公开(公告)号：US11677541B2

公开(公告)日：2023-06-13

申请号：US17450607

申请日：2021-10-12

Applicant: NXP B.V.

Inventor： Miroslav Knezevic ,  Tuongvu Van Nguyen ,  Durgesh Pattamatta ,  Tung-Hao Huang

IPC: H04L29/06 ,  G06F21/00 ,  H04L9/06 ,  G06F21/79 ,  H04L9/08

CPC classification number: H04L9/0631 ,  G06F21/79 ,  H04L9/0637 ,  H04L9/0825

Abstract: A method is provided for securely accessing code in an external memory. In the method, plaintext code may be stored in internal memory as sets of multiple blocks, each of the multiple blocks having N-bits. The code is encrypted and stored in the external memory. A block cipher having an authenticated encryption mode is used to convert the plaintext code to ciphertext code plus an authentication tag corresponding to each set of the multiple blocks. The external memory is formatted to store the ciphertext and the authentication tag. A translated address for the ciphertext is created from a plaintext address. During a read operation, the generated authentication tag is checked with an expected authentication tag. If the check is successful, the ciphertext code is decrypted and provided to a CPU for execution as plaintext code. In one embodiment, the CPU executes the plaintext code “in place” in the external memory.

公开(公告)号：US11783057B2

公开(公告)日：2023-10-10

申请号：US17445742

申请日：2021-08-24

Applicant: NXP B.V.

Inventor： Björn Fay ,  Miroslav Knezevic ,  Durgesh Pattamatta ,  Alexander Vogt

IPC: G06F21/00 ,  G06F21/60 ,  H04L9/06 ,  H04L9/08 ,  H04L9/32 ,  G06F8/61

CPC classification number: G06F21/602 ,  H04L9/0637 ,  H04L9/085 ,  H04L9/0861 ,  H04L9/0894 ,  H04L9/3247 ,  G06F8/61

Abstract: A method is provided for secure provisioning of a device. In the method, a plurality of integrated circuit (IC) devices is manufactured by a first entity for use in the device. The first entity provides signed provisioning software and stores in at least one provisioning IC device one or more keys used for provisioning the plurality of ICs. The provisioning device with the signed provisioning software is provided to a second entity. The second entity verifies the provisioning software using a stored key. The provisioning software encrypts provisioning assets provided by the second entity and provides the encrypted provisioning assets to the third entity. The signed provisioning software is provided to a third entity by the first entity. During manufacturing of the manufactured products by the third entity, the provisioning software verifies and decrypts the encrypted provisioning assets of the second entity to provision all the plurality of IC devices.

公开(公告)号：US20220200807A1

公开(公告)日：2022-06-23

申请号：US17125725

申请日：2020-12-17

Applicant: NXP B.V.

Inventor： Durgesh Pattamatta ,  Miroslav Knezevic

IPC: H04L9/32 ,  H04L9/06

Abstract: As may be implemented in accordance with one or more aspects of the disclosure, an apparatus and/or method involves generating, using hash circuitry, successive hash values corresponding to operational states of an apparatus using, for respective ones of the hash values, a previous one of the hash values and a current operational sate of the apparatus. The hash values may be written into a register. In response to an attestation request, one of the hash values may be retrieved from the register and signed using cryptographic circuitry. The signed hash value may be communicated to a remote circuit, therein providing attestation of an operational state of the apparatus.

公开(公告)号：US20210349990A1

公开(公告)日：2021-11-11

申请号：US16868594

申请日：2020-05-07

Applicant: NXP B.V.

Inventor： Rob COSARO ,  Miroslav Knezevic ,  Durgesh Pattamatta

IPC: G06F21/52 ,  G06F9/48 ,  G06F21/56

Abstract: A method is provided for protecting execution of a program against a fault injection attack. In one embodiment, a portion of the program includes multiple substantially logically identical conditional operations that are executed in a sequence. An attacker must successfully inject a fault at each instance of the conditional operations to cause the program execution to reach the final state. The multiple conditional operations may ask the same question differently so that the glitch will not cause the same response from both conditional operations. Also, the program portion may make advancement from one state to the next contingent on arriving at the next state from a valid previous state. The described program portions with multiple instances of a conditional operation make a program execution more resistant to a glitch type of fault injection attack.

公开(公告)号：US20230114689A1

公开(公告)日：2023-04-13

申请号：US17450607

申请日：2021-10-12

Applicant: NXP B.V.

Inventor： Miroslav Knezevic ,  Tuongvu Van Nguyen ,  Durgesh Pattamatta ,  Tung-Hao Huang

IPC: H04L9/06 ,  H04L9/08 ,  G06F21/79

Abstract: A method is provided for securely accessing code in an external memory. In the method, plaintext code may be stored in internal memory as sets of multiple blocks, each of the multiple blocks having N-bits. The code is encrypted and stored in the external memory. A block cipher having an authenticated encryption mode is used to convert the plaintext code to ciphertext code plus an authentication tag corresponding to each set of the multiple blocks. The external memory is formatted to store the ciphertext and the authentication tag. A translated address for the ciphertext is created from a plaintext address. During a read operation, the generated authentication tag is checked with an expected authentication tag. If the check is successful, the ciphertext code is decrypted and provided to a CPU for execution as plaintext code. In one embodiment, the CPU executes the plaintext code “in place” in the external memory.

公开(公告)号：US20230063743A1

公开(公告)日：2023-03-02

申请号：US17445742

申请日：2021-08-24

Applicant: NXP B.V.

Inventor： Björn Fay ,  Miroslav Knezevic ,  Durgesh Pattamatta ,  Alexander Vogt

IPC: G06F21/60 ,  H04L9/08 ,  H04L9/32 ,  H04L9/06

Abstract: A method is provided for secure provisioning of a device. In the method, a plurality of integrated circuit (IC) devices is manufactured by a first entity for use in the device. The first entity provides signed provisioning software and stores in at least one provisioning IC device one or more keys used for provisioning the plurality of ICs. The provisioning device with the signed provisioning software is provided to a second entity. The second entity verifies the provisioning software using a stored key. The provisioning software encrypts provisioning assets provided by the second entity and provides the encrypted provisioning assets to the third entity. The signed provisioning software is provided to a third entity by the first entity. During manufacturing of the manufactured products by the third entity, the provisioning software verifies and decrypts the encrypted provisioning assets of the second entity to provision all the plurality of IC devices.