
TWI698769B - Secure access to peripheral devices over a bus - Google Patents

Secure access to peripheral devices over a bus

Info

Publication number
TWI698769B
Authority
TW
Taiwan
Prior art keywords
bus
data processing
peripheral devices
security device
peripheral
Application number
TW108108029A
Other languages
Chinese (zh)
Other versions
TW201944281A (en)
Inventor
赫詩曼 日弗
亞隆 摩西
摩瑞 丹
塔納密 歐倫
Original Assignee
新唐科技股份有限公司
Priority claimed from US15/955,715 (US10452582B2)
Application filed by 新唐科技股份有限公司
Publication of TW201944281A
Application granted
Publication of TWI698769B

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)
  • Bus Control (AREA)
  • Information Transfer Systems (AREA)

Abstract

A security device includes an interface and a processor. The interface is configured for connecting to a bus that serves one or more peripheral devices. The bus includes (i) one or more dedicated signals that are each dedicated to a respective one of the peripheral devices, and (ii) one or more shared signals that are shared among the peripheral devices served by the bus. The processor is connected to the bus as an additional device in addition to the peripheral devices, and is configured to disrupt on the bus a transaction in which a bus-master device attempts to access a given peripheral device, by disrupting a dedicated signal associated with the given peripheral device.

Description

Device and method for secure access to peripheral devices over a bus

Cross-reference to related applications

This application is a continuation-in-part (CIP) of U.S. Patent Application No. 15/075,219, filed March 21, 2016, which claims the benefit of U.S. Provisional Patent Application 62/172,298, filed June 8, 2015, the disclosure of which is incorporated herein by reference.

The present invention relates generally to electronic system security, and particularly to methods and systems for protecting access to peripheral devices.

Electronic systems use various bus interfaces for communication between host devices and peripheral devices. Examples of bus interfaces include the Inter-Integrated-Circuit (I2C) bus and the Serial Peripheral Interface (SPI) bus. The I2C bus is described, for example, in "I2C Bus Specification and User Manual", UM10204, NXP Semiconductors, revision 6, April 4, 2014, which is incorporated herein by reference.

Embodiments of the present invention that are described herein provide a security device that includes an interface and a processor. The interface is configured to connect to a bus that serves one or more peripheral devices. The bus carries (i) one or more dedicated signals, each dedicated to a respective one of the peripheral devices, and (ii) one or more shared signals, shared among the peripheral devices served by the bus. The processor is connected to the bus as an additional device in addition to the one or more peripheral devices, and is configured to disrupt on the bus a transaction in which a bus-master device attempts to access a given peripheral device, by disrupting the dedicated signal associated with the given peripheral device.

In some embodiments, the processor keeps the shared signals on the bus undisrupted while disrupting the transaction. In one embodiment, the interface includes (i) an input for receiving the dedicated signal from the bus-master device and (ii) an output for outputting the dedicated signal to the given peripheral device, and the processor disrupts the transaction by preventing the dedicated signal received at the input from being sent on the output. In some embodiments, the processor is configured to respond to the bus-master device, instead of the given peripheral device, while the dedicated signal is disrupted. In an example embodiment, the dedicated signal includes a chip-select signal.

In a disclosed embodiment, the processor monitors the bus in order to detect the transaction to be disrupted. In an alternative embodiment, the processor detects the transaction to be disrupted by communicating with the bus-master device over an auxiliary interface external to the bus.

In one embodiment, the processor is configured to continue disrupting the dedicated signal until a reset signal appears. In another embodiment, the processor is configured to disrupt the dedicated signal for a limited period of time after detecting the transaction. In one embodiment, by disrupting the transaction, the processor is configured to cause a transaction abort at the one or more peripheral devices. In some embodiments, the processor is configured to restore normal operation of the bus after the transaction has been disrupted.

There is additionally provided, in accordance with an embodiment of the present invention, a security device including an interface and a processor. The interface is configured to connect to a bus that serves one or more peripheral devices. The processor is connected to the bus in addition to the one or more peripheral devices, and is configured to disrupt a transaction in which a bus-master device attempts to access a given peripheral device, by responding to the bus-master device in place of the one or more peripheral devices.

In one embodiment, the bus carries (i) one or more dedicated signals, each dedicated to a respective one of the peripheral devices, and (ii) one or more shared signals, shared among the peripheral devices served by the bus, and the processor disrupts the transaction by (i) disrupting the dedicated signal associated with the given peripheral device and (ii) responding to the bus-master device while the dedicated signal is disrupted.

In some embodiments, the given peripheral device includes a memory device, and the processor is configured to identify, in the transaction, a request from the bus-master device to read data from the memory device, and to respond to the request with substitute data stored in the security device. In an example embodiment, the processor is configured to disrupt the transaction and respond with the substitute data upon identifying that the bus-master device requests access to a predefined address region in the memory device.

In another embodiment, the processor is configured to identify the transaction in which the bus-master device attempts to access the given peripheral device based on data returned from the given peripheral device to the bus-master device during the transaction. In yet another embodiment, the processor is configured to identify the transaction in which the bus-master device attempts to access the given peripheral device based on an instruction code used in the transaction.

There is also provided, in accordance with an embodiment of the present invention, a method for secure access to peripheral devices over a bus, including communicating over the bus using a security device that is connected to the bus as an additional device in addition to the one or more peripheral devices, wherein the bus carries (i) one or more dedicated signals, each dedicated to a respective one of the peripheral devices, and (ii) one or more shared signals, shared among the peripheral devices served by the bus; and, using the security device, disrupting on the bus a transaction in which a bus-master device attempts to access a given peripheral device, by disrupting the dedicated signal associated with the given peripheral device.

There is also provided, in accordance with an embodiment of the present invention, a method for secure access to peripheral devices over a bus, including communicating over the bus using a security device that is connected to the bus as an additional device in addition to the one or more peripheral devices; and, using the security device, disrupting on the bus a transaction in which a bus-master device attempts to access a given peripheral device, by responding to the bus-master device instead of the given peripheral device.

In another embodiment, a device including an interface and a processor is provided. The interface is configured to communicate over a bus, and the processor is configured to disrupt at least part of a transaction in which a bus-master device attempts to access a peripheral device without authorization, by forcing one or more dummy values onto at least one line of the bus in parallel with the transaction.

In one embodiment, the processor is configured to force the dummy values onto a data line of the bus, so as to block the respective data values received or transmitted by the peripheral device over the data line. Additionally or alternatively, the processor is configured to force the dummy values onto a clock line of the bus, so as to disrupt the clock signal used in the transaction. Further additionally or alternatively, the processor is configured to force the dummy values onto a chip-select line of the bus, so as to prevent the bus-master device from selecting the peripheral device.

In some embodiments, the bus includes an open-collector or open-drain bus having a default logic value, and the processor is configured to force onto the at least one line of the bus a dummy value that is the opposite of the default logic value.

In some embodiments, by forcing the dummy values, the processor is configured to override the corresponding values written on the at least one line by the bus-master device or the peripheral device. In an example embodiment, the processor is configured to override the values written on the at least one line by the bus-master device or the peripheral device by driving the at least one line with a drive strength greater than that of the bus-master device or the peripheral device. In another embodiment, the device includes at least one resistor inserted in the at least one line, the resistor being configured to attenuate the values written by the bus-master device or the peripheral device so that they are weaker than the dummy values written by the processor.

In some embodiments, the processor is configured to force the dummy values only on existing lines of the bus that are used for communication between the bus-master device and the peripheral device. In some embodiments, the processor is configured to detect the transaction to be disrupted by monitoring the bus. In one embodiment, the processor is configured to detect the transaction to be disrupted by communicating with the bus-master device over an auxiliary interface external to the bus.

In a disclosed embodiment, the processor is configured to force the dummy values indefinitely, until the device is reset. In another embodiment, the processor is configured to force the dummy values for a limited period of time upon detecting the transaction. In one embodiment, the processor is configured to gracefully restore normal operation of the bus after the transaction has been disrupted.

There is additionally provided, in accordance with an embodiment of the present invention, a system including a peripheral device and a security device. The peripheral device is accessible over a bus to one or more bus-master devices. The security device is configured to disrupt at least part of a transaction in which a bus-master device attempts to access the peripheral device without authorization, by forcing one or more dummy values onto at least one line of the bus in parallel with the transaction.

There is further provided, in accordance with an embodiment, a method including, using a security device coupled to a bus, deciding whether to disrupt a transaction in which a bus-master device attempts unauthorized access to a peripheral device, and disrupting at least part of the transaction by forcing one or more dummy values onto at least one line of the bus in parallel with the transaction.

The present invention will be more fully understood from the following detailed description of embodiments thereof, taken together with the drawings, in which:

20, 70, 110, 130: system
24, 74: host device
28, 78: peripheral device
32: I2C bus
36, 86: security device
40, 90: interface
44, 94: processor
48, 98: memory
50: monitoring step
54: detection step
58: checking step
62: granting step
66: disruption step
82: SPI bus
91: slave interface logic
92: interface monitoring logic
100: series resistor
102: reset-holding step
104: initial read step
108: override step
112: reset release step
116: boot step
120: region access sub-step
CS1#: chip-select line
CS2#: chip-select line
CLK: clock line
MASK_CS2#: control signal
MOSI: master-out slave-in line
MISO: master-in slave-out line

FIG. 1 is a block diagram that schematically illustrates a secure system in which multiple devices communicate over an I2C bus, in accordance with an embodiment of the present invention.

FIG. 2 is a flow chart that schematically illustrates a method for protecting access to a peripheral device over an I2C bus, in accordance with an embodiment of the present invention.

FIGS. 3 to 5 are block diagrams that schematically illustrate secure systems in which multiple devices communicate over an SPI bus, in accordance with an alternative embodiment of the present invention.

FIG. 6 is a block diagram that schematically illustrates a security device, in accordance with an embodiment of the present invention.

FIG. 7 is a flow chart that schematically illustrates a method for secure booting of a host device, in accordance with an embodiment of the present invention.

Overview

Embodiments of the present invention that are described herein provide improved methods and devices for protecting access to peripheral devices over a bus interface. The peripheral devices may include, for example, cryptographic engines, storage devices that hold sensitive data, or any other device that can be accessed over a bus.

In some disclosed embodiments, a security device monitors the transactions on the bus and identifies transactions in which a host device, or another bus-master device, attempts to access a peripheral device without authorization. Transactions may be classified as authorized or unauthorized according to any suitable criterion or policy.

Upon identifying an unauthorized transaction, the security device disrupts it by forcing the data or signal on one or more lines of the bus to some dummy value, in parallel with the transaction. Forcing of dummy values may be applied, for example, to the clock signal, the data signal and/or the Chip-Select signal.

Forcing dummy values is applicable for disrupting signals on open-drain or open-collector buses, such as the I2C bus, as well as on push-pull buses, such as the SPI bus. Forcing dummy values in parallel with the transaction on the bus disrupts the communication with the peripheral device and/or disrupts the respective clock signal.

Several example techniques for disrupting unauthorized transactions on I2C and SPI buses are described herein, along with techniques for restoring normal operation after a disruption. In some embodiments, the security device may disrupt a transaction without first detecting that transaction on the bus, or even without monitoring the bus at all. For example, the security device may force a dummy value on the chip-select (CS) line of a certain host until, or unless, that host is authorized.

In some embodiments, for example in SPI, the bus protected by the security device carries (i) one or more dedicated signals, each dedicated to a respective peripheral device, and (ii) one or more shared signals that are shared among the peripheral devices served by the bus. Examples of shared signals are the data and clock signals. An example of a dedicated signal is the CS signal. In some embodiments, the security device disrupts a transaction by disrupting the dedicated signal associated with the protected peripheral device, while keeping the shared signals on the bus undisrupted. Note that not all buses have dedicated signals; in an I2C bus, for example, all signals are shared.

In other embodiments, the security device disrupts a transaction by responding to the unauthorized host instead of the protected peripheral device. In an example embodiment, the peripheral device includes a Flash memory that contains one or more address regions allocated for storing sensitive data such as keys, configuration data and/or boot code. By selectively driving the CS signal of the Flash memory, the security device controls access to the data in the Flash memory; instead of the Flash memory, the security device responds to the host with data stored inside the security device. A secure boot process of this kind is described herein.

The disclosed techniques provide real-time, selective secure access to peripheral devices at the transaction-by-transaction level. In most of the techniques described herein, identification and disruption of transactions are performed using only the existing signals of the bus. The disclosed techniques therefore require no additional pins or interconnects, which reduces overall system size and cost.
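The SPI dedicated-signal scheme from the preceding paragraphs (masking the chip select toward a protected Flash, and answering the host with substitute data for a protected address region), as an added C model that is not part of the patent. A security device sits inline on CS2# (input from the master, output to the Flash) and never touches the shared CLK/MOSI/MISO lines. The mask is raised either for every transaction while the host is not yet authorized, which needs no bus monitoring at all, or when the decoded read address falls inside the protected region, in which case the device answers on MISO from its own stored copy. The Flash image, region bounds, substitute bytes and the use of 0x03 as the read opcode are all constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 16-byte Flash image; the first 8 bytes are the protected
 * region (boot code / keys in the patent's terms). Bounds are constructed. */
#define FLASH_SIZE       16u
#define PROTECTED_START  0x000000u
#define PROTECTED_END    0x000008u   /* exclusive */
/* Assumption: 0x03 is the Flash "READ" opcode the guard looks for on MOSI. */
#define CMD_READ         0x03u

static const uint8_t k_flash[FLASH_SIZE] = {
    0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04,   /* protected region */
    0xCA, 0xFE, 0xBA, 0xBE, 0x10, 0x20, 0x30, 0x40 }; /* ordinary region  */

/* Substitute data held inside the security device for the protected region. */
static const uint8_t k_substitute[PROTECTED_END - PROTECTED_START] = {
    0x5A, 0x5A, 0x5A, 0x5A, 0x11, 0x22, 0x33, 0x44 };

typedef struct {
    bool cs_reached_flash;   /* CS2# output toward the Flash was asserted */
    bool substituted;        /* guard answered on MISO in place of the Flash */
    uint8_t miso[FLASH_SIZE];
    size_t nbytes;
} spi_result_t;

/* One SPI read transaction: the master asserts CS2#, clocks opcode and a
 * 24-bit address out on MOSI, then clocks nbytes in on MISO. The guard decodes
 * MOSI like any other listener and decides whether CS2# may reach the Flash. */
static spi_result_t spi_read(bool host_authorized, uint32_t addr, size_t nbytes)
{
    spi_result_t r;
    memset(&r, 0, sizeof r);
    if (nbytes > FLASH_SIZE) nbytes = FLASH_SIZE;
    r.nbytes = nbytes;

    /* MOSI bytes as seen on the shared line: opcode, then address MSB first. */
    uint8_t mosi[4] = { CMD_READ, (uint8_t)(addr >> 16), (uint8_t)(addr >> 8), (uint8_t)addr };
    uint32_t decoded = ((uint32_t)mosi[1] << 16) | ((uint32_t)mosi[2] << 8) | mosi[3];
    bool protected_read = mosi[0] == CMD_READ &&
                          decoded >= PROTECTED_START && decoded < PROTECTED_END;

    /* MASK_CS2#: active for the whole transaction while the host is not yet
     * authorized, or as soon as the decoded address is in the protected
     * region. CS2# out = CS2# in AND NOT mask; the Flash sees no select. */
    bool cs_in_asserted = true;
    bool mask_cs2 = !host_authorized || protected_read;
    r.cs_reached_flash = cs_in_asserted && !mask_cs2;

    for (size_t i = 0; i < nbytes; i++) {
        uint32_t a = decoded + (uint32_t)i;
        if (r.cs_reached_flash) {
            r.miso[i] = a < FLASH_SIZE ? k_flash[a] : 0xFF;   /* Flash answers */
        } else if (host_authorized && protected_read && a < PROTECTED_END) {
            r.miso[i] = k_substitute[a - PROTECTED_START];    /* guard answers */
            r.substituted = true;
        } else {
            r.miso[i] = 0xFF;   /* nobody drives MISO: modelled as idle high */
        }
    }
    return r;
}

/* Scalar views of the result, convenient for checking one transaction. */
static uint8_t spi_byte(bool authorized, uint32_t addr, size_t idx)
{
    spi_result_t r = spi_read(authorized, addr, idx + 1);
    return r.miso[idx];
}
static bool spi_flash_selected(bool authorized, uint32_t addr)
{
    return spi_read(authorized, addr, 1).cs_reached_flash;
}
static bool spi_substituted(bool authorized, uint32_t addr)
{
    return spi_read(authorized, addr, 1).substituted;
}

int main(void)
{
    printf("authorized read @0x000008: 0x%02X (flash selected=%d)\n",
           spi_byte(true, 0x000008, 0), spi_flash_selected(true, 0x000008));
    printf("authorized read @0x000000: 0x%02X (substituted=%d)\n",
           spi_byte(true, 0x000000, 0), spi_substituted(true, 0x000000));
    printf("unauthorized read @0x000008: 0x%02X (flash selected=%d)\n",
           spi_byte(false, 0x000008, 0), spi_flash_selected(false, 0x000008));
    return 0;
}
```

The model collapses timing: in hardware the mask is applied the moment the address bytes have been decoded, which is before the Flash starts to shift data out, so the Flash is deselected before it can answer. Only the dedicated CS2# line is ever altered; the shared signals pass through untouched, which is what lets other peripherals on the same bus keep working during the disruption.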

Secure access to peripheral devices over an I2C bus

FIG. 1 is a block diagram that schematically illustrates a secure system 20, in accordance with an embodiment of the present invention. In the present embodiment, system 20 includes a host device 24 and a peripheral device 28, both connected to an I2C bus 32. For brevity, host device 24 and peripheral device 28 are also referred to herein as the host and the peripheral; host device 24 may also serve as a bus-master device.

A security device 36 protects data access to peripheral device 28 by monitoring the transactions on I2C bus 32, and prevents host device 24, or any other device with bus-master capability, from attempting unauthorized access to peripheral device 28. Security device 36 is sometimes also referred to as a control device or a Trusted Platform Module (TPM). In the present embodiment, security device 36 includes an interface 40 for connecting to I2C bus 32, a processor 44 configured to carry out the techniques described herein, and a memory 48 configured to store one or more security policies enforced by processor 44.

Processor 44 may classify a transaction as unauthorized according to any predefined or configured policy. Typically, an unauthorized transaction may attempt to overwrite data in peripheral device 28, read data from peripheral device 28, configure or send commands to peripheral device 28, or otherwise access peripheral device 28. The policies enforced by security device 36 may include positive policies (e.g., white-lists), negative policies (e.g., black-lists), policies that depend on the device address or register offset, or any other suitable kind of policy.

For example, security device 36 may require the host to authenticate the identity of host device 24 before it is authorized to access peripheral device 28, and transactions attempted by an unauthenticated host may be regarded as unauthorized. Authentication may be performed, for example, by a challenge-response process between the host and the security device. Additionally or alternatively, the host may be required to prove its identity in some other suitable manner, or to complete a secure boot process successfully.

Additionally or alternatively, certain types of transactions (e.g., read transactions) may be regarded as authorized while other types (e.g., write transactions) are regarded as unauthorized. In yet another embodiment, access to selected addresses in the peripheral device may be regarded as authorized while access to other addresses is regarded as unauthorized. As another example, certain bit sequences on the bus may be indicative of an unauthorized transaction.

Generally, processor 44 may distinguish between authorized and unauthorized transactions in any suitable manner. Memory 48 stores one or more policies for deciding whether a transaction is authorized.

I2C bus 32 includes a serial data line carrying a Serial Data (SDA) signal and a serial clock line carrying a Serial Clock (SCL) signal. The terms "line" and "signal" are used interchangeably herein. By monitoring the SDA and SCL lines, processor 44 is able to monitor all transactions on I2C bus 32 and identify unauthorized transactions.

Upon identifying an unauthorized transaction, processor 44 disrupts the transaction by forcing one or more dummy values onto the SDA line and/or the SCL line of I2C bus 32. This mechanism is possible because the I2C bus has an open-drain/open-collector structure. Typically, both the SDA and SCL lines are pulled up to logic "1" by default, using pull-up resistors. Any device may write a logic "0" value on the SDA or SCL line at any time, regardless of the values that other devices may be writing at the same time.

Thus, in some embodiments, upon identifying an unauthorized transaction, processor 44 in security device 36 forces, via interface 40, a logic "0" value (the opposite of the default logic "1" value) onto the SDA line or the SCL line of I2C bus 32. The "0" value is regarded herein as a dummy value. A "0" value forced on the SDA line overrides any value that is simultaneously being sent from host device 24 to peripheral device 28 or read by host device 24 from peripheral device 28, as well as the default logic "1" value. A "0" value forced on the SCL line stops the clock signal. In either case, the transaction is disrupted.

In some embodiments, processor 44 continues to force the "0" value until the device is reset. In other embodiments, processor 44 enables graceful recovery from the disruption, i.e., enables host device 24 and peripheral device 28 to recover from the disrupted transaction and resume normal operation. Some hosts and/or peripherals are unable to recover from a clock stall. Therefore, if graceful recovery of simple hosts and peripherals is later required, it is preferable to force the dummy value on the SDA line rather than on the SCL line.

In one embodiment, in order to restore normal operation after disrupting a transaction, processor 44 generates an I2C Stop or I2C Restart condition on the bus. In the present context, an I2C Stop or Restart condition may include any sequence of bus signal values that indicates to the devices that the bus is idle and that a transaction may begin.

Processor 44 may use various techniques to enable graceful recovery after a transaction has been disrupted. In one embodiment, processor 44 continues to force the "0" value for a predefined time duration that is regarded as sufficient for disrupting the unauthorized transaction. Any predefined duration may be used. For example, the SMBus specification defines a timeout of 25 ms. Therefore, in applications of SMBus over I2C, it makes sense to set the predefined duration to at least 25 ms so as to trigger the timeout.

In another embodiment, processor 44 continues to force the "0" value on the SDA line, within a predefined time period, until it detects that the SCL line is at logic high (i.e., not toggling). This condition may indicate that the host has aborted or abandoned the transaction. Processor 44 may then release the SDA line, and possibly generate an I2C Stop condition.

In yet another embodiment, which is useful for disrupting read transactions from the peripheral, security device 36 is configured as an I2C slave having the same address as peripheral device 28. Processor 44 in security device 36 responds to any unauthorized read request with "0" data values. Peripheral device 28 responds to these read requests in parallel with processor 44, but its data values are overridden by the "0" values sent by security device 36. This process continues until the host aborts the transaction, e.g., by a Stop condition. Note that, in accordance with the I2C specification, an I2C slave does not drive the ACK/NACK bit while sending data.

In another embodiment, which is useful for disrupting both read and write transactions, processor 44 forces the "0" value on the SDA line. Then, if host device 24 does not recognize the disruption, the transaction terminates normally with the "0" data on the bus instead of the data sent from peripheral device 28. If host device 24 detects the disruption (e.g., because it supports I2C multi-master arbitration) and abandons the transaction, processor 44 may take over the transaction abandoned by host device 24, typically by generating additional clock cycles on the SCL line. Processor 44 may then complete the current byte being transferred and terminate the transaction by issuing a Stop condition.

上面描述的中斷和回復技術僅通過實施例來描述。在一個替代的實施例中,安全裝置36的處理器44可以透過任何其他技術來中斷數據處置及/或從中斷中進行回復。 The interruption and recovery techniques described above are only described by embodiments. In an alternative embodiment, the processor 44 of the security device 36 may interrupt data processing and/or recover from the interruption through any other technology.

在上述實施例中,僅使用匯流排的現有線路來實現對未經授權數據處置的檢測、中斷及中斷後的回復。在一個替代的實施例中,安全裝置36和主機裝置24也通過在匯流排32外部的一些輔助介面連接。例如,當安全裝置36和主機裝置24集成在同一集成電路(IC)中並且共享IC的SDA和SCL引腳時,這種機制是可行的。 In the above embodiment, only the existing lines of the bus are used to realize the detection, interruption, and response after interruption of unauthorized data handling. In an alternative embodiment, the security device 36 and the host device 24 are also connected through some auxiliary interfaces outside the bus 32. For example, this mechanism is feasible when the security device 36 and the host device 24 are integrated in the same integrated circuit (IC) and share the SDA and SCL pins of the IC.

在這些實施例中,安全裝置36和主機裝置24使用輔助介面來驗證沒有其他主機裝置存取周邊裝置28。在一個示範的實施例中,當主機裝置24存取周邊裝置28時,主機裝置24透過輔助介面通知安全裝置36。為回應該通知,處理器44不強制寫入虛擬值"0"至匯流排,並允許數據處置實行。在檢測到存取周邊裝置28但未在輔助介面上報告的數據處置時,處理器44會假定該數據處置由一些未經授權的主機發出,並且通過強制寫入“0”值來中斷它。 In these embodiments, the security device 36 and the host device 24 use an auxiliary interface to verify that no other host device accesses the peripheral device 28. In an exemplary embodiment, when the host device 24 accesses the peripheral device 28, the host device 24 notifies the security device 36 through the auxiliary interface. In response to the notification, the processor 44 does not forcibly write the virtual value "0" to the bus, and allows the data processing to be performed. When detecting data processing that accesses the peripheral device 28 but not reported on the auxiliary interface, the processor 44 assumes that the data processing is sent by some unauthorized host, and interrupts it by forcibly writing a "0" value.

Fig. 2 is a flow chart of a method for securing access to the peripheral device 28 over the I2C bus 32, in accordance with an embodiment of the present invention. The method begins with a monitoring step 50, in which the processor 44 of the security device 36 monitors transactions on the I2C bus 32 through the interface 40.

In a transaction detection step 54, the processor 44 identifies a transaction in which the host device 24 attempts to access the peripheral device 28. In a checking step 58, the processor 44 checks whether the transaction is authorized. For example, the processor 44 may check whether the transaction violates a security policy stored in the memory 48.

If the transaction is authorized, the processor 44 allows it to proceed normally, in a permitting step 62. Otherwise, if the transaction is found to be unauthorized, the processor 44 interrupts it by forcing the dummy value "0" onto the SCL and/or SDA lines of the I2C bus 32, in an interruption step 66.
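As an added illustration of the I2C interruption logic and the method of Fig. 2 (example code written for this edit, not part of the patent), the following Python model treats SDA as the wired-AND of every device's output and runs steps 54 to 66 over constructed transactions. The policy table, the 7-bit addresses 0x50 and 0x48, and the way the auxiliary-interface embodiment announces accesses are assumptions for the example; the authorization decision is taken once the address byte and R/W bit have been seen, so the dummy zeros land on the data bytes.

```python
"""Behavioural model of the I2C security device 36 and the method of Fig. 2.
Added example, not the patent's code. SDA is modelled as the wired-AND of every
device's output; policy, addresses and transactions are constructed."""
from dataclasses import dataclass, field

READ, WRITE = 1, 0          # I2C R/W bit: 1 = master reads from the slave


@dataclass
class PolicyEntry:
    addr7: int
    allow_read: bool
    allow_write: bool


@dataclass
class SecurityDevice:
    """Processor 44 with its policy in memory 48; optional auxiliary-interface embodiment."""
    policy: dict                                 # addr7 -> PolicyEntry
    use_aux_interface: bool = False              # host must announce accesses out of band
    announced: set = field(default_factory=set)  # addresses announced over that interface
    log: list = field(default_factory=list)

    def announce(self, addr7):
        """Host device 24 reports over the auxiliary interface that it will access addr7."""
        self.announced.add(addr7)

    def is_authorized(self, addr7, rw):
        """Checking step 58. Unknown addresses are denied (default deny)."""
        if self.use_aux_interface and addr7 not in self.announced:
            return False            # nobody announced it: assume an unauthorized master
        entry = self.policy.get(addr7)
        if entry is None:
            return False
        return entry.allow_read if rw == READ else entry.allow_write


def wired_and(*levels):
    """Open-drain line: one device driving 0 pulls the whole line low."""
    return 0 if 0 in levels else 1


def transfer_byte(tx_byte, sec_drives_zero):
    """Clock one byte over SDA, MSB first. tx_byte is what the transmitting side
    (host on a write, peripheral on a read) shifts out; the security device drives
    0 on every bit while interrupting and leaves the line released (1) otherwise."""
    seen = 0
    for i in range(7, -1, -1):
        tx_bit = (tx_byte >> i) & 1
        sec_bit = 0 if sec_drives_zero else 1
        seen = (seen << 1) | wired_and(tx_bit, sec_bit)
    return seen


def run_transaction(sec, addr7, rw, payload):
    """Steps 54-66 of Fig. 2 for one transaction after the address phase.
    Returns (interrupted, bytes the receiving side actually sees)."""
    interrupted = not sec.is_authorized(addr7, rw)
    sec.log.append((addr7, "R" if rw == READ else "W", "blocked" if interrupted else "ok"))
    observed = bytes(transfer_byte(b, interrupted) for b in payload)
    if sec.use_aux_interface:
        sec.announced.discard(addr7)     # one announcement covers one transaction
    return interrupted, observed


if __name__ == "__main__":
    policy = {0x50: PolicyEntry(0x50, allow_read=True, allow_write=False),  # EEPROM: read-only
              0x48: PolicyEntry(0x48, allow_read=True, allow_write=True)}   # sensor: read/write
    dev = SecurityDevice(policy)
    print(run_transaction(dev, 0x50, READ, b"\xa5\x3c"))    # allowed: data passes unchanged
    print(run_transaction(dev, 0x50, WRITE, b"\xa5\x3c"))   # blocked: peripheral sees 0x00 0x00
    print(dev.log)
```

The model also shows why the SDA variant recovers more gracefully than the SCL variant: the forced zeros are confined to the data bits of the offending transaction and the host's own STOP ends it, whereas a stalled clock has to be cleared by the SMBus timeout or a reset.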

Secure access to peripheral devices over an SPI bus

Fig. 3 is a block diagram of a secure system 70, in accordance with an alternative embodiment of the present invention. As shown in Fig. 3, the system 70 comprises a host device 74, a peripheral device 78 and a security device 86, all connected to an SPI bus 82.

When the host device 74 makes an unauthorized attempt to access the peripheral device 78, the security device 86 identifies and interrupts the transaction. In an embodiment of the present invention, the security device 86 comprises an interface 90 connected to the SPI bus 82, a processor 94 configured to carry out the techniques of the invention, and a memory 98 configured to store one or more security policies enforced by the processor 94.

The security policies used to distinguish authorized from unauthorized transactions, and the way the processor 94 of the security device 86 identifies unauthorized transactions, are essentially similar to those described above for the system 20. The technique described below differs from the one above in the way the security device 86 forces dummy values onto the bus 82 in order to interrupt unauthorized transactions.

The SPI bus 82 comprises a clock (CLK) line and two data lines, referred to as the Master-Out-Slave-In (MOSI) line and the Master-In-Slave-Out (MISO) line. The CLK, MISO and MOSI lines are common to all devices (in the present example, devices 74, 78 and 86). In addition, each slave device is selected by a dedicated Chip-Select (CS) line. In the present example, the host device 74 uses the CS line denoted CS2# to select the peripheral device 78, and the CS line denoted CS1# to select the security device 86.

The host device 74, being the master, is connected to all the CS lines. The peripheral devices 78, on the other hand, are slaves, and therefore each peripheral device 78 is connected only to its own CS line. Typically, the host device 74 initiates a transaction by selecting the desired peripheral device 78 using the corresponding CS line, and then communicates with that device over the CLK, MOSI and MISO lines. The MOSI line is used for sending signals from the host device 74 to the peripheral device 78, and the MISO line for sending signals from the peripheral device 78 to the host device 74.

Unlike a conventional SPI slave, the security device 86 is defined as a slave device but is able to drive all the CS lines. As shown in Fig. 3, the interface 90 of the security device 86 is configured to drive the CS2# line in parallel with the host device 74. When the system 70 comprises multiple peripheral devices 78 with corresponding CS lines, the security device 86 is typically configured to drive, in parallel, any of the CS lines connected to the host device 74.

In some embodiments, the system 70 is designed such that, when the host device 74 and the security device 86 drive a CS line with opposite logic values, the logic value driven by the security device 86 overrides the logic value driven by the host device 74. In other words, when the host device 74 and the security device 86 drive opposite logic values on the CS line, the peripheral device 78 receives and acts upon the logic value driven by the security device 86.

Overriding the CS line is another example of blocking a transaction on the bus in order to interrupt an unauthorized transaction between the host and the peripheral device 78. The override mechanism can be implemented in various ways. The description below refers to the CS2# line used for selecting the peripheral device 78; when multiple peripheral devices 78 and multiple corresponding CS lines are used, the same mechanism should be applied to each of them.

In one embodiment, the line driver with which the security device 86 drives the CS2# line through the interface 90 is stronger than the line driver with which the host device 74 drives the CS2# line. In an alternative embodiment, a series resistor 100 is inserted into the CS2# line at the output of the host device 74. The series resistor 100 weakens the output of the host device's line driver for CS2# relative to the output of the security device's line driver for CS2#. Alternatively, the security device 86 may be configured to override the signal driven by the host device 74 on the CS2# line in any other suitable way.

The processor 94 of the security device 86 may monitor the CS# lines and the CLK, MISO and/or MOSI lines of the SPI bus 82, and identify unauthorized transactions in any suitable way. In some embodiments, upon identifying a transaction in which the host device 74 makes an unauthorized attempt to access a certain peripheral device 78, the processor 94 of the security device 86 interrupts the transaction by deasserting the CS line of that peripheral device 78. Since the security device 86 is configured to override the host device's drive of the CS2# line, the peripheral device 78 is deselected and the transaction is interrupted. On the other hand, when the transaction is found to be authorized, the processor 94 disables its own CS2# driver, so that the host can access the peripheral device 78 without interruption.

Fig. 4 is a block diagram of a secure system 110, in accordance with another embodiment of the present invention. The system 110 is also based on the SPI bus 82, and is similar to the system 70 of Fig. 3. In the system 110, however, the security device 86 disrupts unauthorized transactions by forcing dummy values onto the CLK line, the MISO line and/or the MOSI line, instead of overriding the CS line.

In the present embodiment, the system 110 is configured such that the security device 86 takes precedence over the host device 74 when driving the CLK, MISO and/or MOSI lines. As shown in the figure, this is achieved by inserting series resistors 100 into the CLK, MISO and MOSI lines. Since the CS2# line is not overridden in this embodiment, no series resistor 100 is inserted into the CS2# line.

In an alternative embodiment, the override mechanism may be implemented by making the corresponding line drivers for the CLK, MISO and/or MOSI lines in the security device 86 stronger.

In other embodiments, a hybrid scheme that both overrides the CS line (as in Fig. 3) and overrides the CLK, MISO and/or MOSI lines (as in Fig. 4) is also feasible.
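The CS override of Figs. 3 and 4 depends on the security device winning an electrical fight against the host's driver, and on deciding early enough in the transaction. The following Python model, added here and not taken from the patent, first computes the voltage at the peripheral's CS2# pin when the host drives through the series resistor 100 and the security device drives against it, and then shows the bit at which an opcode-triggered chip-select override deselects the peripheral. The driver impedances (30 ohm), the resistor value (1 kOhm), the LVCMOS-style input thresholds and the blocked-opcode set are assumptions for the illustration.

```python
"""Electrical and timing model of the CS2# override of Figs. 3 and 4.
Added example, not the patent's code; impedances, resistor value, thresholds
and the blocked-opcode set are assumptions for the illustration."""

VDD = 3.3
R_OUT_HOST = 30.0      # assumed output impedance of the host's CS2# driver (ohm)
R_OUT_SEC = 30.0       # assumed output impedance of the security device's driver (ohm)
R_SERIES = 1000.0      # assumed value of series resistor 100 in the host's CS2# path
V_IL, V_IH = 0.8, 2.0  # assumed input thresholds of the peripheral's CS2# pin

BLOCKED_OPCODES = {0x02, 0x20, 0xD8, 0xC7, 0x06, 0x01}   # PP, SE, BE, CE, WREN, WRSR


def cs_node_voltage(host_level, sec_level, r_series=R_SERIES):
    """Voltage at the peripheral's CS2# pin with both drivers active.
    sec_level None means the security device has released (tri-stated) its driver."""
    v_host = VDD if host_level else 0.0
    if sec_level is None:
        return v_host
    g_host = 1.0 / (R_OUT_HOST + r_series)      # host drives through the series resistor
    g_sec = 1.0 / R_OUT_SEC
    v_sec = VDD if sec_level else 0.0
    return (v_host * g_host + v_sec * g_sec) / (g_host + g_sec)


def peripheral_reads(v):
    """Logic level the peripheral's input stage resolves, or None if indeterminate."""
    if v <= V_IL:
        return 0
    if v >= V_IH:
        return 1
    return None


class CsOverrideMonitor:
    """Interface 90 / processor 94: samples MOSI on each clock while CS2# is low and
    drives CS2# high (deselect) as soon as a blocked opcode has been fully received."""

    def __init__(self, blocked=BLOCKED_OPCODES):
        self.blocked = blocked
        self.reset()

    def reset(self):
        self.shift, self.nbits = 0, 0
        self.override = None        # None = driver released, 1 = forcing CS2# high

    def cs_edge(self, host_cs):
        """Host moves CS2#: low starts a transaction, high ends it and re-arms us."""
        if host_cs == 1:
            self.reset()
        return self.peripheral_cs(host_cs)

    def clock_bit(self, mosi_bit, host_cs=0):
        """One CLK edge with MOSI sampled; returns the CS level the peripheral sees."""
        if self.nbits < 8:
            self.shift = (self.shift << 1) | (mosi_bit & 1)
            self.nbits += 1
            if self.nbits == 8 and self.shift in self.blocked:
                self.override = 1   # deselect as the last opcode bit is clocked in
        return self.peripheral_cs(host_cs)

    def peripheral_cs(self, host_cs):
        return peripheral_reads(cs_node_voltage(host_cs, self.override))


def run_command(monitor, mosi_bytes):
    """Drive one CS-framed command bit-serially and return the CS level the
    peripheral saw after every bit, to show where it was deselected."""
    monitor.cs_edge(0)
    seen = []
    for byte in mosi_bytes:
        for i in range(7, -1, -1):
            seen.append(monitor.clock_bit((byte >> i) & 1))
    monitor.cs_edge(1)
    return seen


if __name__ == "__main__":
    print(round(cs_node_voltage(1, 0), 3), round(cs_node_voltage(0, 1, r_series=0.0), 3))
    print(run_command(CsOverrideMonitor(), bytes([0x06])))   # WREN: deselected at bit 8
```

With the 1 kOhm resistor the node sits at roughly 0.09 V when the security device pulls low against a host-driven high, and at roughly 3.2 V when it forces high; without the resistor two equal drivers meet at about 1.65 V, inside the undefined band, which is why the page either weakens the host's driver or strengthens the security device's. The override is only as good as its decision point: here the opcode is recognised after its eighth bit, so a write-enable or page-program is deselected before the address and data bytes that follow.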

Protecting access to peripheral devices by overriding dedicated point-to-point signals

The signals of a bus (e.g., SPI) can be divided into shared signals and dedicated signals. A shared signal is one connected in parallel to a plurality of (e.g., all of) the peripheral devices on the bus. Examples of shared SPI signals are the data (MOSI and MISO) and clock (CLK) signals. A dedicated signal is one that is dedicated to a specific peripheral device. One example of a dedicated signal that is part of the bus is the Chip-Select signal. In addition, a bus may be augmented with out-of-band dedicated signals, such as a Write-Protect signal (when the peripheral device comprises a storage device). Dedicated signals are also referred to as point-to-point (PTP) lines.

In some embodiments, one or more dedicated signals pass through the security device 86 before reaching the peripheral device. Shared signals, in contrast, are typically routed directly to the peripheral devices and do not pass through the security device. This interconnection scheme enables the security device to protect the peripheral devices effectively, as explained below.

Fig. 5 is a block diagram that schematically illustrates a secure system 130, in accordance with an alternative embodiment of the present invention. This system is similar to the system 70 of Fig. 3. In the present embodiment, however, the CS2# signal does not directly drive the input of the peripheral device 78. Instead, the CS2# line from the host device 74 is input to the security device 86, and the security device 86 in turn drives a signal denoted CS2_O#, which is connected to the input of the peripheral device 78.

In the present embodiment, the CS2# signal serves as an example of a dedicated PTP signal that is routed through the security device on its way to the protected peripheral device. As can be seen in the figure, the shared signals (MOSI, MISO and CLK) run uninterrupted between the host device 74 and the peripheral device 78.

The security device 86 is configured to interrupt transactions between the host device 74 and the peripheral device 78 by selectively allowing the CS2# signal to reach the peripheral device or preventing it from doing so. In the example of Fig. 5, the selection is performed by asserting or deasserting a control signal denoted MASK_CS2#.

Fig. 6 is a block diagram of the security device 86 of the system 130 of Fig. 5, in accordance with an embodiment of the present invention. In this example, the security device 86 comprises an interface 90 for connecting to the SPI bus 82, a processor 94 configured to carry out the disclosed techniques, and a memory 98 configured to store one or more security policies enforced by the processor 94. The processor 94 comprises slave interface logic 91 and interface monitor logic (IML) 92. The slave interface logic 91 handles the communication between the security device 86 and the host device 74. The interface monitor logic 92 monitors, controls and selectively overrides accesses of the host device 74 to the peripheral device 78.

In one embodiment, the security device 86 identifies and interrupts transactions in which the host device 74 makes an unauthorized attempt to access the peripheral device 78 on the SPI bus 82. As will be appreciated from Figs. 5 and 6, any of the security features possible in the system of Fig. 3 can also be implemented in the system of Fig. 5.

In the embodiments above, the security device is connected to the bus and configured as an additional slave device. In other embodiments, however, the security device may be connected and configured as a master device. Such an implementation is suitable, for example, for bus protocols that support multi-master capability.

Protection against unauthorized transactions by a security device that responds on behalf of the peripheral device

In another embodiment, the security device 86 responds to selected host transactions on behalf of the peripheral device 78. The description that follows refers mainly to the configuration of Figs. 5 and 6, purely by way of example. In general, the disclosed technique is not limited to that particular system configuration and can be applied using any other configuration, e.g., those of Fig. 3 or Fig. 4 above.

In an example embodiment relating to the configuration of Figs. 5 and 6, when a read command targeting a certain address region within the address space of the peripheral device 78 is detected, the interface monitor logic 92 may force CS2_O# high and serve the host's read command (or part of it) from the memory 98 inside the security device. The host device 74 typically has no way of knowing that the response did not originate from the peripheral device. In some embodiments, this scenario is also applicable to the system 110 of Fig. 4, e.g., when the security device overrides the MISO signal.

One use case for this mechanism is a system in which the peripheral device 78 comprises an SPI flash memory device, and the security device 86 is configured to override part of the flash address space, thereby providing secure flash emulation for that address region. For example, the security device 86 may comprise a TPM that uses the interface monitor logic 92 to override the flash address region containing the initial host boot code (the first boot instructions fetched by the host at boot time). The TPM can override this flash address region with its own self-contained, authenticated initial boot code, which may, for example, verify the rest of the code before jumping to it.

In some embodiments, the security device 86 further comprises a master interface to the SPI flash device. In addition, the security device 86 may comprise suitable interfaces and circuitry for holding the host device 74 in reset while it accesses the SPI flash device, typically as part of the system boot process. The security device 86 may be, for example, an Embedded Controller (EC), a Super I/O (SIO) or a Baseboard Management Controller (BMC) device.

Fig. 7 is a flow chart that schematically illustrates an example of such a secure boot process, in accordance with an embodiment of the present invention. The method begins at boot, i.e., when system power is asserted. In a reset-holding step 102, the security device 86 holds the host device 74 in reset and optionally boots from the SPI flash (the peripheral device 78). In an (optional) initial read step 104, the security device 86 reads a data block from the SPI flash, verifies the authenticity of the data block, and stores it in the memory 98.

In an override step 108, the security device 86 configures the interface monitor logic 92 to override accesses to at least one predefined address region in the SPI flash (the peripheral device 78 in this example). The address region in question may contain, for example, one or more keys, configuration data and/or the initial boot block of the host device 74.

In a reset release step 112, the security device 86 releases the host from reset. Accordingly, in a boot step 116, the host device 74 begins its boot process. As part of the boot process, in a region access sub-step 120, the security device 86 serves accesses to the predefined address region from its internal memory 98.

In this way, sensitive information such as keys, configuration data and/or initial boot code can be provided securely from the security device. The host device 74 has no way of knowing that the information was provided by the security device rather than by the SPI flash.

The method of Fig. 7 illustrates one example of how a security device can override accesses to a predefined address region of a peripheral device. In alternative embodiments, any other suitable method can be used for this purpose. As an alternative to impersonating the SPI flash device, the security device may protect the flash device (or another peripheral device) by overriding and/or interrupting any other suitable unauthorized transaction.

Furthermore, overriding unauthorized transactions is not limited to protecting specific predefined address regions. For example, an override can be triggered based on the data returned from the protected peripheral device, or on the SPI command code. For example, the security device may enforce a security policy that disables the program, erase, write-enable, status/configuration and/or any other command or function of the flash device. An example specification of SPI flash commands and instructions is given by Winbond Electronics Corporation in "SPI Flash - 3V Serial Flash Memory with Dual/Quad SPI and QPI", published August 24, 2015.

As another example, in the method of Fig. 7 the sensitive information always resides in the flash device and is read by the security device as part of the boot process. In alternative embodiments, the sensitive information may initially be stored in the security device (in addition to, or instead of, the flash). In such embodiments, there is no need to read the information from the flash device into the security device.

In yet another example, the method of Fig. 7 was described with reference to an SPI bus. In alternative embodiments, the security device may use any dedicated signals (if present) and/or the shared signals of the bus to override accesses to predefined address regions of peripheral devices on other buses and protocols. For example, the I2C bus is a pulled-up, bidirectional bus designed to support multiple slave devices and multiple master devices. The protocol therefore has a built-in mechanism for handling contention between devices: when an I2C device detects a "0" on the SDA line while trying to set a "1" (i.e., while releasing the line to the pull-up), the device assumes it is in contention and releases the bus until the next transaction. In one embodiment, an I2C security device (e.g., the security device 36 of Fig. 1) is configured to overlap part of the address space of another peripheral slave device (e.g., the peripheral device 28 of Fig. 1). The security device may, for example, be configured to respond with the same data as the other peripheral device. If the security device detects a data mismatch (e.g., it tried to release the line to "1" but detected a "0" on SDA), it may initiate a responsive action (e.g., generate a STOP condition, drive "0" on one or more data lines, apply endless clock stretching, or any other suitable action). This technique allows a conventional I2C slave (with no hardware changes in the physical layer) to monitor the peripheral device down to the data level.
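As an added example of the I2C shadow-slave check just described (example code for this edit, not part of the patent), the following Python model places the security device at the peripheral's address, has it transmit the data it expects the peripheral to return, and flags the first bit at which it released SDA to "1" but saw "0". The register contents and the sample peripheral responses are constructed.

```python
"""Model of the I2C shadow-slave check described above. Added example, not the
patent's code; register contents and peripheral responses are constructed."""


def bits(byte):
    """The eight SDA levels a transmitter shifts out for one byte, MSB first."""
    return [(byte >> (7 - i)) & 1 for i in range(8)]


def host_receives(security_byte, peripheral_byte):
    """Both slaves transmit at once on the open-drain line: the master clocks in the AND."""
    return security_byte & peripheral_byte


class ShadowSlave:
    """Security device 36 answering at the same address as peripheral device 28."""
    STOP = "generate STOP condition"
    STRETCH = "endless clock stretching"

    def __init__(self, addr7, expected_regs, response=STOP):
        self.addr7 = addr7
        self.expected = expected_regs   # register -> byte the peripheral should return
        self.response = response
        self.alarms = []

    def serve_read(self, addr7, reg, peripheral_bits):
        """Transmit the expected value of `reg` while the real peripheral transmits
        peripheral_bits. Returns the bit index (0 = MSB) at which the security device
        released SDA to 1 but saw 0, i.e. lost arbitration to different data, or None."""
        if addr7 != self.addr7:
            return None                  # not our address: stay off the bus
        expected = self.expected[reg]
        for i, periph_bit in enumerate(peripheral_bits):
            mine = (expected >> (7 - i)) & 1
            line = mine & periph_bit     # wired-AND of the two transmitters
            if mine == 1 and line == 0:
                self.alarms.append((reg, i, self.response))
                return i
            # mine == 0 and periph_bit == 1 is a mismatch too, but it is invisible here:
            # our own 0 is what the line shows, and it is also what the host receives.
        return None
```

The detection is one-sided: the security device only notices a peripheral that drives "0" where it expected "1". In the opposite case its own "0" masks the peripheral's "1", so the host ends up receiving the security device's expected value rather than the peripheral's, which is the other half of why the page has the security device answer with the same data.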

In yet another embodiment, the security device 86 (using the interface monitor logic 92) also monitors the data phase of SPI accesses. Upon identifying a data mismatch, the security device may initiate a responsive action, e.g., interrupting the transaction, resetting the system, locking access to keys, or any other suitable action.

In an example scenario, the security device 86 holds a signature or digest of a specific code segment stored in the SPI flash. The security device monitors the accesses of the host device 74 to the SPI flash while computing, in the background, the signature or hash value of that code segment as it is fetched. If an incorrect signature, an incorrect hash value or an unexpected SPI fetch sequence is detected, the security device 86 may initiate a suitable responsive action.

In yet another embodiment, the security device may monitor more than one peripheral device 78 on the bus 82 and, for example, verify that the order in which the different devices are accessed is as expected.
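The following Python model, written for this edit and not the patent's own code, ties together the Fig. 7 secure-boot flow (hold the host in reset, authenticate the boot block, cache it in memory 98, then serve reads to that region with CS2_O# masked), the command-code policy mentioned above, and the data-phase monitoring of the two preceding paragraphs (hash the code segment as the host fetches it and check the fetch order). The opcodes follow the Winbond W25Q-family command set; the region sizes, the flash image, SHA-256 as the digest, the responsive action and the access sequence are constructed assumptions, and a read is assumed not to straddle a region boundary.

```python
"""Model of the interface monitor logic (IML 92) of Figs. 5-7 and of the
data-phase monitoring described above. Added example, not the patent's code."""
import hashlib

# Winbond W25Q-family opcodes
READ, FAST_READ, PP, SE, BE, CE, WREN, WRSR, RDSR = (
    0x03, 0x0B, 0x02, 0x20, 0xD8, 0xC7, 0x06, 0x01, 0x05)
BLOCKED_OPCODES = {PP, SE, BE, CE, WREN, WRSR}   # policy: host may not program/erase/write-enable

BOOT_BLOCK = range(0x000000, 0x000100)   # assumed 256 B region served from memory 98
CODE_SEG = range(0x000100, 0x000300)     # assumed 512 B region whose fetches are hashed


def digest_of(flash, region):
    """SHA-256 over one region of the image (what a provisioning step would record)."""
    return hashlib.sha256(bytes(flash[region.start:region.stop])).digest()


class Iml:
    def __init__(self, flash, boot_digest, code_digest):
        self.flash = flash                  # bytearray standing in for the SPI flash
        self.boot_digest = boot_digest      # expected digest of BOOT_BLOCK (provisioned)
        self.code_digest = code_digest      # expected digest of CODE_SEG (provisioned)
        self.shadow = None                  # memory 98: verified copy of the boot block
        self.host_in_reset = True           # step 102: host held in reset at power-on
        self.fetch_hash = hashlib.sha256()  # running digest of what the host fetched
        self.next_fetch = CODE_SEG.start    # address the next code fetch should start at
        self.events = []

    def boot(self):
        """Steps 104-112 of Fig. 7: authenticate the boot block, cache it, release reset."""
        if digest_of(self.flash, BOOT_BLOCK) != self.boot_digest:
            self.events.append("boot block failed authentication; host stays in reset")
            return False
        self.shadow = bytes(self.flash[BOOT_BLOCK.start:BOOT_BLOCK.stop])   # step 108
        self.host_in_reset = False                                          # step 112
        return True

    def transaction(self, mosi):
        """One CS-framed host transaction: opcode, address, (dummy), clocked bytes.
        Returns (action, data the host receives); action is allow/override/interrupt."""
        op = mosi[0]
        if op in BLOCKED_OPCODES:
            self.events.append(f"blocked opcode 0x{op:02x}")
            return "interrupt", b""
        if op not in (READ, FAST_READ):
            return "allow", b""                  # e.g. RDSR: passed through to the flash
        addr = int.from_bytes(mosi[1:4], "big")
        n = len(mosi) - (5 if op == FAST_READ else 4)   # FAST_READ carries one dummy byte
        if addr in BOOT_BLOCK:
            # Step 120: mask CS2_O# high and answer from memory 98; the host cannot tell.
            off = addr - BOOT_BLOCK.start
            return "override", self.shadow[off:off + n]
        data = bytes(self.flash[addr:addr + n])
        if addr in CODE_SEG:
            self._monitor_fetch(addr, data)
        return "allow", data

    def _monitor_fetch(self, addr, data):
        """Data-phase monitoring: hash the code as it is fetched and check the order."""
        if addr != self.next_fetch:
            self.events.append(f"unexpected fetch sequence at 0x{addr:06x}")
            return
        self.fetch_hash.update(data)
        self.next_fetch = addr + len(data)
        if self.next_fetch == CODE_SEG.stop:
            if self.fetch_hash.digest() != self.code_digest:
                self.events.append("code segment digest mismatch: reset system")
                self.host_in_reset = True       # responsive action chosen for the example
            else:
                self.events.append("code segment verified")


def make_flash(boot=b"BOOT", code=b"CODE"):
    """Constructed 1 KiB flash image: boot block, code segment, zero filler."""
    img = bytearray(0x400)
    img[BOOT_BLOCK.start:BOOT_BLOCK.stop] = (boot * 64)[:len(BOOT_BLOCK)]
    img[CODE_SEG.start:CODE_SEG.stop] = (code * 128)[:len(CODE_SEG)]
    return img


def read_cmd(addr, n, fast=False):
    """MOSI bytes of a READ/FAST_READ: opcode, 24-bit address, dummy, n don't-care bytes."""
    hdr = bytes([FAST_READ if fast else READ]) + addr.to_bytes(3, "big")
    if fast:
        hdr += b"\x00"
    return hdr + b"\x00" * n
```

Two properties of the model are worth noting. Tampering with the flash after the IML has cached the boot block is invisible to the host, because reads of that region never reach the flash. Tampering with the code segment, on the other hand, is only detected once the whole segment has been fetched in order, so the responsive action comes after the host has already executed part of it; that is why the page pairs the monitoring with holding the host in reset and serving the first-stage code from the security device.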

In yet another embodiment, the security device 86 uses one or more signals (other than CS) to restrict access to the peripheral device 78, or to enforce a certain system state upon detecting a transaction with the peripheral device 78. Non-limiting examples of such signals and actions include:

Any of the signals described for the system of Fig. 4.

The write-protect signal of a flash memory.

Controlling a reset signal.

Controlling power-management signals.

Controlling the power supply to one or more devices.

Stopping system communication (e.g., stopping the network interface controller).

System reset.

The configurations of systems 20, 70, 110 and 130 shown in Figure 1 and Figures 3 to 6, and of the various system elements such as security devices 36 and 86 and buses 32 and 82, are schematic configurations drawn for the sake of clarity. In alternative embodiments, any other suitable configuration may be used.

For example, for the sake of clarity, the figures show only a single peripheral device and a single host device. In some embodiments, a system may comprise two or more peripheral devices and/or two or more host devices. The embodiments described herein refer to examples that use I2C and SPI buses. In alternative embodiments, the disclosed techniques can be used, with the necessary modifications, with other suitable types of buses.

The different elements of systems 20, 70, 110 and 130 may be implemented using any suitable hardware, such as an Application-Specific Integrated Circuit (ASIC) or a Field-Programmable Gate Array (FPGA). In some embodiments, some elements of security devices 36 and 86 (for example, processor 44 or processor 94) may be implemented in software, or using a combination of hardware and software elements. Memories 48 and 98 may be implemented using any suitable type of memory device, such as Random Access Memory (RAM) or Flash memory.

In some embodiments, processor 44 and/or processor 94 comprises a general-purpose programmable processor, which is programmed in software to carry out the functions described herein. The software may be downloaded to the processor in electronic form over a network, or it may, alternatively or additionally, be stored on non-transitory tangible media such as magnetic, optical or electronic memory.

In the embodiments described above, the security device first detects an unauthorized transaction by monitoring the bus, and then interrupts the transaction. In alternative embodiments, the security device may interrupt a transaction without first detecting it, and even without monitoring the bus at all. For example, the security device may override the chip-select (CS) line of a given host until, or unless, that host is authorized. Authorization may be performed in any suitable way, and does not necessarily use the same bus.

As non-limiting examples, the methods and systems described herein can be used in various applications, such as secure memory applications, Internet-of-Things (IoT) applications, embedded applications or automotive applications, to name just a few.

It will thus be appreciated that the embodiments described above are cited by way of example, and that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention includes both combinations and sub-combinations of the various features described above, as well as variations thereof, not disclosed herein, which would occur to persons skilled in the art upon reading the foregoing description. Documents incorporated by reference in the present application are to be considered an integral part of the application, except that, to the extent any terms are defined in these incorporated documents in a manner that conflicts with the definitions made explicitly or implicitly herein, the definitions herein should be considered.

20: system

24: host device

28: peripheral device

32: I2C bus

36: security device

40: interface

44: processor

48: memory

Claims (34)

1. A security device for secure access to peripheral devices over a bus, comprising: an interface for connecting to a bus that serves one or more peripheral devices, wherein the bus carries (i) one or more dedicated signals, each dedicated to a respective one of the one or more peripheral devices, and (ii) one or more shared signals, shared among the one or more peripheral devices served by the bus, and wherein the one or more dedicated signals are routed to the one or more peripheral devices through the security device, while the one or more shared signals are routed to the one or more peripheral devices not through the security device; and a processor, connected to the bus as an additional device in addition to the one or more peripheral devices, and configured to interrupt on the bus a transaction in which a bus master device attempts to access a given peripheral device, by interrupting the dedicated signal associated with the given peripheral device.

2. The security device according to claim 1, wherein, when interrupting the transaction, the processor keeps the shared signals on the bus uninterrupted.

3. The security device according to claim 1, wherein the interface comprises: an input for receiving the dedicated signal from the bus master device; and an output for outputting the dedicated signal to the given peripheral device, and wherein the processor interrupts the transaction by preventing the dedicated signal received at the input from being sent out of the output.

4. The security device according to claim 1, wherein the processor is configured, when the dedicated signal is interrupted, to respond to the bus master device instead of the given peripheral device.

5. The security device according to claim 1, wherein the dedicated signal comprises a chip-select (CS) signal.

6. The security device according to claim 1, wherein the processor monitors the bus so as to detect the transaction to be interrupted.

7. The security device according to claim 1, wherein the processor detects the transaction to be interrupted by communicating with the bus master device over an auxiliary interface external to the bus.

8. The security device according to claim 1, wherein the processor is configured to keep interrupting the dedicated signal until a reset signal occurs.

9. The security device according to claim 1, wherein the processor is configured to interrupt the dedicated signal for a limited period of time after detecting the transaction.

10. The security device according to claim 1, wherein, by interrupting the transaction, the processor is configured to cause a transaction abort at the one or more peripheral devices.

11. The security device according to claim 1, wherein the processor is configured to restore normal operation of the bus after the transaction has been interrupted.

12. A security device for secure access to peripheral devices over a bus, comprising: an interface for connecting to a bus that serves one or more peripheral devices; and a processor, connected to the bus in addition to the one or more peripheral devices, and configured to interrupt a transaction in which a bus master device attempts to access a given peripheral device, by responding to the bus master device instead of the one or more peripheral devices; wherein the bus carries (i) one or more dedicated signals, each dedicated to a respective one of the one or more peripheral devices, and (ii) one or more shared signals, shared among the one or more peripheral devices served by the bus, and wherein the one or more dedicated signals are routed to the one or more peripheral devices through the security device, while the one or more shared signals are routed to the one or more peripheral devices not through the security device.

13. The security device according to claim 12, wherein the processor interrupts the transaction by (i) interrupting the dedicated signal associated with the given peripheral device, and (ii) responding to the bus master device while the dedicated signal is interrupted.

14. The security device according to claim 12, wherein the given peripheral device comprises a memory device, and wherein the processor is configured to identify, in the transaction, a request from the bus master device to read data from the memory device, and to respond to the request with substitute data stored in the security device.

15. The security device according to claim 14, wherein the processor is configured, upon identifying that the bus master device requests access to a predefined address region in the memory device, to interrupt the transaction and to respond with the substitute data.

16. The security device according to claim 12, wherein the processor is configured to identify the transaction in which the bus master device attempts to access the given peripheral device based on data returned from the given peripheral device to the bus master device in the transaction.

17. The security device according to claim 12, wherein the processor is configured to identify the transaction in which the bus master device attempts to access the given peripheral device based on a command code used in the transaction.

18. A method for secure access to peripheral devices over a bus, comprising: communicating over a bus using a security device, wherein the security device is connected to the bus as an additional device in addition to one or more peripheral devices, and wherein the bus carries (i) one or more dedicated signals, each dedicated to a respective one of the one or more peripheral devices, and (ii) one or more shared signals, shared among the one or more peripheral devices served by the bus, the one or more dedicated signals being routed to the one or more peripheral devices through the security device, and the one or more shared signals being routed to the one or more peripheral devices not through the security device; and using the security device, interrupting on the bus a transaction in which a bus master device attempts to access a given peripheral device, by interrupting the dedicated signal associated with the given peripheral device.

19. The method according to claim 18, wherein interrupting the transaction comprises keeping the shared signals on the bus uninterrupted.

20. The method according to claim 18, wherein the interface comprises: an input for receiving the dedicated signal from the bus master device; and an output for outputting the dedicated signal to the given peripheral device; and wherein interrupting the transaction comprises preventing the dedicated signal received at the input from being sent out of the output.

21. The method according to claim 18, wherein interrupting the transaction comprises, when the dedicated signal is interrupted, responding to the bus master device instead of the given peripheral device.

22. The method according to claim 18, wherein the dedicated signal comprises a chip-select (CS) signal.

23. The method according to claim 18, further comprising detecting the transaction to be interrupted by monitoring the bus.

24. The method according to claim 18, further comprising detecting the transaction to be interrupted by communicating with the bus master device over an auxiliary interface external to the bus.

25. The method according to claim 18, wherein interrupting the transaction comprises keeping the dedicated signal interrupted until a reset signal occurs.

26. The method according to claim 18, wherein interrupting the transaction comprises interrupting the dedicated signal for a limited period of time after detecting the transaction.

27. The method according to claim 18, wherein interrupting the transaction comprises causing a transaction abort at the one or more peripheral devices.

28. The method according to claim 18, further comprising restoring normal operation of the bus after the transaction has been interrupted.

29. A method for secure access to peripheral devices over a bus, comprising: communicating over a bus using a security device, wherein the security device is connected to the bus as an additional device in addition to one or more peripheral devices, and wherein the bus carries (i) one or more dedicated signals, each dedicated to a respective one of the one or more peripheral devices, and (ii) one or more shared signals, shared among the one or more peripheral devices served by the bus, the one or more dedicated signals being routed to the one or more peripheral devices through the security device, and the one or more shared signals being routed to the one or more peripheral devices not through the security device; and using the security device, interrupting on the bus a transaction in which a bus master device attempts to access a given peripheral device, by responding to the bus master device instead of the given peripheral device.

30. The method according to claim 29, wherein interrupting the transaction comprises (i) interrupting the dedicated signal associated with the given peripheral device, and (ii) responding to the bus master device while the dedicated signal is interrupted.

31. The method according to claim 29, wherein the given peripheral device comprises a memory device, and wherein interrupting the transaction comprises identifying, in the transaction, a request from the bus master device to read data from the memory device, and responding to the request with substitute data stored in the security device.

32. The method according to claim 31, wherein, upon identifying that the bus master device requests access to a predefined address region in the memory device, the transaction is interrupted and the substitute data is returned in response.

33. The method according to claim 29, further comprising identifying the transaction in which the bus master device attempts to access the given peripheral device based on data returned from the given peripheral device to the bus master device in the transaction.

34. The method according to claim 29, further comprising identifying the transaction in which the bus master device attempts to access the given peripheral device based on a command code used in the transaction.
Applications Claiming Priority (2)

US15/955,715, priority date 2018-04-18.
US15/955,715 (US10452582B2), priority date 2015-06-08, filing date 2018-04-18: Secure access to peripheral devices over a bus.

Publications (2)

TW201944281A, published 2019-11-16.
TWI698769B (granted), published 2020-07-11.

Family

ID: 68284341

Family Applications (1)

TW108108029A (TWI698769B), priority date 2018-04-18, filing date 2019-03-11: Secure access to peripheral devices over a bus.

Country Status (3)

JP: JP7086891B2
CN: CN110390214B
TW: TWI698769B
Also Published As

TW201944281A, published 2019-11-16
JP7086891B2, published 2022-06-20
CN110390214B, published 2022-11-25
JP2019212293A, published 2019-12-12
CN110390214A, published 2019-10-29
