Secure storage of encryption keys
A monotonic counter and a selection circuit select the encryption key, which is provided to the cryptographic processor only for specific count values. This addresses the insufficient security of known encryption key storage, and the device achieves high security and flexible adaptability.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- STMICROELECTRONICS (ALPS) SAS
- Filing Date
- 2022-03-31
- Publication Date
- 2026-06-26
Figure CN115146290B_ABST
Abstract
Description
[0001] Cross-references to related applications
[0002] This application claims priority to French patent application No. 2103316, filed on March 31, 2021, the entire contents of which are incorporated herein by reference.
Technical Field
[0003] The present disclosure relates generally to methods and devices for securing electronic circuits, and more particularly to devices and methods for securely using encryption keys.
Background
[0004] Some processing devices include cryptographic processors that require the use of encryption keys that are not accessible from outside the device.
[0005] For example, a processing device operates by executing code stored in the device's non-volatile memory, which is used throughout the lifetime of the circuit. For security reasons, some of this code is stored in encrypted form, and an encryption key is loaded in order to decrypt it.
Summary of the Invention
[0006] There is often a need to improve the security of storing such encryption keys.
[0007] The embodiments described herein address at least in part all or some of the drawbacks of known storage methods and devices.
[0008] One embodiment provides a method for performing an encryption operation, the method comprising: generating a first count value by a monotonic counter of a processing device; transferring the first count value from the monotonic counter to a memory of the processing device; selecting a first encryption key from the memory based on the first count value; and providing the selected first encryption key to a cryptographic processor.
[0009] According to one embodiment, the selection of a first encryption key is performed by a selection circuit configured to prevent access to one or more other encryption keys stored in memory in association with other count values of a monotonic counter.
[0010] According to one embodiment, the first encryption key is also selected via a first index.
[0011] According to one embodiment, the method further includes: generating a second count value from a monotonic counter of a processing device; transferring the second count value from the monotonic counter to a memory of the processing device; selecting a second encryption key from the memory based on the second count value and the first index; and providing the selected second encryption key to the cryptographic processor.
[0012] According to one embodiment, the memory is configured to disallow access to the first encryption key based on a count value greater than a first count value.
[0013] According to one embodiment, providing the first encryption key to the cryptographic processor is performed, depending on a storage condition of the first encryption key, either via a bus between the memory and the cryptographic processor or via a processor-readable register of the processing device.
[0014] According to one embodiment, the storage condition is that the first encryption key is stored in a first address range.
[0015] According to one embodiment, the storage condition is that a first encryption key is stored in memory in association with a first value.
[0016] According to one embodiment, the bus is a bus dedicated to transferring encryption keys between the memory and the cryptographic processor.
[0017] According to one embodiment, the method further includes: selecting a third encryption key from the memory based on the first count value and the second index; and providing the selected third encryption key to the cryptographic processor.
[0018] According to one embodiment, a monotonic counter is initialized to a first count value during a first boot of the processing device, and the method further includes: initializing the monotonic counter to a second count value during a second boot of the processing device.
[0019] According to one embodiment, the method includes another boot of the processing device, during which a monotonic counter is initialized to a first count value if a device state condition is met.
[0020] According to one embodiment, the device state condition corresponds to the programming state of the memory region.
[0021] One embodiment provides a data processing device including: a monotonic counter configured to generate a first count value; and a memory including a selection circuit configured to select a first encryption key stored in the memory based on the first count value, and to provide the selected first encryption key to a cryptographic processor.
Brief Description of the Drawings
[0022] The foregoing features and advantages, as well as other features and advantages, will be set forth in the following detailed description of embodiments by way of illustration rather than limitation, with reference to the accompanying drawings, in which:
[0023] Figure 1 very schematically illustrates a method for decrypting data based on an encryption key, according to an embodiment of the present disclosure;
[0024] Figure 2A schematically illustrates, in block diagram form, an electronic device according to an embodiment of the present disclosure;
[0025] Figure 2B schematically illustrates an embodiment of a memory used for securely storing keys;
[0026] Figure 3 is a flowchart illustrating operations of a method for selecting keys and transmitting them to a cryptographic processor, according to an example embodiment of the present disclosure;
[0027] Figure 4 illustrates an example of a system for decrypting encrypted data stored in a memory, according to an embodiment of the present disclosure;
[0028] Figure 5 illustrates the data and code that can be accessed during a secure boot according to an embodiment of the present disclosure;
[0029] Figure 6 is a flowchart illustrating operations of a secure boot of a processing device according to an embodiment of the present disclosure; and
[0030] Figure 7 is a flowchart illustrating operations of a secure boot of a processing device according to another embodiment of the present disclosure.
Detailed Description
[0031] In the various figures, the same features are indicated by the same reference numerals. In particular, common structural and / or functional features in the various embodiments may have the same reference numerals and may have the same structure, dimensions, and material properties.
[0032] For clarity, only the operations and elements used to understand the embodiments described herein have been detailed and described. In particular, the design of the processing device is well known to those skilled in the art, and certain components are not described below.
[0033] Unless otherwise stated, when reference is made to two elements connected together, this means that there is no intermediate element other than conductors between them, and when reference is made to two elements coupled together, this means that the two elements may be connected directly or may be coupled via one or more other elements.
[0034] In the following disclosure, unless otherwise stated, when referring to absolute position qualifiers, such as the terms “front,” “back,” “top,” “bottom,” “left,” “right,” etc., or when referring to relative position qualifiers, such as the terms “up,” “down,” “higher,” “lower,” etc., or when referring to orientation qualifiers, such as “horizontal,” “vertical,” etc., the orientation shown in the figure is used.
[0035] Unless otherwise stated, the expressions “about,” “approximately,” “basically,” and “in the order of” indicate within 10%, preferably within 5%.
[0036] Figure 1 very schematically illustrates a method for decrypting data based on an encryption key, according to an embodiment of the present disclosure.
[0037] Input data (IN), for example including encrypted code, is provided to a cryptographic processor 102 (CRYPTO) of a processing device (not shown in Figure 1). A general-purpose processor of the processing device (also not shown in Figure 1) instructs the execution of code, such as boot code. The cryptographic processor 102 is configured to decrypt the input data using an encryption key and to provide decrypted data (OUT) at its output.
[0038] The encryption keys are stored in non-volatile memory 104 (key storage), with each key stored, for example, in association with a Time Isolation Level (TIL). For instance, memory 104 stores multiple sets of keys, and each set of keys is associated with a corresponding isolation level. TIL values are provided to memory 104, allowing the selection of one or more keys, for example, from the set of keys associated with the isolation level corresponding to the TIL value. In some cases, memory 104 is also provided with an index value that allows the selection of a given key from each set of keys.
[0039] The TIL value corresponds to a count value generated by a monotonic counter (not shown in Figure 1), and the keys associated with a TIL value can only be accessed when the count value generated by the monotonic counter is equal to that TIL value.
[0040] An example of the contents of memory 104 is shown on the right-hand side of Figure 1. In this example, the non-volatile memory 104 includes a first region 108 (KEYSET0) in which a first key set is stored. The memory also includes a second region 110 (KEYSET1) storing a second key set, and a third region 112 (KEYSET2) storing a third key set. For example, the first, second and third key sets are associated with three different isolation levels: the first key set with isolation level TIL0, the second key set with isolation level TIL1, and the third key set with isolation level TIL2.
[0041] In memory 104, each key is represented, for example, by a key value (KEY_VALUE) and associated with an index value and a size value (KEY_SIZE), the size value indicating, for example, the length of the key in bits.
[0042] In the example shown on the right of Figure 1, region 108 contains 11 encryption keys associated with isolation level TIL0, identified by indices ranging from 0 to 10. Region 110 contains two encryption keys associated with isolation level TIL1, identified by indices 0 and 1. Region 112 contains two encryption keys associated with isolation level TIL2, identified by indices 0 and 1. Therefore, for certain index values (0 and 1 in this example), the selected key depends on the TIL value. The key list shown in Figure 1 is only an example; in other embodiments there may be other numbers of key sets and other numbers of keys in each set. Furthermore, some of the fields associated with each key, such as the index and/or size values, may be omitted.
[0043] When a key for decrypting at least one encrypted input data is selected from memory 104, a count value corresponding to the isolation level (TIL0, TIL1, or TIL2) and an index of the desired key are transferred to memory 104. The key corresponding to that isolation level and that index is then transferred to cryptographic processor 102, for example, via bus 106. In some implementations, bus 106 may be a dedicated bus. Bus 106, for example, is specifically designed to connect memory 104 to cryptographic processor 102.
[0044] Figure 2A schematically shows, in block diagram form, an embodiment of an electronic device 200 including a processing device 202.
[0045] Electronic device 200 is, for example, an electronic card such as a microcircuit card, computer hardware, microprocessor circuit, etc.
[0046] Processing device 202 includes, for example, the cryptographic processor 102 (CRYPTO) and the non-volatile memory 104 (NVMEM) described above in relation to Figure 1. Memory 104 is implemented, for example, by flash memory, although other types of non-volatile memory may be used. Memory 104 includes, for example, the first, second and third regions 108, 110 and 112 (KEYSET0, KEYSET1 and KEYSET2) described in relation to Figure 1. Memory 104 also includes, for example, a selection circuit 206 (key selection). This selection circuit 206 (for example a selection interface) is coupled to the output of a monotonic counter 204 and receives the TIL value from that counter. For example, the selection circuit 206 is also coupled to an output of the cryptographic processor 102 and receives an index value from that output. The index value is stored, for example, in a register (not shown) contained in the cryptographic processor 102, although this register could be located elsewhere in the device 202.
[0047] Monotonic counters are known in the art; examples are described, for example, in Section 3 of "Virtual monotonic counters and count-limited objects using a TPM without a trusted OS" by L. F. G. Sarmenta, M. van Dijk, C. W. O'Donnell, J. Rhodes and S. Devadas, which is incorporated herein by reference in its entirety. That document describes counters implemented in hardware and/or software. For example, monotonic counter 204 is implemented in hardware using digital circuitry such as an application-specific integrated circuit (ASIC). The monotonic counter is configured to maintain a count value accessible at the counter's output. On an increment instruction, the monotonic counter increases its count value by one or more units, and each increment is irreversible. In effect, the monotonic counter is configured such that its count value never decreases. Furthermore, between two increments the count value is protected from any modification, so that it cannot be erased or changed; only an increment instruction can replace the current value, and only with a value higher than the current one.
[0048] The monotonic counter 204 is configured such that, once an increment instruction has been executed, no instruction allows a return to the previous value, except a reset of the processing device. When the count value is stored in volatile memory, it is lost each time the processing device is powered off, and the monotonic counter generates the initial count value again at each reboot. When the count value is stored in non-volatile memory, the initial count value is, for example, rewritten to the non-volatile memory of the monotonic counter at each boot.
[0049] Processing device 202 also includes a non-secure general-purpose processor 210 (CPU). For example, general-purpose processor 210 is coupled via a bus 214 to monotonic counter 204, to a non-volatile memory 216 (NV MEM2) and to non-volatile memory 104. Memories 104 and 216 are, for example, flash memories. In one example, general-purpose processor 210 writes an index value into a register (not shown) of cryptographic processor 102, from which the index value is transferred to selection circuit 206.
[0050] The general-purpose processor 210 is also coupled to the cryptographic processor 102 and RAM (random access memory) 208 via bus 214.
[0051] In some cases, memory 104 includes register 212 (key register) accessible via bus 214.
[0052] The cryptographic processor 102 is connected to the memory 104, for example, via bus 106. For example, bus 106 is a dedicated bus that connects only the cryptographic processor 102 to the memory 104. In other words, in this example, no components other than the processor 102 and the memory 104 are connected to bus 106.
[0053] For example, non-volatile memory 216 contains encrypted boot code, while the encryption keys are stored in memory 104. In some cases, the TIL value is incremented during the boot process of the processing device, and the encryption keys allow the boot code to be decrypted. For example, at each boot of the processing device, the TIL value is initialized by monotonic counter 204 and passed to the selection circuit of memory 104. Cryptographic processor 102 passes to selection circuit 206 the index value of one or more first encryption keys associated with one or more first encrypted boot codes, the one or more first encrypted boot codes corresponding to the initial TIL value. The first key is passed to cryptographic processor 102 via bus 106, or stored in register 212 and passed to cryptographic processor 102 via bus 214. The first encrypted boot code is also passed to cryptographic processor 102 via bus 214. The decrypted boot code is then passed to general-purpose processor 210 via bus 214. In one example, processor 210 executes the decrypted boot code and instructs the monotonic counter to increment, generating a new count value greater than the initial count value. Other encrypted boot codes associated with the next TIL value can then be decrypted and executed in the same way as the first code described above.
[0054] Figure 2B illustrates an example embodiment of memory 104, and in particular of selection circuit 206.
[0055] In the example of Figure 2B, the first region 108 contains a first group of I_M(0) encryption keys associated with isolation level TIL0, each key being identified by an index value ranging from 1 to I_M(0). The selection circuit 206 includes, for example, two multiplexers 218 and 220 allowing key selection based on the index value. Each of these multiplexers 218, 220 therefore receives as control input the index value transmitted, for example, by the cryptographic processor 102. Multiplexer 218 is configured to route a key to the key bus 106, while multiplexer 220 is configured to route a key to the key register 212. In the example of Figure 2B, the subset of keys identified by index values from 1 to a value I_T is provided to the data inputs of multiplexer 218, while the subset of keys identified by index values from I_T+1 to I_M(0) is provided to the data inputs of multiplexer 220.
[0056] Region 110 contains a second group of I_M(1) encryption keys (not shown in Figure 2B) associated with isolation level TIL1. Similarly, the third region 112 contains a third group of I_M(2) encryption keys (not shown in Figure 2B) associated with isolation level TIL2. For example, for each of regions 110 and 112, the selection circuit 206 also includes two multiplexers (not shown in Figure 2B) operating similarly to multiplexers 218 and 220, for routing the corresponding keys from each region 110, 112.
[0057] Selection circuit 206 includes, for example, two further multiplexers 222 and 224, common to all regions 108, 110 and 112, allowing key selection based on the TIL value. Each of these multiplexers 222 and 224 therefore receives as control input the TIL value transmitted by monotonic counter 204. Multiplexer 222 has, for example, data inputs coupled to the outputs of the multiplexers 218 of each region 108, 110 and 112, and multiplexer 224 has, for example, data inputs coupled to the outputs of the multiplexers 220 of each region 108, 110 and 112. Each of multiplexers 222 and 224 therefore has a number of data inputs equal to the number of memory regions, equal to 3 in the example of Figure 2B. Multiplexers 222 and 224 prevent access to the keys associated with inactive TIL values. Multiplexer 222 is configured to route keys to bus 106, while multiplexer 224 is configured to route keys to register 212.
[0058] In one example, the value I_T is different for each of regions 108, 110 and 112. In another example, I_T is a fixed value.
[0059] Other embodiments of memory 104 are possible. For example, instead of providing both multiplexers 218 and 220, a single multiplexer can be used to select keys based on an index, and the keys in each region are further associated with flags indicating whether they are transmitted via bus 106 or stored in register 212. For instance, the multiplexer is configured to direct the selected key to either bus 106 or register 212 based on the flags.
[0060] Figure 3 is a flowchart illustrating an example of a method for transmitting keys to a cryptographic processor according to an embodiment of the present disclosure. The method is implemented, for example, by the selection circuit 206 between the cryptographic processor 102 and the memory 104.
[0061] In step 301 (initializing the counter), the monotonic counter is initialized to an initial value, i.e., a natural number. In the example where the counter value is stored volatilely, each boot of the processing device initializes the counter value to, for example, 0. In another example where the counter value is stored in non-volatile storage, each boot of the processing device replaces the current counter value with a new initial counter value, for example, 0. For example, step 301 occurs after the boot of the processing device 202.
[0062] In some embodiments, the initial count value generated after booting may vary depending on the context of the processing device. For example, one or more count values correspond to an isolation level reserved for the manufacturer of device 202, and a boot by an intermediate entity between the manufacturer and the end user, and/or by the end user, triggers a count value higher than these reserved count values. For example, if the count value 0 is reserved for the manufacturer, a boot by such an intermediate entity and/or by the end user triggers a count value equal to 1, and the one or more boot codes and sensitive data associated with isolation level 0 are inaccessible. For example, once manufacturing is complete, one or more bits stored in non-volatile memory 104 or in another memory are programmed so that the count value is initialized to 1. In one example, these bits correspond to a signature-protected value indicating the initial count value to be applied. The signature is generated, for example, based on a cryptographic key and may correspond, for example, to a MAC (Message Authentication Code). This value is provided to monotonic counter 204, for example via bus 214. The monotonic counter 204 can then be restored to 0 (or another value) during the lifetime of the device by changing the signature-protected value.
[0063] In step 302 (read index), the index value, stored for example in the register of the cryptographic processor 102, is read and transmitted to the selection circuit 206. In step 303 (index exists on TIL i?), the selection circuit 206 verifies that an encryption key associated with the current TIL value and identified by the index value exists in memory 104. If not (N branch), the method ends at step 304 (error signal), in which the device notifies the user of an error, for example by an audible signal or by displaying a text message.
[0064] If an encryption key associated with the current TIL value and identified by the index value exists (Y branch), the method continues, after step 303, with step 305 (access key index on TIL i). In step 305, the key identified by the index value and associated with TIL[i] is selected, for example by operation of the circuit described in relation to Figure 2B.
[0065] In step 306 (key transmitted on key bus?), it is determined whether the selected key is to be transmitted to the cryptographic processor 102 via bus 106. For example, step 306 follows from the selection of index values made by the circuit described in relation to Figure 2B, where indices 1 to I_T of region 108 are reserved for transmission via bus 106 and indices I_T+1 to I_M(0) are reserved for storage in register 212. In another example, the decision is made based on a flag or any other indication of the component (bus 106 or register 212) to which the selected key is to be sent.
[0066] If the selected key is to be transmitted via bus 106 (Y branch), the method continues in step 308 (transmit key bus), where the key is transmitted to the cryptographic processor via bus 106. Otherwise (N branch at the output of step 306), the method continues in step 307 (load into register), where the selected key is stored in register 212. Once stored in register 212, the selected key can be accessed by the cryptographic processor via bus 214.
[0067] In step 309 (read other keys?), following step 307 or 308, the general-purpose processor 210 or the selection circuit 206, for example, checks whether other encryption keys associated with the current TIL value are to be transmitted to the cryptographic processor. If so (Y branch), a new index value is stored in the register of the cryptographic processor, and the method restarts at step 302. If all the encryption keys associated with the current TIL value have been transmitted (N branch), a new TIL value (new TIL) is generated in step 310 by incrementing the monotonic counter. For example, the TIL value is incremented by an instruction of the code executed by the general-purpose processor 210. The method restarts at step 302 when the monotonic counter 204 transmits the new TIL value to the selection circuit 206.
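The following C model of the selection circuit of Figures 2B and 3 is an added illustration; it is not part of the patent or of any STMicroelectronics implementation. It assumes a key layout matching the Figure 1 example (11 keys at TIL0, two each at TIL1 and TIL2), a routing threshold I_T of 7 for region 108 and 0 for the other regions, key values constructed from the TIL and index, and a "manufacturing done" bit that raises the initial count value to 1 as in paragraph [0062]; the MAC that protects that value in the patent is not modelled. The point it makes is the one the selection circuit enforces in hardware: a key is reachable only while the live counter equals its TIL, and once the counter has moved past a level, no index value can bring its keys back.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Monotonic counter 204. The only mutator is mc_increment(): there is no
 * setter, so the TIL value cannot go backwards once the device is running. */
typedef struct { uint32_t til; } monotonic_counter_t;

static void mc_init(monotonic_counter_t *mc, bool manufacturing_done)
{
    /* [0062]: a bit programmed at the end of manufacturing raises the initial
     * count to 1, so manufacturer-only TIL0 keys are never reachable in the
     * field. Assumption: the MAC protecting this bit is not modelled here. */
    mc->til = manufacturing_done ? 1u : 0u;
}

static void mc_increment(monotonic_counter_t *mc) { mc->til += 1u; }

typedef struct {
    uint16_t index;      /* index value identifying the key within its set */
    uint16_t size_bits;  /* KEY_SIZE */
    uint8_t  value[32];  /* KEY_VALUE, zero-padded (constructed data below) */
} key_entry_t;

#define MAX_KEYS_PER_SET 16
typedef struct {
    uint32_t    til;     /* isolation level of this key set (region 108/110/112) */
    uint16_t    i_t;     /* indices <= i_t go to key bus 106, others to register 212 */
    size_t      count;
    key_entry_t keys[MAX_KEYS_PER_SET];
} key_set_t;

enum dest { DEST_NONE = 0, DEST_KEY_BUS, DEST_KEY_REGISTER };
typedef struct { const key_entry_t *key; enum dest dest; } selection_t;

/* Selection circuit 206: multiplexers 222/224 only connect the set whose level
 * equals the live counter value, so keys of every other level are unreachable;
 * multiplexers 218/220 then pick the key and its route. Returns false when no
 * such key exists (step 304, error signal). */
static bool select_key(const key_set_t *sets, size_t nsets,
                       const monotonic_counter_t *mc, uint16_t index,
                       selection_t *out)
{
    out->key = NULL;
    out->dest = DEST_NONE;
    for (size_t s = 0; s < nsets; s++) {
        if (sets[s].til != mc->til)
            continue;                           /* inactive TIL */
        for (size_t k = 0; k < sets[s].count; k++) {
            if (sets[s].keys[k].index != index)
                continue;
            out->key = &sets[s].keys[k];
            out->dest = (index <= sets[s].i_t) ? DEST_KEY_BUS : DEST_KEY_REGISTER;
            return true;
        }
    }
    return false;
}

/* Constructed key store mirroring the Figure 1 example: 11 keys at TIL0, two
 * at TIL1, two at TIL2. value[0] encodes (til << 4 | index) so a test can tell
 * TIL0's key 0 apart from TIL1's key 0. */
static void build_demo_store(key_set_t sets[3])
{
    const size_t   counts[3] = { 11, 2, 2 };
    const uint16_t i_ts[3]   = { 7, 0, 0 };
    for (uint32_t s = 0; s < 3; s++) {
        sets[s].til = s;
        sets[s].i_t = i_ts[s];
        sets[s].count = counts[s];
        for (size_t k = 0; k < counts[s]; k++) {
            memset(&sets[s].keys[k], 0, sizeof sets[s].keys[k]);
            sets[s].keys[k].index = (uint16_t)k;
            sets[s].keys[k].size_bits = 256;
            sets[s].keys[k].value[0] = (uint8_t)((s << 4) | k);
        }
    }
}

int main(void)
{
    key_set_t sets[3];
    monotonic_counter_t mc;
    selection_t sel;
    build_demo_store(sets);
    mc_init(&mc, false);                       /* first boot at the manufacturer */
    for (uint32_t step = 0; step < 4; step++) {
        bool ok = select_key(sets, 3, &mc, 0, &sel);
        printf("TIL=%u index 0 -> %s%s\n", mc.til, ok ? "key " : "no key",
               ok ? (sel.dest == DEST_KEY_BUS ? "(bus 106)" : "(register 212)") : "");
        mc_increment(&mc);                     /* end of boot step: lock this level */
    }
    return 0;
}
```

Index 0 resolves to a different key at TIL0 and at TIL1, exactly the case the patent describes for shared index values, and at TIL 3 no set matches, which is the fully locked state reached after the last boot stage increments the counter.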
[0068] Figure 4 illustrates a system for decrypting encrypted data according to an embodiment of the present disclosure. For example, the encrypted data is stored in non-volatile memory 216 of processing device 202 and the decrypted data is stored in memory 208, although the encrypted and/or decrypted data may be stored in another memory.
[0069] In the example of Figure 4, non-volatile memory 216 contains three encrypted codes, such as boot codes. For example, the monotonic counter is initialized to the value TIL0, and this TIL value is transmitted to the selection circuit 206. The general-purpose processor 210, for example, instructs the decryption of a first encrypted code 402a (CODE0_U). The TIL value associated with the set of keys for decrypting the first encrypted code 402a is, for example, the value 0. The first encrypted code 402a is transmitted to the cryptographic processor 102 via bus 214 under the control of the general-purpose processor 210, as shown by the dashed arrow in Figure 4. During the decryption of the first encrypted code 402a, the cryptographic processor 102, for example, transmits to the selection circuit 206, at the pace of the decryption operations, the index values of the encryption keys associated with TIL0 (KEY #1, KEY #2 and KEY #3 in the example of Figure 4). These keys are then transmitted from storage region 108 of memory 104, through the selection circuit 206 and via bus 106, to the cryptographic processor 102. The cryptographic processor 102 decrypts the first encrypted code 402a and outputs a first decrypted code 402b (CODE0_C), which is stored, for example, in RAM 208 via bus 214. In one example, the decrypted code 402b includes, or is associated with, an instruction to increment the monotonic counter. Therefore, when the general-purpose processor 210 executes this instruction, it instructs the count value to be incremented, and the monotonic counter 204 transmits a new TIL value, for example 1, to the selection circuit 206.
[0070] For example, general-purpose processor 210 then instructs the decryption of a second encrypted code 404a (CODE1_U), such as boot code. As for the first encrypted code 402a, the second encrypted code 404a is transmitted to the cryptographic processor 102, for example via bus 214, and decryption is performed in the same manner as for code 402a, based on the keys stored in region 110 of memory 104. Cryptographic processor 102 decrypts the second encrypted code 404a and outputs a second decrypted code 404b (CODE1_C), which is stored, for example, in RAM 208 via bus 214. In one example, the decrypted code 404b includes, or is associated with, an instruction to increment monotonic counter 204. Therefore, when executing this instruction, general-purpose processor 210 instructs the count value to be incremented, and monotonic counter 204 transmits a new TIL value, for example 2, to selection circuit 206.
[0071] For example, general-purpose processor 210 then instructs the decryption of a third encrypted code 406a (CODE2_U), such as boot code. As for the first and second encrypted codes 402a and 404a, the third encrypted code 406a is transmitted to cryptographic processor 102, for example via bus 214, and decryption is performed in the same manner as for code 402a, based on the keys stored in region 112 of memory 104. Cryptographic processor 102 provides a third decrypted code 406b (CODE2_C), which is stored in RAM 208. In one example, the decrypted code 406b includes, or is associated with, an instruction to increment monotonic counter 204. Therefore, when executing this instruction, general-purpose processor 210 instructs the count value to be incremented, and monotonic counter 204 transmits a new TIL value, for example 3, to selection circuit 206. Since this value does not correspond to any decryption key in memory 104, selection circuit 206 prevents any access to the keys stored in memory 104.
[0072] Figures 5 to 7 illustrate an embodiment of the present disclosure in which the encrypted data is boot code and/or encryption keys associated with this code, and the TIL value is incremented at the end of each step of the boot sequence. Each TIL value further corresponds to one or more boot codes associated with each boot step; these codes become inaccessible when the current TIL value is greater than their associated TIL value.
[0073] In the example of Figure 5, memory regions 506, 508 and 509 store sensitive data associated with boot codes 500, 502 and 504, respectively, stored in non-volatile memory 216. Regions 506, 508 and 509 are, for example, separate from regions 500, 502 and 504, but have the isolation level of the boot code with which the data is associated. This sensitive data includes, for example, one or more encryption keys stored in each region 506, 508 and 509, each of these regions being contained in non-volatile memory 104. According to another embodiment, each region 506, 508 and 509 is a sub-region of the corresponding region 500, 502 and 504.
[0074] During a first step 510 of booting the processing device, shown at the top of Figure 5, the current count value is, for example, 0. In the example of Figure 5, isolation level 0 is associated with a first code (CODE0) and first sensitive data (KEY0). For example, access control circuitry (not shown) of memory 216 and selection circuitry 206 are configured such that the first code and the first data are accessible exclusively when the current count value is equal to 0. During step 510, however, the access control circuitry and the selection circuitry allow, for example, access to all memory regions 500, 502 and 504 and to all regions 506, 508 and 509. Indeed, in some cases, one or more of the other boot codes (CODE1, CODE2) may be read during step 510, for example in anticipation of subsequent steps of the boot process.
[0075] For example, once the first code CODE0 is executed, the general-purpose processor 210 indicates the first increment of the current count value via the monotonic counter 204. For example, the first code includes an instruction requesting the counter to increment. This instruction is, for example, transferred to the control register of the monotonic counter (not shown).
[0076] Following this first increment, corresponding to the second boot step 511, the current count value of the monotonic counter 204 is, for example, equal to 1. The access control circuitry and the selection circuitry receive the new current count value and, because it is greater than 0, are configured to prevent any access to the first code and first data associated with isolation level 0. In other words, memory areas 500 and 506 are locked for any count value strictly greater than 0.
[0077] Isolation level 1 is associated with a second code (CODE1) contained in region 502 and second data (KEY1) contained in region 508. According to one embodiment, a third code (CODE2) associated with isolation level 2 and contained in region 504 can be used for reading based on a current count value equal to 1.
[0078] For example, once the second code CODE1 is executed, the general-purpose processor 210 indicates a second increment of the current count value via the monotonic counter 204. For example, after this second increment, corresponding to the third boot step 512, the current count value of the monotonic counter 204 is equal to 2. Isolation level 2 is associated with the third code CODE2 and the third data (KEY2). The access control circuitry and selection circuitry 206 receive the new count value and, because it is greater than 1, are configured to prevent any access to the first and second codes and the first and second data, which are associated with isolation levels less than or equal to 1.
[0079] According to one embodiment, when the final boot code, such as the third boot code, has been executed, the general-purpose processor 210 indicates a third increment of the current count value via the monotonic counter. The access control circuitry and selection circuitry 206 then lock all access to the first, second, and third boot codes, as well as to the first, second, and third data.
[0080] According to another embodiment, when the final boot code (e.g., the third boot code) is executed, the current count value is not incremented by the monotonic counter 204, and the access control circuit still allows access to the third boot code and the third data.
[0081] Figure 6 is a flowchart illustrating the operation of a secure boot method for a processing device according to an example embodiment of this description. The method is, for example, implemented by the processing device of Figure 2A using the general-purpose processor 210, the monotonic counter 204, and the access control circuit and selection circuit 206.
[0082] In step 601 (startup boot sequence), the processing device 202 is started. In one example, this is the first boot of device 202 after its manufacture. In another example, it is a boot performed by an intermediary entity between the manufacturer of device 202 and its end user. In yet another example, it is a so-called operational boot of electronic device 200 performed by the end user.
[0083] In step 603 (initializing the counter) following step 601, the monotonic counter is initialized to an initial value, i.e., a natural number. In the example where the counter value is stored volatilely, each boot of the processing device causes the counter value to be initialized, for example, to 0 or 1. In another example where the counter value is stored on a non-volatile storage element, each boot of the processing device causes the current counter value to be replaced with the initial counter value, for example, equal to 0 or equal to 1.
[0084] In some embodiments, the initial count values generated after booting can vary depending on the state or context of the processing device 202. For example, this could correspond to one or more count values for one or more isolation levels reserved for the initial setup phase of device 102, including, for example, firmware installation. Data and / or code associated with these isolation levels are used, for example, for this initial setup.
[0085] For example, after manufacturing, processing device 202 has a "blank" context, and the initial count value is equal to a value reserved for setup, such as 0. Once setup is complete, the device's context becomes, for example, "setup complete". When device 102 is then booted in this new context, for example by an intermediary entity between the manufacturer and the end user and/or by the end user, a count value greater than the reserved count value is triggered, for example equal to 1. The boot code associated with the isolation level corresponding to the reserved count value, as well as its sensitive data, is therefore inaccessible.
[0086] For example, the context of a device can be detected by the presence of a voltage on its boot pin, the voltage being applied for instance by a jumper between the boot pin and another pin at the power supply voltage. Alternatively or additionally, the context of a device can be detected by the value of one or more bits stored in a non-volatile, protected manner in memory 104 or in another memory.
[0087] In one example, the general-purpose processor 210 is configured to detect the context of device 102 upon booting device 102 and configure the initial count value of monotonic counter 204 accordingly. In another example, monotonic counter 204 is configured to detect the context of device 102 and configure its own initial count value upon booting device 102.
[0088] In step 605 (reading and executing code at isolation level i) following step 603, the general-purpose processor 210 reads the data and boot code associated with isolation level i and executes the boot code associated with isolation level i. Once the code for isolation level i has been executed, in step 607, the general-purpose processor 210 compares (i = N?) the count value i to the value N, where N is the count value associated with the last step in the boot sequence, i.e., according to the embodiments described herein, the boot code for isolation level N is the last to be executed. In the example of Figure 5, for instance, N equals 2. If i is not equal to N (N branch), the method continues in step 609 (i = i + 1), where the general-purpose processor triggers the increment of the count value. For example, the count value increases from i to i + 1. The increment can also increase the value i by several units. The method then restarts in step 605.
[0089] If the count value resulting from comparison step 607 is equal to N (Y branch), the method terminates at step 611 (boot end), whereby the booting of the processing device ends. According to one embodiment, after step 611, the current count value remains equal to N. According to another embodiment, the count value is incremented in step 611, and the current count value becomes equal to N + 1. In this second case, the access control circuitry and selection circuitry are configured to prevent access to all boot codes based on this count value.
[0090] Figure 7 is a flowchart illustrating the operation of a secure boot method for a processing device according to another example embodiment of this description. The method is, for example, implemented by the processing device of Figure 1 using the general-purpose processor 210, the monotonic counter 204, and the access control circuit and selection circuit 206.
[0091] Steps 701 and 703 are similar to steps 601 and 603 of Figure 6 and will not be described in detail hereafter.
[0092] In step 705 (access code at level i+1 and execute code at level i) following step 703, the general-purpose processor 210 can access the data and boot code associated with isolation level i+1 and executes the boot code associated with isolation level i.
[0093] In one example, the data or code associated with isolation level i contains one or more encrypted or unencrypted encryption keys that will be used when executing one or more pieces of code associated with isolation level i+1. Therefore, write access is authorized, for example, on the memory region associated with isolation level i+1 to provide the keys to the code associated with isolation level i+1.
[0094] In another instance, the code associated with isolation level i contains instructions for verifying the integrity of data and / or code associated with isolation level i+1. Therefore, read access to the memory region associated with isolation level i+1 is permitted to perform this verification.
[0095] In step 707 (i = i + 1) following step 705, the count value is incremented. For example, the count value increases from i to i + 1. In other examples, the increment increases i by several units.
[0096] In step 709 (i = N?), the general-purpose processor 210 compares the count value i with the value N, where N is defined as described in relation to step 607 of Figure 6. If the value i is not equal to N (N branch), the method returns to step 705.
[0097] If the count value is equal to N (Y branch) during comparison step 709, the method continues to step 713 (execute code at level N), where boot code associated with isolation level N is executed.
[0098] The boot process for the device ends at step 715 (boot end), which is similar to step 611 of Figure 6 and will not be described in detail here.
[0099] The method of Figure 7 thus allows interleaved reading of the boot code: in practice, the boot code associated with an isolation level is read while the count value is still below that isolation level value. This saves time compared to the implementation of the method of Figure 6.
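The gating logic of Figures 5 to 7, as an added simulation that is not the patent's own code: a constructed key store with one key per isolation level (N = 2), a monotonic counter that is set at boot and only ever incremented, a selection circuit that locks every key whose level lies below the current count (with a strict variant that exposes only the key matching the count), and the two boot sequences of Figure 6 and Figure 7 driven through it. All names and key bytes are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model (added example, not the patent's own code) of the
 * counter-gated key selection of Figures 5 to 7: N = 2, so three
 * isolation levels with one key each. Key bytes are placeholders. */
#define NUM_LEVELS 3
#define KEY_LEN 16

typedef struct { uint8_t bytes[KEY_LEN]; } enc_key_t;

/* Contents of regions 506, 508 and 509, indexed by isolation level. */
static const enc_key_t key_store[NUM_LEVELS] = {
    { .bytes = { 0xA0 } },  /* KEY0, level 0 (constructed) */
    { .bytes = { 0xA1 } },  /* KEY1, level 1 (constructed) */
    { .bytes = { 0xA2 } },  /* KEY2, level 2 (constructed) */
};

/* Monotonic counter: set once at boot, afterwards only ever incremented. */
typedef struct { uint32_t count; } mono_counter_t;
static void counter_init(mono_counter_t *c, uint32_t initial) { c->count = initial; }
static void counter_increment(mono_counter_t *c) { c->count++; }

/* Selection circuit, fed the current count value. A key whose level is
 * below the count stays locked (claim 1). With strict set, only the key
 * matching the count is selectable (claim 2); otherwise keys of higher
 * levels may be read ahead, which the Figure 7 interleaving relies on. */
static const enc_key_t *select_key(uint32_t count, uint32_t level, bool strict)
{
    if (level >= NUM_LEVELS) return NULL;
    if (level < count) return NULL;             /* level already passed */
    if (strict && level != count) return NULL;  /* exclusive access only */
    return &key_store[level];
}

/* Figure 6 sequence (steps 603 to 611). Returns the final count value,
 * or -1 if the key of the level being executed was not selectable. */
static int run_boot_figure6(uint32_t initial, uint32_t n, bool lock_after_end)
{
    mono_counter_t c;
    counter_init(&c, initial);                                     /* step 603 */
    for (;;) {
        if (select_key(c.count, c.count, true) == NULL) return -1; /* step 605 */
        if (c.count == n) break;                                   /* step 607 */
        counter_increment(&c);                                     /* step 609 */
    }
    if (lock_after_end) counter_increment(&c);  /* step 611 variant: count N+1 */
    return (int)c.count;
}

/* Figure 7 sequence: at count i, execute level i while already reading
 * the data of level i+1 (step 705), then increment (step 707). */
static int run_boot_figure7(uint32_t initial, uint32_t n)
{
    mono_counter_t c;
    counter_init(&c, initial);
    while (c.count != n) {                                              /* step 709 */
        if (select_key(c.count, c.count, false) == NULL) return -1;     /* level i */
        if (select_key(c.count, c.count + 1, false) == NULL) return -1; /* level i+1 */
        counter_increment(&c);                                          /* step 707 */
    }
    return select_key(c.count, n, false) == NULL ? -1 : (int)c.count;  /* step 713 */
}
```

Starting the counter at 1 (the "setup complete" context of paragraph [0085]) makes KEY0 unreachable for the whole boot, and the N+1 variant of step 611 leaves every key locked once boot has finished.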
[0100] One advantage of the described embodiments is that the encryption keys are physically inaccessible to the non-secure general-purpose processor.
[0101] Another advantage of this embodiment is that the selection of the encryption key is based on a hardware implementation of a hardware monotonic counter. The encryption keys then receive additional protection because they are only accessible for a given TIL value.
[0102] Another advantage of the described embodiments is that they are easily adaptable to several boot architectures.
[0103] Various embodiments and variations have been described. Those skilled in the art will understand that certain features of these embodiments can be combined, and other variations will be readily apparent to them.
[0104] Finally, based on the functional description provided above, the actual implementation of the embodiments and variations described herein is within the capabilities of those skilled in the art. In particular, different types of processors can be used, and the implementation of the selection circuitry and the number of isolation levels can vary.
Claims
1. A method for performing an encryption operation, the method comprising: generating a first count value by a monotonic counter of a processing device; transferring the first count value from the monotonic counter to a memory of the processing device; selecting, by a selection circuit, a first encryption key from the memory based on the first count value; preventing, by the selection circuit, access to any encryption key stored in the memory that is associated with a count value of the monotonic counter lower than the first count value; providing the selected first encryption key to a cryptographic processor; receiving, by a general-purpose processor of the processing device, the first encryption key from the cryptographic processor; and instructing, by the general-purpose processor, the decryption of encrypted data using the first encryption key.
2. The method of claim 1, wherein preventing access includes preventing access to any other encryption keys associated with a count value other than the first count value.
3. The method of claim 1, wherein the first encryption key is selected based on the first count value and the first index.
4. The method according to claim 3, further comprising: selecting a second encryption key from the memory based on the first count value and a second index; and providing the selected second encryption key to the cryptographic processor.
5. The method according to claim 3, further comprising: generating a second count value by the monotonic counter of the processing device; transferring the second count value from the monotonic counter to the memory of the processing device; selecting a second encryption key from the memory based on the second count value and the first index; and providing the selected second encryption key to the cryptographic processor.
6. The method of claim 1, wherein the memory is configured such that access to the first encryption key is not permitted based on a count value greater than the first count value.
7. The method of claim 1, wherein the first encryption key is made available to the cryptographic processor by means of a bus between the memory and the cryptographic processor or by means of a general-purpose processor-readable register of the processing device, based on the storage conditions of the first encryption key.
8. The method of claim 7, wherein the storage condition is that the first encryption key is stored in a first address range.
9. The method of claim 7, wherein the storage condition is that the first encryption key is stored in the memory in association with a first value of the flag.
10. The method of claim 7, wherein the bus is dedicated to transmitting encryption keys between the memory and the cryptographic processor.
11. The method of claim 1, wherein the monotonic counter is initialized to the first count value during a first boot of the processing device, the method further comprising initializing the monotonic counter to a second count value during a second boot of the processing device.
12. The method of claim 11, further comprising: initializing the monotonic counter to the first count value if a device state condition is met during a third boot of the processing device.
13. The method of claim 12, wherein the device state condition corresponds to the programming state of a region of the memory.
14. A method for performing an encryption operation, the method comprising: generating a first count value by a monotonic counter of a processing device; transferring the first count value from the monotonic counter to a memory of the processing device; selecting a first encryption key from the memory based on the first count value and a first index; providing the selected first encryption key to a cryptographic processor; receiving, by a general-purpose processor of the processing device, the first encryption key from the cryptographic processor; instructing, by the general-purpose processor, the decryption of first encrypted data using the first encryption key; selecting a second encryption key from the memory based on the first count value and a second index; providing the selected second encryption key to the cryptographic processor; receiving, by the general-purpose processor of the processing device, the second encryption key from the cryptographic processor; instructing, by the general-purpose processor, the decryption of second encrypted data using the second encryption key; generating, by the monotonic counter of the processing device, a second count value greater than the first count value; transferring the second count value from the monotonic counter to the memory of the processing device; selecting, by a selection circuit, a third encryption key from the memory based on the second count value and the first index; preventing, by the selection circuit, access to the first encryption key and the second encryption key associated with the first count value; providing the selected second encryption key to the cryptographic processor; receiving, by the general-purpose processor, the third encryption key from the cryptographic processor; and instructing, by the general-purpose processor, the decryption of third encrypted data using the third encryption key.
15. The method of claim 14, wherein the monotonic counter is initialized to the first count value during a first boot of the processing device, the method further comprising initializing the monotonic counter to the second count value during a second boot of the processing device.
16. The method of claim 15, further comprising: initializing the monotonic counter to the first count value if a device state condition is met during a third boot of the processing device.
17. A data processing apparatus, comprising: a monotonic counter configured to generate a first count value; a first memory including a selection circuit, the selection circuit being configured to: select an encryption key stored in the first memory based on the first count value, prevent access to any encryption key stored in the first memory that is associated with a count value of the monotonic counter lower than the first count value, and provide the selected encryption key to a cryptographic processor; and a general-purpose processor configured to: receive the encryption key from the cryptographic processor, and instruct the decryption of encrypted data using the encryption key.
18. The data processing apparatus of claim 17, wherein the first memory further comprises: a first memory region, associated with a first isolation level, in which the encryption key is stored; a second memory region, separate from the first memory region and associated with a second isolation level; and a multiplexer including a first input connected to the first memory region, a second input connected to the second memory region, a control input connected to the monotonic counter and configured to receive the first count value, and an output coupled to the cryptographic processor.
19. The data processing apparatus according to claim 17, further comprising: a first bus connected between the cryptographic processor and the first memory, the first bus being dedicated to transmitting encryption keys between the first memory and the cryptographic processor.
20. The data processing apparatus according to claim 19, further comprising: a second memory coupled to the general-purpose processor and configured to store the encrypted data; and a second bus connecting the general-purpose processor, the first memory, the second memory, and the cryptographic processor.