
TWI899724B - Authentication device and method - Google Patents

Authentication device and method

Info

Publication number
TWI899724B
Authority
TW
Taiwan
Prior art keywords
verification
volatile memory
circuit
firmware data
instruction
Prior art date
Application number
TW112146490A
Other languages
Chinese (zh)
Other versions
TW202524345A (en)
Inventor
王政傑
Original Assignee
新唐科技股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 新唐科技股份有限公司 (Nuvoton Technology Corporation)
Priority to TW112146490A (granted as TWI899724B)
Priority to CN202411398908.2A (published as CN120066591A)
Publication of TW202524345A
Application granted
Publication of TWI899724B

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/4401 Bootstrapping
    • G06F 9/4411 Configuring for operating with peripheral devices; Loading of device drivers

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

An authentication device is provided in the invention. The authentication device may include a central processing unit (CPU), a volatile memory, a non-volatile memory, a first direct memory access (DMA) circuit and an authentication circuit. When the authentication device is rebooted and reset, the CPU may enter a waiting mode. The non-volatile memory may store a plurality of commands and a non-authentication firmware data. The first DMA circuit may read a first command from the non-volatile memory, and move the non-authentication firmware data from the non-volatile memory to the volatile memory according to the first command. After the authentication circuit receives a trigger signal from the first DMA circuit, the authentication circuit may be configured to authenticate the non-authentication firmware data stored in the volatile memory.

Description

Verification device and method

Embodiments of the present invention relate generally to a verification technique, and more particularly to a verification technique that verifies firmware data in a volatile memory.

In a system with non-volatile memory, firmware is usually stored in the non-volatile memory. Under the concept and implementations of a hardware root of trust (RoT) in security, firmware stored in non-volatile memory must be successfully verified before it can be executed by the central processing unit (CPU).

However, under the demand for fast boot, boot speed suffers from the limited access speed of the non-volatile memory itself and from the inefficiency of having the central processing unit execute a verification program to verify the firmware.

Therefore, how to verify firmware more efficiently and quickly at device boot is a topic worth studying.

In view of the above problems of the prior art, embodiments of the present invention provide a verification device and method.

According to one embodiment of the present invention, a verification device is provided. The verification device includes a central processing unit, a volatile memory, a non-volatile memory, a first direct memory access circuit, and a verification circuit. The central processing unit may enter a waiting mode after the verification device is powered on and reset. The non-volatile memory may store a plurality of instructions and unverified firmware data. The first direct memory access circuit may read a first instruction from the non-volatile memory and, according to the first instruction, move the unverified firmware data from the non-volatile memory to the volatile memory. After receiving a trigger signal from the first direct memory access circuit, the verification circuit may be used to verify the unverified firmware data stored in the volatile memory.

In some embodiments, the first instruction may include a source location, a target location and a data size corresponding to the unverified firmware data.

In some embodiments, the verification circuit may include a second direct memory access circuit. The second direct memory access circuit may read a second instruction from the non-volatile memory and, according to the second instruction, read the unverified firmware data from the volatile memory.

In some embodiments, the second direct memory access circuit may further obtain a verification key according to the second instruction. The verification circuit may select a verification method according to the second instruction and verify the unverified firmware data in the volatile memory according to the verification method and the verification key.

In some embodiments, after the verification circuit successfully verifies the unverified firmware data, the verification circuit may send a release signal to the central processing unit. After receiving the release signal, the central processing unit may execute the now-verified firmware data stored in the volatile memory.

In some embodiments, the second instruction may include a target location corresponding to the unverified firmware data, a data size, a key location, and a verification method to be selected.

According to one embodiment of the present invention, a verification method is provided. The verification method may be applied to a verification device and may include the following steps: after the verification device is powered on and reset, a central processing unit of the verification device enters a waiting mode; a first direct memory access circuit of the verification device reads a first instruction from a non-volatile memory of the verification device; the first direct memory access circuit, according to the first instruction, moves unverified firmware data from the non-volatile memory to a volatile memory of the verification device; and a verification circuit, after receiving a trigger signal from the first direct memory access circuit, verifies the unverified firmware data stored in the volatile memory.

Other additional features and advantages of the present invention may be obtained by those skilled in the art, without departing from the spirit and scope of the invention, by making minor changes and refinements based on the verification device and method disclosed in the embodiments of this application.

This section describes preferred modes of carrying out the present invention. Its purpose is to illustrate the spirit of the invention, not to limit its scope of protection, which shall be determined by the appended claims.

FIG. 1 is a block diagram of a verification device 100 according to an embodiment of the present invention. As shown in FIG. 1, the verification device 100 may include a central processing unit (CPU) 110, a first direct memory access (DMA) circuit 120, a verification circuit 130, a volatile memory 140, a non-volatile memory 150, and a key storage circuit 160. Note that the block diagram in FIG. 1 is only for convenience in describing the embodiment; the invention is not limited to FIG. 1, and the verification device 100 may also include other elements.

According to an embodiment of the present invention, the verification device 100 may be applied in a microcontroller unit (MCU), a microprocessor unit (MPU), or a device having an element architecture similar to that of the verification device 100.

According to an embodiment of the present invention, the central processing unit 110 may be used to execute verified firmware data. In addition, after the verification device 100 is powered on and reset, the central processing unit 110 may first enter a waiting mode.

According to an embodiment of the present invention, the first direct memory access circuit 120 may, according to an instruction obtained from the non-volatile memory 150 (for example, a first instruction), move unverified firmware data (for example, firmware code) from the non-volatile memory 150 to the volatile memory 140. In addition, the first direct memory access circuit 120 may trigger the verification circuit 130 to perform the verification operation.

According to an embodiment of the present invention, the verification circuit 130 may include a second direct memory access circuit 131. The second direct memory access circuit 131 may, according to an instruction obtained from the non-volatile memory 150 (for example, a second instruction), read the unverified firmware data stored in the volatile memory 140 and obtain the key stored in the key storage circuit 160. The verification circuit 130 may verify the unverified firmware data according to the instruction obtained by the second direct memory access circuit 131.

According to an embodiment of the present invention, the volatile memory 140 may be a random access memory (RAM), although the invention is not limited thereto. The volatile memory 140 may be used to store the unverified firmware data that comes from the non-volatile memory 150.

According to an embodiment of the present invention, the non-volatile memory 150 may be a flash memory or a read-only memory (ROM), although the invention is not limited thereto. The non-volatile memory 150 may be used to store a plurality of instructions and the unverified firmware data.

According to an embodiment of the present invention, the key storage circuit 160 may be used to store the key that the verification circuit 130 needs in order to perform the verification operation.

According to an embodiment of the present invention, after the verification device 100 is powered on and reset, the central processing unit 110 enters a waiting mode. In other words, in the present invention the central processing unit 110 does not need to perform the operations related to verifying the firmware data; once the firmware data has been verified, the central processing unit 110 can execute it.

Furthermore, after the verification device 100 is powered on and reset, the first direct memory access circuit 120 may obtain a first instruction from the non-volatile memory 150 and, according to the first instruction, move the unverified firmware data from the non-volatile memory 150 to the volatile memory 140. The first instruction may be stored in advance in a predetermined space of the non-volatile memory 150; that is, after the verification device 100 is powered on and reset, the first direct memory access circuit 120 can obtain the first instruction from this predetermined space. According to an embodiment of the present invention, the first instruction may include a source location corresponding to the unverified firmware data (i.e., the location in the non-volatile memory 150 where the unverified firmware data is stored), a target location (i.e., the location in the volatile memory 140 where the unverified firmware data is to be stored), and a data size (i.e., the size of the unverified firmware data), although the invention is not limited thereto.

In addition, after the first direct memory access circuit 120 has moved the unverified firmware data from the non-volatile memory 150 to the volatile memory 140, the first direct memory access circuit 120 may send a trigger signal to the verification circuit 130 so as to trigger the verification circuit 130 to start the verification operation.

After the verification circuit 130 receives the trigger signal from the first direct memory access circuit 120, the second direct memory access circuit 131 may obtain a second instruction from the non-volatile memory 150 and, according to the second instruction, read the unverified firmware data stored in the volatile memory 140. The second instruction may be stored in advance in a predetermined space of the non-volatile memory 150; that is, once the verification circuit 130 has received the trigger signal, the second direct memory access circuit 131 can obtain the second instruction from this predetermined space. According to an embodiment of the present invention, the second instruction may include a target location corresponding to the unverified firmware data (i.e., the location in the volatile memory 140 where the unverified firmware data is stored), a data size (i.e., the size of the unverified firmware data), a key location (i.e., the location in the key storage circuit 160 where the key is stored), and a verification method to be selected (i.e., the method with which the unverified firmware data is to be verified), although the invention is not limited thereto. The second direct memory access circuit 131 may also, according to the second instruction, obtain from the key storage circuit 160 the key to be used for the verification operation.

After the second direct memory access circuit 131 has read the unverified firmware data and obtained the key, the verification circuit 130 may verify the unverified firmware data stored in the volatile memory 140 according to the verification method indicated by the second instruction (for example, the Elliptic Curve Digital Signature Algorithm (ECDSA), although the invention is not limited thereto) and the key.

After the verification circuit 130 successfully verifies the unverified firmware data stored in the volatile memory 140, the verification circuit 130 may send a release signal to the central processing unit 110. After the central processing unit 110 receives the release signal, it may leave the waiting mode and start executing the verified firmware data stored in the volatile memory 140.
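The boot flow described above (the first DMA copies the image under the first instruction and triggers the verification circuit; the circuit's own DMA reads the second instruction and the key, verifies the RAM copy, and releases the CPU) as an added, runnable Python model. This is example code written for this page, not the patent's or Nuvoton's design; the hardware blocks are plain Python objects and the numbers in comments refer to FIG. 1. The following are assumptions, not taken from the patent: the little-endian 32-bit field layouts of the two instructions, the memory map constants, an image format in which any tag trails the body, and two stdlib-only verification methods (a hash-locked image whose expected SHA-256 digest sits in the key slot, and HMAC-SHA256 with a secret from the key slot) standing in for the ECDSA the patent names as its example. The check that the second instruction's region equals the region the first DMA wrote is also an addition: the patent reads both descriptors from non-volatile memory and does not itself say how they are protected, so the model refuses to verify one buffer and release the CPU onto another.

```python
"""Software model of the two-DMA boot-time firmware verification flow (added example)."""
import hashlib
import hmac
import struct

# Assumed descriptor encodings; the patent lists the fields but not a byte layout.
FIRST_INSTR = struct.Struct("<III")    # source (NVM), target (RAM), size
SECOND_INSTR = struct.Struct("<IIII")  # target (RAM), size, key location, method

# Assumed verification methods, standing in for the patent's ECDSA example.
METHOD_HASH_LOCK = 0    # key slot holds the expected SHA-256 digest of the image
METHOD_HMAC_SHA256 = 1  # key slot holds a secret; image = body || 32-byte HMAC tag
TAG_LEN = 32

# Assumed memory map.
RAM_SIZE = 0x1000
FIRST_INSTR_AT = 0x000   # predetermined NVM location of the first instruction
SECOND_INSTR_AT = 0x010  # predetermined NVM location of the second instruction
FW_AT = 0x100            # where the image lives in NVM
RAM_TARGET = 0x200       # where the first DMA places it in RAM


class VerifyError(Exception):
    pass


def expected_digest(body: bytes) -> bytes:
    """Value to provision in a key slot for METHOD_HASH_LOCK."""
    return hashlib.sha256(body).digest()


def build_nvm(body: bytes, method: int, key_slot: int, key: bytes = b"") -> bytes:
    """Constructed NVM contents: both descriptors plus the firmware image."""
    tag = hmac.new(key, body, hashlib.sha256).digest() if method == METHOD_HMAC_SHA256 else b""
    image = body + tag
    nvm = bytearray(FW_AT + len(image))
    FIRST_INSTR.pack_into(nvm, FIRST_INSTR_AT, FW_AT, RAM_TARGET, len(image))
    SECOND_INSTR.pack_into(nvm, SECOND_INSTR_AT, RAM_TARGET, len(image), key_slot, method)
    nvm[FW_AT:FW_AT + len(image)] = image
    return bytes(nvm)


class Device:
    """Models blocks 110-160 of FIG. 1."""

    def __init__(self, nvm: bytes, key_store: dict):
        self.nvm = nvm                     # 150
        self.ram = bytearray(RAM_SIZE)     # 140
        self.key_store = key_store         # 160: slot -> key material
        self.cpu_state = "waiting"         # 110 enters waiting mode after reset
        self.triggered = False
        self.dma1_region = None

    def first_dma(self) -> None:
        """120: read the first instruction, copy the image into RAM, trigger 130."""
        src, dst, size = FIRST_INSTR.unpack_from(self.nvm, FIRST_INSTR_AT)
        if src + size > len(self.nvm) or dst + size > RAM_SIZE:
            raise VerifyError("first instruction exceeds NVM or RAM bounds")
        self.ram[dst:dst + size] = self.nvm[src:src + size]
        self.dma1_region = (dst, size)
        self.triggered = True

    def verification_circuit(self) -> None:
        """130/131: read the second instruction and key, verify the RAM copy, release 110."""
        if not self.triggered:
            raise VerifyError("verification circuit not triggered")
        tgt, size, key_slot, method = SECOND_INSTR.unpack_from(self.nvm, SECOND_INSTR_AT)
        if tgt + size > RAM_SIZE:
            raise VerifyError("second instruction exceeds RAM bounds")
        # Added cross-check (not in the patent text): verify exactly what DMA1 wrote.
        if (tgt, size) != self.dma1_region:
            raise VerifyError("second instruction does not match the DMA1 region")
        image = bytes(self.ram[tgt:tgt + size])   # 131 reads RAM, not NVM
        key = self.key_store.get(key_slot)        # 131 fetches from 160
        if key is None:
            raise VerifyError("key location not provisioned")
        if method == METHOD_HASH_LOCK:
            ok = hmac.compare_digest(hashlib.sha256(image).digest(), key)
        elif method == METHOD_HMAC_SHA256:
            body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
            ok = hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)
        else:
            raise VerifyError(f"unknown verification method {method}")
        if not ok:
            raise VerifyError("firmware verification failed")
        self.cpu_state = "running"   # release signal: 110 leaves waiting mode


def boot(nvm: bytes, key_store: dict) -> str:
    """Run steps S210-S240 and return the CPU state afterwards."""
    dev = Device(nvm, key_store)
    try:
        dev.first_dma()
        dev.verification_circuit()
    except VerifyError:
        pass   # no release signal: the CPU stays in waiting mode, nothing executes
    return dev.cpu_state


if __name__ == "__main__":
    body = b"constructed firmware body"
    key = bytes(range(32))
    good = build_nvm(body, METHOD_HMAC_SHA256, 3, key)
    bad = bytearray(good); bad[FW_AT] ^= 0x01   # flip one bit of the image in NVM
    print("intact image:", boot(good, {3: key}))
    print("tampered image:", boot(bytes(bad), {3: key}))
```

`boot` returns "running" only when the copy actually sitting in RAM verifies under the method and key named by the second instruction; a bit flip in the image, a wrong key, or a second instruction that disagrees with the first DMA's region all leave the CPU in waiting mode.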

FIG. 2 is a flow chart of a verification method according to an embodiment of the present invention. The verification method may be applied to the verification device 100. As shown in FIG. 2, in step S210, after the verification device 100 is powered on and reset, a central processing unit of the verification device 100 may enter a waiting mode.

In step S220, a first direct memory access circuit of the verification device 100 may read a first instruction from a non-volatile memory of the verification device 100.

In step S230, the first direct memory access circuit of the verification device 100 may, according to the first instruction, move unverified firmware data from the non-volatile memory of the verification device 100 to a volatile memory of the verification device 100.

In step S240, after receiving a trigger signal from the first direct memory access circuit, a verification circuit of the verification device 100 verifies the unverified firmware data stored in the volatile memory.

According to an embodiment of the present invention, in the verification method, the first instruction may include a source location, a target location and a data size corresponding to the unverified firmware data.

According to an embodiment of the present invention, in the verification method, a second direct memory access circuit of the verification circuit of the verification device 100 may read a second instruction from the non-volatile memory of the verification device 100. The second direct memory access circuit may then, according to the second instruction, read the unverified firmware data from the volatile memory of the verification device 100.

According to an embodiment of the present invention, in the verification method, the second direct memory access circuit of the verification circuit may, according to the second instruction, obtain a verification key. The verification circuit may then select a verification method according to the second instruction and, according to the verification method and the verification key, verify the unverified firmware data stored in the volatile memory of the verification device 100.

According to an embodiment of the present invention, in the verification method, after the verification circuit of the verification device 100 successfully verifies the unverified firmware data, the verification circuit sends a release signal to the central processing unit of the verification device 100. After receiving the release signal, the central processing unit may execute the now-verified firmware data stored in the volatile memory.

According to an embodiment of the present invention, in the verification method, the second instruction may include a target location corresponding to the unverified firmware data, a data size, a key location, and a verification method to be selected.

According to the verification method of the embodiments of the present invention, when the verification device boots, the unverified firmware data is verified in the volatile memory of the verification device. Furthermore, the verification device does not need to go through the central processing unit to perform the firmware verification. Therefore, at boot, the verification method of the embodiments can verify firmware data more efficiently and more quickly, meeting the demand for fast boot.

Ordinal terms used in this specification and in the claims, such as "first" and "second", are for convenience of description only and imply no order among the elements they label.

The steps of the methods and algorithms disclosed in this specification may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module (including executable instructions and related data) and other data may be stored in a data memory such as random access memory (RAM), flash memory, read-only memory (ROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), registers, a hard disk, a removable disk, a CD-ROM, a DVD, or any other computer-readable storage medium format known in the art. A storage medium may be coupled to a machine, for example a computer/processor (referred to simply as a processor in this specification for convenience), such that the processor can read information (such as program code) from, and write information to, the storage medium. A storage medium may be integrated with a processor. An application-specific integrated circuit (ASIC) may include the processor and the storage medium, and a user device may include the ASIC; in other words, the processor and the storage medium may be contained in the user device without being directly connected to it. In addition, in some embodiments, any suitable computer program product includes a readable storage medium containing program code related to one or more of the disclosed embodiments. In some embodiments, the computer program product may include packaging material.

The paragraphs above describe several aspects. Clearly, the teachings herein can be implemented in many ways, and any specific architecture or functionality disclosed in the examples is merely representative. Based on these teachings, anyone skilled in the art will understand that each aspect disclosed herein can be implemented independently, or that two or more aspects can be combined.

Although the present disclosure has been described above by way of embodiments, they are not intended to limit it. Anyone skilled in the art may make minor changes and refinements without departing from the spirit and scope of the disclosure; the scope of protection of the invention shall therefore be determined by the appended claims.

100: verification device; 110: central processing unit; 120: first DMA circuit; 130: verification circuit; 131: second DMA circuit; 140: volatile memory; 150: non-volatile memory; 160: key storage circuit; S210 to S240: steps

FIG. 1 is a block diagram of a verification device 100 according to an embodiment of the present invention. FIG. 2 is a flow chart of a verification method according to an embodiment of the present invention.

Claims (10)

1. A verification device, comprising: a central processing unit that enters a waiting mode after the verification device is powered on and reset; a volatile memory; a non-volatile memory storing a plurality of instructions and unverified firmware data; a first direct memory access circuit that reads a first instruction from the non-volatile memory and, according to the first instruction, moves the unverified firmware data from the non-volatile memory to the volatile memory; and a verification circuit that, after receiving a trigger signal from the first direct memory access circuit, verifies the unverified firmware data stored in the volatile memory.

2. The verification device of claim 1, wherein the first instruction comprises a source location, a target location and a data size corresponding to the unverified firmware data.

3. The verification device of claim 1, wherein the verification circuit comprises a second direct memory access circuit, and wherein the second direct memory access circuit reads a second instruction from the non-volatile memory and, according to the second instruction, reads the unverified firmware data from the volatile memory.

4. The verification device of claim 3, wherein the second direct memory access circuit further obtains a verification key according to the second instruction, and wherein the verification circuit selects a verification method according to the second instruction and verifies the unverified firmware data according to the verification method and the verification key.

5. The verification device of claim 4, wherein after the verification circuit successfully verifies the unverified firmware data, the verification circuit transmits a release signal to the central processing unit, and wherein after the central processing unit receives the release signal, the central processing unit executes the now-verified firmware data stored in the volatile memory.

6. The verification device of claim 3, wherein the second instruction comprises a target location corresponding to the unverified firmware data, a data size, a key location, and a verification method to be selected.

7. A verification method, applicable to a verification device, comprising: after the verification device is powered on and reset, a central processing unit of the verification device entering a waiting mode; reading, by a first direct memory access circuit of the verification device, a first instruction from a non-volatile memory of the verification device; moving, by the first direct memory access circuit and according to the first instruction, unverified firmware data from the non-volatile memory to a volatile memory of the verification device; and verifying, by a verification circuit and after receiving a trigger signal from the first direct memory access circuit, the unverified firmware data stored in the volatile memory.

8. The verification method of claim 7, further comprising: reading, by a second direct memory access circuit of the verification circuit, a second instruction from the non-volatile memory; and reading, by the second direct memory access circuit and according to the second instruction, the unverified firmware data from the volatile memory.

9. The verification method of claim 8, further comprising: obtaining, by the second direct memory access circuit and according to the second instruction, a verification key; and selecting, by the verification circuit and according to the second instruction, a verification method, and verifying the unverified firmware data according to the verification method and the verification key.

10. The verification method of claim 9, further comprising: after the verification circuit successfully verifies the unverified firmware data, transmitting, by the verification circuit, a release signal to the central processing unit; and after the central processing unit receives the release signal, executing, by the central processing unit, the now-verified firmware data stored in the volatile memory.
TW112146490A 2023-11-30 2023-11-30 Authentication device and method TWI899724B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
TW112146490A TWI899724B (en) 2023-11-30 2023-11-30 Authentication device and method
CN202411398908.2A CN120066591A (en) 2023-11-30 2024-10-09 Verification device and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW112146490A TWI899724B (en) 2023-11-30 2023-11-30 Authentication device and method

Publications (2)

Publication Number Publication Date
TW202524345A TW202524345A (en) 2025-06-16
TWI899724B true TWI899724B (en) 2025-10-01

Family

ID=95794038

Family Applications (1)

Application Number Title Priority Date Filing Date
TW112146490A TWI899724B (en) 2023-11-30 2023-11-30 Authentication device and method

Country Status (2)

Country Link
CN (1) CN120066591A (en)
TW (1) TWI899724B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108475319A (en) * 2015-08-10 2018-08-31 数据输入输出公司 Device birth voucher
TWI773199B (en) * 2020-08-03 2022-08-01 新唐科技股份有限公司 Secure computing device, secure computing method, verifier and device attestation method
TW202318196A (en) * 2021-10-28 2023-05-01 廣達電腦股份有限公司 System and method of firmware image checking and computer system
EP4216089A1 (en) * 2022-01-18 2023-07-26 INTEL Corporation Device security manager architecture for trusted execution environment input/output (tee-io) capable system-on-a-chip integrated devices

Also Published As

Publication number Publication date
CN120066591A (en) 2025-05-30
TW202524345A (en) 2025-06-16
