公开(公告)号：US06851056B2

公开(公告)日：2005-02-01

申请号：US10125527

申请日：2002-04-18

申请人： Edward K. Evans ,  Eric M. Foster ,  Dennis E. Franklin ,  William E. Hall

发明人： Edward K. Evans ,  Eric M. Foster ,  Dennis E. Franklin ,  William E. Hall

IPC分类号： G06F21/24 ,  G06F12/14 ,  G06F13/36 ,  G06F21/00 ,  G06F13/00 ,  H04L9/00

CPC分类号： G06F21/6218 ,  G06F12/1483 ,  G06F21/78 ,  G06F21/85 ,  G06F2221/2129 ,  G06F2221/2141 ,  G06F2221/2143

摘要： An access control function for an integrated system is provided which determines data access based on the master id of a requesting master within the system and the address of the data. The access control function can be inserted, for example, into the data transfer path between bus control logic and one or more slaves. In addition to determining whether to grant access to the data, the access control function can further qualify the access by selectively implementing encryption and decryption of data, again dependent on the data authorization level for the particular functional master initiating the request for data.

摘要翻译： 提供了一种用于集成系统的访问控制功能，其基于系统内的请求主机的主机ID和数据的地址来确定数据访问。 访问控制功能可以插入到例如总线控制逻辑和一个或多个从站之间的数据传输路径中。 除了确定是否允许对数据的访问之外，访问控制功能还可以通过选择性地实现数据的加密和解密来进一步限定访问，这又取决于启动数据请求的特定功能主体的数据授权级别。

公开(公告)号：US07266842B2

公开(公告)日：2007-09-04

申请号：US10125708

申请日：2002-04-18

申请人： Eric M. Foster ,  William E. Hall ,  Marcel-Catalin Rosu

发明人： Eric M. Foster ,  William E. Hall ,  Marcel-Catalin Rosu

IPC分类号： G06F7/04 ,  G06F7/58 ,  G06F12/00 ,  G06F12/14 ,  G06F13/00 ,  G06F17/30 ,  G06K19/00 ,  G11C7/00 ,  H04L9/32

CPC分类号： G06F21/85 ,  G06F21/64

摘要： A data authentication technique is provided for a data access control function of an integrated system. The technique includes passing a data request from a functional master of the integrated system through the data access control function, and responsive to the data request, selectively authenticating requested data. The selective authentication, which can occur transparent to the functional master initiating the data request, includes employing integrity value generation on the requested data when originally stored and when retrieved, in combination with encryption and decryption thereof to ensure the authenticity of the requested data. As an enhancement, cascading integrity values may be employed to facilitate data authentication.

摘要翻译： 为集成系统的数据访问控制功能提供数据认证技术。 该技术包括通过数据访问控制功能从集成系统的功能主机传递数据请求，并响应于数据请求，选择性地认证所请求的数据。 可以对启动数据请求的功能主机透明的选择性认证包括在原始存储时和当检索时对所请求的数据进行完整性值生成，结合其加密和解密，以确保所请求数据的真实性。 作为增强，可以采用级联完整性值来促进数据认证。

公开(公告)号：US06957335B2

公开(公告)日：2005-10-18

申请号：US10691632

申请日：2003-10-23

申请人： Eric M. Foster ,  William E. Hall ,  Marcel C. Rosu

发明人： Eric M. Foster ,  William E. Hall ,  Marcel C. Rosu

IPC分类号： G06F21/24 ,  G06F1/00 ,  G06F11/30 ,  G06F12/14 ,  G06F15/00 ,  G06F21/20 ,  G06F21/22 ,  G09C1/00 ,  H04L20060101 ,  H04L9/00 ,  H04L9/32

CPC分类号： G06F21/6218 ,  G06F21/575 ,  G06F2221/2149 ,  H04L9/0891 ,  H04L9/0894

摘要： Techniques are provided for initializing, maintaining, updating and recovering secure operation within an integrated system. The techniques, which employ a data access control function within the integrated system, include authenticating by a current level of software a next level of software within an integrated system. The authenticating occurs before control is passed to the next level of software. Further, an ability of the next level of software to modify an operational characteristic of the integrated system can be selectively limited via the data access control function. Techniques are also provided for initializing secure operation of the integrated system, for migrating data encrypted using a first key set to data encrypted using a second key set, for updating software and keys within the integrated system, and for recovering integrated system functionality following a trigger event.

摘要翻译： 提供了在集成系统中初始化，维护，更新和恢复安全操作的技术。 在集成系统中采用数据访问控制功能的技术包括通过当前软件级别来验证集成系统内的下一级软件。 认证发生在控制权转移到下一级软件之前。 此外，能够通过数据访问控制功能选择性地限制下一级软件修改集成系统的操作特性的能力。 还提供了用于初始化集成系统的安全操作的技术，用于将使用第一密钥集加密的数据迁移到使用第二密钥集加密的数据，用于更新集成系统内的软件和密钥，以及用于在触发器之后恢复集成系统功能 事件。

公开(公告)号：US06715085B2

公开(公告)日：2004-03-30

申请号：US10125803

申请日：2002-04-18

申请人： Eric M. Foster ,  William E. Hall ,  Marcel C. Rosu

发明人： Eric M. Foster ,  William E. Hall ,  Marcel C. Rosu

IPC分类号： G06F1130

CPC分类号： G06F21/6218 ,  G06F21/575 ,  G06F2221/2149 ,  H04L9/0891 ,  H04L9/0894

摘要： Techniques are provided for initializing, maintaining, updating and recovering secure operation within an integrated system. The techniques, which employ a data access control function within the integrated system, include authenticating by a current level of software a next level of software within an integrated system. The authenticating occurs before control is passed to the next level of software. Further, an ability of the next level of software to modify an operational characteristic of the integrated system can be selectively limited via the data access control function. Techniques are also provided for initializing secure operation of the integrated system, for migrating data encrypted using a first key set to data encrypted using a second key set, for updating software and keys within the integrated system, and for recovering integrated system functionality following a trigger event.

公开(公告)号：US07356707B2

公开(公告)日：2008-04-08

申请号：US10691924

申请日：2003-10-23

申请人： Eric M. Foster ,  William E. Hall ,  Marcel Catalin Rosu

发明人： Eric M. Foster ,  William E. Hall ,  Marcel Catalin Rosu

IPC分类号： G06F11/30

CPC分类号： G06F21/6218 ,  G06F21/575 ,  G06F2221/2149 ,  H04L9/0891 ,  H04L9/0894

摘要： Techniques are provided for initializing, maintaining, updating and recovering secure operation within an integrated system. The techniques, which employ a data access control function within the integrated system, include authenticating by a current level of software a next level of software within an integrated system. The authenticating occurs before control is passed to the next level of software. Further, an ability of the next level of software to modify an operational characteristic of the integrated system can be selectively limited via the data access control function. Techniques are also provided for initializing secure operation of the integrated system, for migrating data encrypted using a first key set to data encrypted using a second key set, for updating software and keys within the integrated system, and for recovering integrated system functionality following a trigger event.

摘要翻译： 提供了在集成系统中初始化，维护，更新和恢复安全操作的技术。 在集成系统中采用数据访问控制功能的技术包括通过当前软件级别来验证集成系统内的下一级软件。 认证发生在控制权转移到下一级软件之前。 此外，能够通过数据访问控制功能选择性地限制下一级软件修改集成系统的操作特性的能力。 还提供了用于初始化集成系统的安全操作的技术，用于将使用第一密钥集加密的数据迁移到使用第二密钥集加密的数据，用于更新集成系统内的软件和密钥，以及用于在触发器之后恢复集成系统功能 事件。

公开(公告)号：US07089419B2

公开(公告)日：2006-08-08

申请号：US10125115

申请日：2002-04-18

申请人： Eric M. Foster ,  William E. Hall ,  Marcel-Catalin Rosu

发明人： Eric M. Foster ,  William E. Hall ,  Marcel-Catalin Rosu

IPC分类号： H04L9/00 ,  G06F12/14

CPC分类号： G06F21/575 ,  G06F2221/2105

摘要： A technique is provided for facilitating secure operation of an integrated system. The technique includes passing a request for data through a data access controller incorporated within the integrated system, and selectively qualifying the request in accordance with a security state of the controller. The security state of the controller is one state of multiple possible security states, including a null state and a secured state. In the secured state, the controller replaces a standard boot code address associated with a request for boot code with a substitute boot code address. The substitute boot code address addresses an encrypted version of boot code, which is then decrypted by the controller employing a master key set held at the controller. When transitioning to the null state, the master key set is erased.

公开(公告)号：US09996709B2

公开(公告)日：2018-06-12

申请号：US13613708

申请日：2012-09-13

申请人： William E. Hall ,  Guerney D. H. Hunt ,  Paul A. Karger ,  Mark F. Mergen ,  David R. Safford ,  David C. Toll

发明人： William E. Hall ,  Guerney D. H. Hunt ,  Paul A. Karger ,  Mark F. Mergen ,  David R. Safford ,  David C. Toll

IPC分类号： H04J3/16 ,  G06F21/85 ,  G06F21/60

CPC分类号： G06F21/85 ,  G06F21/606

摘要： A secure computer architecture is provided. With this architecture, data is received, in a component of an integrated circuit chip implementing the secure computer architecture, for transmission across a data communication link. The data is converted, by the component, to one or more first fixed length frames. The one or more first fixed length frames are then transmitted, by the component, on the data communication link in a continuous stream of frames. The continuous stream of frames includes one or more second fixed length frames generated when no data is available for inclusion in the frames of the continuous stream.

公开(公告)号：US08286164B2

公开(公告)日：2012-10-09

申请号：US12537808

申请日：2009-08-07

申请人： William E. Hall ,  Guerney D. H. Hunt ,  Paul A. Karger ,  Suzanne K. McIntosh ,  Mark F. Mergen ,  David R. Safford ,  David C. Toll

发明人： William E. Hall ,  Guerney D. H. Hunt ,  Paul A. Karger ,  Suzanne K. McIntosh ,  Mark F. Mergen ,  David R. Safford ,  David C. Toll

IPC分类号： G06F9/455 ,  G06F21/00

CPC分类号： G06F9/45533 ,  G06F9/5077 ,  G06F21/57 ,  G06F2009/4557 ,  G06F2009/45579

摘要： A mechanism is provided for performing secure recursive virtualization of a computer system. A portion of memory is allocated by a virtual machine monitor (VMM) or an operating system (OS) to a new domain. An initial program for the new domain is loaded into the portion of memory. Secure recursive virtualization firmware (SVF) in the data processing system is called to request that the new domain be generated. A determination is made as to whether the call is from a privileged domain or a non-privileged domain. Responsive to the request being from a privileged domain, all access to the new domain is removed from any other domain in the data processing system. Responsive to receiving an indication that the new domain has been generated, an execution of the initial program is scheduled.

摘要翻译： 提供了一种用于执行计算机系统的安全递归虚拟化的机制。 内存的一部分由虚拟机监视器（VMM）或操作系统（OS）分配给新域。 新域的初始程序被加载到内存部分。 调用数据处理系统中的安全递归虚拟化固件（SVF）来请求生成新的域。 确定呼叫是来自特权域还是非特权域。 响应于来自特权域的请求，对数据处理系统中的任何其他域的所有对新域的访问都将被删除。 响应于接收到新域已被生成的指示，调度初始程序的执行。

公开(公告)号：US07461268B2

公开(公告)日：2008-12-02

申请号：US10892431

申请日：2004-07-15

申请人： Robert A. Drehmel ,  William E. Hall ,  Russell D. Hoover

发明人： Robert A. Drehmel ,  William E. Hall ,  Russell D. Hoover

IPC分类号： G06F12/14 ,  H04L9/32

CPC分类号： G06F21/72 ,  G06F21/75 ,  G11C17/16 ,  H04L9/3236

摘要： Methods and devices that may be utilized in systems to dynamically update a security version parameter used to encrypt secure data are provided. The version may be maintained in persistent storage located on a device implementing the encryption, such as a system on a chip (SOC). The persistent storage does not require battery backing and, thus, the cost and complexity associated with conventional systems utilizing battery backed storage may be reduced.

摘要翻译： 提供了可用于系统动态更新用于加密安全数据的安全版本参数的方法和设备。 该版本可以被维护在位于实现加密的设备上的持久存储器中，诸如片上系统（SOC）。 永久存储器不需要电池背衬，因此，与使用电池支持的存储器的常规系统相关联的成本和复杂度可能会降低。

公开(公告)号：US20080175381A1

公开(公告)日：2008-07-24

申请号：US12057207

申请日：2008-03-27

申请人： Robert A. Drehmel ,  William E. Hall ,  Russell D. Hoover

发明人： Robert A. Drehmel ,  William E. Hall ,  Russell D. Hoover

IPC分类号： H04K1/00 ,  H04L9/32

CPC分类号： G06F21/72 ,  G11C17/16 ,  H04L9/3236

摘要： Methods and devices that may be utilized in systems to dynamically update a security version parameter used to encrypt secure data are provided. The version may be maintained in persistent storage located on a device implementing the encryption, such as a system on a chip (SOC). The persistent storage does not require battery backing and, thus, the cost and complexity associated with conventional systems utilizing battery backed storage may be reduced.