US2020120067A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2020120067-A1 |
| Application number | US-201916716132-A |
| Country | US |
| Kind code | A1 |
| Filing date | Dec 16, 2019 |
| Priority date | May 26, 2017 |
| Publication date | Apr 16, 2020 |
| Grant date | — |
Official abstract text for this publication.
The disclosed technology is generally directed to firewalls. In one example of the technology, a first firewall is used such that communication is blocked from a first subsystem of a device upon boot of the device. The first firewall is enabled to be configured by secure code subsequent to boot such that code that is not secure code is prevented from configuring the first firewall. After configuration of the first firewall, based on the configuration, the first firewall is used to selectively allow the first subsystem access to the first memory based on ranges of addresses of the first memory configured as accessible to the first subsystem.
Opening claim text (preview).
We claim:

1. An apparatus, comprising: a first bus master that is configured to operate with secure code; a first input/output (IO) subsystem that is configured to control at least some input/output functions for the apparatus; and a first firewall that is configured such that communication from the first IO subsystem is blocked from a boot of the apparatus until the first firewall has been configured, and that is further configured to: receive a secure code configuration from the bus master; in response to receiving the secure code configuration from the bus master, configure the first firewall with the secure code configuration while non-secure code is prevented from configuring the first firewall; and after the configuring of the first firewall with the secure code configuration, allow the first IO subsystem to access a first range of addresses in a memory mapped address space of the apparatus.

2. The apparatus of claim 1, further comprising: a second IO subsystem; a second firewall that is configured such that communication from the second IO subsystem is blocked from the boot of the apparatus until the second firewall has been configured, and that is further configured to: receive another secure code configuration; in response to receiving the other secure code configuration, configure the second firewall with the other secure code configuration while non-secure code is prevented from configuring the second firewall; and after the configuring of the second firewall, allow the second IO subsystem to access a second range of addresses in the memory mapped address space of the apparatus, wherein at least a portion of the first range of addresses in the memory mapped address space of the apparatus does not overlap with the second range of addresses in the memory mapped address space of the apparatus.

3. The apparatus of claim 1, wherein the first range of addresses in the memory mapped address space of the apparatus is for at least one of a static random-access memory or a flash memory.

4. The apparatus of claim 1, wherein the first firewall is further configured to: after the configuring of the first firewall, allow, by the first firewall, the first IO subsystem access to a second range of addresses in the memory mapped address space of the apparatus.

5. The apparatus of claim 1, wherein the first firewall is further configured to: after the configuring of the first firewall, allow, by the first firewall, the first IO subsystem access to a first peripheral based on a set of peripherals being configured as accessible to the first IO subsystem.

6. The apparatus of claim 1, wherein the bus master is further configured to: after the configuring of the first firewall, set a sticky lock bit for the first firewall, wherein the first firewall is further configured to prevent the first firewall from being reconfigured after the sticky lock bit for the first firewall is set until a reboot of the apparatus.

7. A method, comprising: blocking, with a first firewall, communication from a first input/output (IO) subsystem of a device from a boot of the device until the first firewall has been configured with secure code; subsequent to the boot, configuring the first firewall with secure code while configuration of the first firewall by non-secure code is prevented; and after the configuring of the first firewall, selectively allowing the first IO subsystem access to a first range of addresses in a memory mapped address space based on the first range of addresses in the memory mapped address space being configured as accessible to the first IO subsystem by the secure code.

8. The method of claim 7, further comprising: blocking, with a second firewall, communication from a second input/output (IO) subsystem of the device from the boot of the device until the second firewall has been configured; subsequent to the boot, configuring the second firewall with other secure code while configuration of the second firewall by non-secure code is prevented; and after the configuring of the second firewall, selectively allowing the second IO subsystem access to a second range of addresses in the memory mapped address space based on the second range of addresses in the memory mapped address space being configured as accessible to the second IO subsystem by the other secure code, wherein at least the portion of the first range of addresses in the memory mapped address space does not overlap with the second range of addresses in the memory mapped address space.

9. The method of claim 7, wherein the first range of addresses in the memory mapped address space is for at least one of a static random-access memory or a flash memory.

10. The method of claim 7, wherein the first firewall is a hardware firewall.

11. The method of claim 7, wherein the first IO subsystem includes a microcontroller.

12. The method of claim 7, further comprising: after the configuring of the first firewall, selectively allowing, by the first firewall, the first IO subsystem access to a second range of addresses in the memory mapped address space based on the second range of addresses in the memory mapped address space being configured as accessible to the first IO subsystem by the secure code.

13. The method of claim 7, further comprising: after the configuring of the first firewall, selectively allowing, by the first firewall, the first IO subsystem access to a first peripheral based on a set of peripherals being configured as accessible to the first IO subsystem by the secure code.

14. The method of claim 7, further comprising: after the configuring of the first firewall, setting a sticky lock bit for the first firewall, such that after the sticky lock bit is set for the first firewall, the first firewall is prevented from being reconfigured until a reboot of the device.

15. An apparatus, comprising: a first input/output (IO) subsystem; and a first hardware firewall that is configured such that communication from the first IO subsystem to a first range of addresses in a memory mapped address space is blocked from boot until the first hardware firewall has been configured, and wherein the first hardware firewall is functional to: be configured by secure code while non-secure code is prevented from configuring the first hardware firewall; and after configuration of the first hardware firewall, selectively allow the first IO subsystem access to the first range of addresses in the memory mapped address space based on the first range of addresses in the memory mapped address space being configured as accessible to the first IO subsystem by the configuration.

16. The apparatus of claim 15, further comprising: a second IO subsystem; and a second hardware firewall that is configured such that communication from the second IO subsystem of the apparatus to a second range of addresses in the memory mapped address space is blocked from boot until the second hardware firewall has been configured, and wherein the second hardware firewall is functional to: be configured by secure code subsequent to boot while non-secure code is prevented from configuring the second hardware firewall; and after configuration of the second hardware firewall, selectively allow the second IO subsystem access to the second range of addresses in the memory mapped address space based on the second range of addresses in the memory mapped address space being configured as accessible to the second IO subsystem by the configuration, wherein at least the portion of the first range of addresse
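
The behaviour recited in the abstract and in claims 1, 6, 7 and 14 (blocked from boot, configurable only by secure code, address-range allow list, sticky lock until reboot) can be modelled in software as follows. This is an added illustration, not code from the patent or its applicant; all type and function names, the `secure` flag standing in for a secure bus-master attribute, and the addresses are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Software model only; every name and address here is hypothetical. */
#define FW_MAX_RANGES 4
typedef struct { uint32_t base, limit; } fw_range_t;   /* inclusive bounds */
typedef struct {
    fw_range_t ranges[FW_MAX_RANGES];
    size_t     count;    /* 0 after boot: no address is reachable */
    bool       locked;   /* sticky lock bit, cleared only by reset */
} firewall_t;

/* Boot or reboot: default deny, unlocked. */
void fw_reset(firewall_t *fw) { fw->count = 0; fw->locked = false; }

/* Configuration write; `secure` marks the bus master running secure code. */
bool fw_add_range(firewall_t *fw, bool secure, uint32_t base, uint32_t limit) {
    if (!secure || fw->locked) return false;
    if (base > limit || fw->count == FW_MAX_RANGES) return false;
    fw->ranges[fw->count++] = (fw_range_t){ base, limit };
    return true;
}

/* Set the sticky lock; further configuration fails until fw_reset(). */
bool fw_lock(firewall_t *fw, bool secure) {
    if (secure) fw->locked = true;
    return secure;
}

/* Decide one IO-subsystem access of `len` bytes starting at `addr`. */
bool fw_allows(const firewall_t *fw, uint32_t addr, uint32_t len) {
    if (len == 0) return false;
    uint32_t last = addr + (len - 1);
    if (last < addr) return false;                 /* address wraparound */
    for (size_t i = 0; i < fw->count; i++)
        if (addr >= fw->ranges[i].base && last <= fw->ranges[i].limit)
            return true;                           /* fully inside one range */
    return false;
}

int main(void) {
    firewall_t fw;
    fw_reset(&fw);
    printf("before config: %d\n", fw_allows(&fw, 0x20000000u, 4));
    fw_add_range(&fw, true, 0x20000000u, 0x20000FFFu);  /* constructed range */
    fw_lock(&fw, true);
    printf("in range: %d, straddling end: %d\n",
           fw_allows(&fw, 0x20000FFCu, 4), fw_allows(&fw, 0x20000FFDu, 4));
    return 0;
}
```

The access check requires the whole transfer to fall inside one configured range, so an access that begins inside the range and runs past its end is denied rather than partially allowed.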
using interrupt (G06F13/32 takes precedence) · CPC title
interconnection devices, e.g. bus-connected or in-line devices · CPC title
Secure boot · CPC title
Security improvement · CPC title
Globally asynchronous, locally synchronous, e.g. network on chip · CPC title