-
公开(公告)号:US20080046762A1
公开(公告)日:2008-02-21
申请号:US11889644
申请日:2007-08-15
IPC分类号: G06F12/14
摘要: A data processing apparatus and method for protecting system control registers is provided. Processing logic is providing for executing software routines and a plurality of system control registers are used to store access control information for a plurality of system resources available to the processing logic when executing at least some of those software routines. Additionally, at least one write control register is provided, with each field of that register being associated with one or more of the system control registers. Disable control logic is used to generate a disable signal, and when that disable signal is clear access control information can be written into the system control registers, and write restriction data can be written into each of the fields of the at least one write control register. Then, when the disable control logic sets the disable signal, the at least one write control register becomes read only, and for each field that has write restriction data therein those associated system control registers indicated by the write restriction data also become read only. This mechanism provides a very flexible approach for programming which system control registers are to be treated as read only registers.
摘要翻译: 提供一种用于保护系统控制寄存器的数据处理装置和方法。 处理逻辑正在提供执行软件程序,并且当执行这些软件程序中的至少一些时,多个系统控制寄存器用于存储可用于处理逻辑的多个系统资源的访问控制信息。 此外,提供至少一个写入控制寄存器,该寄存器的每个字段与一个或多个系统控制寄存器相关联。 禁止控制逻辑用于产生禁用信号,当禁用信号清除时,访问控制信息可以写入系统控制寄存器,写入限制数据可写入至少一个写入控制寄存器的每个字段 。 然后,当禁用控制逻辑设置禁止信号时,至少一个写入控制寄存器变为只读,并且对于其中具有写入限制数据的每个字段,由写入限制数据指示的那些相关联的系统控制寄存器也变为只读。 这种机制提供了非常灵活的编程方式,哪些系统控制寄存器被视为只读寄存器。
-
公开(公告)号:US08010772B2
公开(公告)日:2011-08-30
申请号:US12068448
申请日:2008-02-06
CPC分类号: G06F9/322 , G06F9/30054 , G06F9/30076 , G06F9/30101 , G06F12/145 , G06F2212/1004
摘要: Memory address space is divided into domains and instruction access control circuitry is used to detect when the memory address from which an instruction to be executed is fetched has crossed a domain boundary and changed and in such cases to conduct a check to ensure that the instruction within the new domain is a permitted instruction of a permitted form. The permitted instruction can be arranged to be a no operation instruction other than in respect of the instruction access control circuitry, in order to assist backward compatibility.
摘要翻译: 存储器地址空间被划分为域,并且指令访问控制电路用于检测何时提取要执行的指令的存储器地址已经越过域边界并被改变,并且在这种情况下进行检查以确保在 新域名是允许的表单的允许指令。 允许的指令可以被布置为除指令访问控制电路之外的不操作指令,以便有助于向后兼容性。
-
公开(公告)号:US20070143515A1
公开(公告)日:2007-06-21
申请号:US11603091
申请日:2006-11-22
IPC分类号: G06F13/26
摘要: An interrupt controller 2 is provided with priority registers 6 storing priority values P0-P9 used to determine prioritisation between received interrupt signals I0-I9. A priority value accessing circuit 10 provides multiple mappings to the priority values stored in dependence upon the priority value manager 16, 18, seeking to make an access. In this way, a first priority value manager 18, such as a secure operating system, can be given exclusive access to the highest priority values whilst a second priority value manager 16, such as a non-secure operating system, can be given access to a range of priority values as stored which are of a lower priority and yet as written or read by the non-secure operating system appear to the non-secure operating system to have a different, such as higher, priority level.
摘要翻译: 中断控制器2设置有优先级寄存器6,优先级寄存器6存储优先级值P 0 -P 9,用于确定接收到的中断信号I 0至I 9之间的优先级。 优先级值访问电路10根据优先权值管理器16,18存储的优先权值提供多个映射,寻求进行访问。 以这种方式,诸如安全操作系统的第一优先级值管理器18可以被授予对最高优先级值的排他访问,而可以给予诸如非安全操作系统的第二优先级值管理器16访问 所存储的优先级较低的范围的优先权较低,但由非安全操作系统写入或读取,对于非安全操作系统来说,具有不同的,例如较高的优先级。
-
公开(公告)号:US07966466B2
公开(公告)日:2011-06-21
申请号:US12068449
申请日:2008-02-06
IPC分类号: G06F12/00
CPC分类号: G06F12/1483 , G06F9/30076
摘要: Access to memory address space is controlled by memory access control circuitry using access control data. The ability to change the access control data is controlled by domain control circuitry. Whether or not an instruction stored within a particular domain, being a set of memory addresses, is able to modify the access control data is dependent upon the domain concerned. Thus, the ability to change access control data can be restricted to instructions stored within particular defined locations within the memory address space thereby enhancing security. This capability allows systems to be provided in which call forwarding to an operating system can be enforced via call forwarding code and where trusted regions of the memory address space can be established into which a secure operating system may write data with increased confidence that that data will only be accessible by trusted software executing under control of a non-secure operating system.
摘要翻译: 使用访问控制数据的存储器访问控制电路控制对存储器地址空间的访问。 更改访问控制数据的能力由域控制电路控制。 作为一组存储器地址的存储在特定域内的指令是否能够修改访问控制数据取决于所涉及的域。 因此,改变访问控制数据的能力可以被限制为存储在存储器地址空间内的特定定义位置内的指令,从而增强安全性。 该功能允许提供系统,其中可以通过呼叫转移代码来实施对操作系统的呼叫转移,并且可以建立存储器地址空间的可信区域,安全操作系统可以以更高的置信度写入数据,该数据将 只能通过在非安全操作系统的控制下执行的可信软件来访问。
-
公开(公告)号:US07506091B2
公开(公告)日:2009-03-17
申请号:US11603091
申请日:2006-11-22
摘要: An interrupt controller 2 is provided with priority registers 6 storing priority values P0-P9 used to determine prioritisation between received interrupt signals I0-I9. A priority value accessing circuit 10 provides multiple mappings to the priority values stored in dependence upon the priority value manager 16, 18, seeking to make an access. In this way, a first priority value manager 18, such as a secure operating system, can be given exclusive access to the highest priority values whilst a second priority value manager 16, such as a non-secure operating system, can be given access to a range of priority values as stored which are of a lower priority and yet as written or read by the non-secure operating system appear to the non-secure operating system to have a different, such as higher, priority level.
摘要翻译: 中断控制器2设置有优先级寄存器6,优先级寄存器6存储用于确定接收的中断信号I0-I9之间的优先级的优先权值P0-P9。 优先级值访问电路10根据优先权值管理器16,18存储的优先权值提供多个映射,寻求进行访问。 以这种方式,诸如安全操作系统的第一优先级值管理器18可以被授予对最高优先级值的排他访问,而可以给予诸如非安全操作系统的第二优先级值管理器16访问 所存储的优先级较低的范围的优先权较低,但由非安全操作系统写入或读取,对于非安全操作系统来说,具有不同的,例如较高的优先级。
-
公开(公告)号:US08132254B2
公开(公告)日:2012-03-06
申请号:US11889644
申请日:2007-08-15
IPC分类号: G06F21/00
摘要: A data processing apparatus and method for protecting system control registers is provided. Processing logic is providing for executing software routines and a plurality of system control registers are used to store access control information for a plurality of system resources available to the processing logic when executing at least some of those software routines. Additionally, at least one write control register is provided, with each field of that register being associated with one or more of the system control registers. Disable control logic is used to generate a disable signal, and when that disable signal is clear access control information can be written into the system control registers, and write restriction data can be written into each of the fields of the at least one write control register. Then, when the disable control logic sets the disable signal, the at least one write control register becomes read only, and for each field that has write restriction data therein those associated system control registers indicated by the write restriction data also become read only. This mechanism provides a very flexible approach for programming which system control registers are to be treated as read only registers.
摘要翻译: 提供一种用于保护系统控制寄存器的数据处理装置和方法。 处理逻辑正在提供执行软件程序,并且当执行这些软件程序中的至少一些时,多个系统控制寄存器用于存储可用于处理逻辑的多个系统资源的访问控制信息。 此外,提供至少一个写入控制寄存器,该寄存器的每个字段与一个或多个系统控制寄存器相关联。 禁止控制逻辑用于产生禁用信号,当禁用信号清除时,访问控制信息可以写入系统控制寄存器,写入限制数据可写入至少一个写入控制寄存器的每个字段 。 然后,当禁用控制逻辑设置禁止信号时,至少一个写入控制寄存器变为只读,并且对于其中具有写入限制数据的每个字段,由写入限制数据指示的那些相关联的系统控制寄存器也变为只读。 这种机制提供了非常灵活的编程方式,哪些系统控制寄存器被视为只读寄存器。
-
公开(公告)号:US20080250217A1
公开(公告)日:2008-10-09
申请号:US12068449
申请日:2008-02-06
CPC分类号: G06F12/1483 , G06F9/30076
摘要: Access to memory address space is controlled by memory access control circuitry using access control data. The ability to change the access control data is controlled by domain control circuitry. Whether or not an instruction stored within a particular domain, being a set of memory addresses, is able to modify the access control data is dependent upon the domain concerned. Thus, the ability to change access control data can be restricted to instructions stored within particular defined locations within the memory address space thereby enhancing security. This capability allows systems to be provided in which call forwarding to an operating system can be enforced via call forwarding code and where trusted regions of the memory address space can be established into which a secure operating system may write data with increased confidence that that data will only be accessible by trusted software executing under control of a non-secure operating system.
摘要翻译: 使用访问控制数据的存储器访问控制电路控制对存储器地址空间的访问。 更改访问控制数据的能力由域控制电路控制。 作为一组存储器地址的存储在特定域内的指令是否能够修改访问控制数据取决于所涉及的域。 因此,改变访问控制数据的能力可以被限制为存储在存储器地址空间内的特定定义位置内的指令,从而增强安全性。 该功能允许提供系统,其中可以通过呼叫转移代码来实施对操作系统的呼叫转移,并且可以建立存储器地址空间的可信区域,安全操作系统可以以更高的置信度写入数据,该数据将 只能通过在非安全操作系统的控制下执行的可信软件来访问。
-
公开(公告)号:US20080250216A1
公开(公告)日:2008-10-09
申请号:US12068448
申请日:2008-02-06
CPC分类号: G06F9/322 , G06F9/30054 , G06F9/30076 , G06F9/30101 , G06F12/145 , G06F2212/1004
摘要: Memory address space is divided into domains and instruction access control circuitry is used to detect when the memory address from which an instruction to be executed is fetched has crossed a domain boundary and changed and in such cases to conduct a check to ensure that the instruction within the new domain is a permitted instruction of a permitted form. The permitted instruction can be arranged to be a no operation instruction other than in respect of the instruction access control circuitry, in order to assist backward compatibility.
摘要翻译: 存储器地址空间被划分为域,并且指令访问控制电路用于检测何时提取要执行的指令的存储器地址已经越过域边界并被改变,并且在这种情况下进行检查以确保在 新域名是允许的表单的允许指令。 允许的指令可以被布置为除指令访问控制电路之外的不操作指令,以便有助于向后兼容性。
-
公开(公告)号:US08850041B2
公开(公告)日:2014-09-30
申请号:US12472129
申请日:2009-05-26
CPC分类号: G06F9/468
摘要: Embodiments disclosed herein extend to the use of administrative roles in a multi-tenant environment. The administrative roles define administrative tasks defining privileged operations that may be performed on the resources or data of a particular tenant. In some embodiments, the administrative tasks are a subset of administrative tasks. The administrative role also defines target objects which may be subjected to the administrative tasks. In some embodiments, the target objects are a subset of target objects. An administrator may associate a user or group of users of the particular tenant with a given administrative role. In this way, the user or group of users are delegated permission to perform the subset of administrative tasks on the subset of target objects without having to be given permission to perform all administrative tasks on all target objects.
摘要翻译: 本文公开的实施例扩展到在多租户环境中使用管理角色。 管理角色定义了可以对特定租户的资源或数据执行的特权操作的管理任务。 在一些实施例中,管理任务是管理任务的子集。 管理角色还定义了可能受到管理任务的目标对象。 在一些实施例中,目标对象是目标对象的子集。 管理员可以将特定租户的用户或一组用户与给定的管理角色相关联。 以这种方式,用户或用户组被授予在目标对象子集上执行管理任务子集的权限,而不必被授予在所有目标对象上执行所有管理任务的权限。
-
10.发明授权Protecting the security of secure data sent from a central processor for processing by a further processing device 有权保护从中央处理器发送的安全数据的安全性,以便由另外的处理设备进行处理公开(公告)号:US08775824B2
公开(公告)日:2014-07-08
申请号:US12003858
申请日:2008-01-02
CPC分类号: G06F21/53 , G06F21/74 , G06F2221/2105
摘要: A data processing apparatus comprising: a data processor for processing data in a secure and a non-secure mode, said data processor processing data in said secure mode having access to secure data that is not accessible to said data processor in said non-secure mode, and processing data in said secure mode being performed under control of a secure operating system and processing data in said non-secure mode being performed under control of a non-secure operating system; and a further processing device for performing a task in response to a request from said data processor, said task comprising processing data at least some of which is secure data; wherein said further processing device is responsive to receipt of a signal to suspend said task to initiate: processing of said secure data using a secure key; and storage of said processed secure data to a non-secure data store; and is responsive to receipt of a signal to resume said task to initiate: retrieval of said processed secure data from said non-secure data store; and restoring of said processed secure data using said secure key; wherein said secure key is securely stored such that it is not accessible to other processes operating in said non-secure mode.
摘要翻译: 一种数据处理装置,包括:用于以安全和非安全模式处理数据的数据处理器,所述数据处理器处理所述安全模式中的数据,以访问在所述非安全模式下所述数据处理器不可访问的安全数据 并且在安全操作系统的控制下执行所述安全模式中的处理数据,并且在非安全操作系统的控制下执行所述非安全模式中的数据处理; 以及用于响应于来自所述数据处理器的请求执行任务的另一处理装置,所述任务包括处理数据,其中至少一些是安全数据; 其中所述另外的处理设备响应于收到信号以暂停所述任务以启动:使用安全密钥处理所述安全数据; 以及将所述处理的安全数据存储到非安全数据存储器; 并且响应于接收到信号以恢复所述任务以启动:从所述非安全数据存储中检索所述处理的安全数据; 以及使用所述安全密钥恢复所述处理的安全数据; 其中所述安全密钥被安全地存储,使得对于在所述非安全模式中操作的其他进程是不可访问的。
-
-
-
-
-
-
-
-
-
搜索结果
65 条记录 (耗时 0.02 秒)
