Secure provisioning in an untrusted environment
US-9094205-B2 · Jul 28, 2015 · US
Semiconductor device and a method of manufacturing a semiconductor device
US9436846B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9436846-B2 |
| Application number | US-201214401149-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 30, 2012 |
| Priority date | May 30, 2012 |
| Publication date | Sep 6, 2016 |
| Grant date | Sep 6, 2016 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A semiconductor device having a plurality of on-chip processors, a plurality of key RAMs, a plurality of key RAM controllers, a fuse bank, a fuse bank controller and a boot controller is described. The boot controller is arranged to, in a first programming stage, allocate a first array of fuses in the fuse bank in dependence on the size of a first device key for storing the first device key in the fuse bank and, during boot-time, provide the first device key to a first key RAM controller. The fuse bank controller is arranged to program the first array of fuses with the first device key in the first programming stage, provide the first device key to the boot controller during boot-time, and prevent access to the first device key in the fuse bank during run-time. The first key RAM controller is arranged to, during boot-time, store the first device key in the first key RAM, and, during run-time, restrict access to the first device key in the first key RAM to exclusive access by the first on-chip processor. The first on-chip processor is arranged to, during run-time, retrieve the first device key from the first key RAM ( 110 ) and use the first device key in the first key-protected processing.
First claim
Opening claim text (preview).
The invention claimed is: 1. A semiconductor device, comprising: a plurality of on-chip processors; a plurality of key RAMs; a plurality of key RAM controllers; a fuse bank, wherein the fuse bank includes a plurality of fuses; a fuse bank controller; and a boot controller, wherein the boot controller is configured to: during a first programming stage, receive a first device key for later use in a first key-protected processing by a first on-chip processor of the plurality of on-chip processors, a size of the first device key and a type of the first device key, allocate a first array of fuses in the fuse bank in dependence on the size of the first device key for storing the first device key in the fuse bank, allocate a further array of fuses of the fuse bank for storing a key directory, and control the fuse bank controller to program the first device key into the fuse bank and to register a first key information in the key directory, the first key information comprising a size and a location of the first array and the type of the first device key, and during a boot-time, control the fuse bank controller to retrieve the first key information from the key directory in the fuse bank, control the fuse bank controller to retrieve the first device key from the fuse bank in dependence on the first key information, and provide the first device key to a first key RAM controller of the plurality of key RAM controllers, associated with a first key RAM of the plurality of key RAMs; wherein the fuse bank controller is configured to: during the first programming stage, receive the first key information and the first key from the boot controller, program the first array of fuses with the first device key in dependence on the first key information, and program the first key information in the key directory in the fuse bank, during the boot-time, retrieve the first key information from the key directory under control of the boot controller, provide the first device key information to the boot controller, retrieve the first device key from the fuse bank under control of the boot controller, and provide the first device key to the boot controller, and during a run-time, prevent access to the first device key in the fuse bank; wherein the first key RAM controller is configured to: during the boot-time, receive the first device key from the boot controller and store the first device key in the first key RAM, and during the run-time, restrict access to the first device key in the first key RAM to exclusive access by the first on-chip processor; and wherein the first on-chip processor is configured to, during the run-time, retrieve the first device key from the first key RAM and use the first device key in the first key-protected processing. 2. A semiconductor device according to claim 1 , the fuse bank comprising a first lock fuse arranged to prevent changing the first device key after the first device key has been programmed. 3. A semiconductor device according to claim 1 , wherein the boot controller is configured to: during a second programming stage, receive a second device key for later use in a second key-protected processing by a second on-chip processor of the plurality of on-chip processors, a size of the second device key and a type of the second device key, allocate a second array of fuses in the fuse bank in dependence on the size of the second device key for storing the second device key in the fuse bank, and control the fuse bank controller to program the second device key into the fuse bank and to register a second key information in the key directory, the second key information comprising a size and a location of the second array and the type of the second device key, and during the boot-time, control the fuse bank controller to retrieve the second key information from the key directory in the fuse bank, control the fuse bank controller to retrieve the second device key from the fuse bank in dependence on the second key information, and provide the second device key to a second key RAM controller of the plurality of key RAM controllers, associated with a second key RAM of the plurality of key RAMs; wherein the fuse bank controller is configured to: during the second programming stage, receive the second key information and the second key from the boot controller, program the second array of fuses with the second device key in dependence on the second key information, and program the second key information in the key directory in the fuse bank, and during the boot-time, retrieve the second key information from the key directory under control of the boot controller, provide the second device key information to the boot controller, retrieve the second device key from the fuse bank under control of the boot controller, and provide the second device key to the boot controller, and during the run-time, prevent access to the second device key in the fuse bank; wherein the second key RAM controller is configured to: during the boot-time, receive the second device key from the boot controller and store the second device key in the second key RAM, and during the run-time, restrict access to the second device key in the second key RAM to exclusive access by the second on-chip processor; and wherein the second on-chip processor is configured to, during the run-time, retrieve the second device key from the second key RAM and use the second device key in the second key-protected processing. 4. A semiconductor device according to claim 3 , the fuse bank comprising a lock fuse arranged to prevent changing the second device key after the second device key has been programmed. 5. A semiconductor device according to claim 1 , comprising a cryptographic accelerator and an array of master key fuses for storing a master key, wherein the boot controller is configured to: during a master key programming stage, receive a master key and control the fuse bank controller to program the master key into the array of master key fuses, and during a second programming stage, provide a second device key to the cryptographic accelerator for encrypting the second device key with the master key from the fuse bank controller, and during the boot-time, control the cryptographic accelerator to retrieve the second device key in encrypted form and the master key from the fuse bank controller and decrypt the second device key with the master key, and receive the second device key from the cryptographic accelerator; wherein the fuse bank controller is configured to: during the master key programming stage, receive the master key from the boot controller and program the master key into the array of master key fuses, during a third programming stage, read the master key from the array of master key fuses, provide the master key to the cryptographic accelerator for encrypting the second device key provided by the boot controller with the master key, and receive the second device key in encrypted form from the cryptographic accelerator for using the second device key in encrypted form in performing the third programming stage, and during the boot-time, after having retrieved the second device key in encrypted form, provide the second device key in encrypted form and the master key to the cryptographic accelerator for decrypting the second device key with the master key to obtain the second device key; wherein the cryptographic accelerator is configured to: during a fourth programming stage, receive a third device key from the boot controller and the master key from the fuse bank controller, encrypt the third device key with the master key to obtain the third device key in encrypted form, and provide the third device key in encrypted form to the fuse bank controller, and during the boot-time, receive the third device key in encry
Assignees
Inventors
Classifications
Details relating to cryptographic hardware or logic circuitry · CPC title
using key encryption key · CPC title
in semiconductor storage media, e.g. directly-addressable memories · CPC title
- G06F21/71Primary
to assure secure computing or processing of information · CPC title
Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system (cryptographic typewriters G09C3/00) · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9436846B2 cover?
- A semiconductor device having a plurality of on-chip processors, a plurality of key RAMs, a plurality of key RAM controllers, a fuse bank, a fuse bank controller and a boot controller is described. The boot controller is arranged to, in a first programming stage, allocate a first array of fuses in the fuse bank in dependence on the size of a first device key for storing the first device key in …
- Who is the assignee on this patent?
- Hartley David H, Korem Elkana, Freescale Semiconductor Inc
- What technology area does this patent fall under?
- Primary CPC classification G06F21/71. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Sep 06 2016 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).