HK1221065B - Non-volatile memory operations - Google Patents

Description

Non-volatile memory operations

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to and is a continuation-of-patent application of U.S. non-provisional patent application No. 13/917,261, filed on June 13, 2013, entitled “NON-VOLATILE MEMORY OPERATIONS,” the entire contents of which are incorporated herein by reference.

Technical Field

The present description relates to systems and methods for the operation of non-volatile memory, including the operation of electrically erasable programmable read-only memory (EEPROM).

Background Art

Computer systems include the use of non-volatile storage devices to store data such as device configuration information and other sensitive information like serial numbers, identifiers, and cryptographic keys. Non-volatile storage devices may include non-volatile read-only memory (ROM) including electrically erasable programmable read-only memory (EEPROM), which, as mentioned above, is used to store read-only code or other read-only information. In some cases, updated or new data may be written to the non-volatile storage device. It may be desirable to prevent malicious or accidental reprogramming of the non-volatile storage device. It may also be desirable to update or write new trusted data to the non-volatile storage device.

Summary of the Invention

This document describes devices and techniques for securely controlling data in a nonvolatile storage device. In one example implementation, the nonvolatile storage device includes a nonvolatile storage module partitioned into a plurality of partitions for storing data. For example, the nonvolatile storage module may be partitioned into a first partition and a second partition. The first partition may be designated as a read-only storage area, while the second partition may be designated as a write-only partition. In this manner, data may be read only from the read-only partition. A controller controls which partition is read-only and which partition is write-only. In this manner, an external device may read only from the read-only partition.

New data can be written to the second partition by an external device, which is a write-only partition in this example. The new data may include a signature attached to the new data. The controller confirms that the new data is credible and secure by verifying the signature using a key stored in a key storage module on the non-volatile storage device. After receiving a complete copy of the new data and verifying the signature, the controller can re-designate the second partition, which now stores the new data, as a read-only partition, and re-designate the first partition as a write-only partition, where other new data can be written. In this way, new data or images written to the non-volatile storage device are first confirmed to be authenticated or trusted by verifying the signature attached to the new data before the new data can be read from the device. Incomplete or unverified new data may be discarded.

In one example implementation, the controller and the key storage module may be located on the same chip as the non-volatile storage module. In another example implementation, the controller and the key storage module may be located on a chip separate from the non-volatile storage module. In one example implementation, the key storage module may be located on the same chip as the controller, while in another example implementation, the key storage module may be located on the same chip as the non-volatile storage module, which may be separate from the chip containing the controller.

In one example implementation, the described devices and techniques can be used to program or reprogram non-volatile memory devices during the manufacturing and production processes.

According to one general aspect, an apparatus includes an interface module, a controller, a key storage module, and a non-volatile storage module, wherein the key storage module is configured to store a key and the non-volatile storage module is configured to store data. The non-volatile storage module has a first partition and a second partition, wherein the first partition is designated as a read-only storage area for data, and the second partition is designated as a write-only storage area for new data. In response to new data being written to the second partition along with a signature and the controller verifying the signature using a key stored in the key storage module, the first partition is redesignated as a write-only storage area for additional new data, and the second partition is redesignated as a read-only storage area for the new data.

In another general aspect, an apparatus includes an interface module and a key storage module configured to store a key. A controller is operably coupled to the interface module and the key storage module. The controller is configured to interface with an external non-volatile storage device for storing data. The controller is configured to partition the external non-volatile storage device into a first partition and a second partition. The first partition is designated as a read-only storage area for data, and the second partition is designated as a write-only storage area for new data received through the interface module. The controller is configured to receive new data with a signature through the interface module and write the new data to the second partition, verify the signature using a key stored in the key storage module, and, in response to verifying the signature using the key stored in the key storage module, redesignate the first partition as a write-only storage area for additional new data and redesignate the second partition as a read-only storage area for new data.

In another general aspect, a method includes partitioning a non-volatile memory device into a first partition and a second partition. The first partition is designated as a read-only storage area for data, and the second partition is designated as a write-only storage area for new data received via an interface module. The method includes receiving new data having a signature via the interface module and writing the new data into the second partition, verifying the signature via a controller using a key stored in a key storage module, and in response to verifying the signature using the key stored in the key storage module, redesignating the first partition as a write-only storage area for additional new data and redesignating the second partition as a read-only storage area for new data.

In another general aspect, an apparatus includes a device for interfacing, a device for controlling, a device for storing a key, and a device for non-volatile storage, wherein the device for storing a key is configured to store a key, and the device for non-volatile storage is configured to store data. The device for non-volatile storage has a first partition and a second partition, wherein the first partition is designated as a read-only storage area for data, and the second partition is designated as a write-only storage area for new data. In response to new data being written to the second partition along with a signature and the device for controlling verifying the signature using a key stored in the device for storing a key, the first partition is redesignated as a write-only storage area for additional new data, and the second partition is redesignated as a read-only storage area for the new data.

The details of one or more implementations are explained in detail in the following drawings and description. Other features will be apparent from the description and drawings, and from the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an example block diagram of a non-volatile memory device.

FIG. 2 is an example block diagram of a non-volatile storage device and a security device.

FIG. 3 is an example block diagram of a plurality of non-volatile storage devices and a security device of FIG. 2 .

4 is an example flow chart illustrating example operations of the devices of FIGS. 1-3 .

DETAILED DESCRIPTION

FIG1 is a block diagram of an example nonvolatile storage device 102. The nonvolatile storage device 102 includes a nonvolatile storage module 104, an interface module 106, a controller 108, a key storage module 110, and a policy module 112. Generally, the nonvolatile storage device 102 is configured to receive data through the interface module 106 and write data to the nonvolatile storage module 104. For example, a peripheral device 114 can write data to the nonvolatile storage device 102. Data can also be read from the nonvolatile storage device 102 through the interface module 106. For example, a peripheral device 114 can read data from the nonvolatile storage device 102 through the interface module 106.

Throughout this document, the nonvolatile memory device 102 may also be referred to interchangeably as the memory device 102 to refer to the same component. The nonvolatile memory device 102 may be different types of memory devices, including different types of read-only memory (ROM) devices. For example, the nonvolatile memory device 102 may be an electrically erasable programmable read-only memory (EEPROM). In other examples, the nonvolatile memory device 102 may be a flash memory, a phase change memory (PCM), a spin torque transfer (STT) memory, a memristor, and other nonvolatile memory devices.

In one example implementation, the interface module 106 can be a serial interface module. For example, the interface module 106 can be a serial interface module that supports one or more serial interfaces, including, but not limited to, a low pin count (LPC) interface, an I-squared-C ( ^I2C ) interface, a 1-wire interface, a serial peripheral interface (SPI), and a single-wire interface. Other serial interfaces can also be implemented. The read and write bus connecting the interface module 106 to the peripheral device 114 can be a bus corresponding to the interface type supported by the interface module 106. In some implementations, the interface module 106 can support more than one type of serial interface.

In one example implementation, the interface module 106 may be a parallel interface module. For example, the interface module 106 may be a parallel interface module that supports one or more parallel interfaces. The read/write bus connecting the interface module 106 to the peripheral device 114 may be a bus corresponding to the type of interface supported by the interface module 106. In some implementations, the interface module 106 may support more than one type of parallel interface.

In one example implementation, the interface module 106 may be capable of supporting both serial and parallel interfaces. For example, the interface module 106 may be capable of supporting one or more of the serial interfaces described above and one or more of the parallel interfaces described above.

The non-volatile storage module 104 in the non-volatile storage device 102 can be configured to store data. Throughout this document, the non-volatile storage module 104 may also be interchangeably referred to as the storage module 104 to refer to the same component. The storage module 104 can be implemented with different storage capacities. For example, the storage module 104 can include a storage capacity of 8K bytes, 16K bytes, 32K bytes, 64K bytes, 128K bytes, or 256K bytes. In other implementations, the storage module 104 can include a larger storage capacity.

The controller 108 may be configured to partition the memory module 104 into a plurality of partitions. In one example implementation, the controller 108 may partition the memory module 104 into a first partition 116 and a second partition 118. Although FIG1 illustrates two partitions, more than two partitions are possible. In one implementation, the controller 108 may evenly divide the memory capacity of the memory module 104 between the first partition 116 and the second partition 118. For example, if the memory capacity of the memory module 104 is 128 kilobytes, the first partition 116 may be allocated a 64 kilobyte memory area, and the second partition 118 may be allocated a 64 kilobyte memory area. In another example, if the memory capacity of the memory module 104 is 256 kilobytes, the first partition 116 may be allocated a 128 kilobyte memory area, and the second partition 118 may be allocated a 128 kilobyte memory area. In other example implementations, the controller 108 may partition the memory module 104 in unequal amounts and/or may partition the memory module 104 into more than two partitions.

The controller 108 can partition the memory module 104 by assigning one set of addresses (or memory addresses) to the first partition 116 and another set of addresses to the second partition 118. The controller 108 can assign addresses sequentially or non-sequentially. The controller 108 can use a table to track the assignment of addresses and the corresponding partitions of the memory module 104, where this table can be stored in another module, such as, for example, the key storage module 110, the policy module 112, or another table storage module (not shown). The controller 108 can use other schemes to partition the memory module 104.

In one example implementation, the controller 108 can designate one of the partitions as a read-only partition and the other partitions as write-only partitions. For example, the controller 108 can designate the first partition 116 as a read-only partition and the second partition 118 as a write-only partition. The controller 108 can control the functionality of the partitions as read-only or write-only by controlling the addresses that can be read by the peripheral device 114 or the addresses that can be written by the peripheral device 114. In this way, the controller 108 can point to the address corresponding to the read-only partition to implement a read request received from the peripheral device 114. In this way, if the first partition 116 is designated as a read-only partition, the controller 108 satisfies the read request by pointing to the address of the first partition 116, thereby reading data from the storage module 104. If the second partition 118 is designated as a write-only partition, the second partition 118 is not used to respond to the read request.

Stated another way, because controller 108 is aware of the partitioning scheme, controller 108 can perform any necessary address translation to satisfy a read request from peripheral 114. Peripheral 114 may be unaware of the partitioning scheme and, since it is controlled by controller 108, does not need to be aware of it.

In one example implementation, the data read by the peripheral device 114 from the storage device 102 may be in plain text. In other example implementations, the data read by the peripheral device 114 from the storage device 102 may be encrypted using an encryption scheme between the storage device 102 and the peripheral device 114.

In one example implementation, the data written to the storage device 102 may be written to a partition designated as a write-only partition. The write to the storage device may be a signed plaintext write and/or may be a signed encrypted write.

In one example implementation, the peripheral device 114 can write data or a new image to the storage device 102. The peripheral device 114 can write plaintext data with a signature attached to a message containing the data to the storage device 102. For example, the peripheral device 114 can calculate a cryptographic hash of the data and sign the cryptographic hash using a private key. In other implementations, a different peripheral device (not shown) other than the peripheral device 114 can calculate the cryptographic hash and sign the cryptographic hash using a private key. In another example implementation, the peripheral device 114 can calculate a cryptographic message authentication code and a secret key for the data, wherein the generated message authentication code acts as a signature. The peripheral device 114 then transmits the signed data to the storage device 102.

The storage device 102 receives the signed data via the interface module 114. The controller 108 writes the received signed data to a partition designated as a write-only partition. For example, if the second partition 118 is designated as a write-only partition, the controller causes the data to be written to the second partition 118. When the data is received, the controller 108 verifies the signature attached to the data. That is, when the data is being received, the controller 108 can calculate a cryptographic hash of the data. The controller 108 can verify the signature using a key corresponding to the key used to sign the message. The key can correspond by being the public part of a public-private key pair, or it can be the same secret key shared with the peripheral device 114. The key used by the controller 108 to verify the signature can be stored in the key storage module 110.

In one example implementation, the key storage module 110 may store one or more keys corresponding to keys held by a trusted source. The key storage module 110 may be a non-volatile storage module. In this manner, data with a signature can be verified by the controller 108 using one of the keys stored in the key storage module 110. For example, the key storage module 110 may store a public key corresponding to a private key held and used by the peripheral device 114. This public key is used by the controller 108 to verify the signature of data written to the storage device 102 by the peripheral device 114. In another example, the key storage module 110 may store a secret key corresponding to a shared secret key held and used by the peripheral device 114.

In one example implementation, the controller 108 verifies the signature attached to a received message by calculating a cryptographic hash and using the key stored in the key storage module 110 to calculate whether the signature is the result of the cryptographic hash of the exact message signed by the holder of the private key. In one example, the controller 108 can calculate the stream cryptographic hash while data is being streamed into the storage device 102 through the interface module 106. In another example, the controller 108 can receive all the data first, and then calculate the cryptographic hash after all the data has been received. In one example, the controller 108 can calculate a keyed message authentication code on the received message, and compare the calculated keyed message authentication code with the signature attached to the received message to determine whether the message is valid.

After receiving the complete copy of the data and verifying the signature, the controller 108 can re-designate the write-only partition that just received the new data as a read-only partition. The controller 108 can re-designate the read-only partition that stores the old data as a write-only partition to receive other new data (or the writing of new data) that may be sent by the peripheral device 114 through the interface module 106. This newly designated write-only partition is then configured to receive the next data write to the device, which can also be referred to as other new data.

For example, in response to receiving a complete copy of the data and verifying the signature attached to the data, the controller 108 can redesignate the second partition 118 as a read-only partition. The controller 108 can perform the redesignation by changing the pointer to one or more addresses to which read commands are directed, so that only data stored in the second partition 118 can be read. The controller 108 also redesignates the first partition 116 from a read-only partition to a write-only partition. In this manner, subsequent new data written to the storage device 102 will be stored in the first partition 116.

There may be one or more instances when controller 108 does not reassign partitions during a write process. For example, if the data received during a write is not a complete copy of the data, controller 108 will not reassign partitions 116, 118. In this manner, if storage device 102 is an EEPROM, the incomplete image written to second partition 118 will not be read from storage device 102 because the current read-only partition will remain read-only, while the write-only partition that received the incomplete or partial copy will remain write-only. Partial data that may have been written to the write-only partition may be deleted or overwritten.

In another example, if the signature of the new data cannot be verified, the controller 108 does not reassign the partitions. For example, if the cryptographic hash calculated by the controller 108 does not match the cryptographic hash attached to the data, the controller 108 does not reassign the partitions, causing the read-only partition to remain as a read-only partition and the write-only partition to remain as a write-only partition. If the signature cannot be verified using the key in the key storage module 110, the controller 108 does not reassign the partitions, causing the read-only partition to remain as a read-only partition and the write-only partition to remain as a write-only partition.

In one example implementation, a new key can be appended to a message being written to the storage device 102. The message with the new key can be signed using a private key corresponding to the key stored in the key storage module 110. When the controller 108 verifies this signature, the new key is stored in the key storage module 110 and can be activated for verifying the signature of subsequent writes to the storage device 102. In this way, the public key stored in the key storage module 110 can be updated from a trusted source in a secure manner. The new key can be deleted from the data stored in the non-volatile storage module 104 so that the new key can only be stored in the key storage module 110. In another example, a message authentication code can be appended to a message being written to the storage device and stored in the key storage module 110 for verifying the signature of the newly arrived message.

In one example implementation, the policy module 112 can store information associated with the storage device 102, including, for example, a unique identifier for the storage device 102. The policy module 112 can store a version number or other additional identifying information associated with the data stored in the read-only partition. The policy module 112 can also store other policy rules or instructions related to actions to be taken by the controller 108 upon receipt of new data. When the controller 108 verifies a signature on new data using a key in the key storage module 110, the policy and information stored in the policy module 112 can be updated with the new policy attached to the new data.

In one example implementation, a bit mask can be used in data sent to the storage device 102. The bit mask can be used to include information in the data to be stored in the policy module 112. For example, the bit mask can be used as a permission mask to include permission information stored in the policy module 112. Also, the bit mask can be used to assign a unique number to each storage device 102. For example, the peripheral device 114 can assign an Ethernet MAC address to the storage device 102 that is separate from the device serial number. In one implementation, the bit mask information can always be written to the device. In other implementations, the bit mask information can be written to the policy module 112 of the storage device 102 using a key different from the key used to verify the signature of the data. The key used to write the bit mask information can also be stored in the key storage module 110.

2 , an example block diagram illustrates a nonvolatile storage device 202 and a security device 250. The nonvolatile storage device 202 includes a nonvolatile storage module 204, which may include the same features as the nonvolatile storage module 104 of FIG1 . For example, the nonvolatile storage module 204 may be divided into a plurality of partitions 216 and 218, just as described above with respect to the storage module 104 being divided into the plurality of partitions 116 and 118.

In FIG2 , the interface module 206, the controller 208, the key storage module 210, and the policy module 212 may be implemented on a security device 250. The security device 250 is a separate chip or a device that is separate from the storage device 202. The security device 250 may communicate with the storage device 202 via an interface 260. The components on the security device 250 (i.e., the interface module 206, the controller 208, the key storage module 210, and the policy module 212) may operate in the same manner as the interface module 106, the controller 108, the key storage module 110, and the policy module 112 in FIG1 .

In this way, the security device 250 can be paired with different storage devices 202 to ensure that only encrypted, signed data that has been verified can be written to and read from the storage device 202. For example, the controller 208 can divide the storage module 204 into a first partition 216 and a second partition 218. The controller 208 can designate the first partition 216 as a read-only partition and the second partition 218 as a write-only partition. The peripheral device 214 can write new data to the storage device 202 through the security device 250. The peripheral device 214 can sign a cryptographic hash of the data using a private key, append the signature to the data, and transmit the data to the storage device 202 through the security device 250.

Interface module 206 receives the data, and controller 208 uses interface 260 to direct the data to be written to second partition 218, which is a write-only storage area. Controller 208 verifies the signature attached to the data using the key stored in key storage module 210. If the controller successfully verifies the signature, first partition 216 and second partition 218 are redesignated as write-only and read-only partitions, respectively. In this way, new data written to second partition 218 can be read by subsequently received read commands. If controller 208 cannot verify the signature or if an incomplete copy of the data is received, controller 208 will not redesignate partitions 216 and 218, and subsequent read commands will not read the new data, but will continue to read the data stored in first partition 216. Controller 208 can perform these and other additional functions, just as described above with respect to controller 108 of FIG. 1 .

In another example implementation, the key storage module 210 may be implemented on the non-volatile storage device 202 instead of on the secure device 250. In this implementation, the controller 208 may be located on the secure device 250 and may interact with the key storage module 210, which may be implemented on the non-volatile storage device 202, to verify signatures using one or more keys stored in the key storage module 210.

Referring to FIG3 , an example block diagram illustrates multiple non-volatile storage devices 302a-302c having storage modules 304a-304c and the security device 250 of FIG2 . In the example of FIG3 , a single security device 250 can control the reading and writing of data for multiple storage devices 302a-302c via corresponding interfaces 360a-360c. The security device 250 can operate similarly to the security device 250 described above in FIG2 . The controller 208 can be used to verify the signature attached to data written to one of the storage devices 302a-302c from one or more peripheral devices 314a and 314b. The controller 208 directs the data to a partition of the storage device designated as a write-only partition. When the signature is verified using the key in the key storage module 210, the controller 208 reassigns the partition for the specific storage device. If the verification fails, the controller 208 does not reassign the partition.

In the example of Figure 3, the security device 250 can include multiple interface modules 306a and 306b. The interface modules 306a and 306b can be different types of interfaces. For example, the interface module 306a can be a serial interface module and the interface module 306b can be a parallel interface module. Depending on the type of interface used between the peripheral device and the security module 250, the interface modules 306a and 306b can be compatible with some or all of the peripheral devices 314a and 314b.

3, the security device 250 is flexible because it can be coupled to multiple non-volatile storage devices 302a-302c and multiple peripheral devices 314a and 314b using different types of interfaces through the interface modules 306a and 306b. In a similar manner, the interfaces 360a-360c can be different types of interfaces (e.g., serial and parallel interfaces) that interface with different types of non-volatile storage devices 302a-302c.

Referring to FIG4 , an example flow chart illustrates a process 400. Process 400 illustrates example operations of the device described above in FIG1-3 . Process 400 includes partitioning a non-volatile storage device into a first partition and a second partition, wherein the first partition is designated as a read-only storage area for data and the second partition is designated as a write-only storage area for new data received through an interface module ( 410 ). For example, the storage device 102 includes the storage module 104, which can be partitioned into a first partition 116 and a second partition 118, wherein the first partition 116 is designated as a read-only storage area for data and the second partition 118 is designated as a write-only storage area for new data received through the interface module 112 ( 410 ).

Process 400 includes receiving, by the interface module, new data with a signature and writing the new data to the second partition (420). For example, interface module 106 may receive new data from peripheral device 114, where the data includes a signature created using a private key. The new data may be written to second partition 118 (420).

The process 400 includes verifying, by the controller, the signature using a key stored in the key storage module ( 430 ). For example, the controller 108 may verify the signature using a key stored in the key storage module 110 ( 430 ).

Process 400 includes redesignating the first partition as a write-only storage area for other new data and redesignating the second partition as a read-only storage area for new data in response to verifying the signature using the key stored in the key storage module (440). For example, the controller 108 may redesignate the first partition 116 as a write-only storage area for other new data. The controller 108 may redesignate the second partition 118 as a read-only storage area for new data in response to the controller 108 verifying the signature using the key stored in the key storage module 110 (440). If the controller 108 cannot verify the signature, the partition is not redesignated.

Implementations of the various techniques described herein may be implemented as digital circuits or computer hardware, firmware, software, or a combination thereof. Implementations may be implemented as computer program products, for example, computer programs tangibly embodied in an information carrier, such as stored in a machine-read-only storage device, for being executed by or controlling the operation of a data processing device, such as a programmable processor, a computer, or multiple computers. Computer programs, such as those described above, can be written in any form of programming language, including compiled or interpreted languages, and can be deployed in any form, including as stand-alone programs or as modules, components, subroutines, or other units suitable for use in a computing environment. Computer programs can be deployed to execute on a single computer, or on multiple computers at a site, or on multiple computers distributed across multiple sites and connected via a communications network.

Method steps may be performed by one or more programmable processors executing a computer program to perform functions by operating on input data and generating output. Method steps may also be performed by an apparatus, which may be implemented as special purpose logic circuitry, such as an FPGA (field programmable logic array) or an ASIC (application-specific integrated circuit).

Processors suitable for executing a computer program include, by way of example, general-purpose and special-purpose microprocessors, and any one or more processors of any kind of digital computer. Typically, a processor will receive instructions and data from a read-only memory or a random-access memory, or both. Elements of a computer include at least one processor for executing instructions and one or more memory devices for storing instructions and data. Typically, a computer may also include, or be operatively coupled to, receive data from or transfer data to, or both, one or more mass storage devices for storing data, such as magnetic, magneto-optical, or optical disks. Suitable information carriers for embodying computer program instructions and data include all forms of nonvolatile memory, such as semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks, such as internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and memory may be supplemented by, or incorporated in, special-purpose logic circuitry.

To provide for interaction with a user, implementations may be implemented on a computer having a display device, such as a cathode ray tube (CRT) or liquid crystal display (LCD) monitor, for displaying information to the user, and a keyboard and pointing device, such as a mouse or trackball, through which the user can provide input to the computer. Other types of devices can also be used to provide for interaction with the user; for example, feedback provided to the user can be any form of sensory feedback, such as visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, voice, or tactile input.

Implementations may be implemented in a computing system that includes a back-end component, such as a data server, or a middleware component, such as an application server, or a front-end component, such as a client computer with a graphical user interface, or a web browser through which a user can interact with an implementation, or any combination of such back-end components, middleware components, or front-end components. The components may be interconnected by any form or medium of digital data communication, such as a communication network. Examples of communication networks include local area networks (LANs) and wide area networks (WANs), such as the Internet.

Although certain features of the described implementations have been illustrated as described herein, many modifications, substitutions, changes, and equivalents will occur to those skilled in the art. It is therefore to be understood that the appended claims are intended to cover all such modifications and changes that fall within the scope of the embodiments.

Claims (28)

1. An apparatus for controlling data, comprising: Interface module; A controller, which is operatively coupled to the interface module; A key storage module, operatively coupled to the controller, configured to store keys; and A non-volatile storage module, operatively coupled to the controller and configured to store data, the non-volatile storage module having a first partition and a second partition, wherein: The first partition is designated as a read-only storage area for the data. The second partition is designated as a write-only storage area for new data received through the interface module, and In response to the new data being written to the second partition along with the signature and the controller verifying the signature using the key stored in the key storage module, the first partition is redesignated as a write-only storage area for the new data, and the second partition is redesignated as a read-only storage area for the new data. 2. The apparatus of claim 1, wherein, in response to receiving a complete copy of the new data with the signature and the controller verifying the signature using the key stored in the key storage module, the first partition is redesignated as a write-only storage area for other new data, and the second partition is redesignated as a read-only storage area for the new data. 3. The apparatus of claim 1, wherein the new data includes a new key, and the new key is stored in the key storage module and activated in response to the controller using the key stored in the key storage module to verify the signature. 4. The apparatus according to claim 3, wherein the new key is stored only in the key storage module. 5. The apparatus of claim 1, wherein, in response to the controller being unable to verify the signature using the key stored in the key storage module, the first partition is not redesignated as a write-only storage area for other new data, and the second partition is not redesignated as a read-only storage area for the new data. 6. The apparatus of claim 1, wherein, in response to receiving an incomplete write of the new data through the interface module, the first partition is not reassigned as a write-only storage area for other new data, and the second partition is not reassigned as a read-only storage area for the new data. 7. The apparatus of claim 1 or 2, wherein the new data is read as plaintext from the second partition. 8. The apparatus according to claim 1 or 2, wherein the first partition and the second partition have the same size. 9. The apparatus according to claim 1 or 2, wherein the interface module includes a serial interface module. 10. The apparatus according to claim 1 or 2, wherein the interface module includes a parallel interface module. 11. The apparatus of claim 1 or 2, wherein the apparatus is an electrically erasable programmable read-only memory (EEPROM). 12. The apparatus according to claim 1 or 2, wherein the key stored in the key storage module is a public key corresponding to a private key used to create the signature outside the apparatus. 13. The apparatus according to claim 1 or 2, wherein the key stored in the key storage module is a shared secret key corresponding to a shared secret key used to create the signature outside the apparatus. 14. An apparatus for controlling data, comprising: Interface module; A key storage module, configured to store keys; A controller, operatively coupled to the interface module and the key storage module, is configured to interface with an external non-volatile storage device for storing data, and is configured to: The external non-volatile storage device is divided into a first partition and a second partition. The first partition is designated as a read-only storage area for the data, and the second partition is designated as a write-only storage area for new data received through the interface module. The interface module receives the signed new data and writes the new data into the second partition. The signature is verified using the key stored in the key storage module. In response to verifying the signature using the key stored in the key storage module, the first partition is reassigned as a write-only storage area for other new data, and the second partition is reassigned as a read-only storage area for the new data. 15. The apparatus of claim 14, wherein the controller is configured to: in response to receiving a complete copy of the new data and in response to verifying the signature using the key stored in the key storage module, redesignate the first partition as a write-only storage area for other new data and redesignate the second partition as a read-only storage area for the new data. 16. The apparatus of claim 14, wherein the new data includes a new key, and the new key is stored in the key storage module and activated in response to the controller using the key stored in the key storage module to verify the signature. 17. The apparatus of claim 16, wherein the new key is stored only in the key storage module. 18. The apparatus of claim 14, wherein the controller is configured to: in response to the controller being unable to verify the signature using the key stored in the storage module, not to redesignate the first partition as a write-only storage area for other new data, and not to redesignate the second partition as a read-only storage area for the new data. 19. The apparatus of claim 14, wherein the controller is configured to: in response to receiving an incomplete write of the new data through the interface module, not to redesignate the first partition as a write-only storage area for the other new data, and not to redesignate the second partition as a read-only storage area for the new data. 20. The apparatus according to any one of claims 14-19, wherein the non-volatile storage device is an electrically erasable programmable read-only memory (EEPROM). 21. The apparatus according to any one of claims 14-19, wherein the interface module comprises a serial interface module. 22. The apparatus according to any one of claims 14-19, wherein the interface module includes a parallel interface module. 23. The apparatus according to any one of claims 14-19, wherein the key stored in the key storage module is a public key corresponding to a private key used to create the signature outside the apparatus. 24. The apparatus according to any one of claims 14-19, wherein the key stored in the key storage module is a shared secret key corresponding to a shared secret key used to create the signature outside the apparatus. 25. A method for controlling data, comprising: The non-volatile storage device is divided into a first partition and a second partition, wherein the first partition is designated as a read-only storage area for data and the second partition is designated as a write-only storage area for new data received through the interface module. The interface module receives the new data with a signature and writes the new data into the second partition. The signature is verified by the controller using a key stored in the key storage module; and In response to verifying the signature using the key stored in the key storage module, the first partition is reassigned as a write-only storage area for other new data, and the second partition is reassigned as a read-only storage area for the new data. 26. The method of claim 25, wherein the non-volatile storage device is an electrically erasable programmable read-only memory (EEPROM). 27. The method of claim 25, wherein the non-volatile storage device is an electrically erasable programmable read-only memory (EEPROM) located outside the controller. 28. An apparatus for controlling data, comprising: Equipment used for docking; Device for control, wherein the device for control is operatively coupled to the device for docking; A device for storing keys, the device for storing keys being operatively coupled to the device for control, wherein the device for storing keys is configured to store keys; and A device for non-volatile storage, operatively coupled to the device for control and configured to store data, the device for non-volatile storage comprising a first partition and a second partition, wherein... The first partition is designated as a read-only storage area for the data. The second partition is designated as a write-only storage area for new data received through the device used for docking, and In response to the new data being written to the second partition along with the signature and the control device using the key stored in the device for storing the key to verify the signature, the first partition is redesignated as a write-only storage area for the other new data, and the second partition is redesignated as a read-only storage area for the new data.