Flexible Memory Addressing For Data Security
US-2015095661-A1 · Apr 2, 2015 · US
US9716708B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9716708-B2 |
| Application number | US-201314026804-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 13, 2013 |
| Priority date | Sep 13, 2013 |
| Publication date | Jul 25, 2017 |
| Grant date | Jul 25, 2017 |
Official abstract text for this publication.
A system-on-chip (SoC) includes multiple hardware modules that are implemented on a substrate. The hardware modules include a plurality of hardware and software security features and the SoC provides one or more external interfaces for accessing the security features. A validation module, implemented in the boot code of the SoC for example, manages security certificates to control access to the plurality of security features. Each security certificate includes one or more unique identifiers corresponding to one or more hardware modules in the SoC and access control settings for one or more security features of the one or more hardware modules. The security certificate additionally includes a certificate signature signed by a secure key.
Opening claim text (preview).
What is claimed is:

1. A system-on-chip, comprising: a first processor; a plurality of hardware circuits implemented on a substrate, the plurality of hardware circuits including a plurality of security features; a one-time-programmable memory containing a plurality of hardware identifiers to identify each of the plurality of hardware circuits; and a memory including processor-readable instructions for programming the first processor to access a security certificate associated with a first security feature, the security certificate including a unique identifier associated with the first security feature and a list of one or more access control settings for the unique identifier, the first processor configured by the processor-readable instructions to verify the security certificate and determine whether the unique identifier matches the hardware identifier for one of the plurality of hardware circuits, the first processor configured by the processor-readable instructions to apply an access control setting from the list to initiate a one-time action in response to the security certificate being verified and the unique identifier matching the hardware identifier for one of the hardware circuits; wherein the access control setting specifies that software initiates the one-time action to modify and lock the first security feature for the one of the hardware circuits, wherein the access control setting specifies that the one-time action is to be executed for a current boot cycle of the system-on-chip.

2. The system-on-chip of claim 1, wherein: the security certificate includes a signature of a first digest value based on the unique identifier and the access control setting for the first security feature; the first processor configured by the processor-readable instructions to verify the signature of the security certificate using a hard-coded public key; the first processor configured by the processor-readable instructions to determine a second digest value based on the unique identifier and the access control setting of the first security feature; and the first processor configured by the processor-readable instructions to control the first security feature in accordance with the security certificate in response to the security certificate being verified, the unique identifier matching the hardware identifier for one of the hardware circuits, and the first digest value matching the second digest value.

3. The system-on-chip of claim 2, wherein: the security certificate specifies an expiration time; and the first processor configured by the processor-readable instructions to determine a current time and control the security feature in accordance with the security certificate in response to the security certificate being verified, the unique identifier matching the hardware identifier for one of the hardware circuits, and the current time being before the expiration time.

4. The system-on-chip of claim 1, wherein: the one-time-programmable memory contains a version number for each of the plurality of hardware circuits; and the first processor configured by the processor-readable instructions to control the first security feature in accordance with the security certificate in response to the security certificate being verified, the unique identifier matching the hardware identifier for one of the hardware circuits and a version identifier in the security certificate matching the version number for the one of the hardware circuits.

5. The system-on-chip of claim 1, wherein: the first processor configured by the processor-readable instructions to determine that the one-time-programmable memory does not contain a hardware identifier for a first hardware circuit of the system-on-chip; and the first processor configured by the processor-readable instructions to generate a unique hardware identifier for the first hardware circuit and irreversibly program the unique hardware identifier for the first hardware circuit to the one-time-programmable memory.

6. The system-on-chip of claim 1, further comprising: a centralized access enablement (AEB) circuit configured to control access to the plurality of security features, the centralized AEB circuit including a plurality of outputs, each output corresponding to a security feature of the hardware circuits and controlling access to the security feature, the AEB circuit configured to provide each output based on an output of a read-only-memory for an active security state.

7. The system-on-chip of claim 1, wherein: the access control setting specifies that software initiates the one-time action to lock the first security feature as enabled for the current boot cycle.

8. The system-on-chip of claim 1, wherein: the access control setting specifies that software may initiate the one-time action to lock the first security feature as disabled for the current boot cycle.

9. A method of operating a system-on-chip, comprising: accessing a security certificate including a unique identifier associated with a first security feature of the system-on-chip and a list of one or more access control settings for the unique identifier; verifying the security certificate using a key hard-coded in the system-on-chip; reading from a one-time programmable memory of the system-on-chip a plurality of hardware identifiers that identify each of a plurality of hardware circuits of the system-on-chip; determining that the unique identifier matches one of the hardware identifiers from the set of hardware identifiers; and applying an access control setting from the list to initiate a one-time action in response to verifying the security certificate and determining that the unique identifier matches one of the hardware identifiers for one of the hardware circuits of the system-on-chip; wherein the access control setting specifies that software initiates the one-time action to modify and lock the first security feature for the one of the hardware circuits, wherein the access control setting specifies that the one-time action is to be executed for a current boot cycle of the system-on-chip.

10. The method of claim 9, further comprising: detecting that the plurality of hardware identifiers do not include a hardware identifier for a first hardware circuit of the system-on-chip; generating a unique hardware identifier for the first hardware circuit in response to detecting that the plurality of hardware identifiers do not include the hardware identifier for the first hardware circuit; and programming the unique hardware identifier for the first hardware circuit into a one-time-programmable memory of the system-on-chip.

11. The method of claim 10, wherein the security certificate includes a signature based on a first digest value, the first digest value based on the unique identifier and the access control setting for the security feature, the method further comprising; calculating a second digest value by the system-on-chip using the unique identifier and the access control setting of the first security feature after verifying the security certificate; and verifying that the first digest value matches the second digest value; wherein applying the access control setting from the security certificate for the first security feature comprises applying the access control setting in response to verifying the security certificate, determining that the unique identifier matches one of the hardware identifiers, and determining that the first digest value matches the second digest value.

12. The method of claim 9, wherein: the security certificate includes a version identifier associated with the unique identifier; reading the plurality of hardwa
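
The check sequence recited in claims 1 to 4 (signature and digest, hardware identifier, version, expiration, then a one-time modify-and-lock for the current boot cycle) can be modelled as follows. This is an added example, not code from the patent or its assignee. The toy textbook-RSA key, the dictionary standing in for one-time-programmable memory, the certificate field names and the `debug_port` feature are all constructed assumptions.

```python
import hashlib

# Constructed toy key (textbook RSA, no padding); far too small for real use.
P, Q = 2**127 - 1, 2**61 - 1           # two Mersenne primes
N, E = P * Q, 65537                    # public half, "hard-coded" in boot code
D = pow(E, -1, (P - 1) * (Q - 1))      # signer's private exponent, never on the SoC

OTP_HW = {0xA11CE: 3}                  # constructed OTP contents: hardware id -> version


def digest(cert):
    """Digest over every field that influences the decision (assumption: version and
    expiry are covered too; claim 2 names only the identifier and the setting)."""
    fields = (cert["uid"], cert["version"], cert["expires"], sorted(cert["settings"].items()))
    return int.from_bytes(hashlib.sha256(repr(fields).encode()).digest(), "big") % N


def sign(cert):
    """Signer side: attach a signature of the first digest value."""
    return dict(cert, signature=pow(digest(cert), D, N))


class BootCycle:
    """Per-boot state: each feature can be modified and locked once until reset."""

    def __init__(self):
        self.locked = {}               # feature name -> enabled?, fixed for this boot

    def apply(self, cert, now):
        first = pow(cert["signature"], E, N)        # digest recovered with the public key
        if first != digest(cert):                   # second digest, computed locally
            return "rejected: signature"
        if cert["uid"] not in OTP_HW:
            return "rejected: hardware id"
        if cert["version"] != OTP_HW[cert["uid"]]:
            return "rejected: version"
        if now >= cert["expires"]:
            return "rejected: expired"
        if any(f in self.locked for f in cert["settings"]):
            return "rejected: already locked"
        self.locked.update(cert["settings"])        # one-time modify-and-lock
        return "applied"


CERT = sign({"uid": 0xA11CE, "version": 3, "expires": 2000, "settings": {"debug_port": True}})
```

Because the digest covers the version and expiration fields, editing either one after signing fails the signature check before the later comparisons are reached.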
CPC titles:

- to a system of files or objects, e.g. local or distributed file system or database
- to assure secure computing or processing of information
- Time stamp
- based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263)