
TWI791138B - Security monitoring of serial peripheral interface flash - Google Patents


Info

Publication number
TWI791138B
Authority: TW (Taiwan)
Prior art keywords: bus, data, memory device, processor, data processing
Application number: TW109103275A
Other languages: Chinese (zh)
Other versions: TW202112114A (en)
Inventors: 赫詩曼 日弗, 哈永 尤爾, 亞隆 摩西
Original assignee: 新唐科技股份有限公司
Priority claimed from US16/568,299 (US10776527B2)
Application filed by 新唐科技股份有限公司
Publication of TW202112114A
Application granted
Publication of TWI791138B

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F21/85 Protecting input, output or interconnection devices; interconnection devices, e.g. bus-connected or in-line devices
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/38 Information transfer, e.g. on bus
    • G06F13/42 Bus transfer protocol, e.g. handshake; Synchronisation
    • G06F13/4282 Bus transfer protocol, e.g. handshake; Synchronisation on a serial bus, e.g. I2C bus, SPI bus

Abstract

A security device for SPI flash includes an interface and a processor. The interface is configured for connecting to a bus that serves one or more peripheral devices, at least one of the peripheral devices being a memory device. The processor is connected to the bus in addition to the peripheral devices, and is configured to hold a definition that distinguishes between authorized and unauthorized transactions with the memory device, to identify on the bus a transaction in which a bus-master device attempts to access the memory device, and to initiate a responsive action in response to identifying that the transaction is unauthorized in accordance with the definition.

Description

Security Device for Serial Peripheral Interface Flash

Cross-Reference to Related Applications

This application claims the benefit of U.S. Patent Application No. 16/568,299, filed September 12, 2019, which is a continuation-in-part of U.S. Patent Application No. 15/955,715, filed April 18, 2018, which is a continuation-in-part of U.S. Patent Application No. 15/075,219, filed March 21, 2016, which claims priority from U.S. Provisional Patent Application No. 62/172,298, filed June 8, 2015.

The present invention relates to electronic system security, and in particular to methods and systems for securing access to peripheral devices.

Electronic systems use various bus interfaces for communication between host devices and peripheral devices. Such bus interfaces include, for example, the Inter-Integrated-Circuit (I2C) bus and the Serial Peripheral Interface (SPI) bus. The I2C bus is described, for example, in "I2C-bus specification and user manual," UM10204, NXP Semiconductors, Revision 6, April 4, 2014, which is incorporated herein by reference.

It is an object of the present invention to provide a security device that includes an interface and a processor. The interface connects to a bus that serves one or more peripheral devices, at least one of which is a memory device. The processor is connected to the bus in addition to the one or more peripheral devices, and is configured to hold a definition that distinguishes between authorized and unauthorized transactions with the memory device, to identify on the bus a transaction in which a bus-master device attempts to access the memory device, and to initiate a responsive action in response to identifying, in accordance with the definition, that the transaction is unauthorized.

According to an embodiment of the present invention, the bus includes one or more dedicated signals and one or more shared signals, each dedicated signal being dedicated to a respective one of the peripheral devices and the shared signals being shared among the peripheral devices served by the bus, and the processor blocks the transaction on the bus by blocking the dedicated signal associated with the memory device. According to an embodiment, the dedicated signal associated with the memory device is the chip-select signal of the memory device, and the processor blocks the transaction by extending the duration for which the chip-select signal selects the memory device beyond the actual end of the transaction, so that the memory device does not execute the transaction.

According to an embodiment of the present invention, the definition specifies the transactions with the memory device that are authorized, and the processor initiates the responsive action in response to identifying that the transaction is not specified in the definition.

According to an embodiment of the present invention, the processor is configured to define one or more transaction groups, to maintain one or more counters corresponding respectively to the one or more transaction groups, to monitor the bus, and, in response to identifying on the bus a given transaction between the bus-master device and the memory device, to increment the counter corresponding to the group to which the given transaction belongs.

According to an embodiment of the present invention, the processor identifies on the bus one or more mode-enter transactions that instruct the memory device to enter a given operational mode, and one or more mode-exit transactions that instruct the memory device to leave the given operational mode, so as to determine whether the memory device is operating in the given operational mode. According to an embodiment, the processor gives one or more transactions a first interpretation when the memory device is operating in the given operational mode, and a different, second interpretation when the memory device is not operating in that mode. According to an embodiment, the processor refrains from initiating the responsive action while the memory device is operating in the given operational mode.

According to an embodiment of the present invention, the processor receives the transaction from the bus-master device, verifies whether the transaction is authorized, and, upon determining that the transaction is authorized, executes the transaction in the memory device. According to an embodiment, the processor receives the transaction as part of a sequence of transactions, and verifies whether the transaction is authorized as part of a joint verification of the sequence of transactions.

According to an embodiment of the present invention, the transaction is a write transaction in which the bus-master device writes data to the memory device, and the processor performs a cryptographic operation on the data and determines that the transaction is authorized when the cryptographic operation succeeds.
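The definition, the transaction-group counters and the mode tracking described above can be modelled in software. The following C program is an added example written for this page, not code from the patent or from 新唐科技股份有限公司: it takes the bytes the master clocked out while chip-select was asserted, checks the opcode against an authorized-opcode set and a protected address zone, counts the transaction in its group, and tracks a mode-enter/mode-exit pair (here the 4-byte address mode) that changes how the address field is interpreted. The opcode values and the protected zone are assumptions of the model and do not come from the patent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Common SPI NOR flash opcodes, assumed for this model; the patent names none. */
#define OP_PAGE_PROG    0x02
#define OP_READ         0x03
#define OP_WREN         0x06
#define OP_FAST_READ    0x0B
#define OP_SECTOR_ERASE 0x20
#define OP_EN4B         0xB7   /* mode-enter: flash switches to 4-byte addresses */
#define OP_CHIP_ERASE   0xC7
#define OP_EX4B         0xE9   /* mode-exit: back to 3-byte addresses */

enum group  { GRP_READ, GRP_WRITE, GRP_ERASE, GRP_CTRL, GRP_COUNT };
enum action {
    ACT_ALLOW,  /* pass the master's CS through to the flash unchanged */
    ACT_BLOCK,  /* hold CS asserted past the master's end of transaction so the flash discards it */
    ACT_ALERT   /* malformed or unexpected frame: raise an alert instead of executing */
};

struct monitor {
    uint8_t  allowed[32];          /* 256-bit set of authorized opcodes (the "definition") */
    uint32_t zone_start, zone_end; /* protected address zone [start, end): no writes or erases */
    uint32_t counters[GRP_COUNT];  /* one counter per transaction group */
    bool     addr4;                /* tracked mode: flash currently expects 4-byte addresses */
};

void monitor_init(struct monitor *m, uint32_t zone_start, uint32_t zone_end)
{
    memset(m, 0, sizeof *m);
    m->zone_start = zone_start;
    m->zone_end   = zone_end;
}

void monitor_allow(struct monitor *m, uint8_t op)
{
    m->allowed[op >> 3] |= (uint8_t)(1u << (op & 7));
}

static bool op_allowed(const struct monitor *m, uint8_t op)
{
    return (m->allowed[op >> 3] >> (op & 7)) & 1u;
}

enum group classify(uint8_t op)
{
    switch (op) {
    case OP_READ: case OP_FAST_READ:          return GRP_READ;
    case OP_PAGE_PROG:                        return GRP_WRITE;
    case OP_SECTOR_ERASE: case OP_CHIP_ERASE: return GRP_ERASE;
    default:                                  return GRP_CTRL;
    }
}

static bool has_address(uint8_t op)
{
    return op == OP_READ || op == OP_FAST_READ ||
           op == OP_PAGE_PROG || op == OP_SECTOR_ERASE;
}

/* frame = bytes the master clocked out while CS was asserted: the opcode,
 * followed (for addressed commands) by a big-endian 3- or 4-byte address. */
enum action monitor_observe(struct monitor *m, const uint8_t *frame, size_t len)
{
    if (len == 0)
        return ACT_ALERT;                      /* CS asserted but no opcode seen */

    uint8_t    op  = frame[0];
    enum group grp = classify(op);
    m->counters[grp]++;                        /* count every identified transaction */

    if (!op_allowed(m, op))
        return ACT_BLOCK;                      /* not in the definition of authorized transactions */

    if (has_address(op)) {
        /* Same bytes, different interpretation depending on the tracked mode */
        size_t n = m->addr4 ? 4 : 3;
        if (len < 1 + n)
            return ACT_ALERT;                  /* address field too short for the current mode */
        uint32_t addr = 0;
        for (size_t i = 0; i < n; i++)
            addr = (addr << 8) | frame[1 + i];
        if ((grp == GRP_WRITE || grp == GRP_ERASE) &&
            addr >= m->zone_start && addr < m->zone_end)
            return ACT_BLOCK;                  /* write/erase aimed at the protected zone */
    } else if (op == OP_CHIP_ERASE && m->zone_end > m->zone_start) {
        return ACT_BLOCK;                      /* a chip erase would wipe the protected zone too */
    }

    /* Only a transaction the flash actually executes changes its mode */
    if (op == OP_EN4B) m->addr4 = true;
    if (op == OP_EX4B) m->addr4 = false;
    return ACT_ALLOW;
}

int main(void)
{
    struct monitor m;
    monitor_init(&m, 0x000000, 0x010000);      /* constructed: first 64 KiB holds boot code */
    monitor_allow(&m, OP_READ);
    monitor_allow(&m, OP_PAGE_PROG);
    const uint8_t prog_boot[] = { OP_PAGE_PROG, 0x00, 0x00, 0x80 };   /* constructed frame */
    printf("page program at 0x000080 -> %s\n",
           monitor_observe(&m, prog_boot, sizeof prog_boot) == ACT_BLOCK ? "blocked" : "allowed");
    return 0;
}
```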

It is another object of the present invention to provide a security device that includes an interface and a processor. The interface is for connecting to a bus that serves one or more peripheral devices, at least one of which is a memory device. The processor is connected to the bus in addition to the one or more peripheral devices, and is configured to identify on the bus a transaction in which a bus-master device attempts to access the memory device, and, in response to identifying the transaction, to initiate a responsive action that responds to the bus-master device in place of the memory device.

According to an embodiment of the present invention, in response to identifying the transaction, the processor blocks the transaction on the bus or issues an alert.

According to an embodiment of the present invention, the transaction is a query of the capabilities of the memory device, and the processor responds to the bus-master device with modified capabilities that differ from the actual capabilities of the memory device. According to an embodiment, the query includes a Serial Flash Discoverable Parameters (SFDP) read command, and the processor responds to the SFDP read command with modified Serial Flash Discoverable Parameters.

According to an embodiment of the present invention, before the query from the bus-master device, the processor obtains the actual capabilities of the memory device from the memory device, and modifies the actual capabilities to produce the modified capabilities with which it responds to the bus-master device. According to an embodiment, the processor adds to the modified capabilities a capability that the memory device does not support. According to an embodiment, the processor produces the modified capabilities by omitting a capability that the memory device does support.

It is yet another object of the present invention to provide a security method that includes the following steps: communicating over a bus using a security device that is connected to the bus in addition to one or more peripheral devices, at least one of which is a memory device; holding a definition that distinguishes between authorized and unauthorized transactions with the memory device; and, using the security device, identifying on the bus a transaction in which a bus-master device attempts to access the memory device, and initiating a responsive action in response to identifying, in accordance with the definition, that the transaction is unauthorized.

It is yet another object of the present invention to provide a security method that includes the following steps: communicating over a bus using a security device that is connected to the bus in addition to one or more peripheral devices, at least one of which is a memory device; and, using the security device, identifying on the bus a transaction in which a bus-master device attempts to access the memory device, and, in response to identifying the transaction, initiating a responsive action that responds to the bus-master device in place of the memory device.

It is yet another object of the present invention to provide a security device that includes an interface and a processor. The interface is for connecting to a bus that serves at least one peripheral device. The bus includes (i) at least one dedicated signal, each dedicated to a respective one of the peripheral devices, and (ii) at least one shared signal, shared among the peripheral devices served by the bus. The processor is connected to the bus as an additional device, in addition to the peripheral devices, and blocks a transaction on the bus in which a bus-master device attempts to access a given peripheral device by blocking the dedicated signal associated with that given peripheral device.

In some embodiments, while blocking the transaction, the processor keeps the shared signals on the bus flowing uninterrupted. In an embodiment, the interface includes (i) an input for receiving the dedicated signal from the bus-master device and (ii) an output for sending the dedicated signal to the given peripheral device, and the processor blocks the transaction by preventing the dedicated signal received at the input from being output at the output. In some embodiments, while the dedicated signal is blocked, the processor responds to the bus-master device in place of the given peripheral device. In an example embodiment, the dedicated signal includes a chip-select (CS) signal.

In a disclosed embodiment, the processor monitors the bus in order to detect the transaction to be blocked. In other embodiments, the processor detects the transaction to be blocked by communicating with the bus-master device over an auxiliary interface external to the bus.

In an embodiment, the processor blocks the dedicated signal indefinitely, until the processor is reset. In another embodiment, the processor blocks the dedicated signal for a finite period of time after detecting the transaction. In an embodiment, by blocking the transaction, the processor causes the at least one peripheral device to discard a transaction. In some embodiments, after blocking the transaction, the processor resumes normal operation.

According to an embodiment of the present invention, there is also provided a security device that includes an interface and a processor. The interface connects to a bus that serves at least one peripheral device. The processor is connected to the bus in addition to the peripheral devices, and blocks a transaction on the bus in which a bus-master device attempts to access a given peripheral device by responding to the bus-master device in place of the given peripheral device.

In an embodiment, the bus includes (i) at least one dedicated signal, each dedicated to a respective one of the peripheral devices, and (ii) at least one shared signal, shared among the peripheral devices served by the bus. The processor may block the transaction by (i) blocking the dedicated signal associated with the given peripheral device, and (ii) responding to the bus-master device while the dedicated signal is blocked.

In some embodiments, the given peripheral device includes a memory device, and the processor identifies in the transaction a request by the bus-master device to read data from the memory device, and responds to the request with other data stored inside the security device. In an example embodiment, in response to identifying that the bus-master device requests access to a predefined address zone in the memory device, the processor blocks the transaction and responds to the bus-master device with the other data.

In another embodiment, the processor identifies the transaction in which the bus-master device attempts to access the given peripheral device based on data returned by the given peripheral device to the bus-master device during the transaction. In other embodiments, the processor identifies the transaction in which the bus-master device attempts to access the given peripheral device based on a command code used in the transaction.

According to an embodiment of the present invention, there is also provided a method that includes communicating over a bus using a security device that is connected to the bus as an additional device, in addition to at least one peripheral device connected to the bus, wherein the bus includes (i) at least one dedicated signal, each dedicated to a respective one of the peripheral devices, and (ii) at least one shared signal, shared among the peripheral devices served by the bus. A transaction on the bus in which a bus-master device attempts to access a given peripheral device is blocked using the security device by blocking the dedicated signal associated with the given peripheral device.

According to an embodiment of the present invention, there is also provided a method that includes communicating over a bus using a security device, wherein at least one peripheral device is connected to the bus and the security device is connected to the bus. A transaction on the bus in which a bus-master device attempts to access a given peripheral device is blocked by using the security device to respond to the bus-master device in place of the given peripheral device.

In embodiments of the present invention described herein, there is provided a device that includes an interface and a processor. The interface is configured to communicate over a bus, and the processor is configured, when a bus-master device attempts an unauthorized access to a peripheral device, to force one or more dummy values onto at least one line of the bus, in parallel with the transaction, so as to interrupt at least part of the transaction.

In an embodiment, the processor is configured to force the dummy value onto a data line of the bus, so as to block a data value received over the data line or sent by the peripheral device. Additionally or alternatively, the processor is configured to force the dummy value onto a clock line of the bus, so as to interrupt the clock signal used by the transaction. Further additionally or alternatively, the processor is configured to force the dummy value onto a chip-select line of the bus, so as to interrupt the selection of the peripheral device by the bus-master device.

In some embodiments, the bus is an open-collector bus or an open-drain bus that has a default logic value, and the processor is configured to force onto the at least one line of the bus a dummy value that is the opposite of the default logic value.

In some embodiments, by forcing the dummy value, the processor overrides the corresponding value written on the at least one line by the bus-master device or the peripheral device. In an example embodiment, the processor is configured to override the value written on the at least one line by the bus-master device or the peripheral device by driving the line with a drive strength greater than that of the bus-master device or the peripheral device. In another embodiment, the device includes at least one resistor placed on the at least one line and configured to attenuate the value written by the bus-master device or the peripheral device so that it is weaker than the dummy value written by the processor.

In some embodiments, the processor is configured to force the dummy value only onto existing lines of the bus that are used for communication between the bus-master device and the peripheral device. In some embodiments, the processor is configured to detect the transaction to be blocked by monitoring the bus. In an embodiment, the processor detects the transaction to be blocked by communicating with the bus-master device over an auxiliary interface external to the bus-master device.

In a disclosed embodiment, the processor forces the dummy value indefinitely, until the device is reset. In another embodiment, the processor is configured to force the dummy value for a finite period of time upon detecting the transaction. In an embodiment, the processor is configured to gracefully restore normal operation of the bus after the transaction has been interrupted.

According to an embodiment of the present invention, there is also provided a system that includes a peripheral device and a security device. The peripheral device is accessible to one or more bus-master devices over a bus. The security device is configured, when a bus-master device attempts an unauthorized access to the peripheral device, to force one or more dummy values onto at least one line of the bus, in parallel with the transaction, so as to block at least part of the transaction.

According to an embodiment of the present invention, there is also provided a method that includes, using a security device coupled to a bus, deciding to interrupt a transaction in which a bus-master device makes an unauthorized attempt to access a peripheral device, and blocking at least part of the transaction by forcing one or more dummy values onto at least one line of the bus in parallel with the transaction.

The present invention will be more fully understood from the following detailed description of embodiments thereof, taken together with the drawings.
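To show why forcing a dummy value blocks a transaction on both bus families described above, here is an added C model written for this page (not code from the patent): an open-drain line resolves as wired-AND, so a security device pulling the I2C clock line low stalls the clock no matter what the master drives, while a push-pull line follows the strongest driver, so an SPI chip-select can be held deasserted by a stronger driver or once a series resistor has weakened the master, and released again to restore normal operation. Drive strengths are abstract integers and the sample clock pattern is constructed; both are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* A driver on a bus line: the logic value it drives and how strongly.
 * strength 0 means the driver is released (high impedance, not driving). */
struct driver { int value; unsigned strength; };

#define LINE_UNDEFINED (-1)   /* floating line, or equal-strength contention */

/* Open-drain / open-collector line (I2C): the pull-up supplies the default
 * value 1, and any driver that pulls low wins (wired-AND). */
int resolve_open_drain(const struct driver *d, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (d[i].strength && d[i].value == 0)
            return 0;
    return 1;
}

/* Push-pull line (SPI): the strongest active driver wins; equal and
 * opposing drivers are contention, reported as LINE_UNDEFINED. */
int resolve_push_pull(const struct driver *d, size_t n)
{
    int best = LINE_UNDEFINED;
    unsigned best_strength = 0;
    bool tie = false;
    for (size_t i = 0; i < n; i++) {
        if (!d[i].strength)
            continue;
        if (d[i].strength > best_strength) {
            best = d[i].value;
            best_strength = d[i].strength;
            tie = false;
        } else if (d[i].strength == best_strength && d[i].value != best) {
            tie = true;
        }
    }
    return tie ? LINE_UNDEFINED : best;
}

/* A series resistor between the master and the line weakens what the
 * master's drive contributes (abstract model: integer division). */
unsigned attenuate(unsigned strength, unsigned factor)
{
    return factor ? strength / factor : strength;
}

/* I2C: count the SCL rising edges the peripheral sees while the master
 * toggles SCL and the security device either holds SCL low or is released.
 * master_scl holds the master's sampled SCL values (1 = released high). */
unsigned scl_edges_seen(const int *master_scl, size_t n, bool force_low)
{
    unsigned edges = 0;
    int prev = 1;                               /* idle bus: pulled high */
    for (size_t i = 0; i < n; i++) {
        struct driver d[2] = {
            { master_scl[i], 1 },               /* the master's open-drain driver */
            { 0, force_low ? 1u : 0u },         /* security device: dummy 0, or released */
        };
        int scl = resolve_open_drain(d, 2);
        if (prev == 0 && scl == 1)
            edges++;                            /* a clock edge reached the peripheral */
        prev = scl;
    }
    return edges;
}

/* SPI: the master asserts CS (0) and the security device drives the dummy
 * value 1 with guard_strength (0 = released). Returns the CS level the
 * flash sees: 1 means it stays deselected and ignores the transaction. */
int cs_seen_by_flash(unsigned master_strength, unsigned guard_strength)
{
    struct driver d[2] = { { 0, master_strength }, { 1, guard_strength } };
    return resolve_push_pull(d, 2);
}
```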

20, 70, 90, 110, 130, 132: system
24, 74: host device
28, 78: peripheral device
32: I2C bus
36: security device
40: interface
44: processor
48: memory
82: SPI bus
86: security device
91: slave interface logic
92: interface monitoring logic
94: processor
98: internal memory
100: resistor
134: AND gate
50, 54, 58, 62, 66, 100a, 104, 108, 112, 116, 120, 140, 144, 148, 152, 156, 160, 164, 170, 174, 178, 182, 186, 190, 194: method steps

FIG. 1 is a block diagram that schematically illustrates a secure system in which multiple devices communicate over an I2C bus, in accordance with an embodiment of the present invention.

FIG. 2 is a flow chart that schematically illustrates a method for securing access to a peripheral device over an I2C bus, in accordance with an embodiment of the present invention.

FIGS. 3-5 are block diagrams that schematically illustrate secure systems in which multiple devices communicate over an SPI bus, in accordance with an alternative embodiment of the present invention.

FIG. 6 is a block diagram that schematically illustrates a security device, in accordance with an embodiment of the present invention.

FIG. 7 is a flow chart that schematically illustrates a method for securely booting a host device, in accordance with an embodiment of the present invention.

FIG. 8 is a block diagram that schematically illustrates a secure system in which multiple devices communicate over an SPI bus, in accordance with another embodiment of the present invention.

FIG. 9 is a flow chart that schematically illustrates a method for monitoring SPI transactions using transaction-group counters, in accordance with an embodiment of the present invention.

FIG. 10 is a flow chart that schematically illustrates a method for secure mediation of write/erase transactions between a host and an SPI Flash memory, in accordance with an embodiment of the present invention.

The drawings above are schematic and not to scale. Relative dimensions and proportions in the drawings are exaggerated or reduced for clarity and/or convenience; the dimensions are arbitrary and not limiting. Like reference numerals in the drawings denote like elements.

Embodiments of the present invention are described in detail below with reference to the drawings and examples, so that the way in which the invention applies technical means to solve technical problems and achieve technical effects can be fully understood and practiced accordingly.

As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.

Embodiments of the present invention that are described herein provide improved methods and apparatus for securing access to peripheral devices over a bus interface. The peripheral device may comprise, for example, a cryptographic engine, a memory device that stores sensitive data, or any other device that is accessible over a bus. Some embodiments are described mainly with reference to a serial Flash memory device, but the disclosed techniques are not limited to any particular type of peripheral device.

In some disclosed embodiments, a security device monitors the transactions on the bus and identifies a transaction in which a host device, or another bus-master device, attempts to access a peripheral device without authorization. Transactions may be classified as authorized or unauthorized according to any suitable criterion or policy.

Upon identifying an unauthorized transaction, the security device blocks it by forcing the data or signal on one or more lines of the bus to some dummy value, in parallel with the transaction. The dummy value may be forced, for example, onto the clock signal, the data signal and/or the chip-select signal.

Forcing a dummy value is applicable to blocking signals on a bus whether the bus is open-drain or open-collector, such as the I2C bus, or push-pull, such as the Serial Peripheral Interface (SPI) bus. Forcing the dummy value in parallel with the transaction on the bus interrupts the communication with the peripheral device and/or blocks the respective clock signal.

Several example techniques for blocking unauthorized transactions on I2C and SPI buses are described herein, as are techniques for resuming normal operation after blocking. In some embodiments, the security device can block a transaction without first detecting that transaction on the bus, or even without monitoring the bus at all. For example, the security device may force a dummy value onto the chip-select (CS) line of a certain host until, or unless, that host is authorized.

In some embodiments, for example with an SPI bus, the bus protected by the security device comprises one or more dedicated signals, each dedicated to a different peripheral device, and one or more shared signals that are shared among multiple peripheral devices over the bus. The shared signals may be, for example, the data and clock signals, and a dedicated signal may be, for example, the CS signal. In some embodiments, the security device blocks a transaction by blocking the dedicated signal associated with the protected peripheral device, while leaving the shared signals on the bus unblocked. Note, however, that not all buses have dedicated signals; in the I2C bus, for example, all signals are shared.

In other embodiments, the security device blocks a transaction by responding to the unauthorized host in place of the protected peripheral device. In an example embodiment, the peripheral device comprises a Flash memory containing one or more address zones that store sensitive data, such as keys, configuration data and/or boot code. By selectively overriding the CS signal of the Flash memory, the security device can override access to the data in the Flash memory and instead respond to the host with data stored in its own memory. A secure boot process of this type is described herein.

The techniques disclosed herein provide real-time, secure, selective access to peripheral devices at the transaction-by-transaction level. In most of the techniques described herein, identification and blocking of transactions are performed using only the existing signals of the bus. The disclosed techniques therefore require no additional pins or interconnections, which reduces overall system size and cost.

Secure access to peripheral devices over an I2C bus

Fig. 1 is a block diagram of a secured system 20 according to an embodiment of the invention. In this embodiment, system 20 comprises a host device 24 and a peripheral device 28, both connected to an I2C bus 32. For brevity, host device 24 and peripheral device 28 are also referred to herein simply as the host and the peripheral; host device 24 may also be a bus master.

A security device 36 protects access to peripheral device 28 by monitoring the transactions on I2C bus 32 and preventing unauthorized access attempts on peripheral 28 by host device 24 or by any other device with bus-master capability. Security device 36 is sometimes also referred to as a control device or a Trusted Platform Module (TPM). In this embodiment, security device 36 comprises an interface 40 for connecting to I2C bus 32, a processor 44 that carries out the techniques described here, and a memory 48 that stores one or more security policies enforced by processor 44.

Processor 44 may classify a transaction as unauthorized according to any predefined or configured policy. Typically, an unauthorized transaction is an attempt to write data to peripheral 28, read data from peripheral 28, configure or send commands to peripheral 28, or otherwise access peripheral 28. The policies enforced by security device 36 may include positive policies (e.g., whitelists), negative policies (e.g., blacklists), policies that depend on the device address or register offset, or any other form of policy.

For example, security device 36 may require a host to authenticate its identity before it is authorized to access peripheral 28; a transaction attempted by a host that has not done so is then considered unauthorized. Authentication may be performed, for example, by a challenge-response process between the host and the security device. Additionally or alternatively, the host may be required to prove its identity in some other suitable way, or to complete a secure boot process successfully.

Additionally or alternatively, some types of transaction (e.g., reads) may be considered authorized while other types (e.g., writes) are considered unauthorized. In yet another embodiment, access to selected addresses of the peripheral may be considered authorized while access to other addresses is considered unauthorized. In another embodiment, certain bit sequences on the bus may be treated as unauthorized transactions.

In general, processor 44 may decide whether a transaction is authorized by any suitable means; memory 48 stores the one or more policies used for this decision.

I2C bus 32 comprises a serial data (SDA) line carrying the serial data signal and a serial clock (SCL) line carrying the serial clock signal. The terms "line" and "signal" are used interchangeably herein. By monitoring the SDA and SCL lines, processor 44 can monitor all transactions on I2C bus 32 and identify the unauthorized ones.

Upon identifying an unauthorized transaction, processor 44 blocks it by forcing one or more dummy values onto the SDA and/or SCL line of I2C bus 32. This mechanism is possible because of the open-drain/open-collector structure of the I2C bus: both SDA and SCL are pulled up to logic "1" by default through pull-up resistors, and any device can drive a logic "0" onto SDA or SCL at any time, regardless of the value any other device may be driving at the same moment.

Thus, in some embodiments, when an unauthorized transaction is identified, processor 44 of security device 36 forces, through interface 40, the logic value "0" (the opposite of the default "1") onto the SDA or SCL line of I2C bus 32. The value "0" is regarded here as the dummy value. A "0" forced onto SDA overrides any value being sent from host 24 to peripheral 28 or read by host 24 from peripheral 28 at that moment, as well as the default "1". A "0" forced onto SCL stalls the clock. In either case, the transaction is blocked.

In some embodiments, processor 44 keeps forcing the "0" value until the device is reset. In other embodiments, processor 44 allows graceful recovery from the interruption, i.e., it lets host 24 and peripheral 28 recover from the blocked transaction and resume normal operation. Some hosts and/or peripherals cannot recover from a clock stall, so if graceful recovery of simple hosts and peripherals is required afterwards, forcing the dummy value on SDA is preferable to forcing it on SCL.

In one embodiment, to restore normal operation after interrupting a transaction, processor 44 generates an I2C STOP condition or an I2C repeated-START condition on the bus. Here, a STOP or repeated-START condition may be any sequence of bus signal values that indicates to the devices that the bus is idle and a new transaction may begin.

Processor 44 may use various techniques to allow graceful recovery after a transaction has been blocked. In one embodiment, processor 44 keeps forcing the "0" value for a predefined duration considered sufficient to disrupt the unauthorized transaction. Any suitable duration may be used. For example, SMBus defines a timeout of 25 ms, so in applications that run SMBus over I2C it makes sense to set the predefined duration to at least 25 ms in order to trigger that timeout.

In another embodiment, processor 44 keeps forcing "0" on the SDA line, for up to a predefined time, until it detects that SCL is at logic high, e.g., not toggling. This condition indicates that the host has aborted or abandoned the transaction. Processor 44 can then release the SDA line and, possibly, generate an I2C STOP condition.

In yet another embodiment, useful for blocking reads from the peripheral, security device 36 is configured as an I2C slave with the same address as peripheral 28. Processor 44 of security device 36 answers any unauthorized read request with "0" data values. Peripheral 28 answers the same read requests in parallel, but its data values are overridden by the "0"s driven by security device 36. This continues until the host ends the transaction, e.g., with a STOP condition. Note that, per the I2C specification, a slave does not drive the ACK/NACK bit while it is transmitting data.

In another embodiment, useful for blocking both reads and writes, processor 44 forces the "0" value onto the SDA line. If host 24 does not notice the interference, the transaction then completes normally with "0" data on the bus rather than the data sent by peripheral 28. If host 24 detects the interference and abandons the transaction, for example because it supports I2C multi-master arbitration, processor 44 can typically take over the transaction abandoned by host 24 by generating the remaining clock cycles on the SCL line; processor 44 then completes the byte currently being transferred and terminates the transaction by issuing a STOP condition.
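The SDA-forcing mechanism and the release-when-SCL-goes-idle recovery rule described above, as an added example that is not part of the patent text: a C model of the open-drain wire (the bus level is the AND of every driver), a guard that decodes the address byte, forces the dummy "0" on every bit after an unauthorized address, and releases SDA once the host stops toggling SCL, which is itself a STOP condition. The protected address 0x50, the writes-only-are-blocked policy, the RECOVER_SAMPLES threshold and the sample-based timing are assumptions of the example; the peripheral's ACKs and the read-data path are not modelled (for reads the wired-AND works the same way: a "0" from the guard overrides the peripheral's "1"s).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not code from the patent.  Bit-level model of the SDA-forcing
 * mechanism: I2C is open-drain, so the wire carries the AND of every driver's
 * contribution and a "0" from the security device ("guard") overrides any "1"
 * the host or the peripheral drives at the same time.  The protected address,
 * the policy and the recovery threshold are assumptions of this example. */

#define PROTECTED_ADDR  0x50u   /* 7-bit address of the protected peripheral (assumed) */
#define RECOVER_SAMPLES 4       /* SCL high and not toggling this long = host gave up */

struct i2c_guard {
    bool prev_scl, prev_sda;    /* last wire levels, for START/STOP/edge detection */
    bool active;                /* between a START and a STOP */
    int  nbits, nbytes;         /* bit position in the current byte, bytes completed */
    uint8_t shift;              /* byte assembled from SDA on SCL rising edges */
    bool force_low;             /* guard is driving the dummy value "0" on SDA */
    int  stable_high;           /* consecutive samples with SCL high and unchanged */
};

/* Policy (assumed): writes to the protected address are unauthorised, reads are fine. */
static bool authorised(uint8_t addr7, bool is_read)
{
    return addr7 != PROTECTED_ADDR || is_read;
}

/* Feed one sample of the wire levels.  Returns the guard's SDA contribution for
 * the next sample: 1 = released (the pull-up wins), 0 = pulled low. */
int guard_step(struct i2c_guard *g, bool scl, bool sda)
{
    if (scl && g->prev_scl) {                  /* SCL high and stable: START/STOP window */
        if (g->prev_sda && !sda) {             /* START: SDA falls while SCL is high */
            g->active = true; g->nbits = 0; g->nbytes = 0; g->shift = 0;
        } else if (!g->prev_sda && sda) {      /* STOP: SDA rises while SCL is high */
            g->active = false; g->force_low = false;
        }
    }
    if (scl && !g->prev_scl && g->active) {    /* SCL rising edge: the data bit is valid */
        g->shift = (uint8_t)((g->shift << 1) | (sda ? 1 : 0));
        if (++g->nbits == 8) {                 /* address or data byte complete */
            if (g->nbytes == 0 && !authorised(g->shift >> 1, g->shift & 1))
                g->force_low = true;           /* block everything after the address byte */
            g->nbytes++;
        } else if (g->nbits == 9) {            /* ACK/NACK slot clocked; start next byte */
            g->nbits = 0; g->shift = 0;
        }
    }
    /* Graceful recovery: once the host stops toggling SCL (lost arbitration or
     * timed out), release SDA.  SDA rising while SCL is high is itself a STOP. */
    if (g->force_low) {
        g->stable_high = (scl && g->prev_scl) ? g->stable_high + 1 : 0;
        if (g->stable_high >= RECOVER_SAMPLES) {
            g->force_low = false; g->active = false; g->stable_high = 0;
        }
    }
    g->prev_scl = scl; g->prev_sda = sda;
    return g->force_low ? 0 : 1;
}

/* ---- host + wire + guard simulation ------------------------------------------ */

struct sim { struct i2c_guard g; int guard_sda; };

/* One host sample.  Wire SDA = host SDA AND guard SDA (open-drain).  Returns wire SDA. */
static bool sample(struct sim *s, bool scl, bool host_sda)
{
    bool wire = host_sda && s->guard_sda;
    s->guard_sda = guard_step(&s->g, scl, wire);
    return wire;
}

struct txn_result { bool blocked; bool released; };

/* Clock a host transaction through the model.  bytes[0] = (addr7 << 1) | R/W, the
 * rest are register offset / data.  seen[] receives each byte as it appears on the
 * wire, i.e. what the peripheral receives (peripheral ACKs are not modelled). */
struct txn_result run_transaction(const uint8_t *bytes, size_t n, uint8_t *seen)
{
    struct sim s = { {0}, 1 };
    struct txn_result r;
    sample(&s, 1, 1); sample(&s, 1, 0); sample(&s, 0, 0);          /* START */
    for (size_t i = 0; i < n; i++) {
        uint8_t w = 0;
        for (int b = 7; b >= 0; b--) {
            bool bit = (bytes[i] >> b) & 1;
            sample(&s, 0, bit);                                    /* host sets SDA with SCL low */
            w = (uint8_t)((w << 1) | (sample(&s, 1, bit) ? 1 : 0)); /* latched on SCL rise */
        }
        sample(&s, 0, 1); sample(&s, 1, 1);                        /* ACK slot: host releases */
        seen[i] = w;
    }
    r.blocked = s.g.force_low;
    sample(&s, 0, 0); sample(&s, 1, 0); sample(&s, 1, 1);          /* host attempts a STOP */
    for (int i = 0; i < RECOVER_SAMPLES + 2; i++) sample(&s, 1, 1); /* ...then idles */
    r.released = s.guard_sda == 1;
    return r;
}
```

Two points the model makes visible. First, the guard can only decide after the address byte has been clocked in, so that byte reaches the peripheral untouched and only the register offset and data that follow are forced to 0x00; the peripheral sees a well-formed write of zeros rather than the attacker's payload. Second, a host without arbitration detection never sees a NACK, because the forced-low SDA reads as an ACK in the ninth clock, which is why such a host simply completes the transaction believing it wrote zeros, while an arbitrating host backs off and leaves SCL high, at which point the guard's release of SDA produces the STOP.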

The blocking and recovery techniques described above are given by way of example only. In alternative embodiments, processor 44 of security device 36 may block transactions and/or recover from blocking using any other suitable technique.

In the embodiments above, detection of unauthorized transactions, blocking, and recovery after blocking use only the existing lines of the bus. In an alternative embodiment, security device 36 and host device 24 are additionally connected through some auxiliary interface outside bus 32. Such a mechanism is feasible, for example, when security device 36 and host device 24 are integrated in the same integrated circuit (IC) and share the IC's SDA and SCL pins.

In these embodiments, security device 36 and host device 24 use the auxiliary interface to verify whether some other host device is accessing peripheral 28. In an example embodiment, when host device 24 accesses peripheral 28, it notifies security device 36 over the auxiliary interface. In response to the notification, processor 44 refrains from forcing the dummy value "0" onto the bus and lets the transaction proceed. When it detects a transaction that accesses peripheral 28 but was not reported over the auxiliary interface, processor 44 assumes the transaction was issued by some unauthorized host and interrupts it by forcing the "0" value.

Fig. 2 is a flow chart of a method for securing access to peripheral device 28 over I2C bus 32, according to an embodiment of the invention. The method begins at a monitoring step 50, in which processor 44 of security device 36 monitors the transactions on I2C bus 32 through interface 40.

At a transaction detection step 54, processor 44 identifies a transaction in which host device 24 attempts to access peripheral device 28. At a checking step 58, processor 44 checks whether the transaction is authorized, for example by checking whether it violates a security policy stored in memory 48.

If the transaction is authorized, processor 44 allows it to proceed normally at an allowing step 62. Otherwise, if the transaction is found to be unauthorized, processor 44 interrupts it at a blocking step 66 by forcing the dummy value "0" onto the SCL and/or SDA line of I2C bus 32.

Secure access to peripheral devices over an SPI bus

Fig. 3 is a block diagram of a secured system 70 according to an alternative embodiment of the invention. As shown in Fig. 3, system 70 comprises a host device 74, a peripheral device 78 and a security device 86, all connected to an SPI bus 82.

Security device 86 identifies and blocks unauthorized attempts by host device 74 to access peripheral device 78. In this embodiment, security device 86 comprises an interface 90 connected to SPI bus 82, a processor 94 configured to carry out the techniques described here, and a memory 98 configured to store one or more security policies enforced by processor 94.

The security policies that distinguish authorized from unauthorized transactions, and the way in which processor 94 of security device 86 identifies unauthorized transactions, are essentially the same as described above for system 20. The techniques described below differ from those above in the way security device 86 forces dummy values onto bus 82 to block unauthorized transactions.

SPI bus 82 comprises a clock (CLK) line and two data lines called Master-Out-Slave-In (MOSI) and Master-In-Slave-Out (MISO). The CLK, MISO and MOSI lines are shared by all devices (devices 74, 78 and 86 in this example). In addition, each slave device is selected through a dedicated chip-select line. In this example, host device 74 selects peripheral device 78 with the CS line labelled CS2# and selects security device 86 with the CS line labelled CS1#.

Host device 74, being the master, is connected to all CS lines. Peripheral devices 78, being slaves, are each connected only to their own CS line. Typically, host device 74 initiates a transaction by selecting the desired peripheral 78 with the corresponding CS line and then communicates with it over the CLK, MOSI and MISO lines. MOSI carries signals from host device 74 to peripheral 78; MISO carries signals from peripheral 78 to host device 74.

Unlike a conventional SPI slave, security device 86 is defined as a slave but is able to drive all the CS lines. As shown in Fig. 3, interface 90 of security device 86 is configured to drive the CS2# line in parallel with host device 74. When system 70 comprises multiple peripherals 78 with corresponding CS lines, security device 86 is typically configured to drive, in parallel with host device 74, any of the CS lines connected to host device 74.

In some embodiments, system 70 is designed so that when host device 74 and security device 86 drive a CS line with opposite logic values, the value driven by security device 86 overrides the value driven by host device 74. In other words, when host device 74 and security device 86 drive opposite logic values on the CS line, peripheral 78 receives and acts on the value driven by security device 86.

Overriding the CS line is another example of blocking a transaction on the bus in order to interrupt an unauthorized transaction between the host and peripheral 78. The override mechanism can be implemented in various ways. The description below refers to the CS2# line that selects peripheral 78, but the same mechanism applies when multiple peripherals 78 with multiple corresponding CS lines are used.

In one embodiment, the line driver with which security device 86 drives CS2# through interface 90 is stronger than the line driver with which host device 74 drives CS2#. In an alternative embodiment, a series resistor 100 is inserted in the CS2# line at the output of host device 74; series resistor 100 weakens the output of host device 74's line driver on CS2# relative to the output of security device 86's line driver. Alternatively, security device 86 may be configured to override the signal that host device 74 drives on CS2# in any other suitable way.

Processor 94 of security device 86 may identify unauthorized transactions in any suitable way by monitoring the CS, CLK, MISO and/or MOSI lines of SPI bus 82. In some embodiments, upon identifying a transaction in which host device 74 attempts unauthorized access to a given peripheral 78, processor 94 interrupts the transaction by de-asserting the CS line of that peripheral. Because security device 86 is configured to override the drive of host device 74 on CS2#, peripheral 78 is deselected and the transaction is interrupted. Conversely, when the transaction is determined to be authorized, processor 94 keeps its own CS2# line driver disabled, so that the host can access peripheral 78 without interference.

Fig. 4 is a block diagram of a secured system 110 according to another embodiment of the invention. System 110 is also based on SPI bus 82 and is similar to system 70 of Fig. 3. In system 110, however, security device 86 disrupts unauthorized transactions by forcing dummy values onto the CLK, MISO and/or MOSI lines, rather than by overriding the CS line.

In this example, system 110 is configured so that security device 86 overrides the drive of host device 74 on the CLK, MISO and/or MOSI lines. As shown, series resistors 100 are inserted in the CLK, MISO and MOSI lines for this purpose. Since CS2# is not overridden in this example, no series resistor is needed on it.

In other embodiments, the override mechanism is implemented by making the line drivers of security device 86 for the CLK, MISO and/or MOSI lines stronger than those of host device 74.

In further embodiments, a hybrid scheme that overrides both the CS line (as in Fig. 3) and the CLK, MISO and/or MOSI lines (as in Fig. 4) is also possible.

Overriding dedicated point-to-point signals to secure peripheral access

The signals of a bus such as SPI can be divided into shared and dedicated signals. A shared signal is connected in parallel over the bus to multiple (e.g., all) peripheral devices; examples of shared SPI signals are the data (MOSI and MISO) and clock (CLK) signals. A dedicated signal is specific to one particular peripheral device; an example is the chip-select (CS) signal. In addition, the bus may be extended with out-of-band dedicated signals, e.g., a write-protect (WP) signal, which is usable when the peripheral is a memory device. Dedicated signals are also referred to as point-to-point (PTP) lines.

In some embodiments, one or more dedicated signals pass through security device 86 before reaching the peripheral, whereas the shared signals are routed to the peripheral in the conventional way without passing through the security device. This wiring scheme allows the security device to protect the peripheral effectively, as described in detail below.

Fig. 5 is a block diagram of a system 130 according to yet another embodiment of the invention. Secured system 130 is similar to system 70 of Fig. 3. In this embodiment, however, the CS2# signal does not drive the input of peripheral device 78 directly. Instead, the CS2# line from host device 74 is an input to security device 86, and security device 86 drives a CS2_O# signal that is the input to peripheral device 78.

In this embodiment, signal CS2# serves as an example of a dedicated point-to-point signal that is re-routed through the security device to the protected peripheral. As shown in Fig. 5, the shared signals (MOSI, MISO and CLK) between host device 74 and peripheral device 78 are not intercepted.

Security device 86 blocks a transaction between host device 74 and peripheral device 78 by selectively letting the CS2# signal reach the peripheral or preventing it from reaching the peripheral. In the example of Fig. 5, this selection is made by asserting or de-asserting a control signal MASK_CS2#.

Fig. 6 is a block diagram of security device 86 of system 130 of Fig. 5, according to an embodiment of the invention. In this example, security device 86 comprises an interface 90, a processor 94 and a memory 98. Interface 90 connects to SPI bus 82; processor 94 carries out the disclosed techniques; memory 98 stores one or more security policies enforced by processor 94. Processor 94 comprises slave interface logic 91 and interface monitoring logic (IML) 92. Slave interface logic 91 handles the communication between security device 86 and host device 74. IML 92 monitors, controls and selectively overrides the accesses of host device 74 to peripheral device 78.

In one embodiment, security device 86 identifies and blocks unauthorized transactions in which the host attempts to access peripheral device 78 over SPI bus 82. As can be seen from Figs. 5 and 6, any of the security features of the system of Fig. 3 can also be implemented in the system of Fig. 5.

In some embodiments, IML 92 of processor 94 of security device 86 comprises a set of registers or another suitable data structure that defines which transactions are authorized and which are unauthorized. For example, when peripheral device 78 is an SPI flash memory device, the definition may specify the commands considered authorized together with their associated address ranges. According to this classification, security device 86 lets transactions with a permitted command and a matching address range pass, and blocks transactions that do not match the definition. In one embodiment, some commands do not require an address-range specification, for example erase commands that carry no address.

In addition to blocking the transaction, IML 92 may raise an alert to a higher software layer or initiate any other suitable response, such as resetting the system or part of it, taking control of the flash memory device and restoring a golden image from another location, or even halting the system permanently and preventing any subsequent boot.

In some embodiments, the specification of authorized and unauthorized transactions follows a "whitelist" logic: security device 86 passes only the authorized transactions explicitly specified in IML 92, and rejects and blocks any transaction that is not explicitly specified.

In the embodiments above, the security device is connected to the bus as an additional slave device. In other embodiments, however, the security device may be connected as a master. This implementation is suitable, for example, for bus protocols that support multi-master operation.

Protection by responding to unauthorized transactions in place of the peripheral device

在另一實施例中,安全裝置86可代替周邊裝置78回應所選的主機之數據處置。以下說明主要參考第5圖及第6圖之組態,進行示例性說明。一般而言,本發明之技術不限於特殊系統組態,也可應用於其他任何組態,例如第3圖或是第4圖所示之組態。 In another embodiment, the security device 86 may respond to the selected host's data handling instead of the peripheral device 78 . The following description mainly refers to the configurations in Fig. 5 and Fig. 6 for exemplary description. In general, the technology of the present invention is not limited to a specific system configuration, and can also be applied to any other configuration, such as the configuration shown in FIG. 3 or FIG. 4 .

在第5圖及第6圖所示之一示例性實施例之組態中,依照對周邊裝置78之位址空間中的某一位址區讀取指令形式的偵測,介面監控邏輯電路92可對CS2_O#強加”高位準訊號”,並從安全裝置之內部記憶體98服務一主機讀取指令(或是讀取指令之一部分)。主機裝置74通常不知道此回應不是來自周邊裝置。在一些實施例中,此情境亦適用於第4圖之系統110,例如,安全裝置可覆寫MISO訊號。 In the configuration of an exemplary embodiment shown in FIG. 5 and FIG. 6, the interface monitoring logic circuit 92 detects the form of a read command in a certain address area in the address space of the peripheral device 78. A "high level signal" can be imposed on CS2_O# and serve a host read command (or part of a read command) from the internal memory 98 of the security device. The host device 74 is generally unaware that the response is not from a peripheral device. In some embodiments, this scenario also applies to the system 110 of FIG. 4, for example, a security device may overwrite the MISO signal.

In another example of this mechanism, peripheral device 78 of the system is an SPI flash memory device, and security device 86 overrides part of the flash address space, thereby emulating a protected region of the flash memory. For example, security device 86 may comprise a Trusted Platform Module (TPM) that uses interface monitoring logic 92 to override the flash address region that stores the initial host boot code (the first boot instructions fetched when the host powers up). The TPM may override this flash region with its own authenticated initial boot code, for example code that verifies the rest of the program code before the system jumps to execute it.

In some embodiments, security device 86 further comprises a master interface to the SPI flash memory device. In addition, security device 86 may comprise suitable interfaces and circuitry for holding host device 74 in reset while it accesses the SPI flash memory device, which may be part of the system boot sequence. For example, security device 86 may be an embedded controller (EC), a Super I/O (SIO) device or a baseboard management controller (BMC) device.

FIG. 7 is a flow chart that schematically illustrates a secure boot process, in accordance with an embodiment of the present invention. The method begins at system power-up (e.g., when system power becomes valid). At a reset-holding step 100a, security device 86 holds host device 74 in reset and boots itself, for example from the SPI flash memory (peripheral device 78). At an initial loading step 104 (which is optional), security device 86 loads a data block from the SPI flash memory, verifies its authenticity, and stores it in memory 98.

At an overriding step 108, security device 86 configures interface monitoring logic circuit 92 to override accesses to at least one predefined address region of the SPI flash memory (e.g., peripheral device 78). This address region may contain, for example, one or more keys, configuration data of host device 74 and/or an initial boot block.

At a reset-release step 112, security device 86 releases the host from reset. At a boot step 116, host device 74 therefore begins its boot process. At a region-access sub-step 120, accesses to the predefined address region, made as part of the boot process, are served by security device 86 from internal memory 98.

In this manner, sensitive information such as keys, configuration data and/or initial boot code can be provided securely by the security device. Host device 74 is unaware that this information is provided by the security device rather than by the SPI flash memory.

The method of FIG. 7 illustrates one example of how a security device can override accesses to a predefined address region of a peripheral device. In other embodiments, any other suitable method may be used. Moreover, when impersonating an SPI flash memory device, the security device may protect the flash memory device (or other peripheral device) by overriding and/or blocking unauthorized transactions in any other suitable way.
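The following model of the FIG. 7 flow is an added example, not code from the patent: the security device verifies the boot block against a digest it holds before copying it into internal memory, and afterwards serves the host's reads of that region itself, so a later modification of the flash contents never reaches the host. The flash image, region size and digest are constructed for the illustration; SHA-256 stands in for whatever authenticity check the device uses.

```python
import hashlib


class BootOverlayDevice:
    """Models security device 86 of FIG. 7: holds the host in reset, loads a
    boot block from the flash into internal memory after verifying it, then
    serves the host's reads of that region from the verified copy."""

    def __init__(self, flash, region_start, region_len, expected_sha256_hex):
        self.flash = flash                      # bytearray: SPI flash (peripheral 78)
        self.region = (region_start, region_len)
        self.expected = expected_sha256_hex     # digest held by the security device
        self.internal_mem = None                # memory 98
        self.host_in_reset = True               # step 100a
        self.overlay_active = False

    def boot(self):
        """Steps 104-112. Returns True if the host was released from reset."""
        start, length = self.region
        block = bytes(self.flash[start:start + length])              # step 104
        if hashlib.sha256(block).hexdigest() != self.expected:
            return False            # block is not authentic: keep the host in reset
        self.internal_mem = block
        self.overlay_active = True                                   # step 108
        self.host_in_reset = False                                   # step 112
        return True

    def serve_read(self, address, nbytes):
        """Step 120: a host read. Reads fully inside the overlay region come
        from internal memory (CS2_O# forced high); anything else, including a
        read straddling the region boundary, passes through to the flash."""
        if self.host_in_reset:
            raise RuntimeError("host is held in reset; no reads possible")
        start, length = self.region
        end = address + nbytes
        if self.overlay_active and address >= start and end <= start + length:
            return "internal", self.internal_mem[address - start:end - start]
        return "flash", bytes(self.flash[address:end])


def demo():
    """Constructed flash image: a 4 KiB boot block at 0x0, other data after it.
    The flash is tampered with after the load to show the host still gets the
    verified copy."""
    boot_block = bytes(range(256)) * 16                 # 4096 bytes
    flash = bytearray(boot_block + b"\xEE" * 0x1000)
    dev = BootOverlayDevice(flash, 0x0, 0x1000, hashlib.sha256(boot_block).hexdigest())
    released = dev.boot()
    flash[0:4] = b"\xDE\xAD\xBE\xEF"                    # tamper after the load
    src, data = dev.serve_read(0x0, 4)
    return released, src, data, dev.serve_read(0x1000, 2)
```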

Furthermore, the overriding of unauthorized transactions is not limited to protecting a particular predefined address region. For example, the override may be triggered based on data returned by the protected peripheral device, or based on the SPI command code. For example, the security device may enforce a security policy that disables program, erase, write, status, configuration and/or any other command or function of the flash memory device. An example specification of SPI flash commands and instructions is given in the data sheet "SPI Flash-3V Serial Flash Memory with Dual/Quad SPI and QPI", published by Winbond Electronics on August 24, 2015.

In the method of FIG. 7 as described above, the sensitive information is initially stored in the flash memory device, and as part of the boot process the security device reads it from the flash memory device. In other embodiments, the sensitive information may initially be stored in the security device (instead of in the flash memory, or in addition to a copy in the flash memory). In such embodiments, the security device need not read the information from the flash memory device.

In the example above, the method of FIG. 7 is used with an SPI bus. In other embodiments, the security device may use any dedicated and/or shared signals of other buses to override accesses to a predefined address region of a peripheral device on other buses and protocols. For example, the I2C bus is a pull-up bidirectional bus designed to support multiple slave devices and multiple masters. The protocol therefore has a built-in mechanism for handling contention between devices: for example, when an I2C device attempts to drive a "1" (release to pull-up) but detects a "0" on the SDA line, the device assumes contention and releases the bus until the next transaction. In one embodiment, an I2C security device (e.g., security device 36 of FIG. 1) is configured to overlap part of the address space of another peripheral slave device (e.g., security device 28 of FIG. 1). For example, the security device may answer with the same data that the other peripheral device is expected to return. If the security device detects a data mismatch, for example it attempts to pull SDA up to "1" but detects that the line is still "0", it may initiate a response, such as forcing a stop condition, driving "0" on one or more data lines, setting an indefinite clock stretch, or any other suitable action. This technique allows conventional I2C slave devices to be monitored at the data level without changing the physical-layer hardware.

In yet another embodiment, security device 86 (using interface monitoring logic 92) also monitors the data phase of SPI transactions. When a data mismatch is identified, the security device may initiate a response, for example aborting the transaction, resetting the system, locking access to keys, or any other suitable action.

In an example scenario, security device 86 holds a signature or digest of a certain code portion stored in the SPI flash memory. The security device monitors the accesses of host device 74 to the SPI flash memory and computes, in the background, the signature or hash of that code portion. If a wrong signature, a wrong hash value or an incorrect SPI fetch sequence is detected, security device 86 may initiate a suitable response.

In yet another embodiment, the security device may monitor more than one peripheral device 78 on the bus and verify that the access commands to the different devices are as expected.

In yet another embodiment, upon detecting an unauthorized transaction to peripheral device 78, security device 86 may use one or more signals other than CS to restrict access to peripheral device 78 or to enforce a certain system state. The types or uses of such signals are described below by way of example and not limitation.

(1) any of the signals presented in connection with the security system of FIG. 4

(2) the write-protect signal of the flash memory

(3) reset control signals

(4) power management control signals

(5) control of the power of one or more devices

(6) disabling system communication, for example disabling the network interface controller (NIC)

(7) system reset

In addition, the above signals or any other suitable signals may be used to generate a system alert and/or to initiate any suitable response.

Blocking unauthorized transactions to the SPI flash memory by extending the CS duration

FIG. 8 is a block diagram that schematically illustrates multiple devices communicating over an SPI bus in a secured system 132, in accordance with another embodiment of the present invention. System 132 of FIG. 8 is similar to system 130 of FIG. 5, except that system 132 additionally comprises an AND gate 134 and a control signal MASK_LOW_CS2. In FIG. 8, peripheral device 78 is an SPI flash memory device. As explained for FIG. 5, security device 86 blocks transactions between host device 74 and peripheral device 78 by selectively allowing or preventing the CS2# signal from reaching the peripheral device. In FIG. 5, this selection is performed by asserting or de-asserting the control signal MASK_CS2#.

In one embodiment, peripheral device 78 is an SPI flash memory device. In this embodiment, setting the flash device's CS signal (CS2_O# in the figure) to a low level selects the flash memory device, whereas setting the CS signal to a high level de-selects it.

In the example of FIG. 5, security device 86 blocks a transaction between host device 74 and flash memory 78 by setting the MASK_CS2# signal high before the transaction ends. This drives the flash device's CS signal high before the end of the transaction, de-selecting the flash memory device.

In some cases, however, the above technique may be unable to block certain unauthorized transactions, for example when an authorized transaction and an unauthorized transaction differ only in their last bit. For example, in one embodiment, command opcode 0x60 is authorized but command opcode 0x61 is unauthorized and should be blocked. In this case, de-selecting the flash memory device via its CS signal after the last bit has been sampled will not block the transaction.

The further embodiment of FIG. 8 overcomes this problem. In the configuration of FIG. 8, the MASK_LOW_CS2 signal is normally held at a high level. In response to detecting an unauthorized transaction, security device 86 sets MASK_LOW_CS2 to a low level. This extends the duration of the CS signal to flash memory device 78 beyond the actual end of the transaction. Flash memory device 78 can thus detect that the transaction is one or more clock cycles longer than expected, and refuses to execute it.

When using the technique of FIG. 8, security device 86 may extend the duration of the CS signal by any suitable amount, for example by one clock cycle, by several clock cycles, or indefinitely, e.g., until the next reset or power-up.
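The bit-level simulation below is an added example (not the patent's circuit) of the 0x60/0x61 case: a monitor that can only act after the eighth bit is sampled cannot block 0x61 by de-selecting the flash, whereas holding CS2_O# low for extra clocks makes the flash see an over-long command and ignore it. The flash model's rule that an 8-clock command executes only if CS is released after exactly 8 clocks is an assumption standing in for the real part's data-sheet behaviour.

```python
# Constructed policy for this illustration: opcode 0x60 is authorized,
# 0x61 is not; the two differ only in their last (LSB) bit.
AUTHORIZED_OPCODES = {0x60}


class FlashModel:
    """Simplified SPI flash slave (assumption, not a real part's logic):
    while CS is asserted it shifts MOSI in on each clock, latching the opcode
    after 8 clocks, and it executes an 8-clock command only if CS is
    de-asserted after exactly 8 clocks. A longer transaction is ignored."""

    def __init__(self):
        self.executed = []

    def run(self, cs_asserted, mosi_bits):
        """cs_asserted[i] is the CS2_O# level the flash sees at clock i
        (True = selected, i.e. CS low); mosi_bits[i] is the bit sampled."""
        opcode, clocks = 0, 0
        for cs, bit in zip(cs_asserted, mosi_bits):
            if not cs:
                break                      # CS de-asserted: transaction over
            clocks += 1
            if clocks <= 8:
                opcode = (opcode << 1) | bit
        if clocks == 8:
            self.executed.append(opcode)
            return "executed"
        return "ignored"


def host_waveform(opcode, total_clocks):
    """Host sends the opcode MSB first and releases CS2# after 8 clocks."""
    mosi = [(opcode >> (7 - i)) & 1 for i in range(8)]
    mosi += [0] * (total_clocks - 8)
    cs = [True] * 8 + [False] * (total_clocks - 8)
    return cs, mosi


def simulate(opcode, strategy, extra_clocks=1):
    """Run one 8-bit command through the monitor and the flash model.

    strategy "mask_cs":   FIG. 5 style, MASK_CS2# forces CS2_O# high once the
                          transaction is known to be unauthorized.
    strategy "extend_cs": FIG. 8 style, MASK_LOW_CS2 holds CS2_O# low for
                          extra_clocks beyond the host's release of CS2#.
    Returns the flash model's verdict for the command."""
    total = 8 + extra_clocks
    cs_host, mosi = host_waveform(opcode, total)
    cs_flash, seen = [], 0
    for i, (cs, bit) in enumerate(zip(cs_host, mosi)):
        if i < 8:
            seen = (seen << 1) | bit      # the monitor shifts the opcode in too
        # The verdict exists only after the 8th bit has been sampled, so the
        # monitor can influence CS2_O# no earlier than clock index 8.
        unauthorized = i >= 8 and seen not in AUTHORIZED_OPCODES
        if unauthorized and strategy == "mask_cs":
            cs_flash.append(False)        # de-select: too late, host already released CS
        elif unauthorized and strategy == "extend_cs":
            cs_flash.append(True)         # keep selected: the command is now 9+ clocks
        else:
            cs_flash.append(cs)           # pass the host's CS2# through unchanged
    return FlashModel().run(cs_flash, mosi)
```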

In the exemplary embodiment of FIG. 8 (and in that of FIG. 5), security device 86 is selected using the CS1# signal, which allows it to communicate with host device 74 over SPI bus 82. In other embodiments, the security device need not have a separate CS signal; it may communicate with the host device directly or indirectly using any other suitable interface. In some embodiments there is no interface at all between the host device and the security device, as long as the security device can monitor SPI transactions and protect the bus without one.

Monitoring SPI flash transactions using transaction-group counters

In some embodiments, processor 94 of security device 86 defines one or more groups of SPI transactions and maintains a running count of the number of SPI transactions in each group. Each group may comprise one or more SPI transactions that meet some predefined criterion.

In one example, one transaction group comprises the various types of read transactions, while another group comprises the various types of write transactions. In another example, one group comprises the various types of authorized transactions, while another comprises the various types of unauthorized transactions. Any other suitable classification of transactions may also be used. Processor 94 may define any suitable number of groups; the groups need not cover all possible transaction types, and the classification may be user-defined.

In one embodiment, security device 86 comprises multiple counters, implemented in hardware or in software, referred to herein as transaction-group counters. Processor 94 assigns a respective counter to each transaction group. Software on processor 94 may reset a given counter, for example on system reset or power-up, after the counter is read, after the counter reaches a certain threshold, or upon any other suitable condition or event.

In general, a given transaction type may belong to more than one transaction group, meaning that a single transaction may increment several counters. For example, consider an embodiment with a first group comprising all write transaction types, a second group comprising all read transaction types, and a third group comprising all unauthorized transactions. In this example, some write transaction types are authorized and others are not. Three counters are defined for the three groups. In this embodiment, in response to identifying an unauthorized write transaction, processor 94 increments both the first counter and the third counter. Alternatively, any other counting group may exclude unauthorized transactions.

During normal operation, processor 94 keeps incrementing the counters. At any given point in time, each transaction-group counter thus indicates the number of SPI transactions belonging to its group that have occurred up to that time. Security device 86, or another device, may use this information to assess the operating state of host device 74, to detect anomalous behavior of host device 74 that may indicate a security threat, or for any other suitable purpose. In some embodiments, if the counter values exhibit a pattern characteristic of suspicious host behavior, for example an unexpectedly high number of write or erase transactions, processor 94 may issue an alert or trigger some other response.

FIG. 9 is a flow chart that schematically illustrates a method for monitoring SPI transactions using transaction-group counters, in accordance with an embodiment of the present invention. The method begins at a grouping and assignment step 140, in which processor 94 divides the various types of SPI transactions into at least two groups and assigns a respective transaction-group counter to at least one of the groups.

At a transaction identification step 144, processor 94 identifies an SPI transaction between host device 74 and SPI flash memory 78 on the SPI bus. At a classification step 148, processor 94 identifies which SPI transaction group the transaction belongs to.

At an authorization checking step 152, processor 94 checks whether the identified SPI transaction is authorized. If so, at a transaction acceptance step 156, processor 94 allows the transaction to complete. If not, at a transaction blocking step 160, processor 94 blocks the transaction.

At a count incrementing step 164, processor 94 increments the transaction-group counter corresponding to the group identified at step 148. The method then loops back to step 144, and processor 94 continues monitoring subsequent transactions on SPI bus 82.

The flow of FIG. 9 is an example chosen purely for conceptual clarity; any other suitable flow may be used in other embodiments. For example, in some embodiments processor 94 does not block unauthorized transactions but instead initiates a suitable response, such as raising an alert or entering an alert mode. As another example, the transaction-group counter mechanism does not necessarily require checking for unauthorized transactions at all, e.g., no determination is made as to whether any transaction is unauthorized.
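The monitor below is an added example of the FIG. 9 flow combined with the allow-list logic from the start of this section; it is not the patent's firmware. The opcode table is the standard W25Q-family command set stated as an assumption, and the protected region, allow-list and alert threshold are a constructed policy; a transaction can land in several groups (e.g. "write" and "unauthorized"), and counters are checked for a suspicious pattern.

```python
from collections import Counter

# Opcodes of a W25Q-family SPI flash (assumption; verify against the data
# sheet of the part actually on the bus).
READ_OPS = {0x03: "READ", 0x0B: "FAST_READ", 0x3B: "FAST_READ_DUAL_OUT",
            0xEB: "FAST_READ_QUAD_IO", 0x5A: "READ_SFDP", 0x05: "READ_STATUS_1"}
WRITE_OPS = {0x02: "PAGE_PROGRAM", 0x32: "QUAD_PAGE_PROGRAM",
             0x20: "SECTOR_ERASE_4K", 0xD8: "BLOCK_ERASE_64K",
             0xC7: "CHIP_ERASE", 0x60: "CHIP_ERASE_ALT", 0x01: "WRITE_STATUS_1"}
CONTROL_OPS = {0x06: "WRITE_ENABLE", 0x04: "WRITE_DISABLE"}
# Allow-list for program/erase (constructed policy): only these opcodes, and
# only at addresses outside the protected region.
ALLOWED_WRITE_OPS = {0x02, 0x20}


class TransactionGroupMonitor:
    """Counts transactions per group (read, write, unauthorized) and decides
    allow/block per the allow-list, following steps 144-164 of FIG. 9."""

    def __init__(self, protected_end=0x100000, write_alert_threshold=3):
        self.protected_end = protected_end        # [0, protected_end) is read-only
        self.write_alert_threshold = write_alert_threshold
        self.counters = Counter()                 # the transaction-group counters
        self.alerts = []

    def is_authorized(self, opcode, address):
        if opcode in READ_OPS or opcode in CONTROL_OPS:
            return True
        if opcode in ALLOWED_WRITE_OPS:
            return address is not None and address >= self.protected_end
        return False          # anything not explicitly listed is blocked

    def classify(self, opcode, address):
        """Step 148: a transaction may belong to several groups."""
        groups = set()
        if opcode in READ_OPS:
            groups.add("read")
        if opcode in WRITE_OPS:
            groups.add("write")
        if not self.is_authorized(opcode, address):
            groups.add("unauthorized")
        return groups

    def observe(self, frame):
        """frame: MOSI bytes of one transaction, opcode first, then the 3-byte
        address for addressed commands. Returns 'allow' or 'block'."""
        opcode = frame[0]
        address = int.from_bytes(frame[1:4], "big") if len(frame) >= 4 else None
        groups = self.classify(opcode, address)
        decision = "block" if "unauthorized" in groups else "allow"   # steps 152-160
        for group in groups:                                          # step 164
            self.counters[group] += 1
        if self.counters["write"] == self.write_alert_threshold:
            # counter pattern characteristic of suspicious host behaviour
            self.alerts.append("write/erase count reached %d" % self.write_alert_threshold)
        return decision

    def reset_counters(self):
        self.counters.clear()


# Constructed sample of host transactions (opcode, address, data bytes).
SAMPLE_FRAMES = [
    bytes([0x06]),                                   # write enable
    bytes([0x03, 0x00, 0x00, 0x00]),                 # read from boot region
    bytes([0xEB, 0x00, 0x10, 0x00]),                 # quad I/O read
    bytes([0x02, 0x00, 0x00, 0x40]) + b"\xAA" * 4,   # program inside protected region
    bytes([0x02, 0x20, 0x00, 0x00]) + b"\x55" * 4,   # program at 0x200000
    bytes([0x20, 0x20, 0x10, 0x00]),                 # 4K sector erase at 0x201000
    bytes([0xC7]),                                   # chip erase
    bytes([0x61]),                                   # unknown opcode
    bytes([0x05]),                                   # read status register 1
]


def run_sample(frames=SAMPLE_FRAMES):
    mon = TransactionGroupMonitor()
    decisions = [mon.observe(f) for f in frames]
    return decisions, dict(mon.counters), mon.alerts
```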

Support for SPI flash memory modes in the security device

In some embodiments, SPI flash memory device 78 supports a dedicated mode of operation. The dedicated mode is entered or exited in response to dedicated SPI commands from the host device, such as a mode-entry transaction or a mode-exit transaction. Depending on whether the SPI flash memory device is in the dedicated mode, some SPI transactions may have a different format or interpretation. In some embodiments, processor 94 of security device 86 is aware of and supports the dedicated mode of SPI flash memory 78.

For example, the dedicated mode may be a "continuous read" mode, also referred to as XIP mode. The term "XIP mode" is described in the data sheet "W25Q257FV SPI Flash-3V 256M-Bit Serial Flash Memory with Dual/Quad SPI & QPI", published by Winbond Electronics on November 13, 2015. When operating in continuous read mode, the flash memory device expects to receive only read transactions, and the host device therefore does not send a read opcode with every command. Processor 94 of security device 86 may also support any other suitable dedicated mode.

In some embodiments, processor 94 supports a given dedicated mode by (i) entering the dedicated mode upon identifying, on SPI bus 82, an SPI transaction in which host device 74 instructs flash memory device 78 to enter the dedicated mode; (ii) exiting the dedicated mode upon identifying an SPI transaction in which host device 74 instructs flash memory device 78 to exit the dedicated mode; and (iii) adapting the operation of the security device according to whether the flash memory device is operating in the dedicated mode.

In some embodiments, upon identifying entry into the dedicated mode, processor 94 implements the actual logic of that mode, similar to the logic implemented in flash memory device 78. In these embodiments, processor 94 continues to monitor SPI transactions while in the dedicated mode, adapting its interpretation of the transactions to the mode's definition. For example, in "continuous read" mode, processor 94 assumes that the omitted read opcode is the same as the previous read opcode, and monitors/analyzes the address bits from the very start of the transaction (the first clock cycle after the CS# signal goes low). In other words, when the memory device operates in the given mode of operation, the processor applies a first interpretation to one or more transactions, and when the memory device does not operate in the given mode of operation, the processor applies a different, second interpretation to the same one or more transactions.

In other embodiments, upon identifying entry into the dedicated mode, processor 94 suspends monitoring of SPI transactions until the dedicated mode is exited. This approach is simpler to implement, since processor 94 is only required to identify entry into and exit from the dedicated mode, without implementing the mode's full operating logic. It is suitable for dedicated modes in which only authorized transactions are expected (so that no transaction would need to be blocked). For example, in one embodiment security device 86 is only required to prevent unauthorized write transactions, and it can therefore suspend transaction monitoring upon entering "continuous read" mode.

Handling of Serial Flash Discoverable Parameters (SFDP) by the security device

The Serial Flash Discoverable Parameters (SFDP) standard specifies the functional and feature capabilities of serial flash devices in a standard set of internal parameter tables. Host system software can interrogate these parameter tables.

SFDP is specified in the JEDEC JESD216 family of standards and is described in the application note "Introduction-Serial Flash Discoverable Parameter Structure", published by Marconix International Co. in 2011, and in the technical note "Serial Flash Discovery parameter for MT25Q Family-Introduction", published by Micron Technology Inc. in 2012.

In some embodiments, before host device 74 communicates with the flash memory device for the first time, processor 94 of security device 86 obtains the SFDP from flash memory device 78. Processor 94 then modifies the SFDP and exposes the modified SFDP to host device 74. For clarity, the description below refers mainly to SFDP, but the disclosed technique is applicable to any other type of transaction that queries the capabilities of the memory device.

In some embodiments, when modifying the SFDP, processor 94 adds to it one or more capabilities that flash memory device 78 does not support. Presented with the modified SFDP, host device 74 may attempt to use an added capability that the flash device does not support. Processor 94 typically identifies such an attempt while monitoring the SPI transactions on SPI bus 82, and security device 86 implements the capability in place of the flash memory device. For example, the added capability may be support for a replay-protected monotonic counter (RPMC), as described in U.S. Patent Application 16/503,501, entitled "RPMC Flash Emulation", whose disclosure is incorporated herein by reference. Any other suitable capability may likewise be added to the SFDP.

In some embodiments, when modifying the SFDP, processor 94 omits from it one or more capabilities that flash memory device 78 does support, in order to hide them from host device 74. For example, processor 94 may hide support for modes such as double data rate (DDR), QPI, continuous read (XIP), or any other suitable capability. Hiding capabilities that flash memory device 78 does support may be useful in some cases, for example to simplify the implementation of security device 86. When a capability is hidden from the host device, the security device is not required to support it, but it is typically still required to identify the corresponding SPI transactions and to block them if they do appear on the bus.

In various embodiments, processor 94 may obtain the actual SFDP from flash memory device 78 at different times. For example, the non-volatile memory of security device 86 may be pre-programmed with the actual SFDP of flash memory device 78 during system integration or testing. As another example, processor 94 may obtain the SFDP from flash memory device 78 during the power-up sequence, before the host device accesses the device.

Subsequently, when host device 74 issues an SFDP read transaction, processor 94 identifies the command opcode and blocks the transaction, for example by setting the CS2_O# signal of FIG. 5 or FIG. 8 high, and then completes the transaction by supplying the modified SFDP to host device 74 on the MISO line of bus 82. The host device has no way of detecting that the SFDP was provided by the security device rather than by the flash memory device.
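As an added example (not the patent's code) of hiding a capability, the code below parses an SFDP image, clears the DTR (DDR) support bit in the Basic Flash Parameter Table, serves the modified image in answer to Read SFDP, and blocks the DTR read opcodes the host might still try. The field layout is JESD216 as I recall it (signature, 8-byte header, 8-byte parameter headers, BFPT DWORD 1 bit 19 = DTR support) and the DTR opcodes 0x0D/0xBD/0xED are W25Q-family values; both are assumptions to check against the standard and data sheet, and the image itself is constructed.

```python
import struct

READ_SFDP = 0x5A          # JESD216 Read SFDP: opcode, 3-byte address, 1 dummy byte
BFPT_ID = 0xFF00          # Basic Flash Parameter Table ID
BFPT_DTR_BIT = 1 << 19    # BFPT DWORD 1: supports DTR (double transfer rate) clocking
# DTR read opcodes of the W25Q-family part (assumption; check the data sheet).
DTR_READ_OPCODES = {0x0D, 0xBD, 0xED}


def build_sample_sfdp():
    """Constructed SFDP image: one parameter header pointing at a 16-DWORD
    BFPT at offset 0x30 whose DWORD 1 advertises DTR plus a few fast reads."""
    header = b"SFDP" + bytes([0x06, 0x01, 0x00, 0xFF])   # minor 6, major 1, NPH 0 (= 1 header)
    ptp = 0x30
    param_hdr = bytes([0x00, 0x06, 0x01, 0x10]) + ptp.to_bytes(3, "little") + bytes([0xFF])
    img = bytearray(header + param_hdr)
    img += b"\xFF" * (ptp - len(img))                     # unused space reads as 0xFF
    dword1 = BFPT_DTR_BIT | (1 << 16) | (1 << 21) | (1 << 22) | (0x20 << 8) | 0x01
    img += struct.pack("<I", dword1) + b"\xFF" * (4 * 15)
    return bytes(img)


def parse_headers(img):
    """Return the parameter headers as dicts (id, rev, len_dwords, ptp)."""
    if img[0:4] != b"SFDP":
        raise ValueError("bad SFDP signature")
    headers = []
    for i in range(img[6] + 1):                           # NPH is zero-based
        off = 8 + 8 * i
        id_lsb, minor, major, length = img[off:off + 4]
        headers.append({
            "id": (img[off + 7] << 8) | id_lsb,
            "rev": (major, minor),
            "len_dwords": length,
            "ptp": int.from_bytes(img[off + 4:off + 7], "little"),
        })
    return headers


def bfpt_dword(img, n):
    """DWORD n (1-based) of the Basic Flash Parameter Table."""
    ptp = next(h["ptp"] for h in parse_headers(img) if h["id"] == BFPT_ID)
    return struct.unpack_from("<I", img, ptp + 4 * (n - 1))[0]


def hide_dtr(img):
    """Return a copy of the image with the DTR capability removed."""
    out = bytearray(img)
    ptp = next(h["ptp"] for h in parse_headers(img) if h["id"] == BFPT_ID)
    struct.pack_into("<I", out, ptp, bfpt_dword(img, 1) & ~BFPT_DTR_BIT)
    return bytes(out)


class SfdpOverride:
    """Answers Read SFDP with the modified image and blocks the transactions
    that the hidden capability would have used."""

    def __init__(self, flash_sfdp):
        self.exposed = hide_dtr(flash_sfdp)

    def handle(self, frame):
        """frame: MOSI bytes of the transaction. Returns ('serve', data) when
        the device answers instead of the flash (CS2_O# held high), ('block',
        None) for a hidden-capability command, or ('forward', None)."""
        opcode = frame[0]
        if opcode in DTR_READ_OPCODES:
            return "block", None
        if opcode != READ_SFDP:
            return "forward", None
        addr = int.from_bytes(frame[1:4], "big")
        nbytes = len(frame) - 5          # clocks after opcode, address and dummy byte
        return "serve", self.exposed[addr:addr + nbytes]
```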

Secure mediation of write/erase transactions by the security device

In some embodiments, security device 86 not only monitors the transactions on the SPI bus but also mediates between the host device and the flash memory device. In these embodiments, security device 86 receives selected SPI commands, such as write or erase commands, from host device 78 and verifies that the command is authorized. Only if the transaction is authorized does security device 86 allow it to complete, for example by executing the command in flash memory device 78 on behalf of host device 74.

Typically, the verification process of security device 86 comprises evaluating the data to be written to the flash memory device. In some embodiments, this evaluation comprises a cryptographic operation, such as verifying a signature over the data. Such verification is usually computationally intensive and is therefore less suitable for real-time, on-the-fly verification (and possible subsequent blocking) of transactions on the bus.

FIG. 10 is a flow chart that schematically illustrates a method for secure mediation of write/erase transactions between a host and an SPI flash, in accordance with an embodiment of the present invention. The method begins with processor 94 of security device 86 monitoring transactions on the SPI bus, at a monitoring step 170.

At an identification step 174, processor 94 identifies that host device 74 requests a write transaction to the flash memory device. At a blocking step 178, processor 94 blocks the requested write transaction from being executed in the flash memory device. At an acquisition step 182, processor 94 obtains the command and data of the write transaction from host device 74, over the SPI bus or over any other suitable interface between the host device and the security device.

At an evaluation step 186, processor 94 evaluates the write transaction. As described above, this evaluation may comprise a cryptographic operation or another operation on the data to be written. At a step 190, if the verification succeeds, i.e., the write transaction is authorized, processor 94 executes the write transaction in flash memory device 78 on behalf of host device 74, at a step 194. If the verification does not succeed, i.e., verification fails, the write transaction is not executed and the flow returns to step 170.

The flow of FIG. 10 is only an example chosen to explain the concept clearly. Other embodiments may use any other suitable flow. For example, the flow of FIG. 10 identifies, blocks and conditionally executes a single transaction. In other embodiments, multiple transactions may be blocked, evaluated and executed together, or rejected as a whole. For example, processor 94 may identify a sequence of write transactions that write a large body of data to the memory. The processor may block these transactions (if they are directed at the flash), obtain the entire data (the data of the whole sequence of transactions) from the host device, and evaluate the data as a whole. Only when the entire data is authorized does processor 94 write the data to the flash memory device.

In the present disclosure, the term "write transaction" refers to various types of transactions, e.g., flash program, sector/block/chip erase, write enable, and various other commands that change the state of the flash memory device.
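The following constructed simulation (added here; not code from the patent or from its assignee) models the two mediation roles described above for security device 86: answering an SFDP read with a modified SFDP while the flash is held deselected, and the FIG. 10 flow of blocking write-type transactions, retaining them, evaluating the whole sequence with a cryptographic check, and executing it on behalf of the host only if it is authorized. The opcodes are the standard SPI NOR ones, the SFDP image is a minimal constructed blob, and HMAC-SHA256 under a key held in memory 98 stands in for the signature scheme, which the text leaves open.

```python
"""Constructed simulation of security device 86: SFDP substitution and the
write/erase mediation flow of FIG. 10 with whole-sequence evaluation."""
import hmac
import hashlib

# Standard SPI NOR opcodes (JEDEC JESD216 and common vendor command sets);
# the text refers to these commands only generically.
READ_SFDP, WRITE_ENABLE, PAGE_PROGRAM = 0x5A, 0x06, 0x02
SECTOR_ERASE, BLOCK_ERASE, CHIP_ERASE, READ_DATA = 0x20, 0xD8, 0xC7, 0x03
# "Write transactions" in the sense of the text: anything that changes flash state.
WRITE_OPCODES = {WRITE_ENABLE, PAGE_PROGRAM, SECTOR_ERASE, BLOCK_ERASE, CHIP_ERASE}
MEM_SIZE = 4096  # constructed: the flash is modelled as a single 4 KiB sector


def constructed_sfdp() -> bytes:
    """Minimal constructed SFDP image: signature header, one parameter header,
    and DWORD1 of the basic flash parameter table at offset 0x10."""
    header = b"SFDP" + bytes([0x00, 0x01, 0x00, 0xFF])               # rev 1.0, one header
    param = bytes([0x00, 0x00, 0x01, 0x01, 0x10, 0x00, 0x00, 0xFF])    # basic table, 1 DWORD at 0x10
    dword1 = bytes([0xE5, 0x20, 0xF9, 0xFF])  # bits[1:0] = 01: 4 KiB erase supported, opcode 0x20
    return header + param + dword1


class Flash:
    """Stand-in for flash memory device 78 (constructed, not a real part)."""

    def __init__(self, sfdp: bytes):
        self.sfdp = sfdp
        self.mem = bytearray(b"\xff" * MEM_SIZE)
        self.write_enabled = False

    def execute(self, opcode: int, addr: int, data: bytes) -> None:
        if opcode == WRITE_ENABLE:
            self.write_enabled = True
        elif opcode == PAGE_PROGRAM and self.write_enabled:
            self.mem[addr:addr + len(data)] = data      # simplified: plain overwrite
            self.write_enabled = False
        elif opcode in (SECTOR_ERASE, BLOCK_ERASE, CHIP_ERASE) and self.write_enabled:
            self.mem[:] = b"\xff" * MEM_SIZE            # everything is one sector here
            self.write_enabled = False


def serialize(transactions) -> bytes:
    """Canonical encoding of a transaction sequence: opcode, 24-bit address, length, data."""
    return b"".join(bytes([op]) + addr.to_bytes(3, "big") + len(d).to_bytes(2, "big") + d
                    for op, addr, d in transactions)


def sign(key: bytes, transactions) -> bytes:
    """Host-side signature over the whole update (assumed HMAC-SHA256 scheme)."""
    return hmac.new(key, serialize(transactions), hashlib.sha256).digest()


class SecurityDevice:
    """Processor 94 logic: monitor, block, retain, evaluate, execute on behalf of the host."""

    def __init__(self, flash: Flash, key: bytes):
        self.flash = flash
        self.key = key                  # assumed: verification key kept in internal memory 98
        self.actual_sfdp = flash.sfdp   # obtained at power-up, before the host can access the flash
        self.pending = []               # blocked write transactions awaiting evaluation (step 182)

    def modified_sfdp(self) -> bytes:
        """Serve an SFDP that omits a supported capability: report 4 KiB erase as unavailable.
        JESD216 basic table DWORD1 bits[1:0]: 01 = 4 KiB erase supported, 11 = unavailable
        (bit semantics taken from the standard, not from the page)."""
        sfdp = bytearray(self.actual_sfdp)
        sfdp[0x10] |= 0x03                      # 0x10: table offset of the constructed image
        return bytes(sfdp)

    def handle(self, opcode: int, addr: int = 0, data: bytes = b"", nbytes: int = 0):
        """Steps 170/174: classify one host transaction and decide what the host sees on MISO."""
        if opcode == READ_SFDP:
            # Hold CS2_O# high so the flash never sees the command; answer on MISO ourselves.
            return self.modified_sfdp()
        if opcode in WRITE_OPCODES:
            # Step 178: block in the flash; step 182: retain command and data for evaluation.
            self.pending.append((opcode, addr, bytes(data)))
            return None
        if opcode == READ_DATA:
            return bytes(self.flash.mem[addr:addr + nbytes])   # plain reads pass through
        raise ValueError(f"unhandled opcode {opcode:#04x}")

    def evaluate_and_commit(self, signature: bytes) -> bool:
        """Steps 186-194 over the whole retained sequence: execute only if authorized."""
        authorized = hmac.compare_digest(sign(self.key, self.pending), signature)
        if authorized:
            for op, addr, d in self.pending:
                self.flash.execute(op, addr, d)  # step 194: on behalf of host device 74
        self.pending.clear()                     # either way the flow returns to step 170
        return authorized
```

A rejected sequence leaves the flash untouched and the retained transactions discarded; the host must resend them with a valid signature.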

Typically, to support this method, security device 86 should be able to initiate SPI transactions on bus 82. A suitable interface (bus 82 or another bus) should be provided between the security device and the host device. While the security device controls the bus, the host device should refrain from sending transactions on the SPI bus.

The configurations of systems 20, 70, 110, 130 and 132 shown in FIGS. 1, 3-6 and 8, and of the various system elements such as security devices 36 and 86 and buses 32 and 82, are example configurations depicted purely for the sake of conceptual clarity; the present invention is not limited to them. In other embodiments, any other suitable configuration may be used.

For example, for the sake of clarity, the figures show only a single peripheral device and a single host device. In some embodiments, the security system may comprise at least two peripheral devices and/or at least two host devices. Furthermore, the I2C and SPI buses described in the embodiments of the present invention are given only by way of example. In other embodiments, the disclosed techniques can be implemented, mutatis mutandis, on any other suitable type of bus.

For the sake of clarity, the SPI-related embodiments herein refer mainly to single-bit SPI mode. In other embodiments, the disclosed techniques can also be used in other SPI modes, such as dual SPI, quad SPI, QPI or DDR mode. The disclosed techniques can also be applied to other modes, such as continuous read mode.

The various elements of systems 20, 70, 110, 130 and 132 may be implemented in any suitable hardware, e.g., in an Application-Specific Integrated Circuit (ASIC) or a Field-Programmable Gate Array (FPGA). In some embodiments, some elements of security devices 32 and 86, e.g., processor 44 or 94, may be implemented in software or in a combination of hardware and software elements. Memories 48 and 98 may be implemented using any suitable type of memory device, e.g., Random Access Memory (RAM) or Flash memory.

In some embodiments, processor 44 and/or processor 94 may comprise a general-purpose programmable processor, which is programmed in software to carry out the functions described herein. The software may be downloaded to the processor in electronic form over a network, or it may, alternatively or additionally, be stored on non-transitory tangible media, such as magnetic, optical or electronic memory.

In the embodiments described above, the security device first detects an unauthorized transaction by monitoring the bus, and then interrupts the transaction. In an alternative embodiment, the security device may interrupt a transaction without first detecting it, and even without monitoring the bus. For example, the security device may override the chip select (CS) line of a given host until or unless that host is authorized. Authorization may be carried out in any suitable way and need not use the same bus.

As non-limiting examples, the methods and systems described herein can be used in various applications, such as secure memory applications, Internet of Things (IoT) applications, embedded applications or automotive applications, to name only a few.

It will thus be appreciated that the embodiments described above are cited by way of example, and that the present invention is not limited to what has been particularly shown and described above. Rather, the scope of the present invention includes combinations and sub-combinations of the various features described above, as well as variations not disclosed herein that would occur to persons skilled in the art upon reading the foregoing description. Documents incorporated by reference in the present application are an integral part of the application, except that, where any term is defined in those incorporated documents in a manner that conflicts, explicitly or implicitly, with this specification, the definitions in this specification prevail.

Although the present invention has been disclosed above by way of the foregoing embodiments, they are not intended to limit the invention. Anyone skilled in the art may make minor changes and refinements without departing from the spirit and scope of the invention; the scope of patent protection of the present invention is therefore defined by the claims appended to this specification.

86: security device

90: system

91: slave interface logic

92: interface monitoring logic

94: processor

98: internal memory

Claims (29)

1. A security device, comprising: an interface for connecting to a bus that serves one or more peripheral devices, at least one of which is a memory device; and a processor, connected to the bus and to the one or more peripheral devices, configured to hold a definition that distinguishes between authorized and unauthorized transactions with the memory device, to identify on the bus a transaction in which a bus master attempts to access the memory device, and, in response to identifying according to the definition that the transaction is unauthorized, to initiate a responsive action; wherein the bus comprises one or more dedicated signals and one or more shared signals, each of the one or more dedicated signals being dedicated to a respective one of the peripheral devices and the one or more shared signals being shared among the peripheral devices served by the bus, and wherein initiating the responsive action comprises the processor blocking the transaction on the bus by blocking the dedicated signal associated with the memory device.

2. The security device according to claim 1, wherein the dedicated signal associated with the memory device is a chip select signal of the memory device, and wherein the processor blocks the transaction by extending the duration for which the chip select signal selects the memory device beyond the actual end of the transaction, so as to prevent the memory device from executing the transaction.

3. The security device according to claim 1, wherein the definition specifies authorized transactions with the memory device, and wherein, in response to identifying that the transaction is not specified in the definition, the processor initiates the responsive action.

4. The security device according to claim 1, wherein the processor receives the transaction from the bus master, verifies whether the transaction is authorized, and, upon determining that the transaction is authorized, executes the transaction in the memory device.

5. The security device according to claim 4, wherein the processor receives the transaction as part of a sequence of multiple transactions, and verifies whether the transaction is authorized as part of a joint verification of the sequence of transactions.

6. The security device according to claim 1, wherein the transaction is a write transaction in which the bus master writes data to the memory device, and wherein the processor performs a cryptographic operation on the data and determines that the transaction is authorized when the cryptographic operation succeeds.

7. A security device, comprising: an interface for connecting to a bus that serves one or more peripheral devices, at least one of which is a memory device; and a processor, connected to the bus and to the one or more peripheral devices, configured to hold a definition that distinguishes between authorized and unauthorized transactions with the memory device, to identify on the bus a transaction in which a bus master attempts to access the memory device, and, in response to identifying according to the definition that the transaction is unauthorized, to initiate a responsive action; wherein the processor is configured to define one or more transaction groups, to maintain one or more counters corresponding respectively to the one or more transaction groups, and to monitor the bus, and wherein initiating the responsive action comprises the processor, in response to identifying on the bus a given transaction between the bus master and the memory device, incrementing the counter corresponding to the group to which the given transaction belongs.

8. A security device, comprising: an interface for connecting to a bus that serves one or more peripheral devices, at least one of which is a memory device; and a processor, connected to the bus and to the one or more peripheral devices, configured to hold a definition that distinguishes between authorized and unauthorized transactions with the memory device, to identify on the bus a transaction in which a bus master attempts to access the memory device, and, in response to identifying according to the definition that the transaction is unauthorized, to initiate a responsive action; wherein initiating the responsive action comprises the processor identifying on the bus one or more mode-entry transactions that instruct the memory device to enter a given operational mode and one or more mode-exit transactions that instruct the memory device to exit the given operational mode, so as to identify whether the memory device is operating in the given operational mode.

9. The security device according to claim 8, wherein the processor gives a first interpretation to one or more transactions when the memory device is operating in the given operational mode, and a different, second interpretation to the one or more transactions when the memory device is not operating in the given operational mode.

10. The security device according to claim 8, wherein the processor refrains from initiating the responsive action while the memory device is operating in the given operational mode.

11. A security device, comprising: an interface for connecting to a bus that serves one or more peripheral devices, at least one of which is a memory device; and a processor, connected to the bus and to the one or more peripheral devices, configured to identify on the bus a transaction in which a bus master attempts to access the memory device, and, in response to identifying the transaction, to initiate a responsive action of responding to the bus master in place of the memory device; wherein the transaction is a query of a capability of the memory device, and wherein initiating the responsive action comprises the processor responding to the bus master with a modified capability that differs from the actual capability of the memory device.

12. The security device according to claim 11, wherein, in response to identifying the transaction, the processor blocks the transaction on the bus.

13. The security device according to claim 11, wherein the processor is configured to issue an alert in response to identifying the transaction.

14. The security device according to claim 11, wherein the query comprises a Serial Flash Discoverable Parameters (SFDP) read command, and wherein the processor responds to the SFDP read command with modified SFDP.

15. The security device according to claim 11, wherein, before the query from the bus master, the processor obtains the actual capability of the memory device from the memory device, and modifies the actual capability to produce the modified capability with which it responds to the bus master.

16. The security device according to claim 11, wherein the processor adds to the modified capability a capability that is not supported by the memory device.

17. The security device according to claim 11, wherein the processor omits a capability that is supported by the memory device, so as to produce the modified capability.

18. A security method, comprising: communicating on a bus using a security device that is connected to the bus and to one or more peripheral devices, at least one of which is a memory device; holding a definition that distinguishes between authorized and unauthorized transactions with the memory device; and, using the security device, identifying on the bus a transaction in which a bus master attempts to access the memory device, and, in response to identifying according to the definition that the transaction is unauthorized, initiating a responsive action; wherein the bus comprises one or more dedicated signals and one or more shared signals, each of the one or more dedicated signals being dedicated to a respective one of the peripheral devices and the one or more shared signals being shared among the peripheral devices served by the bus, and wherein initiating the responsive action comprises blocking the dedicated signal associated with the memory device so as to block the transaction on the bus.

19. The security method according to claim 18, wherein the one or more dedicated signals comprise a chip select (CS) signal of the memory device, and wherein blocking the transaction comprises extending the duration for which the CS signal selects the memory device beyond the actual end of the transaction, so as to prevent the memory device from executing the transaction.

20. The security method according to claim 18, wherein the definition specifies authorized transactions with the memory device, and wherein the responsive action is initiated in response to identifying that the transaction is not specified in the definition.

21. The security method according to claim 18, further comprising: receiving the transaction from the bus master so as to verify whether the transaction is authorized; and, upon determining that the transaction is authorized, executing the transaction in the memory device.

22. The security method according to claim 21, wherein receiving the transaction comprises receiving the transaction as part of a sequence of multiple transactions, and verifying whether the transaction is authorized as part of a joint verification of the sequence of transactions.

23. The security method according to claim 18, wherein the transaction is a write transaction in which the bus master writes data to the memory device, and wherein verifying whether the transaction is authorized comprises performing a cryptographic operation on the data and determining that the transaction is authorized when the cryptographic operation succeeds.

24. A security method, comprising: communicating on a bus using a security device that is connected to the bus and to one or more peripheral devices, at least one of which is a memory device; holding a definition that distinguishes between authorized and unauthorized transactions with the memory device; using the security device, identifying on the bus a transaction in which a bus master attempts to access the memory device, and, in response to identifying according to the definition that the transaction is unauthorized, initiating a responsive action; and defining one or more transaction groups and maintaining one or more counters corresponding respectively to the one or more transaction groups, so as to monitor the bus; wherein initiating the responsive action comprises, in response to identifying on the bus a given transaction between the bus master and the memory device, incrementing the counter corresponding to the group to which the given transaction belongs.

25. A security method, comprising: communicating on a bus using a security device that is connected to the bus and to one or more peripheral devices, at least one of which is a memory device; holding a definition that distinguishes between authorized and unauthorized transactions with the memory device; and, using the security device, identifying on the bus a transaction in which a bus master attempts to access the memory device, and, in response to identifying according to the definition that the transaction is unauthorized, initiating a responsive action; wherein initiating the responsive action comprises identifying on the bus one or more mode-entry transactions that instruct the memory device to enter a given operational mode and one or more mode-exit transactions that instruct the memory device to exit the given operational mode, so as to identify whether the memory device is operating in the given operational mode.

26. The security method according to claim 25, wherein a first interpretation is given to one or more transactions when the memory device is operating in the given operational mode, and a different, second interpretation is given to the one or more transactions when the memory device is not operating in the given operational mode.

27. The security method according to claim 26, wherein initiating the responsive action is suspended while the memory device is operating in the given operational mode.

28. A security method, comprising: communicating on a bus using a security device that is connected to the bus and to one or more peripheral devices, at least one of which is a memory device; and, using the security device, identifying on the bus a transaction in which a bus master attempts to access the memory device, and, in response to identifying the transaction, initiating a responsive action of responding to the bus master in place of the memory device; wherein the transaction is a query of a capability of the memory device, and wherein initiating the responsive action comprises the processor responding to the bus master with a modified capability that differs from the actual capability of the memory device.

29. The security method according to claim 28, wherein initiating the responsive action comprises at least one of: blocking the transaction on the bus; and issuing an alert.
TW109103275A 2019-09-12 2020-02-03 Security monitoring of serial peripheral interface flash TWI791138B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US16/568,299 2019-09-12
US16/568,299 US10776527B2 (en) 2015-06-08 2019-09-12 Security monitoring of SPI flash

Publications (2)

Publication Number Publication Date
TW202112114A TW202112114A (en) 2021-03-16
TWI791138B true TWI791138B (en) 2023-02-01

Family

ID=74863157

Family Applications (1)

Application Number Title Priority Date Filing Date
TW109103275A TWI791138B (en) 2019-09-12 2020-02-03 Security monitoring of serial peripheral interface flash

Country Status (3)

Country Link
JP (1) JP7079558B2 (en)
CN (1) CN112487509B (en)
TW (1) TWI791138B (en)


Also Published As

Publication number Publication date
JP7079558B2 (en) 2022-06-02
CN112487509A (en) 2021-03-12
TW202112114A (en) 2021-03-16
CN112487509B (en) 2024-04-09
JP2021043944A (en) 2021-03-18
