVM device and determines the boot sequence based on a copy of at least a portion of the boot code for the host device. Program security.
在另一實施例,本發明提供一種安全裝置,其包含一介面以及一處理器。介面用於連接一服務一個或多個周邊裝置的匯流排。此匯流排包含一個或多個專用訊號,其分別用於一周邊裝置;以及一個或多個共享訊號,其透過匯流排共享於周邊裝置。處理器係連接至匯流排作為一額外裝置。周邊裝置 係連接至匯流排。處理器可藉由擾亂與既定周邊裝置相關的專用訊號,以擾亂在匯流排上匯流排主裝置嘗試存取既定周邊裝置的操作。 In another embodiment, the invention provides a security device, which includes an interface and a processor. The interface is used to connect a bus serving one or more peripheral devices. The bus includes one or more dedicated signals, which are respectively used for a peripheral device; and one or more shared signals, which are shared by the peripheral devices through the bus. The processor is connected to the bus as an additional device. Peripherals connected to the busbar. The processor can disrupt the operation of a bus master attempting to access a given peripheral device on the bus by disrupting dedicated signals associated with the given peripheral device.
在一些實施例中,在進行擾亂操作時,處理器保持在匯流排上的共享訊號不中斷。在一實施例中,此介面包含一輸入,用以從匯流排主裝置接收專用訊號;以及一輸出,用以傳送專用訊號至既定周邊裝置,而處理器可藉由防止輸入接收之專用訊號傳送到輸出,以擾亂上述操作。在一些實施例中,處理器係取代既定周邊裝置回應匯流排主裝置,藉此擾亂專用訊號。在一示例性實施例,專用訊號包含一晶片選擇(CS)訊號。 In some embodiments, the processor keeps the shared signals on the bus uninterrupted while performing the scrambling operation. In one embodiment, the interface includes an input for receiving dedicated signals from the bus master, and an output for sending dedicated signals to a given peripheral device, and the processor can transmit the dedicated signals by preventing the input from receiving them. to the output to disrupt the above operation. In some embodiments, the processor responds to the bus master instead of the intended peripheral, thereby disrupting the dedicated signal. In an exemplary embodiment, the dedicated signal includes a chip select (CS) signal.
在一實施例,處理器藉由監控匯流排,偵測須被擾亂之操作。再一實施例中,處理器在一輔助介面上與匯流排主裝置進行通訊,以偵測須被擾亂之操作。輔助介面係位於匯流排外部。 In one embodiment, the processor detects operations that need to be disturbed by monitoring the bus. In yet another embodiment, the processor communicates with the bus master over an auxiliary interface to detect operations that need to be disrupted. The auxiliary interface is located outside the bus.
在一實施例中,處理器不確定地擾亂專用訊號,直到系統重置。在另一實施例中,偵測到上述操作後,處理器在一有限時間週期擾亂專用訊號。在一實施例中,藉由擾亂操作,處理器使得在一個或多個周邊裝置捨棄操作。在一些實施例中,在擾亂操作之後,處理器回復匯流排之正常操作。 In one embodiment, the processor indefinitely disturbs dedicated signals until the system is reset. In another embodiment, the processor disrupts the dedicated signal for a limited time period after detecting the above-mentioned operation. In one embodiment, the processor causes operations at one or more peripheral devices to be discarded by disrupting operations. In some embodiments, after the disturb operation, the processor resumes normal operation of the bus.
根據本發明之一實施例,再提供一種安全裝置,其包含一介面以及一處理器。該介面連接一服務一個或多個周邊裝置的匯流排。處理器以及周邊裝置係連接至匯流排,該處理器藉由取代既定周邊裝置回應匯流排主裝置,以擾亂在匯流排上一匯流排主裝置嘗試存取一既定周邊裝置之操作。 According to an embodiment of the present invention, a security device is further provided, which includes an interface and a processor. The interface connects to a bus serving one or more peripheral devices. The processor and peripheral devices are connected to the bus, and the processor disrupts the operation of a bus master on the bus trying to access a given peripheral device by responding to the bus master instead of the given peripheral device.
在一實施例中,匯流排包含一個或多個專用訊號,其分別專用於周邊裝置;以及一個或多個共享訊號,其在匯流排服務之周邊裝置之間共享,而處理器藉由擾亂既定周邊裝置相關的專用訊號,並於專用訊號被擾亂時回應匯流排主裝置,以擾亂匯流排主裝置之操作。 In one embodiment, the bus includes one or more dedicated signals, each dedicated to a peripheral device; and one or more shared signals, which are shared among the peripheral devices served by the bus, and the The dedicated signal related to the peripheral device, and responds to the bus master device when the dedicated signal is disturbed, so as to disturb the operation of the bus master device.
在一些實施例中,周邊裝置包含一記憶體裝置,而處理器識別出該操作中匯流排主裝置對記憶體裝置讀取數據之要求,並以安全裝置內部儲存之另一數據回應此要求。在一示例性實施例,處理器係以另一數據回應匯流排主裝置對記憶體裝置存取一預先定義位址區的要求,藉此擾亂此操作。 In some embodiments, the peripheral device includes a memory device, and the processor recognizes a request from the bus master to read data from the memory device during operation, and responds to the request with another data stored inside the secure device. In an exemplary embodiment, the processor responds with another data to the bus master's request to the memory device to access a predefined address area, thereby disrupting the operation.
在另一實施例中,根據在操作期間既定周邊裝置回傳至匯流排主裝置的數據,處理器識別出匯流排主裝置嘗試存取既定周邊裝置之操作。在又一實施例,根據操作中使用的指令碼,處理器識別匯流排主裝置嘗試存取既定周邊裝置之操作。 In another embodiment, the processor identifies an operation in which the bus master attempts to access a given peripheral device based on data sent back from the given peripheral device to the bus master during operation. In yet another embodiment, based on the command code used in the operation, the processor identifies an operation in which the bus master device attempts to access a given peripheral device.
根據本發明之一實施例,再提供一種安全方法,其包含下列步驟:使用一安全裝置通過一匯流排進行通訊,其中一主機裝置以及一個或多個周邊裝置係連接該匯流排;其中匯流排包含一個或多個專用訊號,其分別專用於周邊裝置;以及一個或多個共享訊號,其在匯流排服務之周邊裝置之間共享。使用安全裝置藉由擾亂與既定周邊裝置相關的專用訊號,以擾亂在匯流排上匯流排主裝置嘗試存取一既定周邊裝置的操作。 According to an embodiment of the present invention, a security method is further provided, which includes the following steps: using a security device to communicate through a bus, wherein a host device and one or more peripheral devices are connected to the bus; wherein the bus One or more dedicated signals are included, each dedicated to a peripheral device; and one or more shared signals, shared among peripheral devices served by the bus. A security device is used to disrupt an attempt by a bus master to access a given peripheral on the bus by disrupting dedicated signals associated with the given peripheral.
根據本發明之一實施例,再提供一種安全方法,其包含下列步驟:使用一安全裝置通過一匯流排進行通訊,其中一主機裝置以及一個或多個周邊裝置係連接該匯流排;使用安全裝置藉由代替既定周邊裝置回應匯流排主裝置,以擾亂在匯流排上匯流排主裝置嘗試存取一既定周邊裝置的操作。 According to an embodiment of the present invention, a security method is further provided, which includes the following steps: using a security device to communicate through a bus, wherein a host device and one or more peripheral devices are connected to the bus; using the security device The operation of the bus master attempting to access a given peripheral device on the bus is disrupted by responding to the bus master instead of the given peripheral device.
根據本發明的另一實施例,提供一種安全裝置,其包含一介面以及一處理器。介面係通過一匯流排進行通訊。處理器係藉由平行於操作之至少一部分而強加一個或多個虛擬值在匯流排上至少一線路上,以擾亂在匯流排上匯流排主裝置未經授權嘗試存取一周邊裝置的操作。 According to another embodiment of the present invention, a security device is provided, which includes an interface and a processor. The interface communicates through a bus. The processor disrupts an unauthorized attempt by a bus master to access a peripheral device on the bus by imposing one or more dummy values on at least one line on the bus in parallel with at least a portion of the operation.
在一實施例中,處理器係在匯流排之一數據線上強加虛擬值,藉以擾亂在數據線上來自周邊裝置發送或接收之數據值之傳送。此外,處理器可 在匯流排之時脈線上強加虛擬值,藉以擾亂此操作使用的時脈訊號。此外,處理器可在匯流排之晶片選擇線上強加虛擬值,藉以擾亂匯流排主裝置對周邊裝置之選擇。 In one embodiment, the processor imposes a dummy value on a data line of the bus, thereby disrupting the transmission of data values sent or received from peripheral devices on the data line. Additionally, the processor can Imposes dummy values on the clock lines of the bus to disturb the clock signal used for this operation. In addition, the processor can impose dummy values on the chip select lines of the bus, thereby disrupting the selection of peripheral devices by the bus master.
在一些實施例中,匯流排包含一具有預設邏輯值的汲極開路或是集極開路匯流排,而處理器可藉由對此匯流排之至少一線路寫入預設邏輯值之相反值,以強加虛擬值。 In some embodiments, the bus includes an open-drain or open-collector bus with a preset logic value, and the processor can write the opposite value of the preset logic value to at least one line of the bus. , to impose a dummy value.
在一些實施例中,藉由強加虛擬值,處理器可覆蓋匯流排主裝置或是周邊裝置已在至少一線路上寫入的對應對應值。在一示例性實施例,處理器可藉由驅動驅動強度強匯流排主裝置或是周邊裝置知驅動強度的至少一線路,以覆蓋匯流排主裝置或是周邊裝置已寫入的數值。在其他的實施例中,此裝置包含至少一電阻,其插置在至少一線路上,用以減弱匯流排主裝置或是周邊裝置已寫入的數值,使其弱於處理器已寫入之虛擬值。 In some embodiments, by imposing a dummy value, the processor can override the corresponding corresponding value that the bus master or peripheral device has written on at least one line. In an exemplary embodiment, the processor can overwrite the value written by the bus master or peripheral device by driving at least one line with a high drive strength to the bus master device or peripheral device. In other embodiments, the device includes at least one resistor inserted on at least one line to attenuate the value written by the bus master or peripheral device from a value written by the processor to a dummy value written by the processor. value.
在一些實施例中,處理器僅使用匯流排主裝置以及周邊裝置之間進行通訊的匯流排之既有線路,以強加虛擬值。在一些實施例中,處理器係監控匯流排,以偵測須被擾亂的操作。在一實施例中,處理器係藉由在輔助介面上與匯流排主裝置進行通訊,以偵測須被擾亂之操作。輔助介面係位於匯流排外部。 In some embodiments, the processor only uses the existing lines of the bus for communication between the bus master and peripheral devices to impose dummy values. In some embodiments, the processor monitors the bus to detect operations that need to be disturbed. In one embodiment, the processor detects operations to be disturbed by communicating with the bus master over the secondary interface. The auxiliary interface is located outside the bus.
在一實施例中,處理器不確定地強加虛擬值直到此裝置被重置。在另一實施例中,偵測到此操作之後,處理器在有限時間週期內強加虛擬值。在一實施例中,在擾亂操作之後,處理器可回復匯流排之正常操作。 In one embodiment, the processor imposes dummy values indefinitely until the device is reset. In another embodiment, the processor imposes a dummy value for a finite period of time after detecting such an operation. In one embodiment, the processor may resume normal operation of the bus after the disturb operation.
根據本發明之一實施例,再提供一種安全系統,其包含一周邊裝置以及一安全裝置。一個或多個匯流排主裝置可通過一匯流排存取周邊裝置。安全裝置可藉由平行於操作之至少一部分強加一個或多個虛擬值在至少一線路上,以擾亂在匯流排上匯流排主裝置未經授權嘗試存取周邊裝置之操作。 According to an embodiment of the present invention, a security system is further provided, which includes a peripheral device and a security device. One or more bus master devices can access peripheral devices through a bus. The security device may disrupt an unauthorized attempt by a bus master to access a peripheral device on the bus by imposing one or more dummy values on at least one line in parallel with at least a portion of the operation.
根據本發明之一實施例,再提供一種安全方法,其包含下列步驟:使用一安全裝置耦接於一匯流排,決定擾亂匯流排主裝置未經授權嘗試存取一周邊裝置的操作。藉由平行於此操作之至少一部分強加一個或多個虛擬值在此匯流排之至少一線路上,以擾亂此操作。 According to an embodiment of the present invention, a security method is further provided, which includes the following steps: using a security device coupled to a bus to determine to disturb the operation of a bus master device trying to access a peripheral device without authorization. Disrupting the operation by imposing one or more dummy values on at least one of the buses in parallel with at least a portion of the operation.
110、189、130、140、170、70、20:安全系統 110, 189, 130, 140, 170, 70, 20: Security system
144、74、24:主機裝置 144, 74, 24: host device
148:快閃記憶體 148: Flash memory
152、82:SPI匯流排 152, 82: SPI bus
178、160、90、40:介面 178, 160, 90, 40: interface
182、164、94、44:處理器 182, 164, 94, 44: Processor
186、168:副本 186, 168: copy
187、174、156、86、36:安全裝置 187, 174, 156, 86, 36: safety device
188:SPI匯流排監控器 188: SPI bus monitor
28、78:周邊裝置 28, 78: Peripheral devices
32:I2C匯流排 32: I 2 C bus
48、98:記憶體 48, 98: memory
91:從屬介面邏輯電路 91: slave interface logic circuit
92:介面監控邏輯電路 92: Interface monitoring logic circuit
S100、104、108、112、116、120、190、194、198、202、206、210、214、62、66、50、54、58:步驟 S100, 104, 108, 112, 116, 120, 190, 194, 198, 202, 206, 210, 214, 62, 66, 50, 54, 58: steps
第1圖係為根據本發明之一實施例繪示之安全系統之一方塊圖,其中在安全系統中多個裝置透過一I2C匯流排進行通訊。 FIG. 1 is a block diagram of a security system according to an embodiment of the present invention, wherein multiple devices communicate through an I 2 C bus in the security system.
第2圖係為根據本發明之一實施例繪示在一I2C匯流排上對一周邊裝置進行安全存取的方法之流程圖。 FIG. 2 is a flowchart illustrating a method for securely accessing a peripheral device on an I 2 C bus according to an embodiment of the present invention.
第3-5圖係為根據本發明的其他實施例繪示一安全系統之一方塊圖,其中在安全系統中多個裝置透過一SPI匯流排進行通訊。 3-5 are block diagrams illustrating a security system according to other embodiments of the present invention, wherein in the security system multiple devices communicate through an SPI bus.
第6圖係為根據本發明之一實施例繪示之一安全裝置之方塊圖。 FIG. 6 is a block diagram of a safety device according to an embodiment of the present invention.
第7圖係為根據本發明之一實施例之安全啟動主機裝置之方法的流程圖。 FIG. 7 is a flowchart of a method for securely booting a host device according to an embodiment of the present invention.
第8-10圖係為根據本發明之實施例繪示在一SPI匯流排上一安全裝置使主機裝置從一快閃記憶體取得安全開機程序的安全系統的方塊圖。 8-10 are block diagrams of a security system showing a security device on an SPI bus enabling a host device to obtain a secure boot procedure from a flash memory according to an embodiment of the present invention.
第11圖係為根據本發明之一實施例繪示之安全啟動主機裝置之方法之流程圖。 FIG. 11 is a flowchart of a method for safely booting a host device according to an embodiment of the present invention.
以下將配合圖式及實施例來詳細說明本發明之實施方式,藉此對本發明如何應用技術手段來解決技術問題並達成技術功效的實現過程能充分理解並據以實施。 The implementation of the present invention will be described in detail below in conjunction with the drawings and examples, so as to fully understand and implement the implementation process of how the present invention uses technical means to solve technical problems and achieve technical effects.
概述 overview
本發明的實施例係描述一種在匯流排介面上保護周邊裝置存取安全的方法以及裝置。周邊裝置可包含,例如,加密引擎、儲存敏感數據之記憶體裝置、或是其他任何會通過一匯流排進行存取之類似裝置。 Embodiments of the present invention describe a method and a device for protecting peripheral device access security on a bus interface. Peripheral devices may include, for example, encryption engines, memory devices storing sensitive data, or any other similar devices that may be accessed through a bus.
在一些實施例中,安全裝置監控在匯流排上的操作(transaction),以及識別主機裝置或其他匯流排主裝置未經授權而周邊裝置進行存取的操作。根據任何適合標準(criterion)或是策略(policy),此些操作可分類成經授權的操作以及未經授權的操作。 In some embodiments, the security device monitors transactions on the bus and identifies unauthorized access by peripheral devices by the host device or other bus master devices. Such operations may be classified into authorized operations and unauthorized operations according to any suitable criterion or policy.
當識別到一未經授權的操作,安全裝置可藉由平行於此操作進行時同時在匯流排之一個或多個線路上或是訊號上刻意強加一些虛擬值,以擾亂此未經授權的操作。上述虛擬值可強加在,例如,一時脈訊號上、一數據訊號及/或一晶片選擇(CS)訊號上。 When an unauthorized operation is identified, the security device can disrupt the unauthorized operation by deliberately imposing some dummy values on one or more lines or signals of the bus while parallel to the operation . The aforementioned dummy values can be imposed on, for example, a clock signal, a data signal and/or a chip select (CS) signal.
藉由在匯流排上強加虛擬值以擾亂操作的方式係適合於,例如,汲極開路(open-drain)匯流排或是集極開路(open-collector)匯流排,例如I2C匯流排,以及推挽式(push-pull)匯流排,例如SPI匯流排。平行於未經授權之操作同時進行在匯流排上強加虛擬值可蓋過與該周邊裝置的通訊,並擾亂時脈訊號。 Disrupting the operation by imposing dummy values on the bus is suitable, for example, for an open-drain bus or an open-collector bus, such as an I 2 C bus, And a push-pull bus, such as an SPI bus. Imposing dummy values on the bus in parallel to unauthorized operations can override communications with the peripheral and disrupt clock signals.
以下將描述幾個用於在I2C與SPI匯流排上擾亂未經授權之操作示例技術,同時也描述在擾亂之後回復正常操作的技術。在一些實施例中,安全裝置可不須先在匯流排上偵測此未經授權之操作、甚至不須監控匯流排,便 可進行擾亂。例如,安全裝置可在某一主機之晶片選擇(CS)線路上強加虛擬值,直到或是除非此主機取得授權。 Several example techniques for disrupting unauthorized operation on the I2C and SPI buses are described below, as well as techniques for restoring normal operation after the disturbance. In some embodiments, the security device may perform the tampering without first detecting this unauthorized operation on the bus, or even monitoring the bus. For example, a security device may impose dummy values on a host's chip select (CS) line until or unless the host is authorized.
在一些實施例中,例如,在SPI匯流排中,安全裝置所保護的匯流排包含:(i)一個或多個專用訊號,其分別專用於一周邊裝置;以及(ii)一個或多個共享訊號,其藉由匯流排在多個周邊裝置之中共享。共享訊號之示例為數據訊號以及時脈訊號。專用訊號之示例係為CS訊號。在一些實施例中,安全裝置係藉由擾亂與受保護之周邊裝置相關的專用訊號,並同時在匯流排上保持共享訊號,以擾亂此未經授權的操作。然而,應注意的是,並非所有匯流排都有專用訊號。例如,在I2C匯流排,所有訊號都是共享訊號。 In some embodiments, such as in an SPI bus, the bus protected by the security device includes: (i) one or more dedicated signals, each dedicated to a peripheral device; and (ii) one or more shared signals. Signals are shared among multiple peripheral devices via the bus. Examples of shared signals are data signals and clock signals. An example of a dedicated signal is the CS signal. In some embodiments, the security device disrupts this unauthorized operation by disrupting dedicated signals associated with the protected peripheral while maintaining shared signals on the bus. It should be noted, however, that not all buses have dedicated signals. For example, on the I 2 C bus, all signals are shared signals.
在其他的實施例中,安全裝置藉由代替受保護之周邊裝置來回應此未經授權主機,以擾亂此操作。在一示例性實施例,周邊裝置包含一快閃記憶體,其包含用以儲存敏感數據(例如金鑰、組態數據及/或啟動代碼)之一個或多個位址區。藉由選擇性地蓋過快閃記憶體之CS訊號,安全裝置能覆蓋對快閃記憶體之數據進行存取之操作。安全裝置係以其內部儲存的數據回應該主機。以下將描述此種安全開機程序。 In other embodiments, the security device disrupts the operation by responding to the unauthorized host instead of the protected peripheral device. In an exemplary embodiment, the peripheral device includes a flash memory including one or more address areas for storing sensitive data such as keys, configuration data, and/or boot code. By selectively overriding the CS signal of the flash memory, the security device can override operations to access data in the flash memory. The security device responds to the host with its internally stored data. This secure boot procedure will be described below.
本發明揭露之技術提供在逐筆操作的等級上(transaction-by-transaction level)上對周邊裝置即時安全選擇性存取。在本發明之實施例中,僅使用匯流排之既有訊號來進行操作識別以及操作擾亂。因此,本發明揭露之技術不需要額外接腳或是互連線路,藉此降低整體系統尺寸以及成本。 The techniques disclosed in the present invention provide instant secure selective access to peripheral devices on a transaction-by-transaction level. In the embodiment of the present invention, only the existing signals of the bus are used for operation identification and operation disturbance. Therefore, the technique disclosed in the present invention does not require additional pins or interconnection lines, thereby reducing overall system size and cost.
在其他實施例中,安全裝置係保護主機裝置之開機程序之安全,在開機程序中,主機裝置通過一匯流排從一非揮發性記憶體(NVM)裝置取得一啟動代碼。例如,主機可在一SPI匯流排上從一SPI快閃記憶體裝置開始啟動。在一些實施例中,在開機程序之期間內安全裝置會監控匯流排,並比較主機取得 之啟動代碼之至少一部分以及一已知的副本,例如啟動代碼映像(boot code image)或是摘要(digest)。當偵測到在匯流排上取得之啟動代碼與安全裝置已知的副本之間不符合時,觸發一回應措施。本發明之此技術能啟動安全裝置保護系統抵抗多種安全威脅,例如,被盜用的主機或是快閃記憶體裝置,或是對匯流排訊號的攻擊。以下將描述幾種安全開機程序之示例性實施例以及變化型。 In other embodiments, the security device secures a boot process of the host device. During the boot process, the host device obtains a boot code from a non-volatile memory (NVM) device through a bus. For example, the host can boot from an SPI flash memory device on an SPI bus. In some embodiments, the safety device monitors the bus during the boot sequence and compares the At least a portion of the boot code and a known copy, such as a boot code image or a digest. A countermeasure is triggered when a discrepancy between the boot code obtained on the bus and the copy known to the security device is detected. The technology of the present invention can activate the security device to protect the system against various security threats, such as stolen host or flash memory device, or attacks on bus signals. Several exemplary embodiments and variants of the secure boot procedure will be described below.
在I2C匯流排上安全存取周邊裝置 Secure Access to Peripherals on the I 2 C Bus
第1圖係根據本發明之一實施例繪示之安全系統20之方塊圖。在本示例中,安全系統20包含一主機裝置24以及一周邊裝置28,兩者連接至一I2C匯流排32。為使描述更為精簡,主機裝置24以及周邊裝置28係分別可稱為主機以及周邊。主機裝置24有時亦稱為一匯流排主裝置(bus master)。
FIG. 1 is a block diagram of a
安全裝置36係藉由監控在I2C匯流排上的操作,以保護對周邊裝置28的存取,並防止主機24或是另一具有匯流排主裝置能力的裝置未經授權就嘗試存取周邊28的未經授權操作。安全裝置36有時亦稱為一控制裝置或是信任平台模組(TPM)。在本示例中,安全裝置36包含一介面40、一處理器44以及一記憶體48。介面40用以連接I2C匯流排32,處理器44執行本發明揭露之技術,而記憶體48儲存由處理器44實施之一個或多個安全政策。
根據任何預先定義或設置之策略,處理器44可分類一操作(transaction)。一般而言,未經授權操作會嘗試對該周邊裝置寫入數據、從周邊裝置讀取數據、設置或是傳送指令至周邊裝置、或是以其他任何方式存取周邊裝置。安全裝置實施之策略可包含正向策略,例如白名單(whitelist);負向策略,例如黑名單(blacklist);取決於裝置位址或是暫存器偏移量的策略;或是其他任何類型之策略。
例如,在主機被授權對周邊裝置進行存取之前,主機可被要求讓安全裝置驗證身份。未經授權的主機嘗試的操作會被認定是未經授權。例如, 可在主機以及安全裝置之間使用一些題詢答程序(challenge-response process)以執行驗證(authentication)。此外,主機可被要求以其他適合方式證明身份、或是成功完成一安全開機程序。 For example, the host may be required to have the security device authenticate its identity before the host is authorized to access the peripheral device. Operations attempted by unauthorized hosts are considered unauthorized. For example, Some challenge-response process can be used between the host and the security device to perform authentication. In addition, the host may be required to prove its identity in other suitable ways, or to successfully complete a secure boot procedure.
此外,一些類型之操作(例如,讀取操作)可視為已經授權,而其他類型操作(例如,寫入操作)可視為未經授權。在另一示例中,對周邊裝置之預設位址進行存取之操作可視為已經授權,而對其他位址進行存取之操作可視為未經授權。在另一示例中,在匯流排上之一些位元序列可代表一未經授權操作。 Furthermore, some types of operations (eg, read operations) may be considered authorized, while other types of operations (eg, write operations) may be considered unauthorized. In another example, the operation of accessing the default address of the peripheral device may be regarded as authorized, while the operation of accessing other addresses may be regarded as unauthorized. In another example, a sequence of bits on the bus may represent an unauthorized operation.
一般而言,處理器44可用任何適合的方式區分已經授權操作以及未經授權操作。用於區分已經授權操作以及未經授權操作的至少一策略可儲存在記憶體48中。
In general,
I2C匯流排32包含一串列數據(SDA)線,用以輸送一串列數據訊號;以及一串列時脈(SCL)線,用以承載一串列時脈訊號。用語"線或線路(line)”以及“訊號”在本文中可以互換使用。藉由監控SDA線以及SCL線,處理器44可監控在I2C匯流排上互動的任何操作,並識別出未經授權操作。
The I 2 C bus 32 includes a serial data (SDA) line for transmitting a serial data signal; and a serial clock (SCL) line for carrying a serial clock signal. The terms "line" and "signal" are used interchangeably herein. By monitoring the SDA line as well as the SCL line,
當識別出一未經授權操作時,處理器44藉由在I2C匯流排32之DSA線及/或SCL線上強加一個或多個虛擬值,以擾亂此未經授權操作。由於I2C匯流排之汲極開路/集極開路結構,使得此機制可行。通常,SDA線以及SCL線會使用上拉電阻而預設上拉成邏輯“1”狀態(即高電壓位準)。任何裝置可在任何時間在SDA線或是SCL線上寫入一“0”值,以強加一邏輯“0”(即低電壓位準),而不管其他裝置同時寫入什麼數值。
When an unauthorized operation is identified,
因此,在一些實施例中,當識別出一未經授權操作時,安全裝置36之處理器44會使用介面40在匯流排32之SDA線或是SCL線上強加一邏輯“0”(預設“1”邏輯值之相反值)。在此,“0”值係視為一虛擬值。“0”值強加在SDA線上以蓋過從主機裝置24寫至周邊裝置28之任何數據值、或是主機裝置24從周
邊裝置28讀取的任何數據值、或是預設“1”值。強加在SCL線上的“0”值會停止時脈訊號。在任一情況中,操作會受到擾亂。
Therefore, in some embodiments, when an unauthorized operation is identified, the
在一些實施例中,處理器44繼續不確定地強加“0”值,例如,直到上電重置被執行。在其他的實施例中,處理器44可讓主機重置24以及周邊重置28從被擾亂操作的狀態復原到正常操作。一些主機重置及/或週邊裝置無法從時脈暫停恢復到正常運作。因此,如果主機重置以及周邊裝置需要恢復到正常運作,較佳的是可在SDA上強加虛擬值,而不在SCL線上強加虛擬值。
In some embodiments,
在一實施例中,為了在擾亂操作後回復到正常操作,處理器44在匯流排上產生一I2C停止或是重啟動條件。本文中,I2C停止或是重啟動條件可包含任何序列之告知裝置匯流排可以自由地開始操作的匯流排訊號值。
In one embodiment,
處理器44可使用多種技術以從擾亂操作恢復到正常運作。在一實施例中,處理器44只有在一預先定義的時間長度中強加“0”值,其足以擾亂此未經授權操作。可使用任何預先定義時間長度。例如,SMBus規範有界定25mS的暫停時間。因此,在I2C上運行SMBus(SMBus-over-I2C)之應用中,可設定預先定義時間長度為25mS,以觸發暫停。
在另一實施例中,處理器44可在SDA線上強加“0”值,直到偵測SCL線已經處於高位準(例如,不擾動)達到至少一預先定義時間週期。此條件可表示主機已經結束或是捨棄此操作。接著,處理器44可釋出SDA線,並可能產生一I2C停止條件。
In another embodiment, the
在又一實施例中,為了有效擾亂從周邊裝置讀取數據的未經授權操作,安全裝置36可作為一具有與週邊28相同裝置位址的I2C從屬裝置。安全裝置36之處理器44可用“0”數據值回應此未經授權之讀取要求。在處理器44運作的同時,週邊裝置28亦會回應此讀取要求,但其傳送的數據值會被安全裝置36發送之“0”值覆蓋。此程序會繼續執行直到主機因為一停止條件而結束此操作。應
注意的是,根據I2C規範,在傳送數據時,I2C從屬裝置不會驅動ACK/NEGACK位元。
In yet another embodiment, the
在另一實施例中,為了有效擾亂讀取操作以及寫入操作,處理器44可在SDA線上強加“0”值。接著,如果主機裝置24沒有辨識出擾亂,則操作會以匯流排上的“0”數據而正常結束,藉此取代從週邊28傳送出的數據。如果主機裝置24偵測到擾亂(例如,因為其支援I2C多主機仲裁機制)而捨棄該操作,則處理器44可在SCL線上產生額外時脈週期,以接管主機24捨棄的操作。接著,處理器44可完成目前正在傳輸的位元組,並發布一停止條件以結束該操作。
In another embodiment,
上述擾亂以及恢復技術僅為例示性說明。在其他實施例,安全裝置36之處理器44可使用其他任何適合技術來擾亂操作,以及從擾亂恢復到正常運行。
The disruption and recovery techniques described above are illustrative only. In other embodiments, the
在上述示例中,偵測未經授權之操作、擾亂未經授權操作、以及在擾亂之後恢復正常運行,都只使用匯流排既有的線路來實現。在其他實施例,安全裝置36以及主機24亦可藉由匯流排32外部的一些輔助介面而相互連接。此機制適用於,例如,當安全裝置36以及主機24係整合在相同積體電路(IC)中並共享積體電路之SDA接腳以及SCL接腳的情況。
In the above example, detecting unauthorized operations, disrupting unauthorized operations, and restoring normal operation after the disturbances are all accomplished using only the existing lines of the bus. In other embodiments, the
在此些實施例,安全裝置36以及主機裝置24可使用輔助介面以確認沒有其他主機裝置存取周邊裝置28。在一示例性實施例,每當主機24存取週邊裝置28時,主機裝置24透過輔助介面通知安全裝置36。回應此通知,處理器44不會在匯流排上強加偽“0”值,而讓此操作進行。當偵測到有操作操作在存取週邊28但輔助介面上並無通知時,處理器44假定此操作係由未經授權之主機所進行的,就會強加“0”值以擾亂此未經授權操作。
In these embodiments, the
第2圖係根據本發明之一實施例繪示之在I2C匯流排32上安全存取周邊裝置的方法的流程圖。一開始,在監控步驟50,安全裝置36之處理器44使用介面40,監控在I2C匯流排32上的操作。
FIG. 2 is a flowchart illustrating a method for securely accessing peripheral devices on the I 2 C bus 32 according to an embodiment of the present invention. Initially, at monitoring
在操作偵測步驟54,處理器44識別主機裝置24嘗試存取週邊裝置28之操作。在一檢查步驟58,處理器44檢查是否此操作是經過授權的。例如,處理器44可檢查此操作是否違反儲存在記憶體48中的安全政策。
In an
在一同意步驟62,如果發現此操作是經過授權的,處理器44允許此操作正常進行。否則,在一擾亂步驟66,如果發現此操作是未經授權的,處理器44在匯流排32之SCL線及/或SDA線上強加偽“0”值,以擾亂此操作。
In a
在SPI匯流排上安全存取周邊裝置 Secure Access to Peripherals on the SPI Bus
第3圖係根據本發明的再一實施例繪示一安全系統70之方塊圖。在第3圖中,安全系統70包含一主機裝置74、一周邊裝置78以及一安全裝置86,此些裝置皆連接至一SPI匯流排82。
FIG. 3 is a block diagram of a
安全裝置86識別以及擾亂主機裝置74未經授權便嘗試存取週邊78的操作。在本示例中,安全裝置86包含一介面90以連接SPI匯流排82、一處理器94用以執行上述揭露之技術、以及一記憶體98用以儲存由處理器94實施之一個或多個安全政策。
在此實施例中,用以區分經授權操作以及未經授權操作的安全政策,以及安全裝置86之處理器94用於識別未經授權操作的方式,係與上述安全系統20的政策與方式相似。以下的技術係與上述安全裝置86在匯流排82上強加虛擬值以擾亂未經授權操作的方式不同。
In this embodiment, the security policy used to distinguish between authorized and unauthorized operations, and the manner in which
SPI匯流排82包含一時脈(CLK)線、以及兩數據線,其包含一主出從入(MOSI)線以及一主入從出(MISO)線。CLK線、MISO線以及MOSI線係共用於所有裝置,例如此實施例中的安全裝置74、78以及86。除此之外,可使用一
專用晶片選擇(CS)線來選擇每一從屬裝置。在本示例中,主機裝置74使用CS線CS2#來選擇週邊裝置78,以及使用CS線CS1#來選擇安全裝置86。
The
作為一主控者的主機裝置74係連接至所有CS線。另一方面,周邊裝置皆為從屬裝置,而每一週邊裝置只連接至自己本身的CS線。通常,主機裝置74使用CS線選擇所需要的週邊裝置並接著與使用此CLK線、MOSI線以及MISO線的裝置進行通訊,以開始一操作(transaction)。MOSI線係用於從主機裝置傳送數據至週邊裝置,而MISO線係用於從週邊裝置傳送數據至主機裝置。
The
與傳統SPI從屬裝置不同的是,安全裝置86係定義為一可驅動所有CS線的從屬裝置。如第3圖所示,安全裝置86之介面90可平行於主機裝置74而驅動CS線CS2#。當此系統包含複數個有各自CS線的周邊裝置78時,安全裝置86通常可平行於主機裝置74而驅動任何CS線。
Unlike conventional SPI slaves,
在一些實施例中,此安全系統係設計成當主機裝置74與安全裝置86使用相反的邏輯值來驅動CS線時,安全裝置86驅動的邏輯值可蓋過主機裝置74驅動的邏輯值。也就是說,如果主機裝置74以及安全裝置86用相反的邏輯值來驅動CS線,則週邊裝置將接收到安全裝置86驅動的邏輯值並根據此接收到的邏輯值進行作動。
In some embodiments, the safety system is designed so that when
為了擾亂主機裝置以及週邊裝置之間的未經授權操作,另一示例是覆蓋CS線以阻擋在此匯流排上的操作。上述覆蓋機制可用多種辦法實現。上述說明是以CS線CS2#選擇周邊裝置78來說明,但是相同機制也可應用於複數個周邊裝置以及各自的CS線。
To disrupt unauthorized operations between the host device and peripheral devices, another example is to cover the CS line to block operations on this bus. The overlay mechanism described above can be implemented in a number of ways. The above description is for the CS line CS2# to select the
在一實施例中,安全裝置86用於驅動介面90之CS線CS2#的線驅動器(line driver)會強於主機裝置74用於驅動CS線CS2#的線驅動器。在一實施例中,一串聯電阻100可插置在主機裝置74之輸出的CS線CS2#。相對於安全裝置86之CS2#線驅動器之輸出,電阻100會減弱主機裝置74之CS2#線驅動器之輸
出。此外,安全裝置86可使用其他任何辦法來用以覆蓋主機裝置74對CS線CS2#的驅動。
In one embodiment, the line driver used by the
安全裝置86之處理器94可監控SPI匯流排82之CS線、CLK線、MISO線及/或MOSI線,用任何適合的方式來識別未經授權操作。在一些實施例中,當識別到有未經授權的主機裝置74嘗試存取某一周邊裝置,安全裝置86之處理器94會重置(de-assert)周邊裝置之CS線,以擾亂此操作。由於安全裝置86會覆蓋主機裝置74對CS線CS2#的驅動,周邊裝置將被重新選擇,藉此擾亂此操作。另一方面,當判斷此操作是經過授權的,處理器94會停止自己的CS2#線驅動器,藉此讓主機裝置能存取周邊裝置78而不受影響。
第4圖係根據本發明的另一實施例繪示之一安全系統110之方塊圖。安全系統110係基於SPI匯流排82實現,與第3圖之系統70相似。然而,安全系統110並不覆蓋CS線,而是安全裝置86藉由在CLK線、MISO線及/或MOSI線上強加虛擬值來擾亂未經授權之操作。
FIG. 4 is a block diagram illustrating a
在本示例中,在安全系統110,安全裝置86會覆蓋主機裝置74對CLK線、MISO線及/或MOSI線的驅動。如圖中所示,串聯電阻100係插置在CLK線、MISO線以及MOSI線,以實現上述功能。在此例中,由於CS線CS2#沒有被覆蓋,所以沒有串聯電阻插置在CS線。
In this example, in the
在其他實施例,可藉由讓安全裝置86之CLK線、MISO線及/或MOSI線之線驅動器強於主機裝置74之相對應的線驅動器,以實現上述覆蓋機制。
In other embodiments, the overriding mechanism described above may be implemented by having the line drivers of the CLK line, MISO line, and/or MOSI line of the
在其他的實施例中,也可以使用結合覆蓋CS線(如第3圖所示)以及覆蓋CLK線、MISO線及/或MOSI線(如第4圖所示)的混合機制。 In other embodiments, a hybrid scheme combining overlaying CS lines (as shown in FIG. 3 ) and overlaying CLK, MISO and/or MOSI lines (as shown in FIG. 4 ) may also be used.
覆蓋專用點對點訊號以安全存取周邊裝置 Overlay dedicated point-to-point signals for secure access to peripherals
匯流排(例如SPI匯流排)之訊號可區分成共享訊號以及專用訊號。共享訊號為並聯於匯流排上的複數個周邊裝置(例如,所有周邊裝置)的訊號。例如,共享SPI訊號包含數據訊號(MOSI以及MISO訊號)以及時脈(CLK)訊號。專用訊號係為專用於特殊周邊裝置的訊號。例如,此匯流排之專用訊號係為一晶片選擇(CS)訊號。除此之外,此匯流排可擴充成有外加專用訊號,例如寫入保護(WP)訊號,當周邊裝置包含記憶體裝置時可使用。專用訊號亦可稱為一點對點(PTP)線。 The signals of a bus (such as an SPI bus) can be divided into shared signals and dedicated signals. The shared signal is a signal of a plurality of peripheral devices (eg, all peripheral devices) connected in parallel on the bus. For example, shared SPI signals include data signals (MOSI and MISO signals) and clock (CLK) signals. Dedicated signals are signals dedicated to specific peripheral devices. For example, the dedicated signal for this bus is a chip select (CS) signal. In addition, this bus can be expanded to have additional dedicated signals, such as write protect (WP) signals, which can be used when peripheral devices include memory devices. Dedicated signals may also be referred to as point-to-point (PTP) lines.
在一些實施例中,在專用訊號抵達周邊裝置之前,專用訊號會先通過安全裝置86。相對地,共享訊號會以傳統方式傳送到周邊裝置而不會通過安全裝置。此互連機制會啟動安全裝置以有效保護周邊裝置安全,以下將有詳細描述。
In some embodiments, the dedicated signal passes through the
第5圖係根據本發明的再一實施例繪示的安全系統130之方塊圖。第5圖之安全系統130與第3圖之安全系統70相似,但是第5圖之系統之CS2#訊號不會直接驅動周邊裝置78之輸入。替代地,主機裝置74之CS線CS2#會輸入至安全裝置86,接著,安全裝置86驅動連接至周邊裝置78之輸入的CS2_O#訊號。
FIG. 5 is a block diagram of a
在此實施例中,CS2#訊號係作為通過安全裝置連接至受保護之周邊裝置的專用PTP訊號之示例。如圖中所示,主機裝置74以及周邊裝置78之間的共享訊號(MOSI、MISO以及CLK)不會被中斷(unbroken)。
In this embodiment, the CS2# signal is used as an example of a dedicated PTP signal connected through the security device to the protected peripheral device. As shown in the figure, the shared signals (MOSI, MISO, and CLK) between the
安全裝置86藉由選擇性致能(enable)到達周邊裝置的CS2#訊號或是防止CS2#訊號抵達周邊裝置,以擾亂主機裝置74以及周邊裝置78之間的操作。第5圖之示例中,可藉由設定有效(assert)或是設定無效(deassert)控制訊號MASK_CS2#來執行上述選擇。
The
第6圖係根據本發明之一實施例之第5圖之系統130之安全裝置86之方塊圖。在本示例中,安全裝置86包含一介面90,用以連接SPI匯流排82;一
處理器94,用以執行上述揭露之技術;以及一記憶體98,用以儲存由處理器94實施之一個或多個安全政策。處理器94包含一從屬介面邏輯電路91以及介面監控邏輯電路(interface monitor logic,IML)92。從屬介面邏輯電路91用以處理安全裝置86以及主機裝置74之間的通訊。IML 92用以監控、控制以及選擇性覆蓋主機裝置74對周邊裝置78之存取。
FIG. 6 is a block diagram of the
在一實施例中,安全裝置86識別並擾亂未經授權之主機裝置74在SPI匯流排82上嘗試存取周邊裝置78之操作。從第5圖及第6圖可瞭解到第3圖所示之系統之任何安全特徵亦可實現在第5圖之系統。
In one embodiment,
在上述實施例中,安全裝置係連接至匯流排且作為一額外的從屬裝置。然而,在其他的實施例中,此安全裝置可連接作為一主控裝至。例如,此種實施例可應用於支援多主控裝置(mult-master)能力的匯流排協議(bus protocol)。 In the above embodiments, the safety device is connected to the busbar and acts as an additional slave device. However, in other embodiments, the security device can be connected as a master device. For example, this embodiment can be applied to a bus protocol that supports multi-master capability.
由安全裝置代替周邊裝置回應以防範未經授權操作 Response by security device instead of peripheral device to prevent unauthorized operation
在另一實施例中,安全裝置86可代替周邊裝置78對所選主機操作進行回應。以下說明主要參考第5圖及第6圖所示之配置,進行式例性說明。一般而言,本發明揭露之技術不限於特殊系統配置而可應用於其他任何配置,例如第3圖或是第4圖所示之系統配置。
In another embodiment, the
在第5圖及第6圖之配置有關的一示例性實施例中,當偵測到有讀取指令針對周邊裝置78之位址空間中某一位址區,IML 92可對訊號CS2_O#強加高位準訊號,並以安全裝置之內部記憶體98服務(回應)主機的讀取指令(或是讀取指令之一部分)。主機裝置74通常不知道此回應不是來自周邊裝置。在一些實施例中,上述機制也可適用於第4圖之安全系統110,例如,安全裝置可覆蓋MISO訊號。
In an exemplary embodiment related to the configurations of FIG. 5 and FIG. 6, when it is detected that a read command is directed to a certain address area in the address space of the
此機制之使用範例是周邊裝置78包含SPI快閃記憶體裝置的系統,以及安全裝置86覆蓋快閃記憶體位址空間之一部分,藉此針對此位址區提供安全快閃記憶體仿真(emiulation)。例如,安全裝置86可包含一信任平台模組(TPM),其使用IML 92覆蓋包含初始主機啟動代碼之快閃記憶體位址區。此初始主機啟動代碼係為主機開機時提取的啟動指令。信任平台模組可覆蓋單獨儲存有此經過驗證的初始啟動代碼的快閃記憶體位址區,例如,此經過驗證的初始啟動代碼可在程式執行跳至代碼之其餘部分之前對此其進行驗證。
An example of the use of this mechanism is a system where
在一些實施例中,安全裝置86更包含一用於SPI快閃記憶體裝置的主控介面。除此之外,安全裝置86可包含一適合介面以及電路以使主機裝置74在存取SPI快閃記憶體裝置時保持在重置狀態,此機制通常為系統開機程序之一部分。例如,安全裝置86可為一嵌入控制器(EC)、一超級輸入輸出裝置(super I/O)或是一基板管理控制器(BMC)裝置。
In some embodiments, the
第7圖係為根據本發明之一實施例繪示之安全開機程序之示例之流程圖。此方法從上電開始,例如,系統電力開始供應。在重置維持步驟S100,安全裝置86維持主機裝置74在重置狀態並可選地(optionally)啟動SPI快閃記憶體(周邊裝置78)。在初始載入步驟104(此為可選步驟),安全裝置86從SPI快閃記憶體載入一數據段,驗證此數據段之真實性,並將其儲存在內部記憶體98。
FIG. 7 is a flowchart illustrating an example of a secure boot procedure according to an embodiment of the present invention. This method begins with power-up, ie, system power is supplied. In the reset maintenance step S100 , the
在一覆蓋步驟108,安全裝置86設定IML 92以覆蓋對SPI快閃記憶體(其為本示例之周邊裝置78)中的至少一預先定義位址區的存取。此受保護之位址區可儲存,例如,一個或多個金鑰、組態數據及/或主機裝置74之初始啟動數據段。
In an
在一重置解除步驟112,安全裝置86解除主機裝置之重置狀態。因此,在一啟動步驟116,主機裝置74開始自己的開機程序。在開機程序中,在
一區域存取子步驟120,由安全裝置86以內部記憶體98服務對預先定義位址區的存取。
In a
以此方式,安全裝置可安全保護敏感資訊例如金鑰、組態數據及/或初始啟動代碼。主機裝置74不知道其接收的資訊係來自安全裝置而不是SPI快閃記憶體。
In this way, the security device can securely protect sensitive information such as keys, configuration data, and/or initial boot code. The
第7圖繪示安全裝置如何覆蓋對周邊裝置之預先定義位址區之存取的範例方法。在其他實施例,其他任何適合方法可用於此應用。此外,當冒充此SPI快閃記憶體裝置時,安全裝置可使用其他任何適合方式藉由覆蓋及/或擾亂未經授權操作,以保護快閃記憶體裝置(或其他周邊裝置)。 FIG. 7 illustrates an example method of how a secure device overrides access to a predefined address area of a peripheral device. In other embodiments, any other suitable method may be used for this application. Additionally, the security device may use any other suitable means to protect the flash memory device (or other peripheral devices) by overriding and/or disrupting unauthorized operations when impersonating the SPI flash memory device.
再者,對未經授權操作之覆蓋不限於保護特殊預先定義位址區。例如,可根據保護周邊裝置回傳的數據或是SPI指令碼來決定是否觸發此覆蓋操作。例如,安全裝置可實施安全政策以禁用程式化、抹除、致能寫入、狀態/組態指令、及/或快閃記憶體裝置之其他任何指令或功能。2015年8月24日華邦電子公司出版的"具有Dual/Quad SPI以及QPI的SPI 3V快閃記憶體"文件中已經載明SPI快閃記憶體指令以及控制之示例規範。 Furthermore, the coverage against unauthorized operations is not limited to protecting specific pre-defined address areas. For example, whether to trigger the overlay operation can be determined according to the data returned by the protection peripheral device or the SPI instruction code. For example, a security device may implement a security policy to disable programming, erasing, enabling writes, status/configuration commands, and/or any other commands or functions of the flash memory device. The "SPI 3V Flash Memory with Dual/Quad SPI and QPI" document published by Winbond Electronics Corporation on August 24, 2015 has set forth the example specifications of SPI flash memory instructions and control.
另一示例,在第7圖所示之方法,敏感資訊係位於快閃記憶體裝置,由安全裝置啟動以及讀取,以作為開機程序之一部分。在其他實施例,敏感資訊可初始儲存在安全裝置中,例如,安全裝置與快閃記憶體都儲存此敏感資訊,或是安全裝置代替快閃記憶體而儲存此安全裝置。在此實施例,安全裝置不需要從快閃記憶體裝置讀取此敏感資訊。 Another example, in the method shown in FIG. 7, the sensitive information is located in the flash memory device, activated and read by the secure device as part of the boot process. In other embodiments, the sensitive information may be initially stored in the security device, for example, both the security device and the flash memory store the sensitive information, or the security device stores the security device instead of the flash memory. In this embodiment, the security device does not need to read this sensitive information from the flash memory device.
在另一示例,第7圖所示之方法係搭配SPI匯流排。在其他實施例,安全裝置可使用匯流排之專用訊號(如果有)及/或共享訊號,來覆蓋透過其他匯流排以及協議對周邊裝置之預先定義位址區進行的存取。例如,I2C匯流排是一上拉雙向匯流排,其用於支援複數個從屬裝置以及複數個主控裝置。因此,
此協議具有一嵌入機制用於處理多個裝置之間競爭。例如,當一I2C裝置嘗試將其設定成"1"(即是上拉操作)而偵測到SDA線為"0",則此裝置會假定出現競爭並會釋放匯流排,直到下一次操作。在一實施例中,I2C安全裝置(例如,第1圖之安全裝置36)係用以重疊另一周邊從屬裝置(例如,第1圖之周邊裝置28)之一些位址空間。例如,安全裝置可用以回答另一周邊裝置所期待的相同數據。如果此安全裝置偵測到有數據不符合,例如,有裝置嘗試上拉成"1"但是SDA線上偵測為"0",則安全裝置可開始進行回應措施,例如,產生一停止條件、在一個或多個數據線上驅動"0"、設定一無窮的時脈延展、或是其他任何適合動作。此技術使用一傳統I2C從屬裝置(實體層不須有硬體改變)以監控拉下數據位準的裝置。
In another example, the method shown in Figure 7 is used with an SPI bus. In other embodiments, the security device may use the bus's dedicated signals (if any) and/or shared signals to override accesses to the peripheral device's predefined address areas via other buses and protocols. For example, the I 2 C bus is a pull-up bidirectional bus for supporting slave devices as well as master devices. Therefore, the protocol has a built-in mechanism for handling contention among multiple devices. For example, when an I 2 C device detects that the SDA line is "0" while attempting to set it to "1" (that is, a pull-up operation), the device assumes contention and releases the bus until the next operate. In one embodiment, an I2C secure device (eg,
在又一實施例中,安全裝置86(其使用ILM 92)亦監控SPI位址之數據相位。當辨識到有數據不符合,安全裝置可啟動回應措施,例如,中斷此操作、重置系統、鎖住對金鑰的存取、或是其他任何適合措施。 In yet another embodiment, the watchdog 86 (which uses the ILM 92) also monitors the data phase of the SPI address. When a data discrepancy is identified, the security device can initiate a response, such as interrupting the operation, resetting the system, locking access to the key, or any other suitable measures.
在一示例情境中,安全裝置86持有儲存在SPI快閃記憶體之某一代碼部份之簽章(signature)或是摘要(digest)。安全裝置係監控主機裝置74對SPI快閃記憶體之存取,並在背景計算此代碼部份之簽章或是雜湊值。如果偵測到簽章錯誤、雜湊值錯誤或是SPI提取序列錯誤,則安全裝置86可啟動適合的回應措施。
In an example scenario, the
在又一實施例,安全裝置可監控在匯流排82上至少一周邊裝置78,並驗證不同的裝置之存取順序是否與期待的相同。
In yet another embodiment, the security device may monitor at least one
在又一實施例中,當偵測到對周邊裝置78的經授權操作時,安全裝置86使用一個或多個訊號(除了CS訊號以外的訊號)以限制對周邊裝置78之存取或是實施某一系統狀態,例如以下示例,但本發明不受其限制:
In yet another embodiment, the
˙搭配第4圖之安全系統證明的任何訊號。 ˙Cooperate with any signal attested by the security system in Figure 4.
˙快閃記憶體之防寫(write-protect)訊號 ˙Flash memory anti-write (write-protect) signal
˙控制重置訊號。 ˙Control reset signal.
˙控制電力管理訊號。 ˙Control the power management signal.
˙控制給一個或多個裝置的電力。 ˙Control the power to one or more devices.
˙禁能系統通訊;例如,可藉由禁能一網路介面控制器(NIC)來禁能系統通訊。 ˙Disable system communication; for example, system communication can be disabled by disabling a network interface controller (NIC).
˙重置系統。 ˙Reset the system.
安全裝置監控SPI匯流排,讓主機從快閃記憶體安全啟動 Safeguard monitors SPI bus to allow host to boot safely from flash memory
在一上述實施例中,為了保護開機程序安全,安全裝置代替快閃記憶體來回應啟動代碼給一主機裝置。在以下描述之其他實施例,主機裝置可通過一匯流排(例如SPI匯流排)從快閃記憶體取得啟動代碼。安全裝置可藉由監控主機在匯流排上對記憶體存取操作,保護開機程序安全。安全裝置持有或是可存取主機啟動代碼及/或其摘要之至少一些之副本。安全裝置可比較副本與主機從快閃記憶體取得之啟動代碼(如需要可計算其摘要),並當偵測到不符合時啟動回應措施。 In one of the above-mentioned embodiments, in order to protect the security of the boot process, the security device replaces the flash memory to respond the boot code to a host device. In other embodiments described below, the host device can obtain the boot code from the flash memory through a bus (eg, SPI bus). The security device can protect the security of the boot process by monitoring the memory access operation of the host on the bus. The secure device holds or has access to a copy of at least some of the host activation code and/or digest thereof. The security device can compare the copy with the host's activation code from flash memory (computing its digest if necessary), and initiate countermeasures when a discrepancy is detected.
本發明揭露之技術會啟動安全裝置以防範多種安全威脅,例如,一個被盜用的主機或是快閃記憶體裝置的安全威脅、或是在上匯流排訊號上的安全威脅。以下說明係以SPI匯流排以及SPI快閃記憶體舉例說明。本發明揭露之技術可以類似方式應用於其他任何適合匯流排以及其他任何適合的非揮發性記憶體(NVM)。 The technique disclosed in the present invention enables security devices to prevent various security threats, for example, security threats of a stolen host or flash memory device, or security threats on upper bus signals. The following description is based on the example of SPI bus and SPI flash memory. The techniques disclosed in the present invention can be applied in a similar manner to any other suitable bus and any other suitable non-volatile memory (NVM).
在各種實施例中,副本包含啟動代碼之至少一部分之一真實映像,例如,一個或多個啟動代碼指令之清單。在此映像中的指令順序可為啟動代碼之外顯顺序、啟動代碼執行時的執行順序(不一定依序執行)、或是其他任何順序。在其他的實施例中,此副本可包含啟動代碼之至少一部分之真實摘要。此摘要可包含啟動代碼此任何部分或是全部運算所產生的函數(function)。在一 示例實施例中,此摘要(亦稱為稱為簽章)可包含一雜湊值(hash value)或是一標記雜湊值(signed hash value)。在本發明中,上述摘要可參考保全散列演算法(例如SHA-256)、或是使用類似HMAC/CMAC之機制參考代碼簽章、或是參考其他任何適合演算法。 In various embodiments, the copy includes a true image of at least a portion of the boot code, eg, a manifest of one or more boot code instructions. The order of instructions in the image can be the explicit order of the boot code, the execution order of the boot code (not necessarily executed sequentially), or any other order. In other embodiments, this copy may contain an actual digest of at least a portion of the activation code. The summary may include functions resulting from the operation of any or all of the startup code. In a In example embodiments, the digest (also referred to as a signature) may include a hash value or a signed hash value. In the present invention, the above-mentioned digest may refer to a secure hash algorithm (such as SHA-256), or refer to a code signature using a mechanism like HMAC/CMAC, or refer to any other suitable algorithm.
用語“真實”係指此映像或是摘要為已知的且有高度信心其為未受破壞,因此值得信賴。為描述清楚起見,此真實映像或是摘要在以下段落係稱為主機之啟動代碼之至少一部分之"副本"。在以下的示例中,副本係儲存於內部,即安全裝置之一非揮發性記憶體。然而,在其他實施例,此副本可儲存在安全裝置外部的非揮發性記憶體;在後者的實施例,副本可標記有適合的安全金鑰,其儲存在安全裝置中。 The term "authentic" means that the image or digest is known with a high degree of confidence that it is uncorrupted and therefore trustworthy. For clarity of description, this actual image or abstract is referred to in the following paragraphs as a "copy" of at least a portion of the host's boot code. In the following example, the copy is stored internally, in non-volatile memory of one of the secure devices. However, in other embodiments, this copy may be stored in non-volatile memory external to the secure device; in the latter embodiment, the copy may be signed with the appropriate security key, which is stored in the secure device.
作為示例,以下描述之組態係指具有時脈訊號CLK、晶片選擇訊號CS#、四條數據線D0~D3的SPI匯流排。其他匯流排類型可具有不同的數量以及類型之線路。例如,單一數據線SPI可具有較少的線路。本發明揭露之技術可用任何類型之匯流排來實現。 As an example, the configuration described below refers to an SPI bus with a clock signal CLK, a chip select signal CS#, and four data lines D0-D3. Other bus bar types may have different numbers and types of wires. For example, a single data line SPI may have fewer wires. The techniques disclosed in this invention can be implemented with any type of busbar.
第8圖係根據本發明之一實施例繪示之安全系統140之方塊圖,安全系統140之安全裝置156係保護主機裝置144在SPI匯流排152上從快閃記憶體148取得開機程序之安全。安全裝置156包含一介面160用以連接SPI匯流排152、以及處理器164用以執行本發明描述之方法。處理器164可保存或是存取主機144之啟動代碼之至少一部分之副本168(例如,映像或是摘要)。在此例中,用於選擇快閃記憶體裝置148的晶片選擇線(CS#)亦提供輸入至安全裝置156。
FIG. 8 is a block diagram of a
第9圖係根據本發明之一實施例繪示一安全系統170之方塊圖,安全系統170之安全裝置174係保護主機裝置144在SPI匯流排152上從快閃記憶體148讀取之開機程序之安全。安全裝置174包含一介面178用以連接SPI匯流排152、以及一處理器182執行本發明所揭露之方法。處理器182可保存或是存取主
機144之啟動代碼之至少一部分之副本186(例如,映像或是摘要)。在本實施例中,SPI匯流排152之所有線路(包含四條數據線D0~D3、時脈線CLK、以及用於選擇快閃記憶體裝置148之CS#線)係提供輸入至安全裝置174。
FIG. 9 is a block diagram illustrating a
第10圖係根據本發明之一實施例繪示一安全系統189之方塊圖,安全系統189之安全裝置187係保護主機裝置144在SPI匯流排上從快閃記憶體148讀取開機程序之安全。在此例中,安全裝置187包含一SPI匯流排監控器188,其可用硬體及/或軟件模組執行本發明揭露之技術。安全裝置更包含一記憶體(圖中未顯示),其儲存主機144之啟動代碼之至少一部分之副本。
FIG. 10 is a block diagram illustrating a
相較於第8圖以及第9圖之示例,在本示例中,SPI匯流排之快閃記憶體之CS#線會通過安全裝置187。因此,安全裝置187能斷開及/或修改主機144以及快閃記憶體148之間的訊號。在本示例中,數據線(D0~D3)、時脈線(CLK)、以及用於選擇快閃記憶體裝置148之CS#線係全部穿過安全裝置187,因此此些訊號分支不易斷開,無須斷開主機與快閃記憶體裝置之間的連接,便可進行SPI匯流排監控。數據線以及時脈線沒有被中斷,但SPI匯流排監控器188可修改CS#線。例如,如果在匯流排上取得的啟動代碼不符合此副本,SPI匯流排監控器188可重置CS#線,例如,將其設定成高位準),藉此擾亂開機程序。
Compared to the examples of FIGS. 8 and 9 , in this example, the CS# line of the flash memory of the SPI bus passes through the
第11圖係根據本發明之一實施例繪示之保護主機裝置144啟動安全之方法之流程圖。方法之變化型可藉由本發明之安全裝置(例如第8、9與10圖所示之安全裝置156、174與187)來執行。為使描述更為精簡,所述的安全裝置正執行的動作實際上係由安全裝置之處理器(例如處理器164或182)執行、或是由SPI匯流排監控器188執行。
FIG. 11 is a flow chart of a method for protecting the startup security of the
此方法一開始,在重置持有步驟190,一安全裝置會讓主機144保持在一重置狀態。在取得副本步驟194,當主機在重置狀態時,安全裝置取得主機之啟動代碼之至少一部分之副本,例如,映像或是摘要。如果副本是從一
外部記憶體取得且有標記,則在處理之前安全裝置通常會先驗證副本之真實性。在一實施例中,副本可預先儲存於安全裝置中,例如在系統生產期間或系統提供給最終用戶之前的其他階段。在此實施例,可省略步驟190以及194。
The method begins with a security device holding the
在開機啟動步驟198,安全裝置將主機144從重置狀態解除,主機進行開機。在開機程序,主機144透過SPI匯流排152從快閃記憶體裝置148取得啟動代碼,並運行所取得的啟動代碼。
In the power-on
在主機之開機程序期間,在一監控與比對步驟202,安全裝置監控在匯流排上傳輸之數據,並擷取正在傳送之啟動代碼之至少一部分,以及將此擷取之代碼與副本進行比較。
During the boot process of the host, in a monitor and compare
在一實施例中,安全裝置可藉由識別主機正進行存取之位址(其指定為啟動代碼之位址),以識別有關於開機程序的操作。 In one embodiment, the security device can identify the operation related to the boot process by identifying the address that the host is accessing (which is designated as the address of the boot code).
在一實施例中,當副本包含啟動代碼之一部分之映像,安全裝置通常會比較在匯流排上取得之原始數據值以及副本之對應數據值。當副本包含啟動代碼之一部分之摘要,則安全裝置通常會計算在匯流排上取得之代碼之摘要,接著比較所計算之摘要以及副本。 In one embodiment, when the copy contains an image of a portion of the boot code, the secure device typically compares the original data value fetched on the bus with the corresponding data value of the copy. When the copy contains a digest of a portion of the boot code, the secure device typically computes a digest of the code fetched on the bus, then compares the computed digest with the copy.
在一符合性檢查步驟206,安全裝置檢查主機正從快閃記憶體裝置取得之啟動代碼(安全裝置監控SPI匯流排所截取的)是否符合副本。若是,則在成功完成步驟210,安全裝置讓開機程序成功完成。若否,例如,在開始應對措施步驟214,如果偵測到兩者不符合,安全裝置假定開機程序已經被盜用,並啟動一適合的回應措施。
In a
第11圖所示之流程圖係為了清楚描述概念的一示例性流程圖。在其他實施例,可使用其他任何適合的流程。例如,安全裝置不一定需要將主機裝置保持在重置狀態。在其他實施例,例如,安全裝置可在主機之開機程序開始之前或之後取得副本,而不須延宕(stall)主機裝置。 The flowchart shown in FIG. 11 is an exemplary flowchart for clearly describing the concept. In other embodiments, any other suitable procedure may be used. For example, the security device does not necessarily need to hold the host device in a reset state. In other embodiments, for example, the security device can obtain the copy before or after the host's boot process begins without stalling the host device.
在一些情況,在計算於SPI匯流排上所截取的啟動代碼之至少一部分之摘要時,此摘要可能會受系統狀態或其他參數影響。因此,此摘要可能會合法地符合至少二不同的副本。因此,在一些實施例中,安全裝置可保存摘要之複數個不同的副本。安全裝置將從匯流排所截取的代碼所計算的摘要與複數個副本進行比較。如果所計算出的摘要與任何副本相符合,安全裝置可許可開機程序完成。如果所計算的摘要不符合任一副本,則安全裝置觸發回應措施。 In some cases, when calculating the digest of at least a portion of the boot code intercepted on the SPI bus, the digest may be affected by system state or other parameters. Therefore, this abstract may legally correspond to at least two different copies. Thus, in some embodiments, the secure device may maintain multiple different copies of the digest. The watchdog compares the digest computed from the code intercepted from the bus to the plurality of copies. If the calculated digest matches any of the replicas, the security device may allow the boot process to complete. If the calculated digest does not comply with any of the replicas, the security device triggers countermeasures.
在各種實施例,當在步驟206偵測到不符合時,安全裝置可執行或是啟動多種回應措施,例如,但本發明不限於,以下幾個示例性動作。
In various embodiments, when a non-compliance is detected in
˙觸發系統進行重置。 ˙Trigger system to reset.
˙藉由在SPI匯流排152之至少一線路上強加一個或多個虛擬值以擾亂開機程序。本發明描述過的任何擾亂技術都可使用。
˙ Disturb the boot process by imposing one or more dummy values on at least one line of the
藉由擾亂主機裝置以及NVM裝置之間的SPI匯流排之一個或多個線路,例如快閃記憶體之CS#訊號,以擾亂開機程序。 Disrupt the boot process by disturbing one or more lines of the SPI bus between the host device and the NVM device, such as the CS# signal of the flash memory.
˙覆蓋在主機裝置以及NVM裝置之間之SPI匯流排之一個或多個線路上的訊號,例如,在匯流排上強加與原來訊號相衝突的訊號。 ˙Overlay the signal on one or more lines of the SPI bus between the host device and the NVM device, for example, impose a signal on the bus that conflicts with the original signal.
代替快閃記憶體裝置在SPI匯流排上回應主機裝置,並使用副本完成開機程序。 Replacing the flash device responds to the host device on the SPI bus and uses the copy to complete the boot process.
˙防止主機裝置對安全裝置之資源進行存取,例如,對儲存在安全裝置中的既定機密資訊進行存取。 ˙Prevent the host device from accessing the resources of the security device, for example, accessing the predetermined confidential information stored in the security device.
˙在內部記憶體(例如,RAM或是OTP)記錄警示或是錯誤記錄事件,或是發布一警報訊號。 ˙Record warning or error logging events in internal memory (eg, RAM or OTP), or issue an alarm signal.
其他任何適合的回應措施或是其組合 Any other suitable response or combination thereof
在一些實施例中,例如,當開機程序仍然在進行時,安全裝置可即時(on-the-fly)偵測到取得之啟動代碼與副本之間不符合,因此擾亂開機程序的回應措施仍是有效的。 In some embodiments, for example, while the boot process is still in progress, the security device can detect on-the-fly a discrepancy between the retrieved boot code and the copy, so the countermeasures for disrupting the boot process are still Effective.
在其他的實施例中,安全裝置是在線下(offline)偵測上述不符合之情況,例如在背景進行偵測。在本發明中,所謂"線下"係指安全裝置獨立於開機程序之進行而獨立偵測是否有不符合之情形,因此不符合偵測不是在開機程序之關鍵路徑中,對開機延遲的影響較小或是不會有影響。線下不符合偵測可在開機程序完成之後執行、或是與開機程序平行或是半平行進行。在此些實施例,安全裝置通常將所取得之啟動代碼全部或是至少一部分儲存在記憶體暫存器中,用於做副本線下比對。對於在線下進行不符合偵測,安全裝置不需要將主機裝置保持在重置狀態或是延宕主機裝置。 In other embodiments, the security device detects the aforementioned non-compliance offline, for example, in the background. In the present invention, the so-called "offline" means that the safety device independently detects whether there is a non-compliance situation independently of the boot process, so the non-compliance detection is not in the critical path of the boot process, and the impact on the boot delay Little or no effect. Off-line non-conformance detection can be performed after the boot process is complete, or in parallel or semi-parallel to the boot process. In these embodiments, the security device usually stores all or at least a part of the obtained activation code in the temporary memory for offline comparison of copies. For non-compliance detection to be performed offline, the security device does not need to hold the host device in reset or stall the host device.
在一些實施例中,安全裝置可保存或是存取在啟動期間允許的SPI指令之可配置的"白名單"。在監控匯流排時,安全裝置可根據此白名單過濾SPI指令,例如,以確保只有在白名單上的指令可實際傳送到快閃記憶體裝置。此白名單可限制指令之類型或是被存取之位址。例如,可允許對一指定位址範圍的讀取指令,而禁止寫入命令或是對此指定位址範圍以外的位置的讀取指令。 In some embodiments, the security device may maintain or access a configurable "white list" of SPI commands that are allowed during boot. While monitoring the bus, the security device can filter SPI commands against this white list, for example, to ensure that only commands on the white list can actually be sent to the flash memory device. This white list can limit the type of command or address to be accessed. For example, read commands to a specified address range may be allowed, while write commands or read commands to locations outside the specified address range may be prohibited.
第1、3-6以及8-10圖所示之系統20、70、110、130、140、170以及189之設置、多種系統裝置(例如多種安全裝置以及匯流排)之配置,係為了清楚描述概念而繪示的示例性配置圖。在其他實施例,可使用其他任何適合的配置。
The arrangement of
例如,為清楚描述,上述圖中只顯示單一周邊裝置以及單一主機裝置。在一些實施例中,此系統可包含至少二周邊裝置及/或至少二主機裝置。本發明所述之I2C匯流排以及SPI匯流排也僅是舉例說明,而非為限制。在其他實 施例,本發明揭露之技術可用其他任何適合類型之匯流排來實現或是做必要的修改。 For example, for clarity of description, only a single peripheral device and a single host device are shown in the above figures. In some embodiments, the system may include at least two peripheral devices and/or at least two host devices. The I 2 C bus bar and the SPI bus bar mentioned in the present invention are only for illustration rather than limitation. In other embodiments, the technology disclosed in the present invention can be implemented with any other suitable type of busbar or with necessary modifications.
如上所述,安全裝置可在SPI匯流排上作為一從屬裝置。然而,在此實施例,即使開機程序不是由主機裝置要求,安全裝置仍能保護開機程序安全。再者,在一些實施例中,安全裝置可在開機程序期間運行一個或多個負面測試(negative test)。例如,當CS#線未設成有效時(例如,在邏輯高位準),安全裝置可檢查是否任何數據線或是時脈線有改變或切換(toggle)自己的邏輯狀態。在一些系統,當在啟動時間的期間快閃記憶體裝置沒有被選擇,則SPI線路不應在邏輯高位準以及邏輯低位準之間改變。例如,因為在匯流排上沒有其他SPI從屬裝置,或是即使有其他SPI從屬裝置,其也不會在啟動時間的期間被定址。因此,當CS#線尚未被設定有效(即,位於低位準)但是數據線或是時脈線上訊號卻有變化,其指示有攻擊出現。安全裝置可使用此指示觸發一適合回應措施。 As mentioned above, the security device can act as a slave device on the SPI bus. However, in this embodiment, even if the boot process is not required by the host device, the security device can still protect the boot process. Furthermore, in some embodiments, the security device may run one or more negative tests during the boot process. For example, when the CS# line is not asserted (eg, at a logic high level), the watchdog can check whether any data line or clock line has changed or toggle its logic state. In some systems, the SPI line should not change between logic high and logic low when the flash memory device is not selected during boot time. For example, because there are no other SPI slaves on the bus, or if there are other SPI slaves, they will not be addressed during start-up time. Therefore, when the CS# line has not been asserted (ie, is at a low level) but there is a signal change on the data line or the clock line, it indicates that an attack has occurred. The security device can use this indication to trigger an appropriate response.
安全裝置可執行的另一完整性檢查可以是時序完整性(timing integrity)檢查。在一實施例中,在開機程序中,安全裝置可驗證是否從一既定重置訊號或是上電訊號到一既定事件之間的時間延遲有在一預先定義範圍內。例如,安全裝置可測量從系統重置到在SPI匯流排上出現第一存取指令之間的時間延遲。如果時間延遲沒有在預先定義範圍內,例如時間延遲比正常值更長或更短,則安全裝置可假定匯流排被篡改,進而觸發一適合回應措施。在另一實施例中,當主機解除重置後,安全裝置可檢查主機在某一時間週期取得的映像或是摘要,假設主機應該在此時間內結束開機序列。 Another integrity check that a security device may perform may be a timing integrity check. In one embodiment, during the boot process, the security device may verify whether the time delay from a predetermined reset signal or power-on signal to a predetermined event is within a predefined range. For example, the watchdog may measure the time delay between a system reset and the first access command appearing on the SPI bus. If the time delay is not within a predefined range, eg, longer or shorter than normal, the security device may assume that the bus has been tampered with, thereby triggering an appropriate countermeasure. In another embodiment, after the host is released from reset, the security device can check the image or digest obtained by the host within a certain period of time, assuming that the host should end the boot sequence within this time.
此外,安全裝置可測量SPI匯流排之至少一線路之類比電性參數值,如果類比電性參數值落於預先定義範圍外,則安全裝置觸發適合回應措施。可用於上述用途之類比數值可包含,例如SPI匯流排之一個或多個線路之電容值 電容值、傳輸時間或是LRC延遲。在一些實施例中,當對應線路沒有被匯流排上之主機或是其他任何裝置驅動時可測量此類比電性參數,例如當主機沒有上電或是保持在重置狀態。此類技術已經在美國專利7,797,115所解決,其公開內容通過引用併入本文。此外,其他任何適合之偵測技術可用於測量匯流排訊號之類比電性參數值。在一示例性實施例,既定類比電性參數之預先定義範圍,例如,考量SPI匯流排之既定線路之正常電容值之範圍,可在系統製造期間決定並儲存在非揮發性記憶體中。在啟動期間,安全裝置係測量目標參數之目前值,並確認量測值是否在允許之預先定義範圍內。 In addition, the safety device can measure an analog electrical parameter value of at least one line of the SPI bus, and if the analog electrical parameter value falls outside a predefined range, the safety device triggers a suitable response measure. Analogous values that can be used for the above purposes may include, for example, the capacitance of one or more lines of an SPI bus Capacitance value, propagation time or LRC delay. In some embodiments, such analog electrical parameters may be measured when the corresponding line is not being driven by the host or any other device on the bus, eg, when the host is not powered on or held in reset. Such techniques have been addressed in US Patent 7,797,115, the disclosure of which is incorporated herein by reference. In addition, any other suitable detection technique can be used to measure the analog electrical parameter value of the bus signal. In an exemplary embodiment, a predefined range for a given analog electrical parameter, eg, considering the normal capacitance value of a given line of an SPI bus, may be determined during system manufacture and stored in non-volatile memory. During start-up, the safety device measures the current value of the target parameter and confirms whether the measured value is within the allowed predefined range.
為了提高安全,主機裝置、安全裝置以及NVM裝置之間的SPI訊號之路線以及實體佈局可依循特定原則(guideline)。例如,當在印刷電路板(PCB)上實現本發明之系統時,以下原則可讓SPI匯流排較不易受到攻擊。 To improve security, the routing and physical layout of SPI signals among the host device, security device, and NVM device can follow certain guidelines. For example, the following principles can make the SPI bus less vulnerable when implementing the system of the present invention on a printed circuit board (PCB).
主機裝置以及安全裝置使用球狀矩陣(BGA)類型封裝。 The host device as well as the security device use a ball matrix (BGA) type package.
在印刷電路板之內層(inner layer)傳送,例如,在從外部不能直接接觸或接近的層。 Transport in inner layers of a printed circuit board, eg on layers that are not directly contactable or accessible from the outside.
當透過通孔(via)傳送SPI訊號時,較佳的是使用盲孔(blind via),例如使用盲孔連接內層之間的連接,並不允許從外界接觸或接近。 When transmitting SPI signals through vias, it is better to use blind vias, such as using blind vias to connect connections between inner layers, and not allowing contact or access from the outside.
將安全裝置盡可能放置相鄰於主機裝置之SPI接腳。 Place the security device as close as possible to the SPI pins of the host device.
為了再提高安全性,啟動代碼可設定成在SPI匯流排上輸出一些數據,而安全裝置可確認此些數據。例如,啟動代碼可輸出一些主機暫存器值、組態、狀態變數、常數、OTP位元位元其他任何適合的主機參數值,使得安全裝置能窺視匯流排來確認這些數值。在一些實施例中,主機參數值可經處理作為代碼映像/摘要的一部分,而在其他的實施例中,主機參數值具有參考數據或是摘要之個別副本。 To further increase security, the boot code can be set to output some data on the SPI bus, and the security device can confirm this data. For example, the boot code may output some host register values, configuration, status variables, constants, OTP bits, and any other suitable host parameter values, so that the security device can peek at the bus to verify these values. In some embodiments, the host parameter value may be processed as part of the code image/digest, while in other embodiments the host parameter value has reference data or a separate copy of the digest.
在一些實施例中,安全裝置係藉由代替NVM裝置回應主機,並代替NVM裝置回應啟動代碼之副本給主機,以確保開機程序之安全。在一實施例中,安全裝置回應之啟動代碼是可變的,其造成主機在SPI匯流排上的活動於開機程序之不同實體(instance)時會有所不同。啟動代碼不一定需要造成主機活動在每一開機程序實體都不同,但是至少在所選的實體下造成不同的主機活動。藉由監控主機裝置在匯流排上活動,安全裝置能確認主機在開機程序之實體執行的啟動代碼符合安全裝置提供給主機裝置的啟動代碼。 In some embodiments, the security device ensures the security of the boot process by responding to the host instead of the NVM device, and responding to the host with a copy of the boot code instead of the NVM device. In one embodiment, the boot code that the security device responds to is variable, which causes the host's activity on the SPI bus to be different for different instances of the boot process. The boot code does not necessarily need to cause host activity to be different under each boot program entity, but at least under selected entities. By monitoring the activity of the host device on the bus, the security device can confirm that the boot code executed by the host during the boot process matches the boot code provided by the security device to the host device.
在上述實施例,安全裝置可提供任何適合代碼,其可造成主機在匯流排上可偵測之活動有所變化。例如,在不影響執行流程的情況下,安全裝置可藉由改變至少一代碼值,以操作此啟動代碼映像。例如,此代碼值可為專用代碼固定值。因此,在此操作下,根據此代碼值,主機執行之啟動代碼會在匯流排上輸出一數值;因此,在安全裝置已知之方式下與開機程序之情況不同。安全裝置從匯流排讀取上述數值,並確認此數值符合目前提供給主機的啟動代碼。輸出值可包含,例如,代碼自行檢查摘要、數值本身或是其任何功能。此外,輸出值可由主機以及安全裝置已知之共享機密來決定。 In the embodiments described above, the security device may provide any suitable code that causes a change in the activity detectable by the host on the bus. For example, the security device can manipulate the boot code image by changing at least one code value without affecting the execution flow. For example, this code value may be a dedicated code fixed value. Thus, in this operation, according to the value of this code, the boot code executed by the host will output a value on the bus; thus, in a manner known to the security device differently than in the case of the boot procedure. The security device reads the above value from the bus and confirms that this value matches the activation code currently provided to the host. The output value can contain, for example, a summary of the code's own checks, the value itself, or any function of it. Additionally, the output value can be determined from a shared secret known by the host and the secure device.
在其他的實施例中,啟動代碼可造成主機在匯流排上活動在其他方面有差異,而不一定有關於輸出值。例如,啟動代碼可造成主機在開機程序之不同實體之間出現不同延遲。此延遲差異可藉由例如,安全裝置將不同數量之NOP指令插置於不同開機程序實體之啟動代碼。在此例中,安全裝置測量此延遲並確認此實際延遲符合期待延遲。期待延遲可用插置在目前之開機程序的NOP指令之實際數量來判斷。此外,安全裝置可確認所有插置的NOP指令都有被讀取;或是,安全裝置可測量在匯流排上之啟動代碼之摘要,並將此摘要與自己的副本摘要做比較。其他任何能造成主機活動上的差異都可使用,只要安全裝置可偵測到此差異。 In other embodiments, the startup code may cause the host's activity on the bus to differ in other ways, not necessarily with respect to output values. For example, boot code may cause the host to experience different delays between different entities of the boot process. This difference in latency can be caused by, for example, a security device inserting different numbers of NOP instructions into the startup code of different boot process entities. In this example, the watchdog measures this delay and confirms that the actual delay matches the expected delay. The expected latency can be determined by the actual number of NOP instructions inserted in the current boot process. Additionally, the watchdog can verify that all inserted NOP commands have been read; alternatively, the watchdog can measure the digest of the boot code on the bus and compare this digest with its own copy digest. Anything else that can cause a difference in host activity can be used as long as the security device can detect the difference.
安全系統20、70、110、130、140、170、189之不同裝置可用任何適合硬體來實現,例如特殊應用積體電路(ASIC)、或是現場可程式邏輯閘陣列(FPGA)。在一些實施例中,本發明之安全裝置之一些裝置,例如,處理器44或是94可用軟體、或是硬體以及軟體模組之組合,來實現。記憶體48與98、以及記憶體保存第8-10圖所示之啟動代碼之副本,可由任何適合類型之記憶體裝置來實現,例如隨機讀取記憶體(RAM)或是快閃記憶體。
The various devices of the
在一些實施例中,處理器44、94、164及/或182可包含一通用可編程處理器,其由軟體編程以執行本發明之功能。此軟體可透過網路以電子訊號形式下載至處理器,例如,或是可提供及/或儲存在非暫時性有形媒體(例如磁性、光學、或是電性記憶體)。
In some embodiments,
在上述一些實施例中,安全裝置首先藉由監控匯流排以偵測一未經授權之操作,接著擾亂此操作。其他實施例,安全裝置可不須先在匯流排上偵測或是不須監控匯流排,便可擾亂上述操作。例如,此安全裝置可覆蓋某一主機之晶片選擇(CS)線,直到或是除非此主機有被授權。上述授權可用任何適合方式執行,而不一定要使用相同匯流排。 In some of the embodiments described above, the security device first detects an unauthorized operation by monitoring the bus, and then disrupts the operation. In other embodiments, the security device may disrupt the above operation without first detecting on the bus or without monitoring the bus. For example, the security device can override a host's chip select (CS) line until or unless the host is authorized. The authorization described above can be performed in any suitable way and does not have to use the same bus.
本發明之方法以及系統可使用於各種應用,例如安全記憶體應用、物聯網(IoT)應用、嵌入式應用或是汽車應用。以上僅為舉例,本發明不受其限制。 The method and system of the present invention can be used in various applications, such as secure memory applications, Internet of Things (IoT) applications, embedded applications or automotive applications. The above are examples only, and the present invention is not limited thereto.
雖然本發明以前述之實施例揭露如上,然其並非用以限定本發明,任何熟習相像技藝者,在不脫離本發明之精神和範圍內,當可作些許之更動與潤飾,因此本發明之專利保護範圍須視本說明書所附之申請專利範圍所界定者為準。 Although the present invention is disclosed above with the aforementioned embodiments, it is not intended to limit the present invention. Any person familiar with similar skills may make some changes and modifications without departing from the spirit and scope of the present invention. Therefore, the present invention The scope of patent protection shall be subject to what is defined in the scope of patent application attached to this manual.
28:周邊裝置 28: Peripheral devices
32:I2C匯流排 32: I 2 C bus
36:安全裝置 36: Safety device
40:介面 40: interface
44:處理器 44: Processor
48:記憶體 48: Memory
Claims (29)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US16/377,212 US10691807B2 (en) | 2015-06-08 | 2019-04-07 | Secure system boot monitor |
| US16/377,212 | 2019-07-04 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW202143033A TW202143033A (en) | 2021-11-16 |
| TWI791244B true TWI791244B (en) | 2023-02-01 |
Family
ID=72805504
Family Applications (3)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW108143848A TWI738135B (en) | 2019-04-07 | 2019-12-02 | Monitor system booting security device and method thereof |
| TW110126479A TWI791244B (en) | 2019-04-07 | 2019-12-02 | Monitor system booting security device and method thereof |
| TW110126482A TWI756156B (en) | 2019-04-07 | 2019-12-02 | Monitor system booting security device and method thereof |
Family Applications Before (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW108143848A TWI738135B (en) | 2019-04-07 | 2019-12-02 | Monitor system booting security device and method thereof |
Family Applications After (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW110126482A TWI756156B (en) | 2019-04-07 | 2019-12-02 | Monitor system booting security device and method thereof |
Country Status (3)
| Country | Link |
|---|---|
| JP (1) | JP7005676B2 (en) |
| CN (1) | CN111797442B (en) |
| TW (3) | TWI738135B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI738135B (en) * | 2019-04-07 | 2021-09-01 | 新唐科技股份有限公司 | Monitor system booting security device and method thereof |
Citations (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TW200622892A (en) * | 2004-06-29 | 2006-07-01 | Koninkl Philips Electronics Nv | Safe flashing |
| TW200627174A (en) * | 2004-08-09 | 2006-08-01 | Sandisk Corp | Ring bus structure and its use in flash memory systems |
| WO2007095465A2 (en) * | 2006-02-10 | 2007-08-23 | Qualcomm Incorporated | Method and apparatus for securely booting from an external storage device |
| CN101281570A (en) * | 2008-05-28 | 2008-10-08 | 北京工业大学 | Credible computing system |
| CN101281577A (en) * | 2008-05-16 | 2008-10-08 | 北京工业大学 | Dependable computing system capable of protecting BIOS and method of use thereof |
| TW200949687A (en) * | 2008-05-24 | 2009-12-01 | Via Tech Inc | Termination of secure execution mode in a microprocessor providing for execution of secure code |
| WO2012020292A1 (en) * | 2010-08-10 | 2012-02-16 | Sandisk Il Ltd | Host device and method for securely booting the host device with operating system code loaded from a storage device |
| TW201224752A (en) * | 2005-02-02 | 2012-06-16 | Insyde Software Corp | System and method for providing secure storage areas for firmware |
| TW201234210A (en) * | 2010-12-29 | 2012-08-16 | Viaccess Sa | Method for loading a code of at least one software module |
| US8914627B2 (en) * | 2011-02-11 | 2014-12-16 | Samsung Electronics Co., Ltd. | Method for generating a secured boot image including an update boot loader for a secured update of the version information |
| US20150012737A1 (en) * | 2013-07-04 | 2015-01-08 | Microsemi SoC Corporation | Secure Boot for Unsecure Processors |
| TW201502990A (en) * | 2013-02-22 | 2015-01-16 | Marvell World Trade Ltd | Patching boot code of read-only memory |
| US20160275290A1 (en) * | 2015-03-19 | 2016-09-22 | Karunakara Kotary | Dynamic Firmware Module Loader in a Trusted Execution Environment Container |
| WO2018222666A1 (en) * | 2017-06-02 | 2018-12-06 | Apple Inc. | Method and apparatus for secure system boot |
| US10223531B2 (en) * | 2016-12-30 | 2019-03-05 | Google Llc | Secure device state apparatus and method and lifecycle management |
| WO2019112971A1 (en) * | 2017-12-07 | 2019-06-13 | Apple Inc. | Method and apparatus for secure system boot |
| TWI738135B (en) * | 2019-04-07 | 2021-09-01 | 新唐科技股份有限公司 | Monitor system booting security device and method thereof |
Family Cites Families (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP2030124A4 (en) * | 2006-05-24 | 2012-12-12 | Safend Ltd | Method and system for defending security application in a user's computer |
| US7769993B2 (en) * | 2007-03-09 | 2010-08-03 | Microsoft Corporation | Method for ensuring boot source integrity of a computing system |
| JP5085287B2 (en) * | 2007-11-21 | 2012-11-28 | 株式会社リコー | Information processing apparatus, validity verification method, and validity verification program |
| US8555015B2 (en) * | 2008-10-23 | 2013-10-08 | Maxim Integrated Products, Inc. | Multi-layer content protecting microcontroller |
| US8561138B2 (en) * | 2008-12-31 | 2013-10-15 | Intel Corporation | System and method to provide added security to a platform using locality-based data |
| CN101520831B (en) * | 2009-03-27 | 2011-08-24 | 深圳市永达电子股份有限公司 | Safe terminal system and terminal safety method |
| CN102262557B (en) * | 2010-05-25 | 2015-01-21 | 运软网络科技(上海)有限公司 | Method for constructing virtual machine monitor by bus architecture and performance service framework |
| US8479017B2 (en) * | 2010-06-21 | 2013-07-02 | Intel Corporation | System and method for N-ary locality in a security co-processor |
| JP2014021953A (en) * | 2012-07-24 | 2014-02-03 | Ricoh Co Ltd | Information processor, image processor, start-up control method and start-up control program |
| JP2014056390A (en) * | 2012-09-12 | 2014-03-27 | Ricoh Co Ltd | Information processor and validity verification method |
| US10095891B2 (en) * | 2015-06-08 | 2018-10-09 | Nuvoton Technology Corporation | Secure access to peripheral devices over a bus |
| CN105843671B (en) * | 2016-03-22 | 2018-11-16 | 西安电子科技大学 | Resources of virtual machine security monitoring and risk pretreatment system based on cloud platform |
| US10055155B2 (en) * | 2016-05-27 | 2018-08-21 | Wind River Systems, Inc. | Secure system on chip |
| US20170364683A1 (en) * | 2016-06-17 | 2017-12-21 | Google Inc. | Computing device secure boot |
-
2019
- 2019-12-02 TW TW108143848A patent/TWI738135B/en active
- 2019-12-02 TW TW110126479A patent/TWI791244B/en active
- 2019-12-02 TW TW110126482A patent/TWI756156B/en active
- 2019-12-30 CN CN201911391289.3A patent/CN111797442B/en active Active
-
2020
- 2020-04-03 JP JP2020067752A patent/JP7005676B2/en active Active
Patent Citations (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TW200622892A (en) * | 2004-06-29 | 2006-07-01 | Koninkl Philips Electronics Nv | Safe flashing |
| TW200627174A (en) * | 2004-08-09 | 2006-08-01 | Sandisk Corp | Ring bus structure and its use in flash memory systems |
| TW201224752A (en) * | 2005-02-02 | 2012-06-16 | Insyde Software Corp | System and method for providing secure storage areas for firmware |
| WO2007095465A2 (en) * | 2006-02-10 | 2007-08-23 | Qualcomm Incorporated | Method and apparatus for securely booting from an external storage device |
| CN101281577A (en) * | 2008-05-16 | 2008-10-08 | 北京工业大学 | Dependable computing system capable of protecting BIOS and method of use thereof |
| TW200949687A (en) * | 2008-05-24 | 2009-12-01 | Via Tech Inc | Termination of secure execution mode in a microprocessor providing for execution of secure code |
| CN101281570A (en) * | 2008-05-28 | 2008-10-08 | 北京工业大学 | Credible computing system |
| WO2012020292A1 (en) * | 2010-08-10 | 2012-02-16 | Sandisk Il Ltd | Host device and method for securely booting the host device with operating system code loaded from a storage device |
| TW201234210A (en) * | 2010-12-29 | 2012-08-16 | Viaccess Sa | Method for loading a code of at least one software module |
| US8914627B2 (en) * | 2011-02-11 | 2014-12-16 | Samsung Electronics Co., Ltd. | Method for generating a secured boot image including an update boot loader for a secured update of the version information |
| TW201502990A (en) * | 2013-02-22 | 2015-01-16 | Marvell World Trade Ltd | Patching boot code of read-only memory |
| US20150012737A1 (en) * | 2013-07-04 | 2015-01-08 | Microsemi SoC Corporation | Secure Boot for Unsecure Processors |
| US20160275290A1 (en) * | 2015-03-19 | 2016-09-22 | Karunakara Kotary | Dynamic Firmware Module Loader in a Trusted Execution Environment Container |
| US10223531B2 (en) * | 2016-12-30 | 2019-03-05 | Google Llc | Secure device state apparatus and method and lifecycle management |
| WO2018222666A1 (en) * | 2017-06-02 | 2018-12-06 | Apple Inc. | Method and apparatus for secure system boot |
| WO2019112971A1 (en) * | 2017-12-07 | 2019-06-13 | Apple Inc. | Method and apparatus for secure system boot |
| TWI738135B (en) * | 2019-04-07 | 2021-09-01 | 新唐科技股份有限公司 | Monitor system booting security device and method thereof |
Also Published As
| Publication number | Publication date |
|---|---|
| TWI756156B (en) | 2022-02-21 |
| JP7005676B2 (en) | 2022-02-04 |
| TWI738135B (en) | 2021-09-01 |
| JP2020173806A (en) | 2020-10-22 |
| TW202143034A (en) | 2021-11-16 |
| TW202143033A (en) | 2021-11-16 |
| CN111797442B (en) | 2023-11-24 |
| CN111797442A (en) | 2020-10-20 |
| TW202102997A (en) | 2021-01-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10691807B2 (en) | Secure system boot monitor | |
| US10452582B2 (en) | Secure access to peripheral devices over a bus | |
| JP6703064B2 (en) | How to safely access peripheral devices over the bus | |
| KR102513435B1 (en) | Security verification of firmware | |
| US10776527B2 (en) | Security monitoring of SPI flash | |
| CN111226215B (en) | Transparent attached flash memory security | |
| US11556651B2 (en) | Method for secure booting using route switchover function for boot memory bus and apparatus using the same | |
| US20190236276A1 (en) | Secured master-mediated transactions between slave devices using bus monitoring | |
| US11188321B2 (en) | Processing device and software execution control method | |
| TWI791244B (en) | Monitor system booting security device and method thereof | |
| TWI733399B (en) | Secured device, secured method, secured system, and secured apparatus | |
| TWI698769B (en) | Secure access to peripheral devices over a bus | |
| JP7079558B2 (en) | Safety device for SPI flash |