公开(公告)号：US09183417B2

公开(公告)日：2015-11-10

申请号：US13675808

申请日：2012-11-13

Applicant: Broadcom Corporation

Inventor： Stephane Rodgers

IPC: G06F21/81

CPC classification number: G06F21/81 ,  G06F21/755

Abstract: A system includes a security processing unit to monitor inputs from process, voltage and temperature sensors to maintain a security of the system. The security processing unit can operate at a determined clock frequency. A timing path detector can connect with the security processing unit. The timing path detector can monitor a condition near the security processing unit. The timing path detector can switch the clock frequency to a lower frequency before the security processing unit fails from the condition.

Abstract translation: 系统包括一个安全处理单元，用于监视来自过程，电压和温度传感器的输入，以保持系统的安全性。 安全处理单元可以以确定的时钟频率工作。 定时路径检测器可以与安全处理单元连接。 定时路径检测器可以监视安全处理单元附近的状况。 定时路径检测器可以在安全处理单元从该条件失败之前将时钟频率切换到较低的频率。

公开(公告)号：US09183402B2

公开(公告)日：2015-11-10

申请号：US13707023

申请日：2012-12-06

Applicant: Broadcom Corporation

Inventor： Stephane Rodgers ,  Shashank Shekhar

IPC: G06F9/00 ,  G06F15/177 ,  G06F21/60 ,  G06F21/57

CPC classification number: G06F21/602 ,  G06F21/575

Abstract: A computing system includes a first central processing unit (CPU) and a second CPU coupled with the first CPU and with a host processor. In response to a request by the host processor to boot the second CPU, the first CPU is configured to execute secure booting of the second CPU by decrypting encrypted code to generate decrypted code executable by the second CPU but that is inaccessible by the host processor.

Abstract translation: 计算系统包括与第一CPU并与主处理器耦合的第一中央处理单元（CPU）和第二CPU。 响应于主机处理器引导第二CPU的请求，第一CPU被配置为通过解密加密代码来执行第二CPU的安全引导，以生成可由第二CPU执行但是由主机处理器无法访问的解密代码。

公开(公告)号：US20140053001A1

公开(公告)日：2014-02-20

申请号：US13707070

申请日：2012-12-06

Applicant: BROADCOM CORPORATION

Inventor： Stephane Rodgers ,  Andrew Dellow ,  Shashank Shekhar

IPC: G06F12/14

CPC classification number: G06F12/1408 ,  G06F12/1441 ,  G06F21/00 ,  G06F21/10 ,  H04N7/1675 ,  H04N19/40 ,  H04N19/423 ,  H04N19/46 ,  H04N21/234309 ,  H04N21/4402 ,  H04N21/4408

Abstract: A method for managing a transcoder pipeline includes partitioning a memory with a numbered region; receiving an incoming media stream to be transcoded; and atomically loading, using a security central processing unit (SCPU), a decryption key, a counterpart encryption key and an associated region number of the memory into a slot of a key table, the key table providing selection of decryption and encryption keys during transcoding. The atomically loading the decryption and encryption keys and the associated numbered region ensures that the encryption key is selected to encrypt a transcoded version of the media stream when the media stream has been decrypted with the decryption key and the transcoded media stream is retrieved from the associated numbered region of the memory.

Abstract translation: 一种用于管理代码转换器流水线的方法，包括：对具有编号区域的存储器进行分区; 接收要转码的传入媒体流; 并且使用安全中央处理单元（SCPU），解密密钥，对方加密密钥和存储器的相关联的区号进行原子加载到密钥表的时隙中，所述密钥表在转码期间提供对解密和加密密钥的选择 。 原子上加载解密和加密密钥和相关联的编号区域确保了当媒体流已经用解密密钥解密并且从相关联的代码转换的媒体流被检索时，加密密钥被选择来加密媒体流的转码版本 记忆的编号区域。

公开(公告)号：US09152577B2

公开(公告)日：2015-10-06

申请号：US13707070

申请日：2012-12-06

Applicant: Broadcom Corporation

Inventor： Stephane Rodgers ,  Andrew Dellow ,  Shashank Shekhar

IPC: H04N21/4408 ,  H04N21/4402 ,  H04N19/40 ,  G06F12/14 ,  G06F21/00 ,  H04N21/2343 ,  H04N7/167 ,  H04N19/423 ,  H04N19/46

CPC classification number: G06F12/1408 ,  G06F12/1441 ,  G06F21/00 ,  G06F21/10 ,  H04N7/1675 ,  H04N19/40 ,  H04N19/423 ,  H04N19/46 ,  H04N21/234309 ,  H04N21/4402 ,  H04N21/4408

Abstract: A method for managing a transcoder pipeline includes partitioning a memory with a numbered region; receiving an incoming media stream to be transcoded; and atomically loading, using a security central processing unit (SCPU), a decryption key, a counterpart encryption key and an associated region number of the memory into a slot of a key table, the key table providing selection of decryption and encryption keys during transcoding. The atomically loading the decryption and encryption keys and the associated numbered region ensures that the encryption key is selected to encrypt a transcoded version of the media stream when the media stream has been decrypted with the decryption key and the transcoded media stream is retrieved from the associated numbered region of the memory.

Abstract translation: 一种用于管理代码转换器流水线的方法，包括对具有编号区域的存储器进行分区; 接收要转码的传入媒体流; 并且使用安全中央处理单元（SCPU），解密密钥，对方加密密钥和存储器的相关联的区号进行原子加载到密钥表的时隙中，所述密钥表在转码期间提供对解密和加密密钥的选择 。 原子上加载解密和加密密钥和相关联的编号区域确保了当媒体流已经用解密密钥解密并且从相关联的代码转换的媒体流被检索时，加密密钥被选择来加密媒体流的转码版本 记忆的编号区域。

公开(公告)号：US08806526B2

公开(公告)日：2014-08-12

申请号：US13675757

申请日：2012-11-13

Applicant: Broadcom Corporation

Inventor： Stephane Rodgers

IPC: H04N7/167 ,  H04N21/418 ,  H04N21/435

CPC classification number: H04N7/167 ,  G06F21/305 ,  G06F21/71 ,  H04N21/2347 ,  H04N21/23614 ,  H04N21/266 ,  H04N21/4181 ,  H04N21/4348 ,  H04N21/435 ,  H04N21/4405 ,  H04N21/443 ,  H04N21/4623 ,  H04N21/6543

Abstract: A system includes a transport central processing unit of an information appliance device. The transport central processing unit receives a message from a head-end. The transport central processing unit provides access of the message to the security processing unit. A host central processing unit connected with the transport central processing unit is prohibited access to the message.

Abstract translation: 一种系统包括信息装置装置的传送中央处理单元。 运输中央处理单元从头端接收消息。 传输中央处理单元提供消息到安全处理单元的访问。 与传送中央处理单元连接的主机中央处理单元被禁止访问消息。

公开(公告)号：US09483626B2

公开(公告)日：2016-11-01

申请号：US14589727

申请日：2015-01-05

Applicant: Broadcom Corporation

Inventor： Stephane Rodgers ,  Andrew Dellow

IPC: G06F21/00 ,  G06F21/12 ,  G06F21/72 ,  G06F21/74

CPC classification number: G06F21/123 ,  G06F21/72 ,  G06F21/74 ,  G06F2221/2113

Abstract: A computing system includes a first security central processing unit (SCPU) of a system-on-a-chip (SOC), the first SCPU configured to execute functions of a first security level. The computing system also includes a second SCPU of the SOC coupled with the first SCPU and coupled with a host processor, the second SCPU configured to execute functions of a second security level less secure than the first security level, and the second SCPU executing functions not executed by the first SCPU.

公开(公告)号：US20150317495A1

公开(公告)日：2015-11-05

申请号：US14530020

申请日：2014-10-31

Applicant: Broadcom Corporation

Inventor： Stephane Rodgers ,  Shashank Shekhar ,  Flaviu Dorin Turean

IPC: G06F21/71 ,  G06F21/44 ,  G06F9/455 ,  H04L9/32 ,  G06F21/50

CPC classification number: G06F21/53 ,  G06F21/57

Abstract: A system and method for securing a hypervisor and operating systems that execute on a computing device. An encrypted hypervisor is uploaded to a hardware chip. Prior to being executed, the hypervisor is decrypted using a secure security processor and stored in an on-chip memory. When a processor on the hardware chip executes the hypervisor, at least one on-chip component continuously authenticates the hypervisor during execution. A hypervisor configures a processor with access rights associated with an operating system, where the access rights determine access of the operating system to an at least one resource. A transaction filter then uses the access rights associated with the operating system to monitor the access of the operating system to the at least one resource in real-time as the operating system executes on a processor.

Abstract translation: 一种用于保护在计算设备上执行的管理程序和操作系统的系统和方法。 加密的管理程序被上传到硬件芯片。 在执行之前，使用安全的安全处理器解密管理程序，并存储在片上存储器中。 当硬件芯片上的处理器执行虚拟机管理程序时，至少一个片上组件在执行期间连续验证管理程序。 管理程序配置具有与操作系统相关联的访问权限的处理器，其中访问权限确定操作系统对至少一个资源的访问。 然后，当操作系统在处理器上执行时，事务过滤器使用与操作系统相关联的访问权限来实时监视操作系统对至少一个资源的访问。

公开(公告)号：US20150128253A1

公开(公告)日：2015-05-07

申请号：US14589727

申请日：2015-01-05

Applicant: Broadcom Corporation

Inventor： Stephane Rodgers ,  Andrew Dellow

IPC: G06F21/12 ,  G06F21/74

CPC classification number: G06F21/123 ,  G06F21/72 ,  G06F21/74 ,  G06F2221/2113

Abstract: A computing system includes a first security central processing unit (SCPU) of a system-on-a-chip (SOC), the first SCPU configured to execute functions of a first security level. The computing system also includes a second SCPU of the SOC coupled with the first SCPU and coupled with a host processor, the second SCPU configured to execute functions of a second security level less secure than the first security level, and the second SCPU executing functions not executed by the first SCPU.

Abstract translation: 计算系统包括片上系统（SOC）的第一安全中央处理单元（SCPU），第一SCPU被配置为执行第一安全级别的功能。 计算系统还包括与第一SCPU耦合并与主处理器耦合的SOC的第二SCPU，第二SCPU被配置为执行比第一安全级别更不安全的第二安全级别的功能，而第二SCPU执行功能不是 由第一个SCPU执行。

公开(公告)号：US08931082B2

公开(公告)日：2015-01-06

申请号：US13705991

申请日：2012-12-05

Applicant: Broadcom Corporation

Inventor： Stephane Rodgers ,  Andrew Dellow

IPC: H04L29/06 ,  G06F21/12 ,  G06F21/74 ,  G06F21/72

CPC classification number: G06F21/123 ,  G06F21/72 ,  G06F21/74 ,  G06F2221/2113

Abstract: A computing system includes a first security central processing unit (SCPU) of a system-on-a-chip (SOC), the first SCPU configured to execute functions of a first security level. The computing system also includes a second SCPU of the SOC coupled with the first SCPU and coupled with a host processor, the second SCPU configured to execute functions of a second security level less secure than the first security level, and the second SCPU executing functions not executed by the first SCPU.

Abstract translation: 计算系统包括片上系统（SOC）的第一安全中央处理单元（SCPU），第一SCPU被配置为执行第一安全级别的功能。 计算系统还包括与第一SCPU耦合并与主处理器耦合的SOC的第二SCPU，第二SCPU被配置为执行比第一安全级别更不安全的第二安全级别的功能，而第二SCPU执行功能不是 由第一个SCPU执行。

公开(公告)号：US08694767B2

公开(公告)日：2014-04-08

申请号：US13776998

申请日：2013-02-26

Applicant: Broadcom Corporation

Inventor： Stephane Rodgers ,  Andrew Dellow ,  Xuemin Chen ,  Iue-Shuenn Chen ,  Qiang Ye

IPC: G06F9/00 ,  H04L9/00 ,  G06F21/57

CPC classification number: G06F21/575 ,  G06F21/572

Abstract: A system and method that enables secure system boot up with a restricted central processing unit (CPU). The system includes a memory, a segmenting device, and a security sub-system. The memory is a NAND flash memory with a block structure that comprises a guaranteed block and non-guaranteed blocks. The guaranteed block is guaranteed to be useable. A boot code is segmented into boot code segments and the boot code segments are stored separately in the guaranteed and non-guaranteed blocks. The security sub-system is configured to locate the boot code segments stored in the non-guaranteed blocks and validate them independently based on data in the guaranteed block. The security sub-system is further configured to assemble the boot code segments into the boot code and execute the boot code.

Abstract translation: 一种使用受限制的中央处理单元（CPU）实现安全系统启动的系统和方法。 该系统包括存储器，分段设备和安全子系统。 存储器是具有块结构的NAND闪存，其包括保证块和非保证块。 保证的块被保证是可用的。 引导代码被分段为引导代码段，引导代码段分别存储在保证和无保证的块中。 安全子系统被配置为定位存储在非保证块中的引导代码段，并基于保证块中的数据独立地进行验证。 安全子系统还被配置为将引导代码段组合到引导代码中并执行引导代码。