TWI451255B - Microprocessor apparatus and method for precluding the use of extended jtag operations - Google Patents
- Publication number
- TWI451255B (TW100115720A)
- Authority
- TW
- Taiwan
- Prior art keywords
- fuse
- jtag
- extended
- blown
- disabling
Landscapes
- Tests Of Electronic Circuits (AREA)
- Semiconductor Integrated Circuits (AREA)
Description
The present invention relates to microelectronics, and more particularly to an apparatus and method for protecting a programmable fuse array in an integrated circuit.
In present-day integrated circuits, fuses made of metal or polymer and placed on the integrated circuit die are commonly used to enable and disable components or features. In general, certain fuses are blown during manufacturing at the factory to produce a particular version of the device. For example, in a typical microprocessor design, the microprocessor may have a cryptography unit or other protection features on the die, and blowing certain fuses enables the cryptography unit and protection features. Enabling or disabling specific components or features through fuses not only satisfies cost considerations in manufacturing microprocessors, but also makes it easier for manufacturers to produce microprocessors with different performance and prices.
In recent years, however, integrated circuit designers have been able to enable/disable such features not only during manufacturing but also after manufacturing is complete, by blowing certain fuses to enable/disable the features selected for the actual application. In most such architectures, fuses are programmed by sending specific commands and data through the well-known Joint Test Action Group (JTAG) interface/protocol. The JTAG interface/protocol is present in microprocessors, mobile phones, chips and other devices. By sending the appropriate commands and data, or by applying a voltage within a specified range to a particular package pin, a specific fuse on the die can be selected and blown to enable or disable the features selected for the actual application.
As more and more features become programmable, unauthorized users gain the opportunity to reconfigure the integrated circuit without the manufacturer's consent.
Therefore, an apparatus and method are needed to prevent unauthorized programming of fuses to enable or disable the original features.
In addition, an apparatus and method are needed to determine whether an unauthorized user is attempting to tamper with the programmable features of a device, and to prevent that tampering.
Furthermore, a technique is needed that lets the manufacturer temporarily re-enable the programmability of a device, to allow authorized enabling or disabling of some features.
It is an object of the present invention to solve the problems set out above as well as other problems, disadvantages and limitations of the prior art.
The present invention provides a superior technique for precluding the use of extended JTAG operations in an integrated circuit. The present invention provides an integrated circuit that can re-enable extended JTAG operations that have been disabled. The integrated circuit of the present invention includes a JTAG control chain, a feature fuse, a machine-specific register, and an access controller. The JTAG control chain enables/disables the extended JTAG operations. The feature fuse indicates whether the extended JTAG operations have been disabled. The machine-specific register stores a specific value. The access controller is coupled to the feature fuse, the machine-specific register, and the JTAG control chain, and determines whether the feature fuse has been blown. When the specific value in the machine-specific register matches an override value of the access controller, the access controller causes the JTAG control chain to re-enable the disabled extended JTAG operations.
The present invention further provides a method for re-enabling extended JTAG operations that have been disabled in an integrated circuit. The method includes: blowing a feature fuse, disposed in the integrated circuit, to indicate that the extended JTAG operations have been disabled; performing a first determination of whether the feature fuse has been blown; performing a second determination of whether a specific value, stored in a machine-specific register, matches an override value; and, when the specific value matches the override value, causing a JTAG control chain to re-enable the disabled extended JTAG operations.
The present invention provides a superior technique for precluding the use of extended JTAG operations in an integrated circuit. The extended JTAG operations can be enabled/disabled by blowing a fuse. To this end, the present invention provides an integrated circuit for disabling extended JTAG operations. The integrated circuit of the present invention includes a JTAG control chain, a feature fuse, and an access controller. The JTAG control chain enables/disables the extended JTAG operations. The feature fuse indicates whether the extended JTAG operations have been disabled. The access controller is coupled to the feature fuse and the JTAG control chain, determines whether the feature fuse has been blown, and causes the JTAG control chain to disable the extended JTAG operations.
The present invention further provides a method for disabling extended JTAG operations within an integrated circuit. The method includes: blowing a feature fuse, disposed in the integrated circuit, to indicate whether the extended JTAG operations have been disabled; determining whether the feature fuse has been blown; and, when the feature fuse has been blown, causing a JTAG control chain to disable the extended JTAG operations.
The present invention provides a superior technique for precluding the use of extended JTAG operations in an integrated circuit. The extended JTAG operations are enabled/disabled by blowing a fuse. To this end, the present invention provides an integrated circuit for disabling an extended JTAG operation. The integrated circuit of the present invention includes a JTAG control chain, a feature fuse, a level detector, and an access controller. The JTAG control chain enables or disables the extended JTAG operations. The feature fuse indicates whether the extended JTAG operations have been disabled. The level detector monitors an external voltage signal to determine whether the external voltage signal is at an illegal voltage level. The access controller is coupled to the feature fuse, the level detector, and the JTAG control chain, and determines whether the feature fuse has been blown. As long as the external voltage signal is at the illegal voltage level, the access controller causes the JTAG control chain to disable the extended JTAG operations, regardless of whether the feature fuse has been blown.
The present invention further provides a disabling method for disabling an extended JTAG operation within an integrated circuit. The method includes: blowing a feature fuse, disposed in the integrated circuit, to indicate that the extended JTAG operations have been disabled; performing a first determination of whether an external voltage signal is at an illegal voltage level; performing a second determination of whether the feature fuse has been blown; when the external voltage signal is at the illegal voltage level, causing a JTAG control chain to disable the extended JTAG operations; and, when the external voltage signal is at a legal voltage level and the feature fuse has been blown, causing the JTAG control chain to disable the extended JTAG operations.
To make the features and advantages of the present invention easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Figure 1 is a schematic diagram of a microprocessor with fuse-based feature enabling. As shown, the microprocessor 100 has a fuse array 101 that is coupled to one or more enable logic elements 105. Each enable logic element 105 provides a disable signal DIS to a corresponding feature element 102-103, such as a cryptography engine 102 or other protection feature 103.
The fuse array 101 contains one or more fuses (not shown), which may be disposed together with the microprocessor 100 on accessible layers of a die. These accessible layers are metal or polymer. During manufacture of the microprocessor 100, the fuses can be blown by laser or by any other known technique. In addition, the fuse array 101 is coupled to a blow controller 107 through the bus BLOWMODE. The blow controller 107 is coupled to a connection pin 110 on the package of the microprocessor 100 to receive an external voltage signal FSOURCE.
The fuse array 101 is coupled to a JTAG control chain 108 through the bus RDARRAY. The JTAG control chain 108 is coupled to a JTAG bus interface element 109. The JTAG bus interface element 109 communicates with a JTAG controller (not shown) over a JTAG bus JT[1:N]. Each signal on the JTAG bus JT[1:N] is routed to a corresponding connection pin 110 on the microprocessor package.
The JTAG control chain 108 is coupled to the microcode storage 106. The microcode storage 106 may include temporary storage (such as random access memory (RAM), registers, and so on), non-temporary storage (such as read-only memory (ROM), fixed programmable logic, and so on), or a combination of temporary and non-temporary storage. Through known mechanisms, the microcode (or microinstructions) held in the microcode storage 106 is provided to the logic elements of the microprocessor 100 to perform programmed sequences of operations. Typical logic elements include the cryptography engine 102 and the protection feature 103, but may also include cache memory, special-purpose hardware, power management hardware, or other elements that can be enabled or disabled. A logic element may execute the microcode directly to perform the programmed operation, or the microcode may be executed through an associated element (not shown) that operates the logic element.
As described above, during manufacture of the microprocessor 100, certain fuses in the fuse array 101 can be blown by laser or other means to indicate whether the corresponding protection feature 103 and/or cryptography engine 102 is disabled. Thus, when the microprocessor 100 is powered on, each enable logic element 105 determines the state of its corresponding fuse in the fuse array 101 and may assert a corresponding disable signal DIS. The disable signal DIS disables the corresponding cryptography engine 102 or protection feature 103. In general, therefore, the state of the fuses in the microprocessor's own fuse array 101 can define many microprocessors with different features. For example, when all fuses are blown to disable the corresponding cryptography engine 102 and protection feature 103, a low-performance microprocessor is defined. Conversely, when none of the fuses corresponding to the cryptography engine 102 and protection feature 103 are blown, a high-performance microprocessor is defined.
As described above, the fuse states of the fuse array 101 are normally set during manufacture of the microprocessor 100, before packaging. In recent years, however, microprocessors that allow the cryptography engine 102 and protection feature 103 to be enabled or disabled at will have become popular. The present invention therefore provides programmability sufficient to meet current market demand. For example, a blown fuse may indicate that the cryptography engine 102 or protection feature 103 is enabled or disabled. The cryptography engine 102 or protection feature 103 may have several associated fuses, to allow a certain number of enable and disable cycles.
As those skilled in the art know, the JTAG bus JT[1:N] is used to test and program the microprocessor 100. JTAG is the abbreviation of Joint Test Action Group, a common standard widely used in the field for boundary scan and test access of microprocessors, particularly for their test and evaluation. The state of the JTAG bus JT[1:N] is therefore controlled by a test unit, a debugger, or another similar device external to the microprocessor 100. The JTAG bus interface element 109 receives JTAG commands from the JTAG bus JT[1:N] and passes them to the JTAG control chain 108, which is coupled to almost all testable elements within the microprocessor 100.
In general, JTAG commands are used to test circuits and elements inside the microprocessor 100. However, because JTAG structures, commands and related equipment are so common, circuit designers have recently extended the use of JTAG to operations beyond testing, including verification of the programmed microcode in the microcode storage 106 and verification of the programmed fuse states in the fuse array 101. To carry out these operations, the associated JTAG commands are sent to the JTAG control chain 108, then to the microcode storage 106 over the bus RDCODE and to the fuse array 101 over the bus RDARRAY. An external test unit (not shown) is then used to read the fuse states in the fuse array 101 and the microcode held in the microcode storage 106.
Besides reading the fuse array 101 and the microcode storage 106, JTAG commands can be used to blow certain fuses in the fuse array 101 after the microprocessor has been manufactured. Blow data is sent over the JTAG bus JT[1:N] to the JTAG control chain 108 and then over the bus RDARRAY to the fuse array 101. Then, by setting the voltage level on the connection pin 110 coupled to the signal FSOURCE, the blow controller 107 is made to blow certain fuses. To blow a fuse, the appropriate blow data is sent over the JTAG bus JT[1:N] and the bus RDARRAY to the fuse scan chain, and a blow command is then sent over the JTAG bus JT[1:N] to put the chip into a state that permits fuses to be blown. The voltage level of the signal FSOURCE is set to an appropriate level and held there for a preset time, and the blow controller 107 blows the fuses in the fuse array 101 according to the voltage level of the signal FSOURCE.
In general, on a system board (not shown), the voltage level of the signal FSOURCE is VSS, where VSS is typically 0V or ground. This level must be sufficient for the enable logic elements 105 and the JTAG control chain 108 to read the state of the fuse array 101. To blow a fuse, the voltage level of the signal FSOURCE is raised to a preset level determined by the process technology and the type of fuse (such as metal or polymer). When a chip is manufactured in a 90nm process technology, the voltage level of the signal FSOURCE is about 3.5V. When the chip is manufactured in a 65nm process technology, the voltage level of the signal FSOURCE is about 1.7V.
Thus, whether in manufacturing or in the field, today's microprocessor 100 is highly flexible in its programmability. This flexibility lets manufacturers and system designers use a common structure more efficiently and produce devices of differing performance under different cost requirements. The structure described above also lets selected functions be added to the microprocessor 100 at the board level, that is, after it has been manufactured, packaged and shipped.
This flexibility is beneficial from a product standpoint, but its drawback is that the product's functionality is easily tampered with by unauthorized operations. That is, the structure described above lets authorized users directly enable/disable the feature elements 102 and 103, but unauthorized users can use the same enabling method. An unauthorized user can read the microcode held in the microcode storage 106 and the state of the fuse array 101 through the JTAG bus JT[1:N] and the signal FSOURCE. An unauthorized user can also blow certain fuses to enable or disable certain feature elements 102 and 103.
In present-day integrated circuits, many functions and elements depend on fuse-based enabling. The apparatus and method provided in this embodiment prevent such unauthorized tampering.
The present invention also provides a mechanism for detecting and preventing JTAG access operations by unauthorized users beyond the normal boundary scan functions, overcoming the limitations and disadvantages of present integrated circuit structures in which features can be enabled/disabled through programmable fuses. The invention is described in detail below with reference to Figures 2-5.
Figure 2 is a schematic diagram of a microprocessor according to the present invention that protects a programmable fuse array. The microprocessor 200 of Figure 2 is similar to the microprocessor 100 of Figure 1. The microprocessor 200 has a fuse array 201. The fuse array 201 is coupled to one or more enable logic elements 205. Each enable logic element 205 provides a disable signal DIS to a corresponding feature element 202-203, such as a cryptography engine 202 or other protection feature 203.
The fuse array 201 has one or more fuses (not shown). The fuses and the microprocessor 200 may be disposed on accessible layers of a die. These accessible layers are metal or polymer. During manufacture of the microprocessor 200, the fuses can be blown by laser or by any other known technique. In addition, the fuse array 201 is coupled to a blow controller 207 through the bus BLOWMODE. The blow controller 207 is coupled to a connection pin 210 on the package of the microprocessor 200 to receive an external voltage signal FSOURCE.
The fuse array 201 is coupled to a JTAG control chain 208 through the bus RDARRAY. The JTAG control chain 208 is coupled to a JTAG bus interface element 209. The JTAG bus interface element 209 communicates with a JTAG controller (not shown) over a JTAG bus JT[1:N]. Each signal on the JTAG bus JT[1:N] is routed to a corresponding connection pin 210 of the microprocessor.
The JTAG control chain 208 is coupled to the microcode storage 206. The microcode storage 206 may include temporary storage (such as random access memory (RAM), registers, and so on), non-temporary storage (such as read-only memory (ROM), fixed programmable logic, and so on), or a combination of temporary and non-temporary storage. Through known mechanisms, the microcode (or microinstructions) held in the microcode storage 206 is provided to the logic elements of the microprocessor 200 to perform programmed sequences of operations. The logic elements include the cryptography engine 202 and the protection feature 203, but may also include cache memory, special-purpose hardware, power management hardware, or other elements that can be enabled or disabled. These logic elements may execute the microcode directly to perform the programmed operation, or the microcode may be executed through an associated element (not shown) that operates the logic element.
As described above, during manufacture of the microprocessor 200, certain fuses in the fuse array 201 can be blown by laser or other means to enable or disable certain protection features 203 and/or the cryptography engine 202. Thus, when the microprocessor 200 is powered on or reset, each enable logic element 205 determines the fuse state of the fuse array 201 and may assert the corresponding disable signal DIS to disable the corresponding cryptography engine 202 or protection feature 203.
A blown fuse may indicate that certain feature elements 202, 203 are enabled or disabled. A feature element 202, 203 may have several associated fuses, to allow a certain number of enable or disable cycles.
Signals on the JTAG bus JT[1:N] can perform boundary scan and test operations on the microprocessor 200, and the state of the JTAG bus JT[1:N] is controlled by a test unit, a debugger, or another similar device external to the microprocessor 200. The JTAG bus interface element 209 receives JTAG commands from the JTAG bus JT[1:N] and passes them to the JTAG control chain 208, which is coupled to almost all testable elements within the microprocessor 200. Besides JTAG scan and test operations, the structure of the microprocessor 200 allows other, extended operations, such as verification of the programmed microcode in the microcode storage 206 and verification of the programmed fuse states in the fuse array 201. To carry out these operations, the associated JTAG commands are sent to the JTAG control chain 208, then to the microcode storage 206 over the bus RDCODE and to the fuse array 201 over the bus RDARRAY. An external test unit (not shown) is then used to read the fuse states in the fuse array 201 and the microcode held in the microcode storage 206.
Besides reading the fuse array 201 and the microcode storage 206, JTAG commands can be used to blow certain fuses in the fuse array 201 after the microprocessor 200 has been manufactured. Blow data is sent over the JTAG bus JT[1:N] to the JTAG control chain 208 and then over the bus RDARRAY to the fuse array 201. Then, by setting the voltage level on the connection pin 210 coupled to the signal FSOURCE, the blow controller 207 is made to blow certain fuses. To blow a fuse, the appropriate blow data is sent over the JTAG bus JT[1:N] and the bus RDARRAY to the fuse scan chain, and a blow command is then sent over the JTAG bus JT[1:N] to put the chip into a state that permits fuses to be blown. The voltage level of the signal FSOURCE is set to an appropriate level and held there for a preset time, and the blow controller 207 blows the fuses according to the voltage level of the signal FSOURCE.
In general, on a system board (not shown), the voltage level of the signal FSOURCE is VSS, where VSS is typically 0V or ground. This level must be sufficient for the enable logic elements 205 and the JTAG control chain 208 to read the state of the fuse array 201. To blow a fuse, the voltage level of the signal FSOURCE is raised to a preset level determined by the process technology and the type of fuse (such as metal or polymer). When a chip is manufactured in a 90nm process technology, the voltage level of the signal FSOURCE is about 3.5V. When the chip is manufactured in a 65nm process technology, the voltage level of the signal FSOURCE is about 1.7V.
In contrast to the present-day microprocessor 100, the microprocessor 200 provides a mechanism that prevents unauthorized users from performing any JTAG action other than normal boundary scan and test operations. In one possible embodiment, the microprocessor 200 has a feature fuse 211, disposed in the fuse array 201. When the feature fuse 211 is blown, harmful or unauthorized JTAG actions are disabled. An access controller 212 is coupled to the feature fuse 211 through the bus FSENSE. The access controller 212 receives a microprocessor reset signal (RESET) and is coupled to the JTAG control chain 208 through the bus BSONLY.
Like the other fuses (not shown) in the fuse array 201, the feature fuse 211 may be made of metal or polymer. It can be blown with known techniques when the microprocessor 200 is manufactured, or blown after manufacture using the FSOURCE mechanism described above.
In operation, when the microprocessor 200 is powered on or reset, the reset signal RESET is asserted and the access controller 212 senses the state of the feature fuse 211 through the bus FSENSE. If the feature fuse 211 is not blown, the access controller 212 uses the bus BSONLY to direct the JTAG control chain 208 to allow all JTAG operations. These JTAG operations include reading the microcode stored in the microcode storage 206 and reading or blowing fuses in the fuse array 201. If the feature fuse 211 is blown, however, the access controller 212 uses the bus BSONLY to direct the JTAG control chain 208 to prohibit all JTAG operations other than normal boundary scan and test operations. Consequently, when the feature fuse 211 is blown, any command received by the microprocessor 200 on the JTAG bus JT[1:N] that attempts to blow or read fuses in the fuse array 201, or to read the data stored in the microcode storage 206, is ignored or invalidated.
The access controller 212 reads the state of the feature fuse 211 and directs the JTAG control chain 208 to allow or disallow the extended JTAG operations described above. The access controller 212 comprises logic, circuits, devices, or microcode (such as microinstructions or native instructions), or a combination of logic, circuits, devices, and microcode, or other elements capable of performing the functions described herein. The elements that perform these functions may be shared with circuits or microcode that perform other functions in the microprocessor 200. In this embodiment, microcode is a term that refers to a plurality of microinstructions. A microinstruction (also called a native instruction) is an instruction executed by a unit. For example, microinstructions can be executed by a reduced instruction set computer (RISC) microprocessor. For a complex instruction set computer (CISC) microprocessor, such as an x86-compatible microprocessor, x86 instructions are translated into associated microinstructions, and those microinstructions are executed by one or more units of the CISC microprocessor.
Similarly, the JTAG control chain 208 allows or disallows the extended JTAG operations as directed by the access controller 212. The JTAG control chain 208 comprises logic, circuits, devices, or microcode (such as microinstructions or native instructions), or a combination of logic, circuits, devices, and microcode, or other elements capable of performing the functions described herein. The elements that perform these functions may be shared with circuits or microcode that perform other functions in the microprocessor 200.
In one embodiment, the microprocessor 200 comprises a central processing unit (CPU), which may be disposed on a single die of an integrated circuit. In other embodiments, the microprocessor 200 has an x86-compatible CPU on a single die of an integrated circuit, and may be a superscalar microprocessor that executes, in pipelined fashion, x86-compatible macroinstructions fetched from a memory over a system bus.
In other embodiments, an integrated circuit disposed on a single die may be used in place of the microprocessor 200. In that case, the integrated circuit provides the programmable fuses described above, and the anti-tampering mechanism described above is likewise integrated into the design of the integrated circuit.
FIG. 3 shows another possible embodiment of the microprocessor of the present invention. In this embodiment, the microprocessor 300 has a protection apparatus that prevents unauthorized users from tampering with the fuse states of the fuse array. The microprocessor 300 is similar to the microprocessor 200 of FIG. 2. The microprocessor 300 has a fuse array 301, which is coupled to one or more enable logic elements 305. Each enable logic element 305 provides a disable signal DIS to a corresponding feature element 302-303, such as an encryption engine 302 or another protection feature 303.
The fuse array 301 has one or more fuses (not shown). The fuses and the microprocessor 300 may be disposed on a plurality of accessible layers of a die. The accessible layers are metal or polymer. During manufacture of the microprocessor 300, the fuses can be blown by laser or by any other known technique. In addition, the fuse array 301 is coupled to a blow controller 307 through the bus BLOWMODE. The blow controller 307 is coupled to a connection pin 310 on the package of the microprocessor 300 to receive an external voltage signal FSOURCE.
The fuse array 301 is coupled to a JTAG control chain 308 through the bus RDARRAY. The JTAG control chain 308 is coupled to a JTAG bus interface element 309, which communicates with a JTAG controller (not shown) over a JTAG bus JT[1:N]. Each signal on the JTAG bus JT[1:N] is routed to a corresponding connection pin 310 of the microprocessor.
The JTAG control chain 308 is coupled to the microcode storage 306. The microcode storage 306 may include transitory storage (such as random access memory (RAM), registers, and so on), non-transitory storage (such as read-only memory (ROM), fixed programmable logic, and so on), or a combination of transitory and non-transitory storage. By conventional mechanisms, the microcode (or microinstructions) stored in the microcode storage 306 is provided to the logic elements of the microprocessor 300 to carry out programmed sequences of operations. The logic elements include the encryption engine 302 and the protection feature 303, and may also include cache memory, special-purpose hardware, power management hardware, or other elements that can be enabled or disabled. These logic elements may execute the microcode directly to perform the programmed operations, or an associated element (not shown) may execute the microcode to operate the logic elements.
As described above, during manufacture of the microprocessor 300, certain fuses in the fuse array 301 can be blown by laser or other means to enable or disable certain protection features 303 and/or the encryption engine 302. Accordingly, when the microprocessor 300 is powered up or reset, each enable logic element 305 determines the fuse states of the fuse array 301 and may assert the corresponding disable signal DIS to disable the corresponding encryption engine 302 and protection feature 303.
A blown fuse may indicate either that certain feature elements 302-303 are enabled or that they are disabled. A feature element 302-303 may have several associated fuses, allowing it to be enabled or disabled a certain number of times.
Signals on the JTAG bus JT[1:N] allow boundary scan and test operations to be performed on the microprocessor 300; the state of the JTAG bus JT[1:N] is controlled by a test unit, a debugger, or another similar device external to the microprocessor 300. The JTAG bus interface element 309 receives JTAG commands from the JTAG bus JT[1:N] and passes them to the JTAG control chain 308, which is coupled to virtually all testable elements in the microprocessor 300. Beyond JTAG's scan and test capabilities, the architecture of the microprocessor 300 allows other, extended operations, such as verification of the microcode programmed in the microcode storage 306 and verification of the fuse states programmed in the fuse array 301. To carry out these operations, the associated JTAG commands are sent to the JTAG control chain 308, and from there to the microcode storage 306 over the bus RDCODE and to the fuse array 301 over the bus RDARRAY. An external test unit (not shown) is then used to read the fuse states in the fuse array 301 and the microcode stored in the microcode storage 306.
In addition to reading the fuse array 301 and the microcode storage 306, JTAG commands can be used to blow certain fuses in the fuse array 301 after the microprocessor 300 has been manufactured. To do so, blow data is sent over the JTAG bus JT[1:N] to the JTAG control chain 308 and on to the fuse array 301 over the bus RDARRAY. The blow controller 307 can then be made to blow certain fuses by setting the voltage level on the connection pin 310 that carries the signal FSOURCE. To blow a fuse, the appropriate blow data is sent over the JTAG bus JT[1:N] and through the bus RDARRAY to the fuse scan chain, and a blow command is then sent over the JTAG bus JT[1:N] to put the chip into a state that permits fuses to be blown. The voltage level of the signal FSOURCE is set to a suitable level and held there for a predetermined time. The blow controller 307 then blows the fuses according to the voltage level of FSOURCE.
In general, on a system board (not shown), the voltage level of the signal FSOURCE is VSS, where VSS is typically 0V or ground; this level must be sufficient for the enable logic element 305 and the JTAG control chain 308 to read the state of the fuse array 301. To blow a fuse, the voltage level of FSOURCE is raised to a predetermined level that is determined by the process technology and the type of fuse (for example, metal or polymer). For a chip manufactured in a 90nm process, the FSOURCE voltage level is about 3.5V. For a chip manufactured in a 65nm process, the FSOURCE voltage level is about 1.7V.
The microprocessor 300 provides a mechanism that prevents unauthorized users from performing any JTAG action other than normal boundary scan and test operations. In one possible embodiment, the microprocessor 300 has a feature fuse 311, which is located in the fuse array 301. When the feature fuse 311 is blown, harmful or unauthorized JTAG actions are disabled. An access controller 312 is coupled to the feature fuse 311 through the bus FSENSE. The access controller 312 receives a microprocessor reset signal RESET and is coupled to the JTAG control chain 308 through the bus BSONLY. The microprocessor 300 further has a level sensor 313, which receives the signal FSOURCE and is coupled to the access controller 312 through the bus ILLEGAL.
Like the other fuses (not shown) in the fuse array 301, the feature fuse 311 may be made of metal or polymer. It can be blown with known techniques when the microprocessor 300 is manufactured, or blown after manufacture using the FSOURCE mechanism described above.
In operation, when the microprocessor 300 is powered on or reset, the reset signal RESET is asserted and the access controller 312 senses the state of the feature fuse 311 through the bus FSENSE. If the feature fuse 311 is not blown, the access controller 312 uses the bus BSONLY to direct the JTAG control chain 308 to allow all JTAG operations. These JTAG operations include reading the microcode stored in the microcode storage 306 and reading or blowing fuses in the fuse array 301. If the feature fuse 311 is blown, however, the access controller 312 uses the bus BSONLY to direct the JTAG control chain 308 to prohibit all JTAG operations other than normal boundary scan and test operations. Consequently, when the feature fuse 311 is blown, any command received by the microprocessor 300 on the JTAG bus JT[1:N] that attempts to blow or read fuses in the fuse array 301, or to read the data stored in the microcode storage 306, is ignored or invalidated.
Note that in some configurations the signal FSOURCE may be set to a voltage level other than VSS, as is done to blow fuses in the fuse array 301, so that the state (blown or not blown) of the fuses in the fuse array 301 becomes something other than their true state. This can happen when an unauthorized user attempts to tamper with the microprocessor's features by supplying that voltage level on FSOURCE, so that the value of the feature fuse 311 on the bus FSENSE indicates that extended JTAG operations are enabled; fuses could then be blown to add feature elements 302-303, and/or the data stored in the microcode storage 306 could be read. To address this problem, the level sensor 313 monitors the voltage level of FSOURCE and, when FSOURCE is at an illegal voltage level (an illegal value, for example any voltage level other than VSS), notifies the access controller 312 through the bus ILLEGAL. Thus, if FSOURCE is at an illegal voltage level when the access controller 312 reads the state of the feature fuse 311, the access controller 312 directs the JTAG control chain 308 to prohibit all JTAG operations other than normal boundary scan and test operations. Conversely, if the voltage level of FSOURCE is VSS when the access controller 312 reads the state of the feature fuse 311, the access controller 312 has the JTAG control chain 308 allow or disallow extended JTAG operations according to the state of the feature fuse 311.
In one embodiment, the microprocessor 300 comprises a central processing unit (CPU), which may be disposed on a single die of an integrated circuit. In other embodiments, the microprocessor 300 has an x86-compatible CPU on a single die of an integrated circuit, and may be a superscalar microprocessor that executes, in pipelined fashion, x86-compatible macroinstructions fetched from a memory over a system bus.
In other embodiments, an integrated circuit disposed on a single die may be used in place of the microprocessor 300. In that case, the integrated circuit provides the programmable fuses described above, and the anti-tampering mechanism described above is likewise integrated into the design of the integrated circuit.
FIG. 4 is a flowchart of the protection method of the present invention, which prevents a programmable fuse array from being tampered with. The method begins at step 401 and is described with reference to the microprocessor 300 of FIG. 3.
In step 402, it is determined whether the microprocessor 300 is executing the sequence of operations that corresponds to a reset or power-on sequence. If not, step 402 is repeated. If so, step 403 is performed.
In step 403, it is determined whether the voltage level of the signal FSOURCE is a legal level (VSS) or an illegal level. If the voltage level of FSOURCE is a legal level (VSS), step 404 is performed. If the voltage level of FSOURCE is an illegal level (not VSS), step 407 is performed.
In step 404, the access controller 312 reads the state of the protective feature fuse 311, and step 405 is then performed.
In step 405, it is determined whether the feature fuse 311 is blown. If the feature fuse 311 is blown, step 407 is performed. If the feature fuse 311 is not blown, step 406 is performed.
In step 406, the access controller 312 causes the JTAG control chain 308 to enable extended JTAG operations, and step 408 is then performed.
In step 407, the access controller 312 causes the JTAG control chain 308 to disable extended JTAG operations. The extended JTAG operations include reading the microcode stored in the microcode storage 306 and/or reading or blowing fuses in the fuse array 301. Step 408 is then performed.
In step 408, the method ends.
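The FIG. 4 decision flow, together with the FSOURCE misread case that the level sensor 313 addresses, as an added C model (not code from the patent). Signal names are from the text; every type and function name, the millivolt encoding, and the rule that a fuse sensed while FSOURCE is away from VSS reads as intact are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model of FIG. 4 (steps 402-408). Signal names come from the text;
 * every type, constant and function name below is hypothetical. */

#define VSS_MV 0   /* the text gives VSS as typically 0 V or ground */

typedef enum {
    OP_BOUNDARY_SCAN,    /* normal boundary scan and test */
    OP_READ_FUSES,       /* extended: read the fuse array over RDARRAY */
    OP_BLOW_FUSES,       /* extended: blow fuses in the array */
    OP_READ_MICROCODE,   /* extended: read microcode over RDCODE */
    OP_COUNT
} jtag_op;

typedef struct {
    bool feature_fuse_blown;  /* true physical state of the feature fuse */
    int  fsource_mv;          /* level on the FSOURCE pin at reset, in mV */
    bool has_level_sensor;    /* false: FIG. 2 design, true: FIG. 3 design */
} chip;

typedef struct {
    bool bsonly;              /* latched at reset: boundary scan only */
} access_controller;

/* Level sensor 313: ILLEGAL is asserted for any FSOURCE level other than VSS. */
static bool level_illegal(const chip *c)
{
    return c->fsource_mv != VSS_MV;
}

/* FSENSE as seen by the access controller. Modelling assumption: with FSOURCE
 * away from VSS the sensed value cannot be trusted, and the case named in the
 * text is a blown feature fuse that is sensed as intact. */
static bool fsense_blown(const chip *c)
{
    if (c->fsource_mv != VSS_MV)
        return false;
    return c->feature_fuse_blown;
}

/* Steps 403-407, run once per reset or power-on (step 402). */
static void on_reset(access_controller *ac, const chip *c)
{
    if (c->has_level_sensor && level_illegal(c)) {   /* step 403 */
        ac->bsonly = true;                           /* step 407 */
        return;
    }
    ac->bsonly = fsense_blown(c);   /* steps 404-405, then 406 or 407 */
}

/* JTAG control chain: extended commands are ignored while BSONLY is set. */
static bool jtag_accepts(const access_controller *ac, jtag_op op)
{
    return op == OP_BOUNDARY_SCAN || !ac->bsonly;
}

/* Reset the part in the given condition; return a bitmask of accepted ops. */
static unsigned accepted_after_reset(bool blown, int fsource_mv, bool sensor)
{
    chip c = { blown, fsource_mv, sensor };
    access_controller ac = { true };   /* fail closed until reset logic runs */
    unsigned mask = 0;

    on_reset(&ac, &c);
    for (int op = 0; op < OP_COUNT; op++)
        if (jtag_accepts(&ac, (jtag_op)op))
            mask |= 1u << op;
    return mask;
}

int main(void)
{
    /* Constructed cases; 1.7 V and 3.5 V are the blow levels in the text. */
    struct { const char *name; bool blown; int mv; bool sensor; } cases[] = {
        { "intact fuse, VSS, FIG. 3",   false, 0,    true  },
        { "blown fuse, VSS, FIG. 3",    true,  0,    true  },
        { "blown fuse, 1.7 V, FIG. 2",  true,  1700, false },
        { "blown fuse, 1.7 V, FIG. 3",  true,  1700, true  },
        { "intact fuse, 3.5 V, FIG. 3", false, 3500, true  },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s accepted-op mask 0x%x\n", cases[i].name,
               accepted_after_reset(cases[i].blown, cases[i].mv, cases[i].sensor));
    return 0;
}
```

In the model, the FIG. 2 design accepts extended operations on a blown part when FSOURCE is off VSS, while the FIG. 3 design falls back to boundary scan only because step 403 runs before the fuse is read.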
For an integrated circuit that uses the programmable fuses described above to enable features, it may still be necessary, after the feature fuse 311 has been blown, to blow certain fuses in order to enable or disable certain features. In other embodiments, the microprocessor of the present invention does not permanently prohibit extended JTAG operations; instead, the anti-tampering function of FIGS. 2-4 can be temporarily lifted.
FIG. 5 shows another possible embodiment of the microprocessor of the present invention. The microprocessor of this embodiment can re-enable a fuse array that has the anti-tampering function. The microprocessor 500 is similar to the microprocessor 300 of FIG. 3. The microprocessor 500 has a fuse array 501, which is coupled to one or more enable logic elements 505. Each enable logic element 505 provides a disable signal DIS to a corresponding feature element 502-503, such as an encryption engine 502 or another protection feature 503.
The fuse array 501 has one or more fuses (not shown). The fuses and the microprocessor 500 may be disposed on a plurality of accessible layers of a die. The accessible layers are metal or polymer. During manufacture of the microprocessor 500, the fuses can be blown by laser or by any other known technique. In addition, the fuse array 501 is coupled to a blow controller 507 through the bus BLOWMODE. The blow controller 507 is coupled to a connection pin 510 on the package of the microprocessor 500 to receive an external voltage signal FSOURCE.
The fuse array 501 is coupled to a JTAG control chain 508 through the bus RDARRAY. The JTAG control chain 508 is coupled to a JTAG bus interface element 509, which communicates with a JTAG controller (not shown) over a JTAG bus JT[1:N]. Each signal on the JTAG bus JT[1:N] is routed to a corresponding connection pin 510 of the microprocessor.
The JTAG control chain 508 is coupled to the microcode storage 506. The microcode storage 506 may include transitory storage (such as random access memory (RAM), registers, and so on), non-transitory storage (such as read-only memory (ROM), fixed programmable logic, and so on), or a combination of transitory and non-transitory storage. By conventional mechanisms, the microcode (or microinstructions) stored in the microcode storage 506 is provided to the logic elements of the microprocessor 500 to carry out programmed sequences of operations. The logic elements include the encryption engine 502 and the protection feature 503, and may also include cache memory, special-purpose hardware, power management hardware, or other elements that can be enabled or disabled. These logic elements may execute the microcode directly to perform the programmed operations, or an associated element (not shown) may execute the microcode to operate the logic elements.
As described above, during manufacture of the microprocessor 500, certain fuses in the fuse array 501 can be blown by laser or other means to enable or disable certain protection features 503 and/or the encryption engine 502. Accordingly, when the microprocessor 500 is powered up or reset, each enable logic element 505 determines the fuse states of the fuse array 501 and may assert the corresponding disable signal DIS to disable the corresponding encryption engine 502 and protection feature 503.
A blown fuse may indicate either that certain feature elements 502-503 are enabled or that they are disabled. A feature element 502-503 may have several associated fuses, allowing it to be enabled or disabled a certain number of times.
Signals on the JTAG bus JT[1:N] allow boundary scan and test operations to be performed on the microprocessor 500; the state of the JTAG bus JT[1:N] is controlled by a test unit, a debugger, or another similar device external to the microprocessor 500. The JTAG bus interface element 509 receives JTAG commands from the JTAG bus JT[1:N] and passes them to the JTAG control chain 508, which is coupled to virtually all testable elements in the microprocessor 500. Beyond JTAG's scan and test capabilities, the architecture of the microprocessor 500 allows other, extended operations, such as verification of the microcode programmed in the microcode storage 506 and verification of the fuse states programmed in the fuse array 501. To carry out these operations, the associated JTAG commands are sent to the JTAG control chain 508, and from there to the microcode storage 506 over the bus RDCODE and to the fuse array 501 over the bus RDARRAY. An external test unit (not shown) is then used to read the fuse states in the fuse array 501 and the microcode stored in the microcode storage 506.
In addition to reading the fuse array 501 and the microcode storage 506, JTAG commands can be used to blow certain fuses in the fuse array 501 after the microprocessor 500 has been manufactured. To do so, blow data is sent over the JTAG bus JT[1:N] to the JTAG control chain 508 and on to the fuse array 501 over the bus RDARRAY. The blow controller 507 can then be made to blow certain fuses by setting the voltage level on the connection pin 510 that carries the signal FSOURCE. To blow a fuse, the appropriate blow data is sent over the JTAG bus JT[1:N] and through the bus RDARRAY to the fuse scan chain, and a blow command is then sent over the JTAG bus JT[1:N] to put the chip into a blow state that permits fuses to be blown. The voltage level of the signal FSOURCE is set to a suitable level and held there for a predetermined time, and the blow controller 507 blows the fuses according to the voltage level of FSOURCE.
In general, on a system board (not shown), the voltage level of the signal FSOURCE is VSS, where VSS is typically 0V or ground; this level must be sufficient for the enable logic element 505 and the JTAG control chain 508 to read the state of the fuse array 501. To blow a fuse, the voltage level of FSOURCE is raised to a predetermined level that is determined by the process technology and the type of fuse (for example, metal or polymer). For a chip manufactured in a 90nm process, the FSOURCE voltage level is about 3.5V. For a chip manufactured in a 65nm process, the FSOURCE voltage level is about 1.7V.
The microprocessor 500 provides a mechanism that prevents unauthorized users from performing any JTAG action other than normal boundary scan and test operations. In one possible embodiment, the microprocessor 500 has a feature fuse 511, which is located in the fuse array 501. When the feature fuse 511 is blown, harmful or unauthorized JTAG actions are disabled. An access controller 512 is coupled to the feature fuse 511 through the bus FSENSE. The access controller 512 receives a microprocessor reset signal RESET and is coupled to the JTAG control chain 508 through the bus BSONLY. The microprocessor 500 further has a level sensor 513, which receives the signal FSOURCE and is coupled to the access controller 512 through the bus ILLEGAL.
Like the other fuses (not shown) in the fuse array 501, the feature fuse 511 may be made of metal or polymer. It can be blown with known techniques when the microprocessor 500 is manufactured, or blown after manufacture using the FSOURCE mechanism described above.
In operation, when the microprocessor 500 is powered on or reset, the reset signal RESET is asserted and the access controller 512 senses the state of the feature fuse 511 through the bus FSENSE. If the feature fuse 511 is not blown, the access controller 512 uses the bus BSONLY to direct the JTAG control chain 508 to allow all JTAG operations. These JTAG operations include reading the microcode stored in the microcode storage 506 and reading or blowing fuses in the fuse array 501. If the feature fuse 511 is blown, however, the access controller 512 uses the bus BSONLY to direct the JTAG control chain 508 to prohibit all JTAG operations other than normal boundary scan and test operations. Consequently, when the feature fuse 511 is blown, any command received by the microprocessor 500 on the JTAG bus JT[1:N] that attempts to blow or read fuses in the fuse array 501, or to read the data stored in the microcode storage 506, is ignored or invalidated.
In some configurations, the signal FSOURCE may be set to a voltage level other than VSS in order to blow fuses in the fuse array 501, with the result that the state (blown or not blown) of the fuses in the fuse array 501 becomes something other than their true state. This can happen when an unauthorized user attempts to tamper with the microprocessor's features by supplying such a voltage level on FSOURCE, so that the value of the feature fuse 511 on bus FSENSE indicates that extended JTAG operations are enabled. Fuses could then be blown to add feature elements 502-503, and/or the data stored in microcode storage 506 could be read. To address this problem, the level detector 513 monitors the voltage level of the signal FSOURCE and, when FSOURCE is at an illegal voltage level (for example, any voltage level other than VSS), notifies the access controller 512 via bus ILLEGAL. Therefore, if the signal FSOURCE is at an illegal voltage level when the access controller 512 reads the state of the feature fuse 511, the access controller 512 directs the JTAG control chain 508 to disable all JTAG operations except normal boundary scan and test operations. Conversely, if the voltage level of the signal FSOURCE is VSS when the access controller 512 reads the state of the feature fuse 511, the access controller 512 causes the JTAG control chain 508 to allow or disallow extended JTAG operations according to the state of the feature fuse 511.
However, after the feature fuse 511 has been blown, it may still be necessary to blow fuses or read the microcode in microcode storage 506. In one embodiment, the tamper protection can be temporarily overridden. In this embodiment, therefore, the microprocessor 500 further includes a machine specific register 521. The machine specific register 521 is coupled to the access controller 512 via bus RENVAL. When the feature fuse 511 has been blown, a specific value must be present in the machine specific register 521 in order to temporarily re-enable extended JTAG operations. In one embodiment, only the manufacturer of the microprocessor 500 knows this specific value, and the specific value is stored in the access controller 512. In one embodiment, microprocessors 500 manufactured in the same batch may share the same specific value. In another embodiment, the specific value may be a generally known value. In other embodiments, the specific value is a value known only to the manufacturer of the microprocessor 500, and the encryption engine encrypts it for a specific number of encryption rounds, according to a prescribed encryption algorithm, using a value unique to the microprocessor 500 as the encryption key.
When the microprocessor 500 is powered on or reset, the access controller 512 determines whether the signal FSOURCE is at a legal voltage level. If so, the access controller 512 then determines whether the feature fuse 511 has been blown. If the feature fuse 511 has been blown, the access controller 512 checks the value in the machine specific register 521. In one embodiment, if the value in the machine specific register 521 matches an override value in the access controller 512 (that is, the specific value described above), the access controller 512 causes the JTAG control chain 508 to enable the extended JTAG operations. After a fixed period of time, the access controller checks again whether the value originally detected in the machine specific register 521, which matched the override value, is still present. If so, extended JTAG operations are allowed. If a value matching the override value is no longer detected in the machine specific register 521, extended JTAG operations are disabled.
In other embodiments, the access controller 512 determines whether the signal FSOURCE is at a legal voltage level. If so, the access controller 512 then determines whether the feature fuse 511 has been blown. If the feature fuse 511 has been blown, the access controller 512 checks the value in the machine specific register 521 and, at the same time, causes the encryption engine to perform a specific number of encryption rounds on the value in the machine specific register 521, using a value unique to the microprocessor 500 as the encryption key, to produce an encrypted value. If the encrypted value matches an override value (that is, the specific value described above), the access controller 512 causes the JTAG control chain 508 to enable the extended JTAG operations. After a fixed period of time, the access controller checks again whether the value originally detected in the machine specific register 521, whose encrypted form matched the override value, is still present. If so, extended JTAG operations are allowed. If an encrypted value matching the override value is no longer detected in the machine specific register 521, extended JTAG operations are disabled.
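The decision flow of the two override embodiments above can be written as a small behavioral model. This is an added example, not code from the patent: `chip_t`, `provision`, `bsonly`, the 0 mV value for VSS, the sample constants and the `toy_round` placeholder (the patent names no algorithm) are all assumptions, and `rounds = 0` gives the direct-compare embodiment.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VSS_MV 0  /* assumed: FSOURCE must sit at VSS (0 mV) when the fuse is sensed */

typedef struct {
    int      fsource_mv;      /* level watched by level detector 513 */
    bool     fuse_blown;      /* feature fuse 511, read over FSENSE */
    uint32_t msr;             /* machine specific register 521, read over RENVAL */
    uint32_t device_key;      /* value unique to this part (encrypted embodiment) */
    uint32_t override_value;  /* reference value held in access controller 512 */
    int      rounds;          /* 0 = direct compare, >0 = encrypted embodiment */
} chip_t;

/* Placeholder keyed round, invertible but NOT a real cipher: the page does not
   name the algorithm, so this only stands in for "one encryption round". */
static uint32_t toy_round(uint32_t v, uint32_t key) {
    v ^= key;
    v = (v << 7) | (v >> 25);
    return v * 2654435761u + key;
}

uint32_t transform_msr(uint32_t v, uint32_t key, int rounds) {
    for (int i = 0; i < rounds; i++) v = toy_round(v, key);
    return v;
}

/* Fused part as shipped: the controller stores the transformed token. */
chip_t provision(uint32_t key, uint32_t token, int rounds) {
    chip_t c = { VSS_MV, true, 0, key, transform_msr(token, key, rounds), rounds };
    return c;
}

/* True when BSONLY restricts the JTAG chain to boundary scan and test only.
   Evaluated at RESET and again at every periodic re-check. */
bool bsonly(const chip_t *c) {
    if (c->fsource_mv != VSS_MV) return true;  /* ILLEGAL: sensed fuse untrusted */
    if (!c->fuse_blown) return false;          /* unfused part: all JTAG allowed */
    return transform_msr(c->msr, c->device_key, c->rounds) != c->override_value;
}

int main(void) {
    chip_t c = provision(0x00C0FFEEu, 0x5EC0DE01u, 4);  /* constructed values */
    printf("reset, MSR empty      -> bsonly=%d\n", bsonly(&c));
    c.msr = 0x5EC0DE01u;
    printf("MSR holds token       -> bsonly=%d\n", bsonly(&c));
    c.fsource_mv = 1800;
    printf("FSOURCE off VSS       -> bsonly=%d\n", bsonly(&c));
    c.fsource_mv = VSS_MV; c.msr = 0;
    printf("re-check, MSR cleared -> bsonly=%d\n", bsonly(&c));
    return 0;
}
```

The FSOURCE check comes first in `bsonly` because a sensed fuse state cannot be trusted while the fuse source is off VSS, so neither an apparently unblown fuse nor a correct register value opens the extended operations in that condition.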
In one embodiment, the microprocessor 500 includes a central processing unit (CPU). The central processing unit may be disposed on a single die of an integrated circuit. In other embodiments, the microprocessor 500 has an x86-compatible central processing unit on a single die of an integrated circuit, and may be a superscalar microprocessor that executes, in pipelined fashion, x86-compatible macro instructions fetched from a memory over a system bus.
In other embodiments, an integrated circuit disposed on a single die may be used in place of the microprocessor 500. In that case, the integrated circuit provides the programmable fuses described above, and the tamper protection mechanism described above is likewise integrated into the design of the integrated circuit.
Although the present invention has been disclosed above by way of preferred embodiments, they are not intended to limit the invention. Anyone of ordinary skill in the art may make some changes and refinements without departing from the spirit and scope of the invention, so the scope of protection of the invention is defined by the appended claims.
100, 200, 300, 500‧‧‧microprocessor
101, 201, 301, 501‧‧‧fuse array
102, 202, 302, 502‧‧‧encryption engine
103, 203, 303, 503‧‧‧protection feature
105, 205, 305, 505‧‧‧enable logic element
106, 206, 306, 506‧‧‧microcode storage
107, 207, 307, 507‧‧‧blow controller
108, 208, 308, 508‧‧‧JTAG control chain
109, 209, 309, 509‧‧‧JTAG bus interface element
110, 210, 310, 510‧‧‧connection pins
211, 311, 511‧‧‧feature fuse
212, 312, 512‧‧‧access controller
313, 513‧‧‧level detector
401~408‧‧‧steps
521‧‧‧machine specific register
Figure 1 is a schematic diagram of a microprocessor with fuse-based feature enabling.
Figure 2 is a schematic diagram of a microprocessor of the present invention that protects a programmable fuse array.
Figure 3 is a schematic diagram of an apparatus of the present invention having a programmable fuse array with tamper protection.
Figure 4 is a flow chart of a protection method of the present invention.
Figure 5 is a schematic diagram of the present invention in which a fuse array with tamper protection can be re-enabled.
Claims (29)
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US12/823,345 US8429471B2 (en) | 2010-06-25 | 2010-06-25 | Microprocessor apparatus and method for securing a programmable fuse array |
| US12/823,348 US8341472B2 (en) | 2010-06-25 | 2010-06-25 | Apparatus and method for tamper protection of a microprocessor fuse array |
| US12/823,350 US8242800B2 (en) | 2010-06-25 | 2010-06-25 | Apparatus and method for override access to a secured programmable fuse array |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW201201019A TW201201019A (en) | 2012-01-01 |
| TWI451255B TWI451255B (en) | 2014-09-01 |
Family
ID=45359314
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW100115720A TWI451255B (en) | 2010-06-25 | 2011-05-05 | Microprocessor apparatus and method for precluding the use of extended jtag operations |
Country Status (2)
| Country | Link |
|---|---|
| CN (2) | CN102298960B (en) |
| TW (1) | TWI451255B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9858441B2 (en) | 2013-04-03 | 2018-01-02 | Hewlett Packard Enterprise Development Lp | Disabling counterfeit cartridges |
| TWI556158B (en) * | 2013-08-21 | 2016-11-01 | 威盛電子股份有限公司 | Processing device and method for configuration data |
| TWI552068B (en) * | 2013-08-21 | 2016-10-01 | 上海兆芯集成電路有限公司 | Processing device and method for configuration data |
| JP6869315B2 (en) * | 2019-02-19 | 2021-05-12 | 華邦電子股▲ふん▼有限公司Winbond Electronics Corp. | Electronic fuse circuit and its operation method |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060136751A1 (en) * | 2004-12-17 | 2006-06-22 | International Business Machines Corporation | Using electrically programmable fuses to hide architecture, prevent reverse engineering, and make a device inoperable |
| TW200951758A (en) * | 2008-03-07 | 2009-12-16 | Qualcomm Inc | Method and apparatus for detecting unauthorized access to a computing device and securely communicating information about such unauthorized access |
| TW201011643A (en) * | 2008-09-09 | 2010-03-16 | Via Tech Inc | Apparatus and method for updating set of limited access model specific registers in a microprocessor |
| US7724022B1 (en) * | 2009-01-28 | 2010-05-25 | International Business Machines Corporation | Implementing enhanced security features in an ASIC using eFuses |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN200959233Y (en) * | 2006-06-30 | 2007-10-10 | 田正湧 | Vehicle power supply regulator and MP3 player and USB power transfer integration device |
| CN101556825B (en) * | 2009-05-20 | 2011-11-30 | 炬力集成电路设计有限公司 | Integrated circuit |
2011
- 2011-05-05 TW TW100115720A patent/TWI451255B/en active
- 2011-05-06 CN CN201110117356.XA patent/CN102298960B/en active Active
- 2011-05-06 CN CN201310349632.4A patent/CN103529381B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN103529381A (en) | 2014-01-22 |
| CN102298960B (en) | 2014-04-02 |
| TW201201019A (en) | 2012-01-01 |
| CN103529381B (en) | 2015-10-28 |
| CN102298960A (en) | 2011-12-28 |