摘要:
Under the direction of a first party, an integrated circuit (IC) device is configured to temporarily enable access to a debug interface of the IC device via authentication of the first party by a challenge/response process using a key of the IC device and a challenge value generated at the IC device. The first party then may conduct a software evaluation of the IC device via the debug interface. In response to failing to identify an issue with the IC device from the software evaluation, the first party can permanently enable open access to the debug interface while authenticated and provide the IC device to a second party. Under the direction of the second party, a hardware evaluation of the IC device is conducted via the debug interface that was permanently opened by the first party.
摘要:
Under the direction of a first party, an integrated circuit (IC) device is configured to temporarily enable access to a debug interface of the IC device via authentication of the first party by a challenge/response process using a key of the IC device and a challenge value generated at the IC device. The first party then may conduct a software evaluation of the IC device via the debug interface. In response to failing to identify an issue with the IC device from the software evaluation, the first party can permanently enable open access to the debug interface while authenticated and provide the IC device to a second party. Under the direction of the second party, a hardware evaluation of the IC device is conducted via the debug interface that was permanently opened by the first party.
摘要:
Embodiments include methods for securely provisioning copies of an electronic circuit. A first entity (e.g., a chip manufacturer) embeds one or more secret values into copies of the electronic circuit. A second entity (e.g., an OEM): 1) embeds a trust anchor in a first copy of the electronic circuit; 2) causes the electronic circuit to generate a message signing key pair using the trust anchor and the embedded secret value(s); 3) signs provisioning code using a code signing private key; and 4) sends a corresponding code signing public key, the trust anchor, and the signed provisioning code to a third entity (e.g., a product manufacturer). The third entity embeds the trust anchor in a second copy of the electronic circuit and causes the electronic circuit to: 1) generate the message signing private key; 2) verify the signature of the signed provisioning code using the code signing public key; and 3) launch the provisioning code on the electronic circuit. The electronic circuit can authenticate itself to the OEM using the message signing key pair.
摘要:
Embodiments of electronic circuits enable security of sensitive data in a design and manufacturing process that includes multiple parties. An embodiment of an electronic circuit can include a private key embedded within the electronic circuit that is derived from a plurality of components including at least one component known only to the electronic circuit and at least one immutable value cryptographically bound into messages and residing on the electronic circuit, public key generation logic that generates a public key to match the private key, and message signing logic that signs messages with the private key.
摘要:
Embodiments include methods for securely provisioning copies of an electronic circuit. A first entity embeds one or more secret values into copies of the circuit. A second entity: 1) embeds a trust anchor in a first copy of the circuit; 2) causes the circuit to generate a message signing key pair using the trust anchor and the embedded secret value(s); 3) signs provisioning code using a code signing private key; and 4) sends a corresponding code signing public key, the trust anchor, and the signed provisioning code to a third entity. The third entity embeds the trust anchor in a second copy of the circuit and causes the circuit to: 1) generate the message signing private key; 2) verify the signature of the signed provisioning code using the code signing public key; and 3) launch the provisioning code on the circuit.
摘要:
Embodiments of methods of provisioning an electronic circuit enable security of sensitive data in a design and manufacturing process that includes multiple parties. In an illustrative embodiment, a method of provisioning an electronic circuit includes generating at least one secret value, embedding the at least one secret value into the electronic circuit, programming into the electronic circuit a private key derivation function that derives the private key from the at least one secret value and a trust anchor, and programming into the electronic circuit a public key generation function that generates a public key matching the private key. The method can further include receiving for execution trust anchor-authenticated logic that contacts a predetermined actor of the plurality of distinct actors and communicates to the predetermined actor a message signed with the private key.
摘要:
A computing device (10) includes a trusted execution environment (TEE) manager (40) that manages a switchover from non-trusted software (116) to trusted software (118). The TEE manager (40) includes memory (90) configured to store password-bearing, immediate-operand instructions (54). At the point of switching between the non-trusted software (116) and the trusted software (118) the memory (90) may be accessed as instruction fetches, and its contents fetched into a CPU core (24) as instructions. Immediate-operand portions (60) of the immediate-operand instructions (54) provide passwords, which are written back into guess registers (80) within the TEE manager (40). When a predetermined relationship between the instructions (54) and guesses in guess registers (80) is identified, actual execution of the immediate-operand instructions (54) is verified, the TEE mode of operation is signaled, and security-sensitive hardware (44) is enabled for use by a privileged routine (42) portion of the trusted software (118).
摘要:
A computing device (10) includes a trusted execution environment (TEE) manager (40) that manages a switchover from non-trusted software (116) to trusted software (118). The TEE manager (40) includes memory (90) configured to store password-bearing, immediate-operand instructions (54). At the point of switching between the non-trusted software (116) and the trusted software (118) the memory (90) may be accessed as instruction fetches, and its contents fetched into a CPU core (24) as instructions. Immediate-operand portions (60) of the immediate-operand instructions (54) provide passwords, which are written back into guess registers (80) within the TEE manager (40). When a predetermined relationship between the instructions (54) and guesses in guess registers (80) is identified, actual execution of the immediate-operand instructions (54) is verified, the TEE mode of operation is signaled, and security-sensitive hardware (44) is enabled for use by a privileged routine (42) portion of the trusted software (118).
摘要:
Embodiments of information processing systems and associated components can include logic operable to perform operations in a virtualized system including a plurality of guest operating systems using descriptors. The descriptors specify a set of commands defining the operations in a plurality of security domains and specify permission to a plurality of resources selectively for the plurality of guest operating systems.
摘要:
Embodiments of electronic circuits, computer systems, and associated methods include a module that accesses memory using virtual addressing, the memory including local memory that is local to the module and nonlocal memory that is accessible via a system bus coupled to the module, the module including logic coupled to the local memory via a local bus. The logic is configured to receive a memory access specified to a virtual address, determine whether the virtual address is within the local memory, and direct the memory access either to the local memory via the local bus or to the nonlocal memory via the system bus based on the determination.