公开(公告)号：US09183402B2

公开(公告)日：2015-11-10

申请号：US13707023

申请日：2012-12-06

Applicant: Broadcom Corporation

Inventor： Stephane Rodgers ,  Shashank Shekhar

IPC: G06F9/00 ,  G06F15/177 ,  G06F21/60 ,  G06F21/57

CPC classification number: G06F21/602 ,  G06F21/575

Abstract: A computing system includes a first central processing unit (CPU) and a second CPU coupled with the first CPU and with a host processor. In response to a request by the host processor to boot the second CPU, the first CPU is configured to execute secure booting of the second CPU by decrypting encrypted code to generate decrypted code executable by the second CPU but that is inaccessible by the host processor.

Abstract translation: 计算系统包括与第一CPU并与主处理器耦合的第一中央处理单元（CPU）和第二CPU。 响应于主机处理器引导第二CPU的请求，第一CPU被配置为通过解密加密代码来执行第二CPU的安全引导，以生成可由第二CPU执行但是由主机处理器无法访问的解密代码。

公开(公告)号：US09025768B2

公开(公告)日：2015-05-05

申请号：US13856651

申请日：2013-04-04

Applicant: Broadcom Corporation

Inventor： Shashank Shekhar ,  Shee-Yen Tan ,  Andrew Dellow

IPC: H04L9/00 ,  H04L29/06 ,  G06F13/28 ,  H04L9/08

CPC classification number: H04L63/0428 ,  G06F13/28 ,  H04L9/0822 ,  H04L9/0861 ,  H04L63/0435

Abstract: A system for securing a variable length keyladder key includes a keyladder decryptor configured to alter a first layer key and to execute a keyladder algorithm to generate a content key, the keyladder algorithm to generate the content key by decrypting an encrypted second layer key with the altered first layer key. The alteration mirrors the alteration applied to encrypt the second layer key by a content server providing content data to be decrypted. The system may further include a cryptographic direct memory access controller (DMAC) coupled with the keyladder decryptor and to decrypt encrypted content data using the generated content key. The keyladder decryptor may be further configured to send the content key to be stored in the DMAC without information regarding how the first layer key was altered. The alteration may include a permutation function or other change or modification.

Abstract translation: 用于保护可变长度键盘键的系统包括键盘解码器，其配置为改变第一层密钥并执行键盘算法以生成内容密钥，所述键盘算法通过用改变的密钥解密加密的第二层密钥来生成内容密钥 第一层密钥 该改变反映了由提供要解密的内容数据的内容服务器应用于加密第二层密钥的改变。 系统还可以包括与键盘解码器耦合的加密直接存储器访问控制器（DMAC），并且使用所生成的内容密钥来解密加密的内容数据。 键盘解码器还可以被配置为发送要存储在DMAC中的内容密钥，而没有关于如何改变第一层密钥的信息。 该改变可以包括置换函数或其他改变或修改。

公开(公告)号：US20140053001A1

公开(公告)日：2014-02-20

申请号：US13707070

申请日：2012-12-06

Applicant: BROADCOM CORPORATION

Inventor： Stephane Rodgers ,  Andrew Dellow ,  Shashank Shekhar

IPC: G06F12/14

CPC classification number: G06F12/1408 ,  G06F12/1441 ,  G06F21/00 ,  G06F21/10 ,  H04N7/1675 ,  H04N19/40 ,  H04N19/423 ,  H04N19/46 ,  H04N21/234309 ,  H04N21/4402 ,  H04N21/4408

Abstract: A method for managing a transcoder pipeline includes partitioning a memory with a numbered region; receiving an incoming media stream to be transcoded; and atomically loading, using a security central processing unit (SCPU), a decryption key, a counterpart encryption key and an associated region number of the memory into a slot of a key table, the key table providing selection of decryption and encryption keys during transcoding. The atomically loading the decryption and encryption keys and the associated numbered region ensures that the encryption key is selected to encrypt a transcoded version of the media stream when the media stream has been decrypted with the decryption key and the transcoded media stream is retrieved from the associated numbered region of the memory.

Abstract translation: 一种用于管理代码转换器流水线的方法，包括：对具有编号区域的存储器进行分区; 接收要转码的传入媒体流; 并且使用安全中央处理单元（SCPU），解密密钥，对方加密密钥和存储器的相关联的区号进行原子加载到密钥表的时隙中，所述密钥表在转码期间提供对解密和加密密钥的选择 。 原子上加载解密和加密密钥和相关联的编号区域确保了当媒体流已经用解密密钥解密并且从相关联的代码转换的媒体流被检索时，加密密钥被选择来加密媒体流的转码版本 记忆的编号区域。

公开(公告)号：US09171170B2

公开(公告)日：2015-10-27

申请号：US13707050

申请日：2012-12-06

Applicant: Broadcom Corporation

Inventor： Andrew Dellow ,  Shashank Shekhar ,  Stephane Rodgers

IPC: H04N21/4627 ,  H04L9/08 ,  G06F21/78 ,  G06F21/60 ,  H04N21/4408 ,  G06F21/57 ,  G06F21/74 ,  H04N5/44 ,  H04N21/426

CPC classification number: G06F21/60 ,  G06F21/575 ,  G06F21/602 ,  G06F21/74 ,  G06F21/78 ,  G06F2221/2107 ,  G06F2221/2113 ,  H04L9/0838 ,  H04N5/4401 ,  H04N21/426 ,  H04N21/4408 ,  H04N21/4627

Abstract: A computing system, comprising includes a first central processing unit (CPU) and a second CPU coupled with the first CPU and with a host processor. The second CPU and the host processor may both request the first CPU to generate keys that have access rights to regions of memory to access specific data. The first CPU may be configured to, in response to a request from the second CPU, generate a unique key with a unique access right to a region of memory, the unique key usable only by the second CPU, not the host processor.

Abstract translation: 一种计算系统，包括第一中央处理单元（CPU）和与第一CPU耦合的第二CPU和主机处理器。 第二CPU和主机处理器都可以请求第一CPU产生具有对存储器区域的访问权限的密钥以访问特定数据。 第一CPU可以被配置为响应于来自第二CPU的请求，生成具有对存储器区域的唯一访问权限的唯一密钥，唯一密钥仅可由第二CPU而不是主机处理器使用。

公开(公告)号：US20140052975A1

公开(公告)日：2014-02-20

申请号：US13707023

申请日：2012-12-06

Applicant: BROADCOM CORPORATION

Inventor： Stephane Rodgers ,  Shashank Shekhar

IPC: G06F21/60

CPC classification number: G06F21/602 ,  G06F21/575

Abstract: A computing system includes a first central processing unit (CPU) and a second CPU coupled with the first CPU and with a host processor. In response to a request by the host processor to boot the second CPU, the first CPU is configured to execute secure booting of the second CPU by decrypting encrypted code to generate decrypted code executable by the second CPU but that is inaccessible by the host processor.

Abstract translation: 计算系统包括与第一CPU并与主处理器耦合的第一中央处理单元（CPU）和第二CPU。 响应于主机处理器引导第二CPU的请求，第一CPU被配置为通过解密加密代码来执行第二CPU的安全引导，以生成可由第二CPU执行但是由主机处理器无法访问的解密代码。

公开(公告)号：US09152577B2

公开(公告)日：2015-10-06

申请号：US13707070

申请日：2012-12-06

Applicant: Broadcom Corporation

Inventor： Stephane Rodgers ,  Andrew Dellow ,  Shashank Shekhar

IPC: H04N21/4408 ,  H04N21/4402 ,  H04N19/40 ,  G06F12/14 ,  G06F21/00 ,  H04N21/2343 ,  H04N7/167 ,  H04N19/423 ,  H04N19/46

CPC classification number: G06F12/1408 ,  G06F12/1441 ,  G06F21/00 ,  G06F21/10 ,  H04N7/1675 ,  H04N19/40 ,  H04N19/423 ,  H04N19/46 ,  H04N21/234309 ,  H04N21/4402 ,  H04N21/4408

Abstract: A method for managing a transcoder pipeline includes partitioning a memory with a numbered region; receiving an incoming media stream to be transcoded; and atomically loading, using a security central processing unit (SCPU), a decryption key, a counterpart encryption key and an associated region number of the memory into a slot of a key table, the key table providing selection of decryption and encryption keys during transcoding. The atomically loading the decryption and encryption keys and the associated numbered region ensures that the encryption key is selected to encrypt a transcoded version of the media stream when the media stream has been decrypted with the decryption key and the transcoded media stream is retrieved from the associated numbered region of the memory.

Abstract translation: 一种用于管理代码转换器流水线的方法，包括对具有编号区域的存储器进行分区; 接收要转码的传入媒体流; 并且使用安全中央处理单元（SCPU），解密密钥，对方加密密钥和存储器的相关联的区号进行原子加载到密钥表的时隙中，所述密钥表在转码期间提供对解密和加密密钥的选择 。 原子上加载解密和加密密钥和相关联的编号区域确保了当媒体流已经用解密密钥解密并且从相关联的代码转换的媒体流被检索时，加密密钥被选择来加密媒体流的转码版本 记忆的编号区域。

公开(公告)号：US20150317495A1

公开(公告)日：2015-11-05

申请号：US14530020

申请日：2014-10-31

Applicant: Broadcom Corporation

Inventor： Stephane Rodgers ,  Shashank Shekhar ,  Flaviu Dorin Turean

IPC: G06F21/71 ,  G06F21/44 ,  G06F9/455 ,  H04L9/32 ,  G06F21/50

CPC classification number: G06F21/53 ,  G06F21/57

Abstract: A system and method for securing a hypervisor and operating systems that execute on a computing device. An encrypted hypervisor is uploaded to a hardware chip. Prior to being executed, the hypervisor is decrypted using a secure security processor and stored in an on-chip memory. When a processor on the hardware chip executes the hypervisor, at least one on-chip component continuously authenticates the hypervisor during execution. A hypervisor configures a processor with access rights associated with an operating system, where the access rights determine access of the operating system to an at least one resource. A transaction filter then uses the access rights associated with the operating system to monitor the access of the operating system to the at least one resource in real-time as the operating system executes on a processor.

Abstract translation: 一种用于保护在计算设备上执行的管理程序和操作系统的系统和方法。 加密的管理程序被上传到硬件芯片。 在执行之前，使用安全的安全处理器解密管理程序，并存储在片上存储器中。 当硬件芯片上的处理器执行虚拟机管理程序时，至少一个片上组件在执行期间连续验证管理程序。 管理程序配置具有与操作系统相关联的访问权限的处理器，其中访问权限确定操作系统对至少一个资源的访问。 然后，当操作系统在处理器上执行时，事务过滤器使用与操作系统相关联的访问权限来实时监视操作系统对至少一个资源的访问。

公开(公告)号：US20140258708A1

公开(公告)日：2014-09-11

申请号：US13856651

申请日：2013-04-04

Applicant: BROADCOM CORPORATION

Inventor： Shashank Shekhar ,  Shee-Yen Tan ,  Andrew Dellow

IPC: H04L29/06

CPC classification number: H04L63/0428 ,  G06F13/28 ,  H04L9/0822 ,  H04L9/0861 ,  H04L63/0435

Abstract: A system for securing a variable length keyladder key includes a keyladder decryptor configured to alter a first layer key and to execute a keyladder algorithm to generate a content key, the keyladder algorithm to generate the content key by decrypting an encrypted second layer key with the altered first layer key. The alteration mirrors the alteration applied to encrypt the second layer key by a content server providing content data to be decrypted. The system may further include a cryptographic direct memory access controller (DMAC) coupled with the keyladder decryptor and to decrypt encrypted content data using the generated content key. The keyladder decryptor may be further configured to send the content key to be stored in the DMAC without information regarding how the first layer key was altered. The alteration may include a permutation function or other change or modification.

Abstract translation: 用于保护可变长度键盘键的系统包括键盘解码器，其配置为改变第一层密钥并执行键盘算法以生成内容密钥，所述键盘算法通过用改变的密钥解密加密的第二层密钥来生成内容密钥 第一层密钥 该改变反映了由提供要解密的内容数据的内容服务器应用于加密第二层密钥的改变。 系统还可以包括与键盘解码器耦合的加密直接存储器访问控制器（DMAC），并且使用所生成的内容密钥来解密加密的内容数据。 键盘解码器还可以被配置为发送要存储在DMAC中的内容密钥，而没有关于如何改变第一层密钥的信息。 该改变可以包括置换函数或其他改变或修改。

公开(公告)号：US20140053278A1

公开(公告)日：2014-02-20

申请号：US13707050

申请日：2012-12-06

Applicant: BROADCOM CORPORATION

Inventor： Andrew Dellow ,  Shashank Shekhar ,  Stephane Rodgers

IPC: G06F21/60

CPC classification number: G06F21/60 ,  G06F21/575 ,  G06F21/602 ,  G06F21/74 ,  G06F21/78 ,  G06F2221/2107 ,  G06F2221/2113 ,  H04L9/0838 ,  H04N5/4401 ,  H04N21/426 ,  H04N21/4408 ,  H04N21/4627

Abstract: A computing system, comprising includes a first central processing unit (CPU) and a second CPU coupled with the first CPU and with a host processor. The second CPU and the host processor may both request the first CPU to generate keys that have access rights to regions of memory to access specific data. The first CPU may be configured to, in response to a request from the second CPU, generate a unique key with a unique access right to a region of memory, the unique key usable only by the second CPU, not the host processor.

Abstract translation: 一种计算系统，包括第一中央处理单元（CPU）和与第一CPU耦合的第二CPU和主机处理器。 第二CPU和主机处理器都可以请求第一CPU产生具有对存储器区域的访问权限的密钥以访问特定数据。 第一CPU可以被配置为响应于来自第二CPU的请求，生成具有对存储器区域的唯一访问权限的唯一密钥，唯一密钥仅可由第二CPU而不是主机处理器使用。