US 20080126728 A1
Method and apparatus for protecting internal memory from external access. A method for protecting a memory space from external access is provided. A plurality of lock bits are stored in a location in memory, each associated with a separate logical portion of the memory space and determinative as to the access thereof for a predetermined operation thereon. A request is then detected for access to a location in the memory space for operating thereon. The requested operation is then compared with the associated lock bit in the associated logical portion and then it is determined if access is allowed for the requested operation. If allowed, the requested operation is performed.
1. A method for protecting a memory space from external access, comprising the steps of:
storing in a location in memory a plurality of lock bits, each associated with a separate logical portion of the memory space and determinative as to the access thereof for a predetermined memory access operation thereon;
detecting a request for access to a desired location in the memory space for operating thereon;
comparing the requested memory access operation with the associated lock bit in the associated logical portion and determining if access is allowed for the requested memory access operation; and
if allowed, performing the requested memory access operation on the desired location in the memory space.
2. The method of
3. The method of
4. The method of
5. The method of
6. The method of
7. The method of
The present application is a Continuation of pending U.S. patent application Ser. No. 09/901,918, filed Jul. 9, 2001, and entitled “METHOD AND APPARATUS FOR PROTECTING INTERNAL MEMORY FROM EXTERNAL ACCESS” (Atty. Dkt. No. CYGL-24,692), which is a Continuation-in-Part of U.S. patent application Ser. No. 09/479,551, filed Jan. 7, 2000, and entitled “EMBEDDED MICROPROCESSOR MULTI-LEVEL SECURITY SYSTEM IN FLASH MEMORY” (Atty. Dkt. No. CYGL-24,693), issued Sep. 2, 2003 as U.S. Pat. No. 6,615,324.
The present disclosure pertains in general to memory systems and, more particularly, to a data protected memory system.
Currently available memory systems are typically interfaced with a microprocessor core, which microprocessor core is operable to access any and all locations in the memory by generating an appropriate address. The processor requires access to the memory in order to both execute instructions and also read data from an address location or write data thereto.
In some situations, certain instructions are proprietary in nature and it is the desire of a manufacturer to protect that code. It is not the execution of the code that is to be protected but, rather, the ability of a user to gain access to the code, i.e., download the code, for reverse engineering thereof to determine the functionality that is embedded within the code. In systems that have provided this protected memory to prevent access to data or programs stored in the memory, circuitry is provided for monitoring the contents of the Program Counter and generating an inhibit signal whenever the Program Counter is at a certain value. This inhibit signal inhibits access to certain portions of the memory.
Additionally, protection of the memory is also important to the “lock” the memory from external access. This has typically been facilitated by generating lock bits in predetermined locations. Once these lock bits are set, the hardware will check a lock bit prior to allowing access to a particular section of memory. If a lock bit for that memory is set, then access to the memory for a read or write, depending upon which function is locked, will be prohibited. In order to reset the lock bit, the entire memory has to be erased.
The present disclosure comprises, in one aspect thereof, a method for protecting a memory space from external access. A plurality of lock bits are stored in a location in memory, each associated with a separate logical portion of the memory space and determinative as to the access thereof for a predetermined operation thereon. A request is then detected for access to a location in the memory space for operating thereon. The requested operation is then compared with the associated lock bit in the associated logical portion and then it is determined if access is allowed for the requested operation. If allowed, the requested operation is performed.
For a more complete understanding of the present disclosure and the advantages thereof, reference is now made to the following description taken in conjunction with the accompanying Drawings in which:
Referring now to
Referring now to
Referring now to
The Program Counter (PC) is basically a pointer that defines an address for a particular instruction to be carried out. When this Program Counter address is generated, it is placed onto the address bus and the information at that address location extracted therefrom and routed to the processor core 204 for operations thereon. In the execution of the various instructions, the Program Counter may actually jump from the user space 308 up to the restricted space 306 to execute instructions therein. This is allowed in accordance with the embodiment herein to facilitate executing instructions in the restricted space 306 in response to a “call” instruction executed in the user space 308. However, as will be further described hereinbelow, instructions in the user space 308 cannot generate an address for the purpose of reading data from the restricted space 306 which would allow output of information stored in the restricted space from the system. The protective operation described herein is operable to prevent such an operation from occurring.
Referring now to
By executing instructions in the user portion 402 or the user portion 414 of the flowchart, the protective circuitry, as will be described hereinbelow, prohibits any instructions from accessing an addressable location within the restricted space 306 for reading of information therein or writing of information thereto. This is facilitated by examining the contents of the address bus and determining whether the contents of the address bus constitute an address for the purpose of reading or writing data or they constitute a Program Counter value for the purpose of executing an instruction. If the program is operating in the user space and the information placed on the address bus is that of an address, as opposed to a Program Counter value, then the system is restricted. However, once the program is jumped over to the restricted space 408 through the incrementing of the Program Counter to an addressable location within the restricted space and placing of that Program Counter value on the address bus, then the operation will be transferred to the restricted space. Once in the restricted space, the program in the restricted space is capable of reading information from an addressable location anywhere in the memory and writing information thereto. This, of course, will be under the control of proprietary software and not under the control of user-generated software in the user space 308.
Referring now to
The control logic block 520 is operable, when a determination is made that access is to be prohibited, to take one of a number of actions. One action could be to actually inhibit the address from being routed to the memory 14; one action could be to alter the address such that the desired location is not actually addressed, but the address is forced to the unrestricted space. Another action could be to inhibit output of data during that time or to output a preset data value such as an eight bit value of 00h. A further action is to inhibit the control circuitry feeding the memory. Each of these different alternatives will be described hereinbelow. However, it should be understood that any manner of preventing access to information within the memory, once it has been determined that access to the restricted space is to be denied, would be anticipated by the present disclosure.
In order to describe how the system operates with respect to the Program Counter and the contents of the address register which can selectively be placed on the address bus, reference is made to the following Table 1.
In Table 1, it can be seen that there is provided the content of the memory location being addressed, the value of the Program Counter, the value actually placed on the address bus and the contents of the address bus. In the first line, the Program Counter is initiated at a value of 0001h representing the first instructions which are initiated at the first location in the memory. By example, this is a move command which is operable to control information to the access from the memory and move to a register, such an accumulator or another location. This is referred to as the command “MOVEC.” This constitutes the Opcode. The second part of the instruction will be the Operand, which, in this instance, will be output when the Program Counter changes to 0002h. This results in the eight-bit value CDh being output on the address bus in the next operation. Therefore, for the first two steps, it can be seen that the Program Counter value can be placed onto the address bus for the purpose of addressing the memory. The eight-bit Operand CDh constitutes an operation wherein this eight-bit value is appended onto another value, in this example, an eight-bit value of 00h to result in the overall address value of 00CDh. At this point in time, the address bus value is an address value that is output from an address register and, therefore, the contents of the Program Counter are a “don't care.” As the instructions continue, the Program Counter will be incremented up to or jumped to a value of 00F1h. The Opcode in the memory will be a long jump command, LJMP, which requires both the high and low address values to the output over the next two increments of the Program Counter. The first address will be a PC counter value of 00F2h at the value of FEh, and the next Program Counter increment of 00F3h will result in an Operand of FEh being output. These two Operands are assembled as the high and low portions of the memory address and placed into the Program Register as an address FEFEh. This constitutes a new Program Counter value which is then the subject of some command in the memory, a PUSH command in this example, although it could be any type of command, the result of the overall LJMP operation being to increment the Program Counter the value FEFEh to execute this command.
To illustrate the operation wherein a data move command is allowed within the restricted space, a third section of the code is illustrated. This is initiated at a program counter value of FEFEh as a MOVEC command. This is operable to, on the next two increments of the program counter to FEFFh and FF00h, respectively, to output the two operands FFh and FFh. This results in an address value of FFFFh being placed onto the address bus to extract data from that location in the restricted space, wherein the boundary between the restricted space and the user space is the address F000h. The system will examine the fact that the PC value on the previous operand was within the restricted space, but that it was an allowed operation, since the instruction originated within the restricted space due to the fact that the program counter exists in the restricted space.
In a fourth section of the code, originating with a MOVEC command at an address of 00FEh Program Counter value, an address attempt is made to the address location FFFFh. If the limit between the restricted and user space is an address location of F000h, then this would indicate that a command originating in the user location 00FEh was trying to attempt to place an address on the address bus that was in the restricted area, i.e., attempting to extract data therefrom. It can be seen by comparison of the last two sections of the code, that an instruction originating in the restricted space accessing information in the restricted space (or even in the user space) is allowed, wherein access to information in the restricted space in response to an instruction from the user space is not allowed.
In the operation described in Table 1, a decision would be made at the point that the commands in the memory would result in an address being placed onto the address bus. It is at this point in time that the system examines the location within the memory of the Program Counter, and then also looks at the address to determine whether the address is seeking to address information within the user space or the restricted space. As described hereinabove and as will be further described hereinbelow in more detail, if the Program Counter is in user space, addressing information in restricted space for the purpose of outputting this information or examining the contents thereof will be prohibited. Alternatively, if the Program Counter is within the restricted space, i.e., executing instructions of a proprietary nature to the chip vendor, then addressing within the restricted space or the user space will be permitted.
Referring now to
The control device 206 is operable to store the limit information and provide that on a bus 614 to the microprocessor core 204 as the Program Counter limit, represented by a phantom block 616. Internal to the microprocessor core 204, in one embodiment, the comparison operation compares the actual value of the Program Counter with the PC limit in phantom block 616. This is output by a phantom block 618 which is labeled “PC Compare.” This is output as a signal on a signal line 620 to the control block 206.
The control block 206 is operable to interface with, and include as part thereof, an address modifying the circuit, which is comprised in this example of multiplexer 622. The multiplexer 622 is operable to receive a portion of the address on an address bus 624, which address is also input to the control block 206, this operation described in more detail hereinbelow. This portion of the address can be modified and output to the multiplexer on a bus 626. The multiplexer 622 is controlled by a control line 628 such that the multiplexer can output the full address on bus 624 or a modified address on a bus 626. This modified address basically is operable to inhibit address input to the memory 202 when it is determined that this address is the result of a program instruction that is attempting to download or move data from the restricted portion of the memory space when the instruction code is derived from the user portion of the memory space. During operation of the memory 202, when program instructions are extracted from the memory 202 in response to a Program Counter value as an address being placed on the address bus 624, then program data will be output on the output bus 602 into a program data input on microprocessor 4204 via the data bus 602. Further, there is provided a register interface 630 between the control block 206 and the microprocessor core 204. This is a flash access control function provided by the control block 206 and is generally a conventional access to a flash memory. Serial data can be input to the flash memory via the input bus 610 and data read therefrom for the purpose of programming the memory initially and for programming instruction registers in the control block 206, this being a configuration operation—a conventional operation.
Referring now to
The comparator 706 is operable to compare the value of the Program Counter with the value in the user limit register. In this manner, the comparator will provide an output on a signal line 712 which will indicate whether the Program Counter is in the restricted or in the user space with a public/private signal. This signal line 712 is input to logic block 714.
The address register 704 in the microprocessor 204 is output on an address bus 720, which has a width of N. This bus has a portion of the bits thereof extracted therefrom, there being M bits extracted therefrom on a bus 722. Therefore, the bus 720 is divided into a bus 722 with M bus lines and a bus 724 with N−M bus lines. The bus 722 is input to a logic block 714, this typically representing the upper block of memory. If there is no inhibit operation on the memory 202 to be performed due to an attempt to access data in the restricted space while operating the program in the user space, then the logic 714 will pass the received bits on the bus 722 out onto a bus 730 to be combined with the bus 724 on a bus 732. The bus 730 provides the bits M′ wherein the bus 732 provides bits N′. This represents a situation wherein the bus may actually be modified by having the upper block altered. Typically, the upper block of memory addressing bits, the M bits, will be altered in the event of a positive decision on the signal line 712 that the Program Counter 702 is operating in the public area and the address output thereof is from the address register 704 and is addressing information in the private area. It should be understood that this example illustrates an address from the address register 704 where, in program situations, the information on the address bus 720 is from the Program Counter 702. This is not illustrated for simplicity purposes. However, the conduct of the address bus 720 is typically selected by a multiplexer (not shown) that selects either the output of the address register 704 or the output Program Counter 702.
Referring now to
The contents of the address bus 810 are compared with that of the user limit register 710 with a comparator 818. This comparator 818 determines whether the address is in the public or private region of the address space, i.e., the user or restricted space, respectively. The output of this comparison operation is input to a logic block 820 which also receives the signal on the signal line 814. This logic block 820 provides an output indicating a positive decision whenever it is determined that the contents of the PC register 702 are not output on the bus 810, i.e., the contents of the address register 704 output on the address bus 810 and that the address is above the limit in the limit register 710. This positive result indicates an unauthorized attempt to access the memory 202 in the restricted space. A signal is output on a line 824 to a multiplexer 826, which multiplexer 826 will select either the data output of the memory 202 or a value of 0000h, a “null” value. For a positive result, the null value is selected for input to the memory 204 on the program data input via a bus 828. Logic block 820, in the alternate operational mode in the restricted space, can determine that the Program Counter value is selected for output on the bus 810 and that the Program Counter value is in the restricted address space. This indicates a program instruction that is generated by the program in the restricted space. This is latched by the logic block 820, since the comparator 818 will indicate this as being in the private region. Therefore, an indication on the line 814 that the Program Counter 702 is selected by the multiplexer 802 and that the information on the address bus 810 is in the private or restricted space is latched such that, if a subsequent instruction indicates that the contents of the address register 704 are selected, i.e., the signal line 814 indicates that the address register is selected, and that the address is attempting to address information in the memory 202, this will be allowed due to the fact that the previous program instruction was generated by program instructions in the restricted space.
A Verilog output is provided representing the operation wherein access to data in the memory with an address that is greater than the read limit resulting from the program instruction executed in the reader space:
Referring now to
Referring now to
Referring now to
In addition to the above noted operations of the reserved space and the user space, there is also the provision for protecting all or a portion of the reserved space or the user space from reading or writing, after creation thereof. This utilizes lock bits which are stored in a reserve lock byte 1106 in the reserve space 1102 for locking all or a portion of the reserve space, and in a user lock byte 1108 in the user space 1104, which is associated with all or a portion of the user space 1104. The reserve lock bits in the lock byte 1106 each are associated with a page of the reserve space 1102. Once set to a logic “0,” this particular page and all addressable locations therein is locked and cannot be unlocked without erasure of the page. Similarly, the user lock byte contains user lock bits each associated with a page in the user space 1104. Once the lock bit has been set to a logic “0” for that page, access thereto for reading or writing/erasure is prohibited. It should be noted that the lock bit can be associated with reading or writing/erasure. It is also noted that each of the reserve lock byte 1106 and user lock byte 1108 is comprised of two bytes, one for reading and one for writing/erasing. This is illustrated a lock byte 1110 for locking read operations in select portions of the reserve space 1102 and a lock byte 1112 for locking write/erase operations in the reserve space. A lock byte 1114 is associated with locking read operations in the user space and a lock byte 1116 is associated with locking write/erase operations in the user space.
It is noted that the user lock byte 1108 is disposed at the upper portion of the user space which upper portion is defined by the user limit 1118, this being a variable location. This value is typically stored somewhere in the reserve space, typically in the upper portion of the memory in a reserve space 1102, a known location and not variable. This is typically associated with a number of different vectors defining various operations in the user space. By reading this value from the user space, the system then knows where the user limit is and subsequently, where the user lock byte resides. The user lock byte and the reserve lock byte are always located in the upper portion of the associated space.
As will be described hereinbelow, the user space lock byte is erased by erasing one logical block of memory at a time, i.e., a page, beginning at the lower end thereof until the user lock byte 1108 is erased. To erase the reserve space lock byte, the entire memory must be erased. However, a single sector or page can be erased in either section if it is not locked.
Referring now to
The control state machine can receive either a READ request, a WRITE request, a page erase request or a user space erase request, in addition to an entire memory erase command. In order to execute these commands, it is necessary to access the various lock bytes, the limit address and the such. A multiplexer 1210 is provided which is controlled by the control state machine 1206 to select various addresses. These addresses are the user limit address, which defines where the user lock bytes are stored, which is facilitated by accessing the memory 1202 at the upper address therein where the limit address is stored, reading this information and then storing this information in a user limit register 1212. It is noted that the location of the lock byte for the user space is hard coded as being at a predetermined address in the top page therein and, in the preferred embodiment, in the top two bytes therein. The reserve read and write/erase lock address is a value that is hard coded in the hardware and is provided as an input to the multiplexer 1210, this being the top of the memory space and a known and fixed value. The user lock address determined from the user limit address is provided in addition to a general user address, this being the address that a user inputs into the memory. In addition, the multiplexer 1210 receives the output of a page counter 1214 which counts pages in the user space as will be described hereinbelow.
When the lock bits are read for either the user space or the reserved space, they are stored in a register 1214 for use by the control state machine. Additionally, the user limit register 1212 is loaded initially by the control state machine by reading the upper addressable location in the memory. In order to read the lock bits, the lock bits for the reserve space are read by selecting the reserve read/write lock address with the multiplexer 1210 and, for the user space, selecting the user limit address.
When erasing the user lock byte in the user space, it is necessary to erase the lower pages of memory first, since the memory is organized in logical blocks of 512 bytes. These logical pages must be erased one at a time and, as such, one cannot erase the memory location containing the user lock byte until all lower pages or blocks have been erased. Therefore, the counter is utilized to begin erasing the lower page first up to the upper page. A comparator 1220 is provided for comparing the user limit address value with the value in the page counter, this constituting the upper address in the page. When the page counter exceeds this value, then the page counter is stopped, this being a control signal output by the comparator 1220.
Referring now to
Referring now to
Referring now to
Although the preferred embodiment has been described in detail, it should be understood that various changes, substitutions and alterations can be made therein without departing from the spirit and scope of the disclosure as defined by the appended claims.