WO2002069115A2 - A security system with an intelligent dma controller - Google Patents

A security system with an intelligent dma controller Download PDF

Info

Publication number
WO2002069115A2
WO2002069115A2 PCT/US2002/006384 US0206384W WO02069115A2 WO 2002069115 A2 WO2002069115 A2 WO 2002069115A2 US 0206384 W US0206384 W US 0206384W WO 02069115 A2 WO02069115 A2 WO 02069115A2
Authority
WO
WIPO (PCT)
Prior art keywords
data
security
data object
data bits
des
Prior art date
Application number
PCT/US2002/006384
Other languages
French (fr)
Other versions
WO2002069115A3 (en
Inventor
George Apostol, Jr.
Peter N. Dinh
Original Assignee
Brecis Communications Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Brecis Communications Corporation filed Critical Brecis Communications Corporation
Priority to AU2002252173A priority Critical patent/AU2002252173A1/en
Priority to US10/469,467 priority patent/US7436954B2/en
Publication of WO2002069115A2 publication Critical patent/WO2002069115A2/en
Publication of WO2002069115A3 publication Critical patent/WO2002069115A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/14Handling requests for interconnection or transfer
    • G06F13/20Handling requests for interconnection or transfer for access to input/output bus
    • G06F13/28Handling requests for interconnection or transfer for access to input/output bus using burst mode transfer, e.g. direct memory access DMA, cycle steal
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/14Handling requests for interconnection or transfer
    • G06F13/16Handling requests for interconnection or transfer for access to memory bus
    • G06F13/1605Handling requests for interconnection or transfer for access to memory bus based on arbitration
    • G06F13/161Handling requests for interconnection or transfer for access to memory bus based on arbitration with latency improvement
    • G06F13/1621Handling requests for interconnection or transfer for access to memory bus based on arbitration with latency improvement by maintaining request order
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/14Handling requests for interconnection or transfer
    • G06F13/16Handling requests for interconnection or transfer for access to memory bus
    • G06F13/1668Details of memory controller
    • G06F13/1673Details of memory controller using buffers
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/14Handling requests for interconnection or transfer
    • G06F13/36Handling requests for interconnection or transfer for access to common bus or bus system
    • G06F13/362Handling requests for interconnection or transfer for access to common bus or bus system with centralised access control
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/14Handling requests for interconnection or transfer
    • G06F13/36Handling requests for interconnection or transfer for access to common bus or bus system
    • G06F13/362Handling requests for interconnection or transfer for access to common bus or bus system with centralised access control
    • G06F13/364Handling requests for interconnection or transfer for access to common bus or bus system with centralised access control using independent requests or grants, e.g. using separated request and grant lines
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2213/00Indexing scheme relating to interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F2213/0038System on Chip

Definitions

  • the present invention relates to the field of security. More specifically, the present invention relates to the provision of a security subsystem having an intelligent direct memory access (DMA) controller in a multi-service system-on- chip to improve operational efficiency.
  • DMA direct memory access
  • security operations and “security methods” as used in the present application include all known security operations/methods, as well as to be discovered security operations/methods that are compatible with the present invention.
  • known security operations/methods include but are not limited to Data Encryption Standard (DES) methods and operations of all types, Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), and so forth, and hashing operations of all types, Message Digest (MD5), Secure HASH Algorithm (SHA- 1 ) and so forth.
  • the security methods or operations often have to be performed for data of various types, including audio, video and other data, and of various subsystems, such as the subsystem responsible for interfacing the SOC to a network, the subsystem responsible for interfacing the SOC to a telecommunication line and so forth.
  • FIG. 1 illustrates an overview of a system-on-chip including a security subsystem incorporated with the teachings of the present invention, in accordance with one embodiment
  • FIG. 2 illustrates the method of the present invention, in accordance with one embodiment
  • Figure 3 illustrates the data descriptor of the present invention in further details, in accordance with one embodiment
  • Figures 4a-4d illustrate the base and continuation portion of a data descriptor in further details, in accordance with one embodiment
  • FIG. 5 illustrates the security subsystem of the present invention in further details, in accordance with one embodiment
  • Figures 6a-6b illustrate the control and status registers of the security subsystem of Fig. 5 in further details, in accordance with one embodiment
  • Figure 7 illustrates the further provision of a data traffic router for a DES security engine to support multiple variants of DES operations, in accordance with one embodiment
  • Figure 8 illustrates the data traffic router of Fig. 7 in further details, in accordance with one embodiment.
  • Figure 9 illustrates the operational flow of the relevant aspects of the controller of the security subsystem of Fig. 5 in further details, in accordance with one embodiment.
  • the present invention includes a security subsystem equipped with an intelligent DMA controller having particular application to system-on-chips with subsystems requiring security services.
  • the security services may include encryption/decryption services/operations, such as DES based encryptions/decryptions, and/or hashing operations, such as MD5 and SHA-1.
  • the present invention advantageously improves the operational efficiency of the system-on-chip, in particular, offloading the controller processor of a system-on-chip.
  • FIG. 1 a block diagram illustrating an overview of a SOC 100 including control processor 102, memory 104, security subsystem 106 incorporated with the teachings of the present invention, and other subsystems 108, in accordance with one embodiment, is shown.
  • control processor 102, memory 104, security subsystem 106 and other subsystems 108 are coupled to each other via on- chip bus 110, and communicate with each other in accordance with a predetermined bus protocol.
  • the on-chip bus and the bus protocol is the on-chip bus described in co-pending U.S.
  • Security subsystem 106 equipped with the teachings of present invention, is employed to provide security services/operations to meet the security service/operation needs of subsystems 108.
  • security subsystem 106 includes intelligent DMA 120 of the present invention. Resultantly, unless so desired, upon requested, security subsystem 106 may service a security need of one of subsystems 108 substantially without further interactions with control processor 102 and the requesting subsystem 108, thereby improving the overall operational efficiency of SOC 100.
  • subsystems 108 may otherwise be any one of a broad range of subsystems known in the art or to be developed. Examples of such subsystems include but are not limited to voice processors, peripheral device controllers, framer processors, network media access controllers, and the like. The exact mix is application dependent and non-essential to the practice of the present invention.
  • memory 104 may otherwise be any one of a broad range of volatile or non-volatile storage units known in the art or to be developed.
  • the memory 104 is a storage unit with multiple access paths, which is the subject matter of the aforementioned co-pending and incorporated by reference U.S. patent application 'xxx.
  • Control processor 102 controls the overall operation of SOC 100.
  • the control includes instructing security system 106 to perform a security operation on a data object 116 on behalf of one of subsystems 108, which instruction may be responsive to the request of the subsystem.
  • the exact nature of the remaining control performed by control processor 102 is application dependent, and is not essential to the practice of the present invention.
  • control processor 102 is one of primary beneficiaries of the present invention.
  • control processor 102 includes instruction cache 112 and data cache 114, to facilitate performance of its control operations.
  • a subsystem 108 having a secu ⁇ ty service need for a data object first sets up in memory 104 the data object, and a descriptor describing the data object, including the security operation to be performed and the operational parameters of the security operation, block 202.
  • a data object 116 to have a security operation performed may comprise a number of data segments 116a-116n, with each data segments having a number of data bits.
  • the number of data bits in each data segment may be greater than, equal to, or less than the data bit size of an atomic block of data on which the request security operation operates.
  • a DES operation operates on 64-bit data blocks, accordingly, a data segment of a data object to have a DES operation performed may be greater than, equal to, or less than 64 bits.
  • a MD5/SHA-1 operation operates on 512-bit data blocks
  • a data segment of a data object to have a MD5/SHA-1 operation performed may be greater than, equal to, or less than 512 bits.
  • the various data segments may be stored in contiguous or discontiguous memory locations, and need not be aligned to any word boundaries.
  • a descriptor 118 describing a data object 116, the security operation to be performed, and the operation parameters, may include one or more parts, i.e.
  • a base part 118a and zero or more continuation parts 118n with the base part 118a describing the first data segment 116a, the security operation to be performed for all data segments 116a-116n and the operation parameters, and the continuation parts 118n correspondingly describing the additional data segments 116n, to be described more fully below.
  • the subsystem 108 upon setting up the data object 116 to have a security operation performed, and its descriptor 118, for the embodiment, the subsystem 108 requests control processor 102 to cause the desired security operation to be performed, block 204. Since, for the embodiment, the security operation to be performed, including the operation parameters, are described by the data descriptor 118 of the data object 116, accordingly only the location of the descriptor 118 needs to be made available to control processor 102. The information may be made available in any one of a number of manners known in the art.
  • the starting location of the descriptor may be place in a predetermined location associated with a particular interrupt, and the subsystem 108 interrupts control processor 102 accordingly, upon setting up the data object 116, its descriptor 118, and placement of the starting location of the descriptor 118 in the predetermined location.
  • the starting location of the descriptor 108 may be included as part of the security service request, and the security service request may be communicated to control processor 102 via a communication packet.
  • control processor 102 instructs security subsystem 106 to perform the requested security operation for the data object 116, including with the instruction, the starting location of the descriptor 118 of the data object 116, block 206.
  • the instruction is provided to security subsystem 106 in the form of a communication packet over bus 110.
  • security subsystem 106 first loads the base part 118a of the descriptor 118 of the data object 116, and thereafter successively updates the descriptor 118 with its continuation parts 118n, and in parallel, based on the descriptive information provided therein over time, successively fetches the data bits of the data segment 116a, organizes the data bits into the atomic data blocks of the requested security operation, provides the organized data blocks to the appropriate security engine for the requested security operation, causes the security engine to perform the security operation on the provided data blocks, and writes back the results of the security operation, block 208.
  • FIGS. 4a-4d illustrate descriptor 118 of a data object 116, in accordance with one embodiment. More specifically, Fig. 4a illustrates the base part 118a of a descriptor 118 for a DES operation for a data object 116, in accordance with one embodiment; Fig. 4b illustrates a continuation part 118b of a descriptor 118 for a DES operation for a data object 116, in accordance with one embodiment; Fig. 4c illustrates the base part 118a of a descriptor 118 for a hashing operation for a data object 116, in accordance with one embodiment; and Fig. 4d illustrates a continuation part 118b of a descriptor 118 for a hashing operation for a data object 116, in accordance with one embodiment.
  • the base part 118a of a descriptor 118 for a DES operation includes a next descriptor/part address 402 identifying the starting word location in memory 104 where the next part 118n of the descriptor 118 or the base part 118a of a next descriptor 118 is stored.
  • the residual unused least significant bits are employed to facilitate identification of the part as being a base part 118a of a descriptor 118, and the next descriptor/part address information is valid, and may be acted on by the security subsystem 106.
  • Base part 118a for a DES operation also includes a buffer size 404 and a starting address 406 (in memory 104) of the source buffer holding the base data segment 116a being described.
  • Base part 118a also includes the starting address 408 (in memory 104) for the destination buffer for writing back the results of the security operation for the corresponding data bits of the base data segment 116a.
  • base part 118a for a DES operation also includes mode 410 specifying the type of DES operation, i.e. ECB, CBC or CFB, to be performed, and descriptor identifier 412 of the descriptor. Further, base part 118a of a DES operation also describes up to three keys 418-420, 422-424 and 426-428 for the DES operation, and for CBC or CFB mode of operation, base part 118a also describes the initial vector 414-416 of the DES operation.
  • mode 410 specifying the type of DES operation, i.e. ECB, CBC or CFB, to be performed
  • descriptor identifier 412 of the descriptor i.e. ECB, CBC or CFB
  • base part 118a of a DES operation also describes up to three keys 418-420, 422-424 and 426-428 for the DES operation, and for CBC or CFB mode of operation, base part 118a also describes the initial vector 414-416 of the DES
  • the continuation part 118n of a descriptor 118 for a DES operation also includes a next descriptor/part address 432 identifying the starting word location of memory 104 where the next part 118n of the descriptor 118 or the base part 118a of a next descriptor 118 is stored.
  • the residual least significant bits are employed to facilitate identification of the part as being a continuation of a descriptor 118, and the next descriptor/part address information is valid, and may be acted on by the security subsystem 106.
  • a continuation part 118n of a descriptor 118 of a DES operation also includes a buffer size 434 and a starting address 436 (in memory 104) of the source buffer holding the continuation data segment 116n being described.
  • Continuation part 118n also includes the starting address 438 (in memory 104) for the destination buffer for writing back the results of the security operation for the corresponding data bits of the continuation data segment 116n.
  • the base part 118a of a descriptor 118 for a hashing operation includes a next descriptor/part address 442 identifying the starting word location in memory 104 where the next part 118n of the descriptor 118 or the base part 118a of a next descriptor 118 is stored.
  • the residual unused least significant bits are employed to facilitate identification of the part as being a base part 118a of a descriptor 118, and the next descriptor/part address information is valid, and may be acted on by the security subsystem 106.
  • Base part 118a for a hashing operation also includes a buffer size 444 and a starting address 446 (in memory 104) of the source buffer holding the base data segment 116a being described.
  • Base part 118a also includes the starting address 448 (in memory 104) for the destination buffer for writing back the results of the security operation for the corresponding data bits of the base data segment 116a.
  • base part 118a for a hashing operation also includes mode 450 specifying the type of hashing operation, e.g. MD5 or SHA-1 , to be performed, and descriptor identifier 452 of the descriptor. Further, base part 118a of a hashing operation also describes at least four chaining variable 454- 460, for the hashing operation, and for the SHA-1 mode of operation, a fifth chaining variable 462. For a MD5 hashing operation, base part 118a also describes the "must write filer data" 462-464 of the hashing operation.
  • Continuation part 118n of a descriptor 118 for a hashing operation includes a next descriptor/part address 472 identifying the starting word location of memory 104 where the next part 118n of the descriptor 118 or the base part 118a of a next descriptor 118 is stored.
  • the residual unused least significant bits are employed to facilitate identification of the part as being a continuation of a descriptor 118, and the next descriptor/part address information is valid, and may be acted on by the security subsystem 106.
  • Continuation part 118n of a descriptor 118 of a hashing operation also includes a buffer size 474 and a starting address 476 (in memory 104) of the source buffer holding the continuation data segment 116n being described.
  • Continuation part 118n also includes the starting address 478 (in memory 104) for the destination buffer for writing back the results of the security operation for the corresponding data bits of the continuation data segment 116n.
  • FIG. 5 illustrates security subsystem 106 of the present invention in further details, in accordance with one embodiment.
  • security subsystem 106 includes controller 502, registers 504, data transfer unit 506 and security engines 122, coupled to each other as shown.
  • Data transfer unit 506 is employed to facilitate receipt of instructions from control processor 102 to perform security operations for various data objects 116, access and receipt of the various parts of the descriptors 118 of the various data objects 116, access and receipt of the various data segments of the various data objects 116, and write back of the results of the various security operations.
  • One embodiment of data transfer unit 506 is described in the aforementioned 'xxx copending and incorporated by reference U.S. patent application. In alternate embodiments, other data interfaces may be employed instead.
  • Registers 504 include a number of collections, with each collection employed to store a fetched descriptor, e.g. one collection to store the descriptor of a DES operation to be or being performed, and another collection to store the descriptor of a hashing operation to be or being performed.
  • two collections of registers with one collection dedicated to support a DES operation, and another collection dedicated to support a hashing operation, are provided.
  • registers 504 also include a number of collections of control registers, one collection each for each security operation concurrently supported, to facilitate control processor 102 in specifying for security subsystem 106 a number of general operation parameters for performing the corresponding security operation.
  • two such collections one for a DES operation and another for a hashing operation, are supported. The content and meaning of these control parameters for one embodiment is described in further detail below referencing Fig. 6a.
  • registers 504 also include a number of collections of status registers, one collection each for each security operation concurrently supported, to facilitate appraising control processor 102 of the current status of security subsystem 106 for the corresponding security operation.
  • two such collections, one for DES operation and another for hashing operation are supported. The content and meaning of these status for one embodiment is described in further detail below referencing Fig. 6b.
  • Registers 504 may be implemented via any one of a number of techniques known in the art.
  • a multi-port addressable memory unit is employed to implement all registers 504 in a single storage unit.
  • Security engines 106 are employed to perform security operations of corresponding types.
  • one security engine coupled with a data traffic router for performing various types of DES operations, ECB, CBC and CFB (see Fig. 7 where data traffic router is shown as element 702), one security engine for performing MD5 hashing operations, and one security engine for performing SHA-1 hashing operations are provided. Any one of a number of implementations known in the art may be employed to implement the various security engine cores, i.e.
  • the security engine core for performing DEA ECB, CBC and CFB operations the security engine core for performing MD5 hashing operations
  • the security engine core for performing SHA-1 hashing operations Their exact implementations are not essential aspects of the present invention.
  • One embodiment of the data traffic router enabling a single DES security engine core to be provided for multiple modes of DES security operations will be further described below, referencing Fig. 8.
  • Controller 502 controls the operation of data transfer unit 506, registers 504 and security engines 106.
  • the relevant operational flow for one embodiment will be described in further details below, referencing Fig. 9.
  • Figure 6a-6b illustrate one each of a collection of control registers 600 and a collection of status registers 620 for a security operation concurrently supported, e.g. a DES operation, or a hashing operation.
  • Control registers 600 include register 602 for control processor 102 to globally disable or enable interrupt mode of operation for the security operation. Control registers 600 also include registers 604-608 for control processor 102 to instruct security subsystem 106 to interrupt control processor 102 upon completion of a data segment, upon completion of a data object or upon encountering an operation error while performing the security operation. Further, control registers 600 include registers 610-616 for control processor 102 to instruct security subsystem 106 to stop the security operation on completion of a data segment (including completion of a data object), halt operation altogether, to reset, or to start/continue for the security operation.
  • Status registers 620 include registers 622-623 for conveying to control processor 102 a bad write address was encountered by security subsystem 106, and the remaining byte counts of the results of the security operation. Status registers 620 also include registers 624-628 for conveying to control processor 102 an interrupt is pending, where the interrupt is issued by security system 106 upon completion of a data segment, completion of a data object or encountering an error, for the security operation. Status registers 620 also include registers 630-632 for conveying to control processor 102 that processing for a data segment or a data object has been completed for the security operation. Further, status registers 620 include registers 634-638 for conveying to control processor 102 that the subsystem is "on", its outputs are valid, or it is busy.
  • Data Traffic Router Figure 8 illustrates data traffic router 702 of Figure 7 in further details, in accordance with one embodiment.
  • data traffic router 702 includes a number of AND gates 802a-802c, a number of multiplexors 804a- 804b, and a number of XOR gates 806a-806b, coupled to each other as shown.
  • AND gate 802a receives the data block (datajn) of the security operation and control variable A as inputs, and perform a logical AND operation on the inputs.
  • the result of the logical AND operation is provided to XOR gate 806a, which also receives the output of AND gate 802b as its other input.
  • XOR gate 806a performs the logical XOR operation on its inputs, and the output is provided as input to the DES security engine core.
  • the output of AND gate 802b is generated based on the output of multiplexor 804a and control variable B.
  • the output of multiplexor 804 is either the initial vector outputted from the earlier described initial vector registers, or the result of the DES operation on a prior data block, depending on the control variable C.
  • XOR gate 806b receives the output from the DES security engine core and the output of AND gate 802c as inputs, and performs a logical XOR operation on the inputs to produce the current result of the DES security operation (data_out).
  • the output of AND gate 802c is generated based on the output of multiplexor 804c and control variable D.
  • the output of multiplexor 804 is either the initial vector outputted from the earlier described initial vector registers, or the current input data block of the DES operation, depending on the control variable E.
  • FIG. 9 illustrates the relevant operational flow of controller 502 of Fig. 5 in further details, in accordance with one embodiment.
  • controller 502 of security subsystem 106 upon instructed by control processor 102, controller 502 of security subsystem 106 causes the base portion 118a of the addressed descriptor 118 to be loaded in the appropriate descriptor registers 504 for the specified security operation, e.g. the descriptor registers 504 for a DES operation or the descriptor registers 504 for a hashing operation, block 902.
  • controller 502 causes the data bits of the base data segment to be fetched via one or more fetches (for the embodiment of Fig. 5, through data transfer unit 506, block 904. The number of fetches required depends on the size of the data bits of the data segment and the width of the data bus between memory 104 and security subsystem 106.
  • controller 502 determines if sufficient amount of data bits to form an atomic block of data bits for the security operation has been accumulated, block 906. For as long as there are insufficient amount of data bits to form an atomic block of data bits for the security operation has been accumulated, and the end of the currently described data segment has not been reached, block 912, fetching, i.e. block 904, continues.
  • controller 502 causes the data bits to be organized into a data block, and forwarded to the appropriate security engine, block 908. In due course (typically after a pre-determined number of clock cycles), the result of the security operation on the provided data block becomes available. At such time, controller 502 causes the result to be written back to the storage locations of memory 104 as specified by the corresponding part of the descriptor 118, block 910.
  • controller 502 Concurrently, once an atomic data block is provided to the security engine for operation, controller 502 also continues operation back at block 912 to determine if the end of the currently described data segment has been reached. As described earlier, if the end of the currently described data segment has not been reached, controller 502 continues operation at block 904. If the end of the currently described data segment has been reached, controller 502 further determines if all data segments of the data object has been processed or if all processed, whether security operation for a next data object is to be started, block 914. For the embodiment, controller 502 makes the determination based on the earlier described next descriptor/part address and its associated valid bit denoting whether the next descriptor/part address is valid.
  • controller 502 causes a continuation part of the current descriptor or the base part of the next descriptor to be loaded into descriptor registers 504, block 916.
  • the descriptor of the data object is updated with the data segment related information describing a new data segment.
  • controller 502 determines if all data segments of the data object has been processed, block 914. If not, controller 504 causes a continuation part of the descriptor to loaded, updating the descriptor. For the embodiment, controller 504 also saves the address and size information of the previous part of the descriptor, e.g.
  • controller 504 is equipped with 8 sets of shadow registers, enabling it to fetch as many as 8 data segments to form one atomic data block of the security operation. In other embodiments, more or less sets of shadow registers may be employed instead.
  • the residual data bits are indicative of the fact that the data object has a size that is not modulo the size of the atomic data block of the security operation (64 bits in the case of a DES operation, and 512 bits in the case of hashing operation). For the embodiment, an error is returned, block 918.

Abstract

A security subsystem is provided with at least a first security engine (106), a first set of registers (602, 604-608) and a control portion to perform a first security operation for each of a first number of data blocks of each of a first number of data segments of a first data object (116). In one embodiment, the security subsystem is provided with two security engines (106) and two sets of registers to respectively perform the first security operation and a second security operation for the first data object and a similarly constituted second data object (116). In one embodiment, the first and second security operations are DES (122a) and hashing operations. In one embodiment, the multi-method security subsystem is embodied in a multi-service system-on-chip.

Description

A Security System with an Intelligent DMA Controller
Related Application This application claims priority to U.S. Provisional Application Number 60/272,439, entitled "MULTI-SERVICE PROCESSOR INCLUDING A MULTISERVICE BUS", filed 2/28/2001 , the specification of which is hereby fully incorporated by reference.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to the field of security. More specifically, the present invention relates to the provision of a security subsystem having an intelligent direct memory access (DMA) controller in a multi-service system-on- chip to improve operational efficiency.
2. Background Information
Advances in integrated circuit technology have led to the birth and proliferation of a wide variety of integrated circuits, including but not limited to application specific integrated circuits, micro-controllers, digital signal processors, general purpose microprocessors, and network processors. Recent advances have also led to the birth of what's known as "system on a chip" or SOC.
In various SOC applications, such as telecommunications, networking and content handling, it is often necessary to perform security operations of one or more types of security methods. The terms "security operations" and "security methods" as used in the present application include all known security operations/methods, as well as to be discovered security operations/methods that are compatible with the present invention. Examples of known security operations/methods include but are not limited to Data Encryption Standard (DES) methods and operations of all types, Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), and so forth, and hashing operations of all types, Message Digest (MD5), Secure HASH Algorithm (SHA- 1 ) and so forth.
Further, the security methods or operations often have to be performed for data of various types, including audio, video and other data, and of various subsystems, such as the subsystem responsible for interfacing the SOC to a network, the subsystem responsible for interfacing the SOC to a telecommunication line and so forth.
Thus, a need exists to provide or support security operations of multiple security methods or operations in an efficient manner.
BRIEF DESCRIPTION OF DRAWINGS
The present invention will be described by way of exemplary embodiments, but not limitations, illustrated in the accompanying drawings in which like references denote similar elements, and in which:
Figure 1 illustrates an overview of a system-on-chip including a security subsystem incorporated with the teachings of the present invention, in accordance with one embodiment;
Figure 2 illustrates the method of the present invention, in accordance with one embodiment;
Figure 3 illustrates the data descriptor of the present invention in further details, in accordance with one embodiment; Figures 4a-4d illustrate the base and continuation portion of a data descriptor in further details, in accordance with one embodiment;
Figure 5 illustrates the security subsystem of the present invention in further details, in accordance with one embodiment;
Figures 6a-6b illustrate the control and status registers of the security subsystem of Fig. 5 in further details, in accordance with one embodiment;
Figure 7 illustrates the further provision of a data traffic router for a DES security engine to support multiple variants of DES operations, in accordance with one embodiment;
Figure 8 illustrates the data traffic router of Fig. 7 in further details, in accordance with one embodiment; and
Figure 9 illustrates the operational flow of the relevant aspects of the controller of the security subsystem of Fig. 5 in further details, in accordance with one embodiment.
DETAILED DESCRIPTION OF THE INVENTION
The present invention includes a security subsystem equipped with an intelligent DMA controller having particular application to system-on-chips with subsystems requiring security services. The security services may include encryption/decryption services/operations, such as DES based encryptions/decryptions, and/or hashing operations, such as MD5 and SHA-1. The present invention advantageously improves the operational efficiency of the system-on-chip, in particular, offloading the controller processor of a system-on-chip.
In the following description, various features and arrangements will be described, to provide a thorough understanding of the present invention. However, the present invention may be practiced without some of the specific details or with alternate features/arrangement. In other instances, well-known features are omitted or simplified in order not to obscure the present invention.
The description to follow repeatedly uses the phrase "in one embodiment", which ordinarily does not refer to the same embodiment, although it may. The terms "comprising", "having", "including" and the like, as used in the present application, including in the claims, are synonymous.
Overview
Referring now to Figure 1 , wherein a block diagram illustrating an overview of a SOC 100 including control processor 102, memory 104, security subsystem 106 incorporated with the teachings of the present invention, and other subsystems 108, in accordance with one embodiment, is shown. As illustrated, for the embodiment, control processor 102, memory 104, security subsystem 106 and other subsystems 108 are coupled to each other via on- chip bus 110, and communicate with each other in accordance with a predetermined bus protocol. In one embodiment, the on-chip bus and the bus protocol is the on-chip bus described in co-pending U.S. application 10/xxx,xxx, contemporaneously filed, entitled "A Multi-Service System On-Chip Including On-Chip Memory with Multiple Access Paths", which specification is hereby fully incorporated by reference. In other embodiments, other bus architectures and other bus communication protocols may be employed instead.
Security subsystem 106 equipped with the teachings of present invention, is employed to provide security services/operations to meet the security service/operation needs of subsystems 108. As will be described in more details below, in addition to security engines 122 in support of various security methods, DES operations, hashing operations, and so forth, security subsystem 106 includes intelligent DMA 120 of the present invention. Resultantly, unless so desired, upon requested, security subsystem 106 may service a security need of one of subsystems 108 substantially without further interactions with control processor 102 and the requesting subsystem 108, thereby improving the overall operational efficiency of SOC 100.
The terms "security service" and "security operation" are used interchangeably in the present application, depending on which term is more instrumental in assisting in understanding the present invention. Their core meanings or the essence of their meanings are synonymous.
Except for the teachings of the present invention incorporated in subsystems 108, to allow subsystems 108 to have their security service needs met by security subsystem 106 in the aforementioned advantageous manner, subsystems 108 may otherwise be any one of a broad range of subsystems known in the art or to be developed. Examples of such subsystems include but are not limited to voice processors, peripheral device controllers, framer processors, network media access controllers, and the like. The exact mix is application dependent and non-essential to the practice of the present invention.
Except for its use for its conventional function of storing data, in particular data objects 116 to have security operations performed and data descriptors 118 of the present invention describing data objects 116 and the security operations to be performed, memory 104 may otherwise be any one of a broad range of volatile or non-volatile storage units known in the art or to be developed. In one embodiment, the memory 104 is a storage unit with multiple access paths, which is the subject matter of the aforementioned co-pending and incorporated by reference U.S. patent application 'xxx.
Control processor 102 controls the overall operation of SOC 100. In particular, for the embodiment, the control includes instructing security system 106 to perform a security operation on a data object 116 on behalf of one of subsystems 108, which instruction may be responsive to the request of the subsystem. The exact nature of the remaining control performed by control processor 102 is application dependent, and is not essential to the practice of the present invention. As alluded to earlier, control processor 102 is one of primary beneficiaries of the present invention. Further, for the illustrated embodiment, control processor 102 includes instruction cache 112 and data cache 114, to facilitate performance of its control operations.
Method
Referring now to Fig. 2, wherein a flow chart illustrating a method of the present invention, in accordance with one embodiment, is shown. As illustrated, in accordance with the present invention, a subsystem 108 having a secuπty service need for a data object, first sets up in memory 104 the data object, and a descriptor describing the data object, including the security operation to be performed and the operational parameters of the security operation, block 202.
Referring now briefly to Fig. 3, under the present invention, a data object 116 to have a security operation performed may comprise a number of data segments 116a-116n, with each data segments having a number of data bits. The number of data bits in each data segment may be greater than, equal to, or less than the data bit size of an atomic block of data on which the request security operation operates. For example, a DES operation operates on 64-bit data blocks, accordingly, a data segment of a data object to have a DES operation performed may be greater than, equal to, or less than 64 bits. Similarly, a MD5/SHA-1 operation operates on 512-bit data blocks, a data segment of a data object to have a MD5/SHA-1 operation performed may be greater than, equal to, or less than 512 bits. Further, the various data segments may be stored in contiguous or discontiguous memory locations, and need not be aligned to any word boundaries. A descriptor 118 describing a data object 116, the security operation to be performed, and the operation parameters, may include one or more parts, i.e. a base part 118a and zero or more continuation parts 118n, with the base part 118a describing the first data segment 116a, the security operation to be performed for all data segments 116a-116n and the operation parameters, and the continuation parts 118n correspondingly describing the additional data segments 116n, to be described more fully below.
Returning now to Figure 2, upon setting up the data object 116 to have a security operation performed, and its descriptor 118, for the embodiment, the subsystem 108 requests control processor 102 to cause the desired security operation to be performed, block 204. Since, for the embodiment, the security operation to be performed, including the operation parameters, are described by the data descriptor 118 of the data object 116, accordingly only the location of the descriptor 118 needs to be made available to control processor 102. The information may be made available in any one of a number of manners known in the art. For example, the starting location of the descriptor may be place in a predetermined location associated with a particular interrupt, and the subsystem 108 interrupts control processor 102 accordingly, upon setting up the data object 116, its descriptor 118, and placement of the starting location of the descriptor 118 in the predetermined location. As a further example, the starting location of the descriptor 108 may be included as part of the security service request, and the security service request may be communicated to control processor 102 via a communication packet.
Still referring to Figure 2, in response to the request, control processor 102 instructs security subsystem 106 to perform the requested security operation for the data object 116, including with the instruction, the starting location of the descriptor 118 of the data object 116, block 206. In one embodiment, the instruction is provided to security subsystem 106 in the form of a communication packet over bus 110.
In response, as will be described in more detail below, security subsystem 106 first loads the base part 118a of the descriptor 118 of the data object 116, and thereafter successively updates the descriptor 118 with its continuation parts 118n, and in parallel, based on the descriptive information provided therein over time, successively fetches the data bits of the data segment 116a, organizes the data bits into the atomic data blocks of the requested security operation, provides the organized data blocks to the appropriate security engine for the requested security operation, causes the security engine to perform the security operation on the provided data blocks, and writes back the results of the security operation, block 208.
Data Descriptor Figures 4a-4d illustrate descriptor 118 of a data object 116, in accordance with one embodiment. More specifically, Fig. 4a illustrates the base part 118a of a descriptor 118 for a DES operation for a data object 116, in accordance with one embodiment; Fig. 4b illustrates a continuation part 118b of a descriptor 118 for a DES operation for a data object 116, in accordance with one embodiment; Fig. 4c illustrates the base part 118a of a descriptor 118 for a hashing operation for a data object 116, in accordance with one embodiment; and Fig. 4d illustrates a continuation part 118b of a descriptor 118 for a hashing operation for a data object 116, in accordance with one embodiment.
As illustrated in Fig. 4a, for the embodiment, the base part 118a of a descriptor 118 for a DES operation includes a next descriptor/part address 402 identifying the starting word location in memory 104 where the next part 118n of the descriptor 118 or the base part 118a of a next descriptor 118 is stored. The residual unused least significant bits are employed to facilitate identification of the part as being a base part 118a of a descriptor 118, and the next descriptor/part address information is valid, and may be acted on by the security subsystem 106.
Base part 118a for a DES operation also includes a buffer size 404 and a starting address 406 (in memory 104) of the source buffer holding the base data segment 116a being described. Base part 118a also includes the starting address 408 (in memory 104) for the destination buffer for writing back the results of the security operation for the corresponding data bits of the base data segment 116a.
Additionally, base part 118a for a DES operation also includes mode 410 specifying the type of DES operation, i.e. ECB, CBC or CFB, to be performed, and descriptor identifier 412 of the descriptor. Further, base part 118a of a DES operation also describes up to three keys 418-420, 422-424 and 426-428 for the DES operation, and for CBC or CFB mode of operation, base part 118a also describes the initial vector 414-416 of the DES operation.
As illustrated in Fig. 4b, for the embodiment, the continuation part 118n of a descriptor 118 for a DES operation also includes a next descriptor/part address 432 identifying the starting word location of memory 104 where the next part 118n of the descriptor 118 or the base part 118a of a next descriptor 118 is stored. Similarly, the residual least significant bits are employed to facilitate identification of the part as being a continuation of a descriptor 118, and the next descriptor/part address information is valid, and may be acted on by the security subsystem 106.
Similar to the base part 118a of a descriptor 118 for a DES operation, a continuation part 118n of a descriptor 118 of a DES operation also includes a buffer size 434 and a starting address 436 (in memory 104) of the source buffer holding the continuation data segment 116n being described. Continuation part 118n also includes the starting address 438 (in memory 104) for the destination buffer for writing back the results of the security operation for the corresponding data bits of the continuation data segment 116n.
As illustrated in Fig. 4c, for the embodiment, the base part 118a of a descriptor 118 for a hashing operation includes a next descriptor/part address 442 identifying the starting word location in memory 104 where the next part 118n of the descriptor 118 or the base part 118a of a next descriptor 118 is stored. The residual unused least significant bits are employed to facilitate identification of the part as being a base part 118a of a descriptor 118, and the next descriptor/part address information is valid, and may be acted on by the security subsystem 106.
Base part 118a for a hashing operation also includes a buffer size 444 and a starting address 446 (in memory 104) of the source buffer holding the base data segment 116a being described. Base part 118a also includes the starting address 448 (in memory 104) for the destination buffer for writing back the results of the security operation for the corresponding data bits of the base data segment 116a.
Additionally, base part 118a for a hashing operation also includes mode 450 specifying the type of hashing operation, e.g. MD5 or SHA-1 , to be performed, and descriptor identifier 452 of the descriptor. Further, base part 118a of a hashing operation also describes at least four chaining variable 454- 460, for the hashing operation, and for the SHA-1 mode of operation, a fifth chaining variable 462. For a MD5 hashing operation, base part 118a also describes the "must write filer data" 462-464 of the hashing operation.
As illustrated in Fig. 4d, for the embodiment, the constitution of a continuation part 118n of a descriptor 118 for a hashing operation is the same as a continuation part 118n of a descriptor 118 for a hashing operation. Continuation part 118n of a descriptor 118 for a hashing operation includes a next descriptor/part address 472 identifying the starting word location of memory 104 where the next part 118n of the descriptor 118 or the base part 118a of a next descriptor 118 is stored. The residual unused least significant bits are employed to facilitate identification of the part as being a continuation of a descriptor 118, and the next descriptor/part address information is valid, and may be acted on by the security subsystem 106.
Continuation part 118n of a descriptor 118 of a hashing operation also includes a buffer size 474 and a starting address 476 (in memory 104) of the source buffer holding the continuation data segment 116n being described. Continuation part 118n also includes the starting address 478 (in memory 104) for the destination buffer for writing back the results of the security operation for the corresponding data bits of the continuation data segment 116n.
Security Subsystem
Figure 5 illustrates security subsystem 106 of the present invention in further details, in accordance with one embodiment. As illustrated, for the embodiment, security subsystem 106 includes controller 502, registers 504, data transfer unit 506 and security engines 122, coupled to each other as shown.
Data transfer unit 506 is employed to facilitate receipt of instructions from control processor 102 to perform security operations for various data objects 116, access and receipt of the various parts of the descriptors 118 of the various data objects 116, access and receipt of the various data segments of the various data objects 116, and write back of the results of the various security operations. One embodiment of data transfer unit 506 is described in the aforementioned 'xxx copending and incorporated by reference U.S. patent application. In alternate embodiments, other data interfaces may be employed instead.
Registers 504 include a number of collections, with each collection employed to store a fetched descriptor, e.g. one collection to store the descriptor of a DES operation to be or being performed, and another collection to store the descriptor of a hashing operation to be or being performed. In one embodiment, two collections of registers, with one collection dedicated to support a DES operation, and another collection dedicated to support a hashing operation, are provided.
For the embodiment, registers 504 also include a number of collections of control registers, one collection each for each security operation concurrently supported, to facilitate control processor 102 in specifying for security subsystem 106 a number of general operation parameters for performing the corresponding security operation. In one embodiment, two such collections, one for a DES operation and another for a hashing operation, are supported. The content and meaning of these control parameters for one embodiment is described in further detail below referencing Fig. 6a.
For the embodiment, registers 504 also include a number of collections of status registers, one collection each for each security operation concurrently supported, to facilitate appraising control processor 102 of the current status of security subsystem 106 for the corresponding security operation. In one embodiment, two such collections, one for DES operation and another for hashing operation are supported. The content and meaning of these status for one embodiment is described in further detail below referencing Fig. 6b.
Registers 504 may be implemented via any one of a number of techniques known in the art. In one embodiment, a multi-port addressable memory unit is employed to implement all registers 504 in a single storage unit. Security engines 106 are employed to perform security operations of corresponding types. In one embodiment, one security engine coupled with a data traffic router for performing various types of DES operations, ECB, CBC and CFB (see Fig. 7 where data traffic router is shown as element 702), one security engine for performing MD5 hashing operations, and one security engine for performing SHA-1 hashing operations are provided. Any one of a number of implementations known in the art may be employed to implement the various security engine cores, i.e. the security engine core for performing DEA ECB, CBC and CFB operations, the security engine core for performing MD5 hashing operations, and the security engine core for performing SHA-1 hashing operations. Their exact implementations are not essential aspects of the present invention. One embodiment of the data traffic router enabling a single DES security engine core to be provided for multiple modes of DES security operations will be further described below, referencing Fig. 8.
Controller 502 controls the operation of data transfer unit 506, registers 504 and security engines 106. The relevant operational flow for one embodiment will be described in further details below, referencing Fig. 9.
Control and Status Registers of the Security Subsystem As alluded to earlier, Figure 6a-6b illustrate one each of a collection of control registers 600 and a collection of status registers 620 for a security operation concurrently supported, e.g. a DES operation, or a hashing operation.
Control registers 600 include register 602 for control processor 102 to globally disable or enable interrupt mode of operation for the security operation. Control registers 600 also include registers 604-608 for control processor 102 to instruct security subsystem 106 to interrupt control processor 102 upon completion of a data segment, upon completion of a data object or upon encountering an operation error while performing the security operation. Further, control registers 600 include registers 610-616 for control processor 102 to instruct security subsystem 106 to stop the security operation on completion of a data segment (including completion of a data object), halt operation altogether, to reset, or to start/continue for the security operation.
Status registers 620 include registers 622-623 for conveying to control processor 102 a bad write address was encountered by security subsystem 106, and the remaining byte counts of the results of the security operation. Status registers 620 also include registers 624-628 for conveying to control processor 102 an interrupt is pending, where the interrupt is issued by security system 106 upon completion of a data segment, completion of a data object or encountering an error, for the security operation. Status registers 620 also include registers 630-632 for conveying to control processor 102 that processing for a data segment or a data object has been completed for the security operation. Further, status registers 620 include registers 634-638 for conveying to control processor 102 that the subsystem is "on", its outputs are valid, or it is busy.
Data Traffic Router Figure 8 illustrates data traffic router 702 of Figure 7 in further details, in accordance with one embodiment. As illustrated, data traffic router 702 includes a number of AND gates 802a-802c, a number of multiplexors 804a- 804b, and a number of XOR gates 806a-806b, coupled to each other as shown. More specifically, AND gate 802a receives the data block (datajn) of the security operation and control variable A as inputs, and perform a logical AND operation on the inputs. The result of the logical AND operation is provided to XOR gate 806a, which also receives the output of AND gate 802b as its other input. XOR gate 806a performs the logical XOR operation on its inputs, and the output is provided as input to the DES security engine core.
The output of AND gate 802b is generated based on the output of multiplexor 804a and control variable B. The output of multiplexor 804 is either the initial vector outputted from the earlier described initial vector registers, or the result of the DES operation on a prior data block, depending on the control variable C.
In like manner, XOR gate 806b receives the output from the DES security engine core and the output of AND gate 802c as inputs, and performs a logical XOR operation on the inputs to produce the current result of the DES security operation (data_out).
The output of AND gate 802c is generated based on the output of multiplexor 804c and control variable D. The output of multiplexor 804 is either the initial vector outputted from the earlier described initial vector registers, or the current input data block of the DES operation, depending on the control variable E.
The setting of the control variables A through E, for the various modes of DES operations are given in the following table:
Figure imgf000017_0001
where X stands for "don't care" Controller
Figure 9 illustrates the relevant operational flow of controller 502 of Fig. 5 in further details, in accordance with one embodiment. As shown, upon instructed by control processor 102, controller 502 of security subsystem 106 causes the base portion 118a of the addressed descriptor 118 to be loaded in the appropriate descriptor registers 504 for the specified security operation, e.g. the descriptor registers 504 for a DES operation or the descriptor registers 504 for a hashing operation, block 902. Next in accordance with the starting address location of the base data segment (and its size), controller 502 causes the data bits of the base data segment to be fetched via one or more fetches (for the embodiment of Fig. 5, through data transfer unit 506, block 904. The number of fetches required depends on the size of the data bits of the data segment and the width of the data bus between memory 104 and security subsystem 106.
As the data bits successively arrive, controller 502 determines if sufficient amount of data bits to form an atomic block of data bits for the security operation has been accumulated, block 906. For as long as there are insufficient amount of data bits to form an atomic block of data bits for the security operation has been accumulated, and the end of the currently described data segment has not been reached, block 912, fetching, i.e. block 904, continues.
Once sufficient amount of data bits to form an atomic block of data bits for the security operation has been accumulated, controller 502 causes the data bits to be organized into a data block, and forwarded to the appropriate security engine, block 908. In due course (typically after a pre-determined number of clock cycles), the result of the security operation on the provided data block becomes available. At such time, controller 502 causes the result to be written back to the storage locations of memory 104 as specified by the corresponding part of the descriptor 118, block 910.
Concurrently, once an atomic data block is provided to the security engine for operation, controller 502 also continues operation back at block 912 to determine if the end of the currently described data segment has been reached. As described earlier, if the end of the currently described data segment has not been reached, controller 502 continues operation at block 904. If the end of the currently described data segment has been reached, controller 502 further determines if all data segments of the data object has been processed or if all processed, whether security operation for a next data object is to be started, block 914. For the embodiment, controller 502 makes the determination based on the earlier described next descriptor/part address and its associated valid bit denoting whether the next descriptor/part address is valid. If not all data segments of the data object has been processed or processing for a new data object is to be started, controller 502 causes a continuation part of the current descriptor or the base part of the next descriptor to be loaded into descriptor registers 504, block 916. In the former case, the descriptor of the data object is updated with the data segment related information describing a new data segment. Upon updating or reloading descriptor registers 504, controller 502 continues operation at block 904.
Recall that the number of data bits of a data segment may be less than, equal to or greater than the size of the atomic block of the security operation, thus in the course of operation, at times, at block 912, after fetching all the data bits of a data segment in accordance to the starting address and the buffer size currently stored in descriptor registers 504, a quantity of data bits less than the size of the atomic data block of the security operation may remain. At such time, as described earlier, controller 502 determines if all data segments of the data object has been processed, block 914. If not, controller 504 causes a continuation part of the descriptor to loaded, updating the descriptor. For the embodiment, controller 504 also saves the address and size information of the previous part of the descriptor, e.g. in corresponding shadow registers (not shown). In one embodiment, controller 504 is equipped with 8 sets of shadow registers, enabling it to fetch as many as 8 data segments to form one atomic data block of the security operation. In other embodiments, more or less sets of shadow registers may be employed instead.
Back at block 914, if indeed all data segments of the data object has been processed, the residual data bits are indicative of the fact that the data object has a size that is not modulo the size of the atomic data block of the security operation (64 bits in the case of a DES operation, and 512 bits in the case of hashing operation). For the embodiment, an error is returned, block 918.
Conclusion and Epilogue Thus, it can be seen from the above descriptions, an improved method and apparatus for performing security services/operations for subsystems of a SOC has been described. The novel scheme advantageously offloads the control processor of the SOC and enables the SOC to operate more efficiently. While the present invention has been described in terms of the foregoing embodiments, those skilled in the art will recognize that the invention is not limited to these embodiments. The present invention may be practiced with modification and alteration within the spirit and scope of the appended claims. Thus, the description is to be regarded as illustrative instead of restrictive on the present invention.

Claims

CLAIMSWhat is claimed is:
1. A security subsystem comprising: a first security engine to perform a first security operation on a block of data bits; a first plurality of registers to collectively store a first descriptor of a first data object having first one or more data segments, with each of said first one or more data segments having a plurality data bits; and a control portion coupled to said first registers and the first security engine to cause
(a) said first descriptor of said first data object to be loaded into said first registers, first describing a first data segment of said first data object, and said first descriptor to be successively updated to correspondingly describe first additional data segments of said first data object, if any, one data segment at a time, and
(b) data bits of each currently described one of said first data segments to be successively fetched, organized into blocks of data bits, and provided to said first security engine to have said first security operation to be successively performed on the provided blocks of data bits.
2. The security subsystem of claim 1 , where said first descriptor of said first data object includes, at a first instance in time, first storage location descriptions that describe first storage locations of data bits of a first of said first data segments of said first data object.
3. The security subsystem of claim 2, where said first storage location descriptions comprise a starting storage location address and a size of the data bits of said first data segments of said first data object.
4. The security subsystem of claim 2, where said first descriptor of said first data object includes, at a second instance in time, second storage location descriptions that describe second storage locations of data bits of a second of said first data segments of said first data object.
5. The security subsystem of claim 4, where said first storage locations and said second storage locations are contiguous storage locations.
6. The security subsystem of claim 4, where said first storage locations and said second storage locations are discontiguous storage locations.
7. The security subsystem of claim 1 , where said control portion further causes the results of said first security operations performed for the provided blocks of data bits to be successively returned.
8. The security subsystem of claim 7, where said first descriptor of said first data object includes, at a first instance in time, first storage location descriptions that describe first storage locations for returning first results of said first security operations performed on the provided data bits of a first of said first data segments of said first data object.
9. The security subsystem of claim 8, where said first storage location descriptions comprise a starting storage location address.
10. The security subsystem of claim 8, where said first descriptor of said first data object includes, at a second instance in time, second storage location descriptions that describe second storage locations for returning second results of said second security operations performed on the provided data bits of a second of said first data segments of said first data object.
11. The security subsystem of claim 10, where said first storage locations and said second storage locations are contiguous storage locations.
12. The security subsystem of claim 10, where said first storage locations and said second storage locations are discontiguous storage locations.
13. The security subsystem of claim 1 , where said first descriptor of said first data object also describes operating parameters to be employed to perform said first security operation on each of said provided blocks of data bits of said first data object, and said control portion further causes said described operating parameters to be provided to said first security engine.
14. The security subsystem of claim 1 , wherein said first security operation is a DES operation.
15. The security subsystem of claim 14, wherein said DES operation is a selected one of a DES cipher operation and a DES decipher operation.
16. The security subsystem of claim 14, wherein said DES operation is a selected one of a DES ECB operation, a DES CBC operation and a DES CFB operation.
17. The security subsystem of claim 14, wherein said first descriptor of said first data object also describes operating parameters including a first and a second key of to be employed to perform said DES operation on each of said provided blocks of data bits of said first data object, and said first control portion further causes said described operating parameters including said first and second keys of said DES operation to be provided to said first security engine.
18. The security subsystem of claim 17, wherein said operating parameters further include a third key of said DES operation.
19. The security subsystem of claim 14, wherein said DES operation is a selected one of a DES CBC operation and a DES CFB operation; said security subsystem further comprises a data router coupled to said security engine to selectively route a current block of data bits of said first data object and a result of the selected DES security operation for a prior block of data bits to said security engine; and said control portion is further coupled to said data router to control its operation.
20. The security subsystem of claim 19, wherein <additional details on the data router>.
21. The security subsystem of claim 1 , wherein said security operation is a hashing operation.
22. The security subsystem of claim 21 , wherein said hashing operation is a selected one of a MD5 operation and a SHA-1 operation.
23. The security subsystem of claim 21 , wherein said first descriptor of said first data object also describes operating parameters including a plurality of chaining variables to be employed to perform said hashing operation on each of said blocks of data bits of said first data object, and said first control portion further causes said described operating parameters including said chaining variables to be provided to said first security engine.
24. The security subsystem of claim 1 , wherein said security subsystem further comprises a control register to facilitate a subsystem external to said security subsystem in providing one more control instructions to said control portion of said security subsystem.
25. The security subsystem of claim 24, wherein at least one of said control instructions is a selected one of instructing said control portion to start said first security operation, to interrupt said external subsystem upon completing said first security operation for all blocks of data bits of said first data segments of said first data object, to interrupt said external subsystem upon completing said first security operation for all blocks of data bits of said first data object, and to stop said security subsystem upon completing said first security operation for all blocks of data bits of said first data segments of said first data object.
26. The security subsystem of claim 1 , wherein said security subsystem further comprises a status register to facilitate said control portion of said security subsystem in providing one or more status to a subsystem external to said security subsystem.
27. The security subsystem of claim 26, wherein at least one of said status is a selected one of a pending interrupt issued on completion of said first security operation for all blocks of data bits of said first data segments of said first data object, a pending interrupt issued on completion of said first security operation for all blocks of data bits of said first data object, completion of said first security operation for all blocks of data bits of said first data segments of said first data object, completion of said first security operation for all blocks of data bits of said first data object and said security subsystem being in a busy state.
28. The security subsystem of claim 1 , wherein said security subsystem further comprises a second security engine to perform a second security operation on a block of data bits; a second plurality of registers to collectively store a second descriptor of a second data object having second one or more data segments, with each of said second one or more data segments having a plurality of data bits; and said control portion is further coupled to said second registers and the second security engine to cause
(a) said second descriptor of said second data object to be loaded into said second registers, first describing a second data segment of said second data object, and said second descriptor to be successively updated to correspondingly describe second additional data segments of said second data object, if any, one data segment at a time, and
(b) data bits of each currently described one of said second data segments to be successively fetched, organized into blocks of data bits, and provided to said second security engine to have said second security operation to be successively performed on the provided blocks of data bits.
29. The security subsystem of claim 28, where said control portion further causes the results of said second security operations performed for the provided blocks of data bits to be successively returned.
30. The security subsystem of claim 28, where said second descriptor of said second data object also describes operating parameters to be employed to perform said second security operation for each of said blocks of data bits of said second data object, and said control portion further causes said described operating parameters to be provided to said second security engine.
31. The security subsystem of claim 28, wherein said first security operation is a DES operation and said second security operation is a hashing operation.
32. The security subsystem of claim 1 , wherein said security subsystem further comprises a data transfer unit coupled to said first security engine and said control portion to retrieve and provide said data bits of said first data object for said first security engine, and return the results of said first security operations performed for said data bits of said first data object, under the control of said control portion.
33. In a security subsystem, a method of operation comprising: retrieving and storing a first descriptor describing a first data segment of a first data object; and causing first data bits of said described first data segment of the first data object to be successively retrieved, organized into blocks of data bits, provided to a first security engine of the security subsystem, have a first security operation performed by the first security engine on each of the provided blocks of data bits, and the results of the first security operations performed on the provided blocks of data bits to be returned.
34. The method of claim 33, wherein the method further comprises accepting and storing a plurality of control instructions instructing said security subsystem in its manner of operation; and stopping said security subsystem, if so instructed, upon causing said first security operation to be performed on each of said provided blocks of data bits of said first data segment of said first data object.
35. The method of claim 33, wherein the method further comprises accepting and storing a plurality of control instructions instructing said security subsystem in its manner of operation; and interrupting a subsystem external to said security subsystem, if so instructed, upon causing said first security operation to be performed on each of the provided blocks of data bits of said first data segment of said first data object.
36. The method of claim 33, wherein the method further comprises updating said first descriptor to describe a second segment of said first data object; and causing second data bits of said described second segment of the first data object to be successively retrieved, organized into blocks of data bits, provided to said first security engine of the security subsystem, have said first security operation performed by the first security engine on each of the provided blocks of data bits, and the results of the first security operations performed on the provided blocks of data bits to be returned.
37. The method of claim 36, wherein the method further comprises accepting and storing a plurality of control instructions instructing said security subsystem in its manner of operation; and interrupting a subsystem external to said security subsystem, if so instructed, upon causing said first security operation to be performed on all provided blocks of data bis of all data segments of said first data object.
38. The method of claim 36, wherein said first data blocks of said first data segment of said first data object and said second data blocks of said second data segment of said first data object are stored in contiguous storage locations.
39. The method of claim 36, wherein said first data blocks of said first data segment of said first data object and said second data blocks of said second data segment of said first data object are stored in discontiguous storage locations.
40. The method of claim 36, wherein the results of said first security operations performed on said data bits of said first data segment of said first data object and the results of said first security operations performed on said data bits of said second data segment of said first data object are returned to contiguous storage locations.
41. The method of claim 36, wherein the results of said first security operations performed on said data bits of said first data segment of said first data object and the results of said first security operations performed on said data bits of said second data segment of said first data object are stored in discontiguous storage locations.
42. The method of claim 33, wherein said first descriptor of said first data object also describes operating parameters to be employed to perform said first security operation on each of said organized blocks of data bits of said first data segment of said first data object, and the method further comprises providing the described operating parameters to said first security engine.
43. The method of claim 33, wherein said first security operation is a DES operation.
44. The method of claim 43, wherein said DES operation is a selected one of a DES cipher operation and a DES decipher operation.
45. The method of claim 43, wherein said DES operation is a selected one of a DES ECB operation, a DES CBC operation and a DES CFB operation.
46. The method of claim 43, wherein said first descriptor of said first data object also describes operating parameters including a first and a second key of to be employed to perform said DES operation on each of said first data blocks of said first data segment of said first data object, and the method further comprises providing said first and second keys of said DES operation to said first security engine.
47. The method of claim 46, wherein said operating parameters further include a third key of said DES operation.
48. The method of claim 43, wherein said DES operation is a selected one of a DES CBC operation and a DES CFB operation; and said method further comprises causing a selected one of a current block of data bits of said first data segment and a result of the selected DES security operation for a prior block of data bits to be provided to said security engine.
49. The method of claim 48, wherein <additional details on the data router>.
50. The method of claim 33, wherein said security operation is a hashing operation.
51. The method of claim 50, wherein said hashing operation is a selected one of a MD5 operation and a SHA-1 operation.
52. The method of claim 50, wherein said first descriptor of said first data object also describes operating parameters including a plurality of chaining variables to be employed to perform said hashing operation on each of said blocks of data bits of said first data segment of said first data object, and the method further comprises providing said chaining variables to said first security engine.
53. The method of claim 33, wherein the method further comprises providing one or more status to a subsystem external to said security subsystem.
54. The method of claim 53, wherein at least one of said status is a selected one of a pending interrupt issued on completion of said first security operation for all data bits of said first data segment of said first data object, a pending interrupt issued on completion of said first security operation for all data bits of said first data object, completion of said first security operation for all data bits of said first data segment of said first data object, completion of said security operation for all data bits of said first data object and said security subsystem being in a busy state.
55. The method of claim 33, wherein the method comprises retrieving and storing a second descriptor describing a second segment of a second data object; and causing second data bits of said described second segment of the second data object to be successively retrieved, organized into blocks of data bits, and provided to a second security engine of the security subsystem, have a second security operation performed by the second security engine on each of the provided blocks of data bits, and the results of the second security operations performed on the blocks of data bits to be returned.
56. The method of claim 55, wherein the method further comprises successively returning the results of said second security operations performed for the provided blocks of data bits.
57. The method of claim 55, wherein said second descriptor of said second data object also describes operating parameters to be employed to perform said second security operation for each of said provided blocks of data bits of said second data segment of said second data object, and the method further comprises providing said described operating parameters to said second security engine.
58. The method of claim 55, wherein said first security operation is a DES operation and said second security operation is a hashing operation.
59. An apparatus comprising: a memory to store data and descriptive information of said data; a processor coupled to said memory to set up in said memory a first descriptor having first one or more parts, describing a first data object having first one or more data segments, with each of said first one or more data segments having a plurality of data bits; and a security subsystem coupled to said memory and said processor to perform a first security operation on each of a plurality of blocks of data bits of said first one or more data segments of said first data object, responsive to a request of said processor, wherein the security subsystem is equipped to (a) first retrieve a first part of said first descriptor, and then successively updates said first descriptor with its additional parts, if applicable, (b) successively fetch the data bits of said first one or more data segments of said first data object in accordance with the successive current descriptions of the first descriptor, (c) successively organize the fetched data bits into blocks of data bits, (d) successively perform said first security operation on said organized data blocks, and (e) successively return the results of said successive first security operations.
60. The apparatus of claim 59, wherein the security subsystem comprises a first security engine to perform said first security operation for a block of data bits; a first plurality of registers to collectively store the currently retrieved part of a data object descriptor; and a control portion coupled to said first registers and the first security engine to cause
(a) said first part of said first descriptor of said first data object to be loaded into said first registers, and then successively updated to . successively describe said first one or more data segments of said first data object,
(b) data bits of each currently described one of said first data segments to be successively fetched, organized into blocks of data bits, and provided to said first security engine to have said first security operation to be successively performed on the provided data blocks, and
(c) the results of said successively performed first security operations to be returned.
61. The apparatus of claim 59, wherein each of said first one or more parts of said first descriptor describes storage locations of data bits of a corresponding one of said first one or more data segments of said first data object.
62. The apparatus of claim 61 , wherein said first one or more data segments of said first data object comprise two or more data segments, and the storage locations of the data blocks of at least one of the data segments are discontiguous from the storage location of the data blocks of the other data segments of said first data object.
63. The apparatus of claim 59, wherein each of said first one or more parts of said first descriptor describes storage locations for returning the results of said first security operations for the data bits of a corresponding one of said first one or more data segments of said first data object.
64. The apparatus of claim 63, wherein said first one or more data segments of said first data object comprise two or more data segments, and the storage locations for returning the results of said first security operations performed for the data bits of at least one of the data segments are discontiguous from the storage location for returning the results of said first security operations performed for the data bits of the other data segments of said first data object.
65. The apparatus of claim 59, wherein at least a first part of said first descriptor of said first data object also describes operating parameters to be employed to perform said first security operation for each of said blocks of data bits of said first data object.
66. The apparatus of claim 59, wherein said first security operation is a DES operation.
67. The apparatus of claim 66, wherein said DES operation is a selected one of a DES cipher operation and a DES decipher operation.
68. The apparatus of claim 66, wherein said DES operation is a selected one of a DES ECB operation, a DES CBC operation and a DES CFB operation.
69. The apparatus of claim 66, wherein at least a first part of said first descriptor of said first data object also describes operating parameters including a first and a second key of to be employed to perform said DES operation on each of said blocks of data bits of said first data object.
70. The apparatus of claim 69, wherein said operating parameters further include a third key of said DES operation.
71. The apparatus of claim 66, wherein said DES operation is a selected one of a DES CBC operation and a DES CFB operation; and said security subsystem is further equipped to selectively employ a current block of data bits of said first data object and a result of the selected DES security operation for a prior block of data bits to perform the selected DES operation.
72. The apparatus of claim 59, wherein said security operation is a hashing operation.
73. The apparatus of claim 72, wherein said hashing operation is a selected one of a MD5 operation and a SHA-1 operation.
74. The apparatus of claim 72, wherein at least a first part of said first descriptor of said first data object also describes operating parameters including a plurality of chaining variables to be employed to perform said hashing operation for each of said blocks of data bits of said first data object.
75. The apparatus of claim 59 wherein said security subsystem further comprises a control register to facilitate said processor in providing one more control instructions to said security subsystem.
76. The apparatus of claim 75, wherein at least one of said control instructions is a selected one of instructing said security subsystem to start said first security operation, to interrupt said processor upon completing said first security operation for all blocks of data bits of said first data segments of said first data object, to interrupt said processor upon completing said first security operation for all blocks of data bits of said first data object, and to stop said security subsystem upon completing said first security operation for all blocks of data bits of said first data segments of said first data object.
77. The apparatus of claim 59, wherein said security subsystem further comprises a status register to facilitate said security subsystem in providing one or more status to said processor.
78. The apparatus of claim 77, wherein at least one of said status is a selected one of a pending interrupt issued on completion of said first security operation for all blocks of data bits of said first data segments of said first data object, a pending interrupt issued on completion of said first security operation for all blocks of data bits of said first data object, completion of said first security operation for all blocks of data bits of said first data segments of said first data object, completion of said first security operation for all blocks of data bits of said first data object and said security subsystem being in a busy state.
79. The apparatus of claim 59, wherein said processor is also to set up in said memory a second descriptor having second one or more parts, describing a second data object having second one or more data segments, with each of said second one or more data segments having a plurality of data bits; and said security subsystem is also to perform a second security operation for data bits of said second one or more data segments of said second data object, responsive to a request of said processor, wherein the security subsystem is also equipped to (a) first retrieve a first part of said second descriptor, and then successively updates said second descriptor with its additional parts, if applicable, (b) successively fetch the data bits of said second one or more data segments of said second data object in accordance with the successive current descriptions of the second descriptor, (c) successively organized the successively fetched data bits into blocks of data bits, (d) successively perform said second security operation on said successively organized blocks of data bits, and (d) successively return the results of said successive second security operations.
80. The apparatus of claim 79, wherein said first security operation is a DES operation and said second security operation is a hashing operation.
81. The apparatus of claim 59, wherein said apparatus is disposed on a single integrated circuit.
82. A method comprising: a processor setting up in a memory a first descriptor having first one or more parts, describing a first data object having first one or more data segments, with each of said first one or more data segments having a plurality of data bits; and a security subsystem performing a first security operation on the data bits of said first one or more data segments of said first data object, responsive to a request of said processor, by (a) first retrieving a first part of said first descriptor, and then successively updating said first descriptor with its additional parts, if applicable, (b) successively fetching the data bits of said first one or more data segments of said first data object in accordance with the successive current descriptions of the first descriptor, (c) successively organizing the fetched data bits into blocks of data bits, (d) successively performing said first security operation on said successively organized data blocks, and (d) successively returning the results of said successive first security operations.
83. The method of claim 82, wherein each of said first one or more parts of said first descriptor describes storage locations of data bits of a corresponding one of said first one or more data segments of said first data object.
84. The method of claim 83, wherein said first one or more data segments of said first data object comprise two or more data segments, and the storage locations of the data blocks of at least one of the data segments are discontiguous from the storage location of the data blocks of the other data segments of said first data object.
85. The method of claim 82, wherein each of said first one or more parts of said first descriptor describes storage locations for returning the results of said first security operations for data bits of a corresponding one of said first one or more data segments of said first data object.
86. The method of claim 85, wherein said first one or more data segments of said first data object comprise two or more data segments, and the storage locations for returning the results of said first security operations performed for the data bits of at least one of the data segments are discontiguous from the storage location for returning the results of said first security operations performed for the data bits of the other data segments of said first data object.
87. The method of claim 82, wherein at least a first part of said first descriptor of said first data object also describes operating parameters to be employed to perform said first security operation for data bits of said first data object.
88. The method of claim 82, wherein said first security operation is a DES operation.
89. The method of claim 88, wherein said DES operation is a selected one of a DES cipher operation and a DES decipher operation.
90. The method of claim 88, wherein said DES operation is a selected one of a DES ECB operation, a DES CBC operation and a DES CFB operation.
91. The method of claim 88, wherein at least a first part of said first descriptor of said first data object also describes operating parameters including a first and a second key of to be employed to perform said DES operation on each of said data blocks of said first data object.
92. The method of claim 91 , wherein said operating parameters further include a third key of said DES operation.
93. • The method of claim 88, wherein said DES operation is a selected one of a DES CBC operation and a DES CFB operation; and said method further comprises said security subsystem selectively employing a current block of data bits of said first data object and a result of the selected DES security operation for a prior block of data bits to perform the selected DES operation.
94. The method of claim 82, wherein said security operation is a hashing operation.
95. The method of claim 94, wherein said hashing operation is a selected one of a MD5 operation and a SHA-1 operation.
96. The method of claim 94, wherein at least a first part of said first descriptor of said first data object also describes operating parameters including a plurality of chaining variables to be employed to perform said hashing operation for each of said blocks of data bits of said first data object.
97. The method of claim 82 wherein said method further comprises said processor providing one more control instructions to said security subsystem.
98. The method of claim 97, wherein at least one of said control instructions is a selected one of instructing said security subsystem to start said first security operation, to interrupt said processor upon completing said first security operation for all data bits of one of said first data segments of said first data object, to interrupt said processor upon completing said first security operation for all data bits of said first data object, and to stop said security subsystem upon completing said first security operation for all data bits of one of said first data segments of said first data object.
99. The method of claim 82, wherein said method further comprises said security providing one or more status to said processor.
100. The method of claim 99, wherein at least one of said status is a selected one of a pending interrupt issued on completion of said first security operation for all data bits of one of said first data segments of said first data object, a pending interrupt issued on completion of said first security operation for all data bits of said first data object, completion of said first security operation for all data bits of one of said first data segments of said first data object, completion of said first security operation for all data bits of said first data object and said security subsystem being in a busy state.
101. The method of claim 82, wherein the method further comprises said processor setting up in said memory a second descriptor having second one or more parts, describing a second data object having second one or more data segments, with each of said second one or more data segments having a plurality of data bits; and said security subsystem performing a second security operation on data bits of said second one or more data segments of said second data object, responsive to a request of said processor, by (a) first retrieving a first part of said second descriptor, and then successively updating said second descriptor with its additional parts, if applicable, (b) successively fetching the data blocks of said second one or more data segments of said second data object in accordance with the successive current descriptions of the second descriptor, (c) successively organizing the fetched data bits into blocks of data bits, (d) successively performing said second security operation for said successively organized blocks of data bits, and (e) successively returning the results of said successive second security operations.
102. The method of claim 101 , wherein said first security operation is a DES operation and said second security operation is a hashing operation.
PCT/US2002/006384 2001-02-28 2002-02-28 A security system with an intelligent dma controller WO2002069115A2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU2002252173A AU2002252173A1 (en) 2001-02-28 2002-02-28 A security system with an intelligent dma controller
US10/469,467 US7436954B2 (en) 2001-02-28 2002-02-28 Security system with an intelligent DMA controller

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US27243901P 2001-02-28 2001-02-28
US60/272,439 2001-02-28

Publications (2)

Publication Number Publication Date
WO2002069115A2 true WO2002069115A2 (en) 2002-09-06
WO2002069115A3 WO2002069115A3 (en) 2002-10-31

Family

ID=23039795

Family Applications (3)

Application Number Title Priority Date Filing Date
PCT/US2002/006384 WO2002069115A2 (en) 2001-02-28 2002-02-28 A security system with an intelligent dma controller
PCT/US2002/006383 WO2002069158A1 (en) 2001-02-28 2002-02-28 A multi-service system-on-chip
PCT/US2002/006331 WO2002069157A1 (en) 2001-02-28 2002-02-28 A subsystem boot and peripheral data transfer architecture for a subsystem of a system-on-chip

Family Applications After (2)

Application Number Title Priority Date Filing Date
PCT/US2002/006383 WO2002069158A1 (en) 2001-02-28 2002-02-28 A multi-service system-on-chip
PCT/US2002/006331 WO2002069157A1 (en) 2001-02-28 2002-02-28 A subsystem boot and peripheral data transfer architecture for a subsystem of a system-on-chip

Country Status (3)

Country Link
US (7) US7095752B2 (en)
AU (1) AU2002252173A1 (en)
WO (3) WO2002069115A2 (en)

Families Citing this family (52)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7095752B2 (en) * 2001-02-28 2006-08-22 Pmc-Sierra, Inc. On-chip inter-subsystem communication including concurrent data traffic routing
US6816938B2 (en) * 2001-03-27 2004-11-09 Synopsys, Inc. Method and apparatus for providing a modular system on-chip interface
US7039750B1 (en) * 2001-07-24 2006-05-02 Plx Technology, Inc. On-chip switch fabric
JP3996010B2 (en) * 2002-08-01 2007-10-24 株式会社日立製作所 Storage network system, management apparatus, management method and program
US7107381B2 (en) * 2002-11-20 2006-09-12 Pmc-Sierra, Inc. Flexible data transfer to and from external device of system-on-chip
US20040225707A1 (en) * 2003-05-09 2004-11-11 Chong Huai-Ter Victor Systems and methods for combining a slow data stream and a fast data stream into a single fast data stream
US7065602B2 (en) * 2003-07-01 2006-06-20 International Business Machines Corporation Circuit and method for pipelined insertion
DE10337699B4 (en) * 2003-08-16 2006-01-12 Phoenix Contact Gmbh & Co. Kg Method and device for transmitting data over a bus network using the broadcast principle
US7091743B2 (en) * 2003-10-07 2006-08-15 International Business Machines Corporation Data acknowledgment using impedance mismatching
TWI269165B (en) * 2004-03-30 2006-12-21 Infortrend Technology Inc Dispatching of service requests in redundant storage virtualization subsystems
JP4212508B2 (en) * 2004-04-14 2009-01-21 株式会社東芝 Packet generator
JP4222251B2 (en) * 2004-04-27 2009-02-12 ソニー株式会社 Bus arbitration apparatus and bus arbitration method
WO2006030650A1 (en) * 2004-09-16 2006-03-23 Nec Corporation Information processing device having a plurality of processing units sharing a resource
US7269682B2 (en) 2005-08-11 2007-09-11 P.A. Semi, Inc. Segmented interconnect for connecting multiple agents in a system
US7467295B2 (en) * 2005-10-07 2008-12-16 International Business Machines Corporation Determining a boot image based on a requesting client address
EP1971925A4 (en) * 2005-12-23 2009-01-07 Texas Instruments Inc Methods and systems to restrict usage of a dma channel
EP1801700B1 (en) * 2005-12-23 2013-06-26 Texas Instruments Inc. Method and systems to restrict usage of a DMA channel
US20080077720A1 (en) * 2006-09-27 2008-03-27 Blaise Fanning Isochronous memory access with variable channel priorities and timers
US8122078B2 (en) * 2006-10-06 2012-02-21 Calos Fund, LLC Processor with enhanced combined-arithmetic capability
US8094677B2 (en) * 2007-02-27 2012-01-10 Integrated Device Technology, Inc. Multi-bus structure for optimizing system performance of a serial buffer
US7870313B2 (en) * 2007-02-27 2011-01-11 Integrated Device Technology, Inc. Method and structure to support system resource access of a serial device implementating a lite-weight protocol
US20080209089A1 (en) * 2007-02-27 2008-08-28 Integrated Device Technology, Inc. Packet-Based Parallel Interface Protocol For A Serial Buffer Having A Parallel Processor Port
US8185899B2 (en) * 2007-03-07 2012-05-22 International Business Machines Corporation Prediction based priority scheduling
US8116454B2 (en) 2007-07-23 2012-02-14 Savi Technology, Inc. Method and apparatus for providing security in a radio frequency identification system
US20090055639A1 (en) * 2007-08-20 2009-02-26 Kimmo Kuusilinna Methods and system for modular device booting
IL187038A0 (en) * 2007-10-30 2008-02-09 Sandisk Il Ltd Secure data processing for unaligned data
US7966271B2 (en) * 2008-05-12 2011-06-21 Microsoft Corporation Device influenced table formatting
US20100125717A1 (en) * 2008-11-17 2010-05-20 Mois Navon Synchronization Controller For Multiple Multi-Threaded Processors
US20110093099A1 (en) * 2009-10-16 2011-04-21 Newport Controls Controller system adapted for spa
US20110179212A1 (en) * 2010-01-20 2011-07-21 Charles Andrew Hartman Bus arbitration for sideband signals
US8307138B2 (en) * 2010-07-12 2012-11-06 Arm Limited Apparatus and method for controlling issuing of transaction requests
US8904115B2 (en) 2010-09-28 2014-12-02 Texas Instruments Incorporated Cache with multiple access pipelines
GB2493340A (en) * 2011-07-28 2013-02-06 St Microelectronics Res & Dev Address mapping of boot transactions between dies in a system in package
WO2013100783A1 (en) 2011-12-29 2013-07-04 Intel Corporation Method and system for control signalling in a data path module
US9658975B2 (en) * 2012-07-31 2017-05-23 Silicon Laboratories Inc. Data transfer manager
CN103518205B (en) * 2013-03-27 2016-08-10 华为技术有限公司 Limit method and the automation equipment of operating right
US10331583B2 (en) 2013-09-26 2019-06-25 Intel Corporation Executing distributed memory operations using processing elements connected by distributed channels
US20160300232A1 (en) * 2013-11-13 2016-10-13 Rakuten, Inc. Monitoring assistance device
US9939869B2 (en) 2015-03-13 2018-04-10 Qualcomm Incorporated Methods and systems for coordination of operating states amongst multiple SOCs within a computing device
US10303631B2 (en) 2016-03-17 2019-05-28 International Business Machines Corporation Self-moderating bus arbitration architecture
US11086816B2 (en) 2017-09-28 2021-08-10 Intel Corporation Processors, methods, and systems for debugging a configurable spatial accelerator
CN110337643A (en) * 2018-01-23 2019-10-15 深圳市大疆创新科技有限公司 Chip, processor, computer system and movable equipment
JP7457654B2 (en) 2018-03-30 2024-03-28 グーグル エルエルシー Steps for implementing source-based routing within an interconnect fabric on a system-on-chip
US20190302861A1 (en) 2018-03-30 2019-10-03 Provino Technologies, Inc. Protocol level control for system on a chip (soc) agent reset and power management
US11307873B2 (en) 2018-04-03 2022-04-19 Intel Corporation Apparatus, methods, and systems for unstructured data flow in a configurable spatial accelerator with predicate propagation and merging
US10891240B2 (en) 2018-06-30 2021-01-12 Intel Corporation Apparatus, methods, and systems for low latency communication in a configurable spatial accelerator
US11200186B2 (en) * 2018-06-30 2021-12-14 Intel Corporation Apparatuses, methods, and systems for operations in a configurable spatial accelerator
US10678724B1 (en) 2018-12-29 2020-06-09 Intel Corporation Apparatuses, methods, and systems for in-network storage in a configurable spatial accelerator
US10915471B2 (en) 2019-03-30 2021-02-09 Intel Corporation Apparatuses, methods, and systems for memory interface circuit allocation in a configurable spatial accelerator
US10817291B2 (en) 2019-03-30 2020-10-27 Intel Corporation Apparatuses, methods, and systems for swizzle operations in a configurable spatial accelerator
US11037050B2 (en) 2019-06-29 2021-06-15 Intel Corporation Apparatuses, methods, and systems for memory interface circuit arbitration in a configurable spatial accelerator
CN114385528A (en) 2020-10-16 2022-04-22 瑞昱半导体股份有限公司 Direct memory access controller, electronic device using the same, and method of operating the same

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5224166A (en) * 1992-08-11 1993-06-29 International Business Machines Corporation System for seamless processing of encrypted and non-encrypted data and instructions

Family Cites Families (56)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4352952A (en) 1978-06-12 1982-10-05 Motorola Inc. Data security module
US4245306A (en) * 1978-12-21 1981-01-13 Burroughs Corporation Selection of addressed processor in a multi-processor network
US4697262A (en) * 1984-12-20 1987-09-29 Siemens Aktiengesellschaft Digital carrier channel bus interface module for a multiplexer having a cross-connect bus system
US5222223A (en) 1989-02-03 1993-06-22 Digital Equipment Corporation Method and apparatus for ordering and queueing multiple memory requests
US5185864A (en) 1989-06-16 1993-02-09 International Business Machines Corporation Interrupt handling for a computing system with logical devices and interrupt reset
US5197130A (en) 1989-12-29 1993-03-23 Supercomputer Systems Limited Partnership Cluster architecture for a highly parallel scalar/vector multiprocessor system
KR0181471B1 (en) * 1990-07-27 1999-05-15 윌리암 피.브레이든 Computer data routing system
US5353417A (en) * 1991-05-28 1994-10-04 International Business Machines Corp. Personal computer with bus interface controller coupled directly with local processor and input/output data buses and for anticipating memory control changes on arbitration for bus access
US5388261A (en) * 1992-09-30 1995-02-07 Apple Computer, Inc. Apparatus and method for handling frame overruns in a digital signal processing system
US5535417A (en) * 1993-09-27 1996-07-09 Hitachi America, Inc. On-chip DMA controller with host computer interface employing boot sequencing and address generation schemes
US5606668A (en) * 1993-12-15 1997-02-25 Checkpoint Software Technologies Ltd. System for securing inbound and outbound data packet flow in a computer network
US5799207A (en) 1995-03-28 1998-08-25 Industrial Technology Research Institute Non-blocking peripheral access architecture having a register configure to indicate a path selection for data transfer between a master, memory, and an I/O device
US5657472A (en) 1995-03-31 1997-08-12 Sun Microsystems, Inc. Memory transaction execution system and method for multiprocessor system having independent parallel transaction queues associated with each processor
US5812799A (en) * 1995-06-07 1998-09-22 Microunity Systems Engineering, Inc. Non-blocking load buffer and a multiple-priority memory system for real-time multiprocessing
US5668813A (en) * 1995-07-17 1997-09-16 Nat Semiconductor Corp Dynamic synchronization code detection window
US6317803B1 (en) 1996-03-29 2001-11-13 Intel Corporation High-throughput interconnect having pipelined and non-pipelined bus transaction modes
US6081852A (en) * 1996-04-26 2000-06-27 Texas Instruments Incorporated Packet data transferring system for autonomously operating a DMA by autonomous boot mode select signal wherein the DMA is enabled to at least one program control list
US5848367A (en) * 1996-09-13 1998-12-08 Sony Corporation System and method for sharing a non-volatile memory element as a boot device
US5905876A (en) * 1996-12-16 1999-05-18 Intel Corporation Queue ordering for memory and I/O transactions in a multiple concurrent transaction computer system
US5835741A (en) 1996-12-31 1998-11-10 Compaq Computer Corporation Bus-to-bus bridge in computer system, with fast burst memory range
US6028939A (en) 1997-01-03 2000-02-22 Redcreek Communications, Inc. Data security system and method
US6021201A (en) * 1997-01-07 2000-02-01 Intel Corporation Method and apparatus for integrated ciphering and hashing
US6058474A (en) * 1997-01-24 2000-05-02 Texas Instruments Incorporated Method and apparatus for DMA boot loading a microprocessor without an internal ROM
US5983303A (en) 1997-05-27 1999-11-09 Fusion Micromedia Corporation Bus arrangements for interconnection of discrete and/or integrated modules in a digital system and associated method
GB2326065B (en) 1997-06-05 2002-05-29 Mentor Graphics Corp A scalable processor independent on-chip bus
US5920566A (en) * 1997-06-30 1999-07-06 Sun Microsystems, Inc. Routing in a multi-layer distributed network element
US6118462A (en) 1997-07-01 2000-09-12 Memtrax Llc Computer system controller having internal memory and external memory control
US6247084B1 (en) * 1997-10-08 2001-06-12 Lsi Logic Corporation Integrated circuit with unified memory system and dual bus architecture
US6034542A (en) * 1997-10-14 2000-03-07 Xilinx, Inc. Bus structure for modularized chip with FPGA modules
US6321318B1 (en) 1997-12-31 2001-11-20 Texas Instruments Incorporated User-configurable on-chip program memory system
US6784890B1 (en) * 1998-03-02 2004-08-31 Intel Corporation Accelerated graphics port expedite cycle throttling control mechanism
US6154465A (en) * 1998-10-06 2000-11-28 Vertical Networks, Inc. Systems and methods for multiple mode voice and data communications using intelligenty bridged TDM and packet buses and methods for performing telephony and data functions using the same
GB9809183D0 (en) * 1998-04-29 1998-07-01 Sgs Thomson Microelectronics Microcomputer with interrupt packets
US6185520B1 (en) * 1998-05-22 2001-02-06 3Com Corporation Method and system for bus switching data transfers
US6219237B1 (en) 1998-08-31 2001-04-17 Micron Technology, Inc. Structure and method for an electronic assembly
US6473810B1 (en) * 1998-09-28 2002-10-29 Texas Instruments Incorporated Circuits, systems, and methods for efficient wake up of peripheral component interconnect controller
US6347344B1 (en) 1998-10-14 2002-02-12 Hitachi, Ltd. Integrated multimedia system with local processor, data transfer switch, processing modules, fixed functional unit, data streamer, interface unit and multiplexer, all integrated on multimedia processor
US6312285B1 (en) * 1999-02-25 2001-11-06 Molex Incorporated Panel mounting system for electrical connectors
US6675243B1 (en) * 1999-03-17 2004-01-06 Adaptec, Inc. Methods and apparatus for implementing a device side advanced serial protocol
US6567883B1 (en) * 1999-08-27 2003-05-20 Intel Corporation Method and apparatus for command translation and enforcement of ordering of commands
US7023833B1 (en) 1999-09-10 2006-04-04 Pulse-Link, Inc. Baseband wireless network for isochronous communication
US6681270B1 (en) * 1999-12-07 2004-01-20 Texas Instruments Incorporated Effective channel priority processing for transfer controller with hub and ports
US20010047473A1 (en) * 2000-02-03 2001-11-29 Realtime Data, Llc Systems and methods for computer initialization
US6557078B1 (en) 2000-02-21 2003-04-29 Hewlett Packard Development Company, L.P. Cache chain structure to implement high bandwidth low latency cache memory subsystem
US6988181B2 (en) * 2000-03-08 2006-01-17 Sun Microsystems, Inc. VLIW computer processing architecture having a scalable number of register files
US20010049726A1 (en) 2000-06-02 2001-12-06 Guillaume Comeau Data path engine
US6560685B1 (en) * 2000-09-27 2003-05-06 Sony Corporation System and method to improve speed and reduce memory allocation for set top box boot-up
US6560160B1 (en) * 2000-11-13 2003-05-06 Agilent Technologies, Inc. Multi-port memory that sequences port accesses
US7095752B2 (en) * 2001-02-28 2006-08-22 Pmc-Sierra, Inc. On-chip inter-subsystem communication including concurrent data traffic routing
US6677786B2 (en) * 2001-02-28 2004-01-13 Brecis Communications Corporation Multi-service processor clocking system
US6813652B2 (en) * 2001-04-11 2004-11-02 Chelsio Communications, Inc. Reduced-overhead DMA
US7035966B2 (en) * 2001-08-30 2006-04-25 Micron Technology, Inc. Processing system with direct memory transfer
US7107381B2 (en) * 2002-11-20 2006-09-12 Pmc-Sierra, Inc. Flexible data transfer to and from external device of system-on-chip
JP2004334486A (en) * 2003-05-07 2004-11-25 Internatl Business Mach Corp <Ibm> Starting system using boot code and starting method
US7206928B2 (en) * 2003-06-03 2007-04-17 Digi International Inc. System boot method
US7296143B2 (en) * 2004-06-22 2007-11-13 Lenovo (Singapore) Pte. Ltd. Method and system for loading processor boot code from serial flash memory

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5224166A (en) * 1992-08-11 1993-06-29 International Business Machines Corporation System for seamless processing of encrypted and non-encrypted data and instructions

Also Published As

Publication number Publication date
US7653763B2 (en) 2010-01-26
US20020161959A1 (en) 2002-10-31
US7096292B2 (en) 2006-08-22
US20060212632A1 (en) 2006-09-21
US20050259823A1 (en) 2005-11-24
US20020159474A1 (en) 2002-10-31
US20040186930A1 (en) 2004-09-23
US7095752B2 (en) 2006-08-22
US20060221931A1 (en) 2006-10-05
US7436954B2 (en) 2008-10-14
US7349424B2 (en) 2008-03-25
WO2002069157A1 (en) 2002-09-06
WO2002069115A3 (en) 2002-10-31
US20020161978A1 (en) 2002-10-31
AU2002252173A1 (en) 2002-09-12
US7243179B2 (en) 2007-07-10
WO2002069158A1 (en) 2002-09-06

Similar Documents

Publication Publication Date Title
US7436954B2 (en) Security system with an intelligent DMA controller
KR100437146B1 (en) Intelligent network interface device and system for accelerating communication
US8516163B2 (en) Hardware-based concurrent direct memory access (DMA) engines on serial rapid input/output SRIO interface
EP1896965B1 (en) Dma descriptor queue read and cache write pointer arrangement
JP4755390B2 (en) Method and apparatus for controlling the flow of data between data processing systems via a memory
US8321385B2 (en) Hash processing in a network communications processor architecture
US7076569B1 (en) Embedded channel adapter having transport layer configured for prioritizing selection of work descriptors based on respective virtual lane priorities
US7126952B2 (en) Multiprotocol decapsulation/encapsulation control structure and packet protocol conversion method
US6618390B1 (en) Method and apparatus for maintaining randomly accessible free buffer information for a network switch
US9280297B1 (en) Transactional memory that supports a put with low priority ring command
JP4755391B2 (en) Method and apparatus for controlling the flow of data between data processing systems via a memory
US9678866B1 (en) Transactional memory that supports put and get ring commands
US20060184753A1 (en) Full access to memory interfaces via remote request
US20030210574A1 (en) Scratchpad memory
US10216645B2 (en) Memory data transfer method and system
JP2008310832A (en) Apparatus and method for distributing signal from high level data link controller to a plurality of digital signal processor cores
US7466716B2 (en) Reducing latency in a channel adapter by accelerated I/O control block processing
US7254687B1 (en) Memory controller that tracks queue operations to detect race conditions
US9342313B2 (en) Transactional memory that supports a get from one of a set of rings command
US6574683B1 (en) External direct memory access processor implementation that includes a plurality of priority levels stored in request queue
US7069397B2 (en) Stream based memory manager with function specific hardware logic for accessing data as a stream in memory
KR20070020289A (en) Semantic processor storage server architecture
US9699107B2 (en) Packet engine that uses PPI addressing

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWE Wipo information: entry into national phase

Ref document number: 10469467

Country of ref document: US

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP