Cryptographic authentication to control access to storage devices
US-2024333511-A1 · Oct 3, 2024 · US
US11501024B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11501024-B2 |
| Application number | US-201816047298-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 27, 2018 |
| Priority date | Oct 24, 2012 |
| Publication date | Nov 15, 2022 |
| Grant date | Nov 15, 2022 |
Official abstract text for this publication.
Disclosed embodiments relate to a security firewall having a security hierarchy including: secure master (SM); secure guest (SG); and non-secure (NS). There is one secure master and n secure guests. The firewall includes one secure region for the secure master and one secure region for secure guests. The SM region only allows access from the secure master and the SG region allows accesses from any secure transaction. Finally, the non-secure region can be implemented in two ways. In a first option, non-secure regions may be accessed only upon non-secure transactions. In a second option, non-secure regions may be accessed by any processing core. In this second option, the access is downgraded to a non-secure access if the security identity is secure master or secure guest. If the two security levels are not needed, the secure master can unlock the SM region to allow any secure guest access to the SM region.
Opening claim text (preview).
The invention claimed is:

1. An electronic device comprising: at least one processing core that includes a plurality of master IDs; a security configuration register to store security privilege configuration information, the security configuration register including a non-secure (NS) bit, a secure master designation set of bits, and a lock/unlock (L/U) bit, wherein the secure master designation set of bits identifies one of the plurality of master IDs as a secure master, wherein the security configuration register is configured to be updated only by the secure master, and wherein in response to the secure master updating the L/U bit to unlocked, the security configuration register remains unlocked until the electronic device is reset; memory including a plurality of addressable locations defined by an address space, the address space including a secure master region, a secure guest region, and a non-secure region, wherein the non-secure region is any portion of the address space other than the secure master region and the secure guest region; and a memory endpoint controller coupled to the memory and configured to control access to the memory in response to memory access requests issued by the at least one processing core based at least partially on the NS bit and the L/U bit, wherein each memory access request includes a security indicator that is one of a secure master state, a secure guest state, or a non-secure state, and wherein the secure master state is a higher security level than the secure guest state and the secure guest state is a higher security level than the non-secure state, the memory endpoint controller controlling access to the memory in response to memory access requests by: when the NS bit is a first logical value, granting a memory access request to any of the secure master region, secure guest region, and the non-secure region regardless of the security indicator of the memory access request; when the NS bit is a second logical value and the L/U bit is the first logical value, granting a memory access request to the secure master region when the security indicator of the memory access request is the secure master state and denying the memory access request access to the secure master region when the security indicator of the memory access request is the secure guest state or the non-secure state, granting a memory access request to the secure guest region when the security indicator of the memory access request is the secure master state or the secure guest state and denying the memory access request access to the secure guest region when the security indicator of the memory access request is the non-secure state; and when the NS bit is the second logical value and the L/U bit is the second logical value, granting a memory access request to the secure master region and to the secure guest region when the security indicator of the memory access request is the secure master state or the secure guest state and denying the memory access request access to the secure master region and the secure guest region when the security indicator of the memory access request is the non-secure state.

2. The electronic device of claim 1, wherein the memory endpoint controller includes: at least one secure master register to store a base address defining the secure master region; and at least one secure guest register to store a base address defining the secure guest region.

3. The electronic device of claim 2, wherein the at least one secure master register includes: a first secure master register that includes a first field to store a selected number of lowest order bits of the base address defining the secure master region; and a second secure master register that includes a second field to store all remaining higher order bits of the base address defining the secure master region other than the selected number of lowest order bits of the base address defining the secure master region.

4. The electronic device of claim 3, wherein the first secure master register includes a third field to store segment size information defining a size of the secure master region.

5. The electronic device of claim 2, wherein the at least one secure guest register includes: a first secure guest register that includes a fourth field to store a selected number of lowest order bits of the base address defining the secure guest region; and a second secure guest register that includes a fifth field to store all remaining higher order bits of the base address defining the secure guest region other than the selected number of lowest order bits of the base address defining the secure guest region.

6. The electronic device of claim 5, wherein the first secure guest register includes a sixth field to store segment size information that defines a size of the secure guest region.

7. An electronic device comprising: at least one processing core that includes a plurality of master IDs; memory including a plurality of addressable locations defined by an address space, the address space including a secure master region, a secure guest region, and a non-secure region, wherein the non-secure region is any portion of the address space other than the secure master region and the secure guest region; a security configuration register to store security privilege configuration information, the security configuration register including a non-secure (NS) bit, a secure master designation set of bits, and a lock/unlock (L/U) bit, wherein the secure master designation set of bits identifies one of the plurality of master IDs as a secure master, wherein the security configuration register is configured to be updated only by the secure master, and wherein in response to the secure master updating the L/U bit to unlocked, the security configuration register remains unlocked until the electronic device is reset; and a memory endpoint controller to control access to the memory by the at least one processing core based on the security configuration register, the memory endpoint controller including: at least one secure master register to store a base address defining the secure master region; at least one secure guest register to store a base address defining the secure guest region; and a comparator including at least one input to receive, from the at least one processing core, a memory access request that includes an address to be accessed and a security indicator, and an output to output a signal indicating whether access to the memory is granted, wherein the security indicator indicates a security state associated with a security level that is one of a secure master state, a secure guest state, or a non-secure state, and wherein the secure master state has a greater security level than the secure guest state and the secure guest state has a greater security level than the non-secure state; wherein, when the address of the memory access request corresponds to an address in the secure master region, the signal indicates that access to the memory is granted when the security indicator is the secure master state and indicates that access to the memory is not granted when the security indicator is the secure guest state or the non-secure state; wherein, when the address of the memory access request corresponds to an address in the secure guest region, the signal indicates that access to the memory is granted when the security indicator is the secure master state or the secure guest state and indicates that access to the memory is not granted when the security indicator is in the non-secure state; and wherein, when the address of the memory access request corresponds to an address in the non-secure region, the security state is assigned to the non-secure state when the security indicator, as received, indicat
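The grant/deny logic of claims 1 and 7, the split base-address/segment-size registers of claims 2 to 6, the secure-master-only configuration write with sticky unlock, and the non-secure-region downgrade described in the abstract, modelled as an added C example that is not part of the patent text. The bool encoding of the NS and L/U bits ("first logical value" is modelled as bypass on and locked respectively), the register bit layout, and every sample address and size are assumptions of this example; the claims fix none of them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Security indicator carried by every memory access request (claim 1). */
typedef enum { SEC_NON_SECURE = 0, SEC_GUEST = 1, SEC_MASTER = 2 } sec_state_t;

/* Address-space regions of claim 1; anything outside SM and SG is non-secure. */
typedef enum { REGION_NON_SECURE, REGION_SECURE_GUEST, REGION_SECURE_MASTER } region_t;

/* A region window: base address plus segment size in bytes (claims 2 to 6). */
typedef struct { uint32_t base; uint32_t size; } region_def_t;

/* Security configuration register of claim 1. Assumed encoding: ns_bypass is
 * the NS bit at its "first logical value" (hierarchy off), locked is the L/U
 * bit at its "first logical value" (SM region reserved to the secure master). */
typedef struct {
    bool ns_bypass;
    bool locked;
    uint8_t secure_master_id;   /* master ID designated as secure master */
} sec_cfg_t;

/* Assumed layout for the two-register split of claims 3 and 4: the first
 * register carries base[11:0] in bits 11:0 and a log2 segment size in bits
 * 20:16; the second register carries base[31:12] in bits 19:0. */
region_def_t region_from_regs(uint32_t first_reg, uint32_t second_reg) {
    region_def_t r;
    r.base = ((second_reg & 0xFFFFFu) << 12) | (first_reg & 0xFFFu);
    r.size = 1u << ((first_reg >> 16) & 0x1Fu);
    return r;
}

/* Region lookup performed by the comparator of claim 7. */
region_t classify(const region_def_t *sm, const region_def_t *sg, uint32_t addr) {
    if (addr >= sm->base && addr - sm->base < sm->size) return REGION_SECURE_MASTER;
    if (addr >= sg->base && addr - sg->base < sg->size) return REGION_SECURE_GUEST;
    return REGION_NON_SECURE;
}

/* Claim 1 decision. The non-secure region follows the abstract's second
 * option (any core may access it). Returns true when access is granted. */
bool endpoint_grant(const sec_cfg_t *cfg, region_t region, sec_state_t sec) {
    if (cfg->ns_bypass) return true;           /* NS bit: no checks at all */
    switch (region) {
    case REGION_SECURE_MASTER:
        /* locked: secure master only; unlocked: any secure transaction */
        return cfg->locked ? sec == SEC_MASTER : sec != SEC_NON_SECURE;
    case REGION_SECURE_GUEST:
        return sec != SEC_NON_SECURE;
    default:
        return true;
    }
}

/* Abstract, second option: a secure master or secure guest access that lands
 * in the non-secure region is downgraded to a non-secure access. */
sec_state_t effective_state(region_t region, sec_state_t sec) {
    return region == REGION_NON_SECURE ? SEC_NON_SECURE : sec;
}

/* Configuration write (claim 1): only the designated secure master may update
 * the register, and once unlocked it stays unlocked until reset, so a relock
 * request is refused. Returns true when the write is accepted. */
bool cfg_update(sec_cfg_t *cfg, uint8_t requester_id, bool ns_bypass, bool locked) {
    if (requester_id != cfg->secure_master_id) return false;
    if (!cfg->locked && locked) return false;  /* sticky unlock until reset */
    cfg->ns_bypass = ns_bypass;
    cfg->locked = locked;
    return true;
}

int main(void) {
    /* Constructed sample: SM window at 0x10000000 (512 KiB), SG window at
     * 0x20000000 (256 KiB), master ID 0 is the secure master, register locked. */
    sec_cfg_t cfg = { false, true, 0 };
    region_def_t sm = region_from_regs(0x00130000u, 0x10000u);
    region_def_t sg = region_from_regs(0x00120000u, 0x20000u);
    const char *names[] = { "non-secure", "secure guest", "secure master" };
    uint32_t addrs[] = { 0x10001000u, 0x20001000u, 0x30000000u };
    for (int a = 0; a < 3; a++) {
        region_t r = classify(&sm, &sg, addrs[a]);
        for (int s = SEC_NON_SECURE; s <= SEC_MASTER; s++)
            printf("addr 0x%08x as %-13s -> %s\n", addrs[a], names[s],
                   endpoint_grant(&cfg, r, (sec_state_t)s) ? "grant" : "deny");
    }
    /* Guest (ID 1) cannot unlock; the secure master can, and cannot relock. */
    printf("guest unlock accepted: %d\n", cfg_update(&cfg, 1, false, false));
    printf("master unlock accepted: %d\n", cfg_update(&cfg, 0, false, false));
    printf("master relock accepted: %d\n", cfg_update(&cfg, 0, false, true));
    return 0;
}
```

The decision table is deliberately a pure function of (configuration, region, indicator) so it can be exhaustively enumerated: three regions times three indicator states times the four NS/L-U combinations is 36 cases, small enough to check against the claim text line by line.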
CPC classification titles:

- with concurrent directory accessing, i.e. handling multiple concurrent coherency transactions
- for main memory peripheral accesses (e.g. I/O or DMA)
- Energy efficient computing, e.g. low power processors, power management or thermal management
- in a hierarchical protection system, e.g. privilege levels, memory rings
- to assure secure storage of data (address-based protection against unauthorised use of memory G06F12/14; record carriers for use with machines and with at least a part designed to carry digital markings G06K19/00)