A Security System with an Intelligent DMA Controller
Related Application This application claims priority to U.S. Provisional Application Number 60/272,439, entitled "MULTI-SERVICE PROCESSOR INCLUDING A MULTISERVICE BUS", filed 2/28/2001 , the specification of which is hereby fully incorporated by reference.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to the field of security. More specifically, the present invention relates to the provision of a security subsystem having an intelligent direct memory access (DMA) controller in a multi-service system-on- chip to improve operational efficiency.
2. Background Information
Advances in integrated circuit technology have led to the birth and proliferation of a wide variety of integrated circuits, including but not limited to application specific integrated circuits, micro-controllers, digital signal processors, general purpose microprocessors, and network processors. Recent advances have also led to the birth of what's known as "system on a chip" or SOC.
In various SOC applications, such as telecommunications, networking and content handling, it is often necessary to perform security operations of one or more types of security methods. The terms "security operations" and "security methods" as used in the present application include all known security
operations/methods, as well as to be discovered security operations/methods that are compatible with the present invention. Examples of known security operations/methods include but are not limited to Data Encryption Standard (DES) methods and operations of all types, Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), and so forth, and hashing operations of all types, Message Digest (MD5), Secure HASH Algorithm (SHA- 1 ) and so forth.
Further, the security methods or operations often have to be performed for data of various types, including audio, video and other data, and of various subsystems, such as the subsystem responsible for interfacing the SOC to a network, the subsystem responsible for interfacing the SOC to a telecommunication line and so forth.
Thus, a need exists to provide or support security operations of multiple security methods or operations in an efficient manner.
BRIEF DESCRIPTION OF DRAWINGS
The present invention will be described by way of exemplary embodiments, but not limitations, illustrated in the accompanying drawings in which like references denote similar elements, and in which:
Figure 1 illustrates an overview of a system-on-chip including a security subsystem incorporated with the teachings of the present invention, in accordance with one embodiment;
Figure 2 illustrates the method of the present invention, in accordance with one embodiment;
Figure 3 illustrates the data descriptor of the present invention in further details, in accordance with one embodiment;
Figures 4a-4d illustrate the base and continuation portion of a data descriptor in further details, in accordance with one embodiment;
Figure 5 illustrates the security subsystem of the present invention in further details, in accordance with one embodiment;
Figures 6a-6b illustrate the control and status registers of the security subsystem of Fig. 5 in further details, in accordance with one embodiment;
Figure 7 illustrates the further provision of a data traffic router for a DES security engine to support multiple variants of DES operations, in accordance with one embodiment;
Figure 8 illustrates the data traffic router of Fig. 7 in further details, in accordance with one embodiment; and
Figure 9 illustrates the operational flow of the relevant aspects of the controller of the security subsystem of Fig. 5 in further details, in accordance with one embodiment.
DETAILED DESCRIPTION OF THE INVENTION
The present invention includes a security subsystem equipped with an intelligent DMA controller having particular application to system-on-chips with subsystems requiring security services. The security services may include encryption/decryption services/operations, such as DES based encryptions/decryptions, and/or hashing operations, such as MD5 and SHA-1. The present invention advantageously improves the operational efficiency of the system-on-chip, in particular, offloading the controller processor of a system-on-chip.
In the following description, various features and arrangements will be described, to provide a thorough understanding of the present invention. However, the present invention may be practiced without some of the specific
details or with alternate features/arrangement. In other instances, well-known features are omitted or simplified in order not to obscure the present invention.
The description to follow repeatedly uses the phrase "in one embodiment", which ordinarily does not refer to the same embodiment, although it may. The terms "comprising", "having", "including" and the like, as used in the present application, including in the claims, are synonymous.
Overview
Referring now to Figure 1 , wherein a block diagram illustrating an overview of a SOC 100 including control processor 102, memory 104, security subsystem 106 incorporated with the teachings of the present invention, and other subsystems 108, in accordance with one embodiment, is shown. As illustrated, for the embodiment, control processor 102, memory 104, security subsystem 106 and other subsystems 108 are coupled to each other via on- chip bus 110, and communicate with each other in accordance with a predetermined bus protocol. In one embodiment, the on-chip bus and the bus protocol is the on-chip bus described in co-pending U.S. application 10/xxx,xxx, contemporaneously filed, entitled "A Multi-Service System On-Chip Including On-Chip Memory with Multiple Access Paths", which specification is hereby fully incorporated by reference. In other embodiments, other bus architectures and other bus communication protocols may be employed instead.
Security subsystem 106 equipped with the teachings of present invention, is employed to provide security services/operations to meet the security service/operation needs of subsystems 108. As will be described in more details below, in addition to security engines 122 in support of various security methods, DES operations, hashing operations, and so forth, security subsystem 106 includes intelligent DMA 120 of the present invention. Resultantly, unless so desired, upon requested, security subsystem 106 may
service a security need of one of subsystems 108 substantially without further interactions with control processor 102 and the requesting subsystem 108, thereby improving the overall operational efficiency of SOC 100.
The terms "security service" and "security operation" are used interchangeably in the present application, depending on which term is more instrumental in assisting in understanding the present invention. Their core meanings or the essence of their meanings are synonymous.
Except for the teachings of the present invention incorporated in subsystems 108, to allow subsystems 108 to have their security service needs met by security subsystem 106 in the aforementioned advantageous manner, subsystems 108 may otherwise be any one of a broad range of subsystems known in the art or to be developed. Examples of such subsystems include but are not limited to voice processors, peripheral device controllers, framer processors, network media access controllers, and the like. The exact mix is application dependent and non-essential to the practice of the present invention.
Except for its use for its conventional function of storing data, in particular data objects 116 to have security operations performed and data descriptors 118 of the present invention describing data objects 116 and the security operations to be performed, memory 104 may otherwise be any one of a broad range of volatile or non-volatile storage units known in the art or to be developed. In one embodiment, the memory 104 is a storage unit with multiple access paths, which is the subject matter of the aforementioned co-pending and incorporated by reference U.S. patent application 'xxx.
Control processor 102 controls the overall operation of SOC 100. In particular, for the embodiment, the control includes instructing security system 106 to perform a security operation on a data object 116 on behalf of one of subsystems 108, which instruction may be responsive to the request of the
subsystem. The exact nature of the remaining control performed by control processor 102 is application dependent, and is not essential to the practice of the present invention. As alluded to earlier, control processor 102 is one of primary beneficiaries of the present invention. Further, for the illustrated embodiment, control processor 102 includes instruction cache 112 and data cache 114, to facilitate performance of its control operations.
Method
Referring now to Fig. 2, wherein a flow chart illustrating a method of the present invention, in accordance with one embodiment, is shown. As illustrated, in accordance with the present invention, a subsystem 108 having a secuπty service need for a data object, first sets up in memory 104 the data object, and a descriptor describing the data object, including the security operation to be performed and the operational parameters of the security operation, block 202.
Referring now briefly to Fig. 3, under the present invention, a data object 116 to have a security operation performed may comprise a number of data segments 116a-116n, with each data segments having a number of data bits. The number of data bits in each data segment may be greater than, equal to, or less than the data bit size of an atomic block of data on which the request security operation operates. For example, a DES operation operates on 64-bit data blocks, accordingly, a data segment of a data object to have a DES operation performed may be greater than, equal to, or less than 64 bits. Similarly, a MD5/SHA-1 operation operates on 512-bit data blocks, a data segment of a data object to have a MD5/SHA-1 operation performed may be greater than, equal to, or less than 512 bits. Further, the various data segments may be stored in contiguous or discontiguous memory locations, and need not be aligned to any word boundaries.
A descriptor 118 describing a data object 116, the security operation to be performed, and the operation parameters, may include one or more parts, i.e. a base part 118a and zero or more continuation parts 118n, with the base part 118a describing the first data segment 116a, the security operation to be performed for all data segments 116a-116n and the operation parameters, and the continuation parts 118n correspondingly describing the additional data segments 116n, to be described more fully below.
Returning now to Figure 2, upon setting up the data object 116 to have a security operation performed, and its descriptor 118, for the embodiment, the subsystem 108 requests control processor 102 to cause the desired security operation to be performed, block 204. Since, for the embodiment, the security operation to be performed, including the operation parameters, are described by the data descriptor 118 of the data object 116, accordingly only the location of the descriptor 118 needs to be made available to control processor 102. The information may be made available in any one of a number of manners known in the art. For example, the starting location of the descriptor may be place in a predetermined location associated with a particular interrupt, and the subsystem 108 interrupts control processor 102 accordingly, upon setting up the data object 116, its descriptor 118, and placement of the starting location of the descriptor 118 in the predetermined location. As a further example, the starting location of the descriptor 108 may be included as part of the security service request, and the security service request may be communicated to control processor 102 via a communication packet.
Still referring to Figure 2, in response to the request, control processor 102 instructs security subsystem 106 to perform the requested security operation for the data object 116, including with the instruction, the starting location of the descriptor 118 of the data object 116, block 206. In one
embodiment, the instruction is provided to security subsystem 106 in the form of a communication packet over bus 110.
In response, as will be described in more detail below, security subsystem 106 first loads the base part 118a of the descriptor 118 of the data object 116, and thereafter successively updates the descriptor 118 with its continuation parts 118n, and in parallel, based on the descriptive information provided therein over time, successively fetches the data bits of the data segment 116a, organizes the data bits into the atomic data blocks of the requested security operation, provides the organized data blocks to the appropriate security engine for the requested security operation, causes the security engine to perform the security operation on the provided data blocks, and writes back the results of the security operation, block 208.
Data Descriptor Figures 4a-4d illustrate descriptor 118 of a data object 116, in accordance with one embodiment. More specifically, Fig. 4a illustrates the base part 118a of a descriptor 118 for a DES operation for a data object 116, in accordance with one embodiment; Fig. 4b illustrates a continuation part 118b of a descriptor 118 for a DES operation for a data object 116, in accordance with one embodiment; Fig. 4c illustrates the base part 118a of a descriptor 118 for a hashing operation for a data object 116, in accordance with one embodiment; and Fig. 4d illustrates a continuation part 118b of a descriptor 118 for a hashing operation for a data object 116, in accordance with one embodiment.
As illustrated in Fig. 4a, for the embodiment, the base part 118a of a descriptor 118 for a DES operation includes a next descriptor/part address 402 identifying the starting word location in memory 104 where the next part 118n of the descriptor 118 or the base part 118a of a next descriptor 118 is stored.
The residual unused least significant bits are employed to facilitate identification of the part as being a base part 118a of a descriptor 118, and the next descriptor/part address information is valid, and may be acted on by the security subsystem 106.
Base part 118a for a DES operation also includes a buffer size 404 and a starting address 406 (in memory 104) of the source buffer holding the base data segment 116a being described. Base part 118a also includes the starting address 408 (in memory 104) for the destination buffer for writing back the results of the security operation for the corresponding data bits of the base data segment 116a.
Additionally, base part 118a for a DES operation also includes mode 410 specifying the type of DES operation, i.e. ECB, CBC or CFB, to be performed, and descriptor identifier 412 of the descriptor. Further, base part 118a of a DES operation also describes up to three keys 418-420, 422-424 and 426-428 for the DES operation, and for CBC or CFB mode of operation, base part 118a also describes the initial vector 414-416 of the DES operation.
As illustrated in Fig. 4b, for the embodiment, the continuation part 118n of a descriptor 118 for a DES operation also includes a next descriptor/part address 432 identifying the starting word location of memory 104 where the next part 118n of the descriptor 118 or the base part 118a of a next descriptor 118 is stored. Similarly, the residual least significant bits are employed to facilitate identification of the part as being a continuation of a descriptor 118, and the next descriptor/part address information is valid, and may be acted on by the security subsystem 106.
Similar to the base part 118a of a descriptor 118 for a DES operation, a continuation part 118n of a descriptor 118 of a DES operation also includes a buffer size 434 and a starting address 436 (in memory 104) of the source buffer holding the continuation data segment 116n being described. Continuation
part 118n also includes the starting address 438 (in memory 104) for the destination buffer for writing back the results of the security operation for the corresponding data bits of the continuation data segment 116n.
As illustrated in Fig. 4c, for the embodiment, the base part 118a of a descriptor 118 for a hashing operation includes a next descriptor/part address 442 identifying the starting word location in memory 104 where the next part 118n of the descriptor 118 or the base part 118a of a next descriptor 118 is stored. The residual unused least significant bits are employed to facilitate identification of the part as being a base part 118a of a descriptor 118, and the next descriptor/part address information is valid, and may be acted on by the security subsystem 106.
Base part 118a for a hashing operation also includes a buffer size 444 and a starting address 446 (in memory 104) of the source buffer holding the base data segment 116a being described. Base part 118a also includes the starting address 448 (in memory 104) for the destination buffer for writing back the results of the security operation for the corresponding data bits of the base data segment 116a.
Additionally, base part 118a for a hashing operation also includes mode 450 specifying the type of hashing operation, e.g. MD5 or SHA-1 , to be performed, and descriptor identifier 452 of the descriptor. Further, base part 118a of a hashing operation also describes at least four chaining variable 454- 460, for the hashing operation, and for the SHA-1 mode of operation, a fifth chaining variable 462. For a MD5 hashing operation, base part 118a also describes the "must write filer data" 462-464 of the hashing operation.
As illustrated in Fig. 4d, for the embodiment, the constitution of a continuation part 118n of a descriptor 118 for a hashing operation is the same as a continuation part 118n of a descriptor 118 for a hashing operation. Continuation part 118n of a descriptor 118 for a hashing operation includes a
next descriptor/part address 472 identifying the starting word location of memory 104 where the next part 118n of the descriptor 118 or the base part 118a of a next descriptor 118 is stored. The residual unused least significant bits are employed to facilitate identification of the part as being a continuation of a descriptor 118, and the next descriptor/part address information is valid, and may be acted on by the security subsystem 106.
Continuation part 118n of a descriptor 118 of a hashing operation also includes a buffer size 474 and a starting address 476 (in memory 104) of the source buffer holding the continuation data segment 116n being described. Continuation part 118n also includes the starting address 478 (in memory 104) for the destination buffer for writing back the results of the security operation for the corresponding data bits of the continuation data segment 116n.
Security Subsystem
Figure 5 illustrates security subsystem 106 of the present invention in further details, in accordance with one embodiment. As illustrated, for the embodiment, security subsystem 106 includes controller 502, registers 504, data transfer unit 506 and security engines 122, coupled to each other as shown.
Data transfer unit 506 is employed to facilitate receipt of instructions from control processor 102 to perform security operations for various data objects 116, access and receipt of the various parts of the descriptors 118 of the various data objects 116, access and receipt of the various data segments of the various data objects 116, and write back of the results of the various security operations. One embodiment of data transfer unit 506 is described in the aforementioned 'xxx copending and incorporated by reference U.S. patent
application. In alternate embodiments, other data interfaces may be employed instead.
Registers 504 include a number of collections, with each collection employed to store a fetched descriptor, e.g. one collection to store the descriptor of a DES operation to be or being performed, and another collection to store the descriptor of a hashing operation to be or being performed. In one embodiment, two collections of registers, with one collection dedicated to support a DES operation, and another collection dedicated to support a hashing operation, are provided.
For the embodiment, registers 504 also include a number of collections of control registers, one collection each for each security operation concurrently supported, to facilitate control processor 102 in specifying for security subsystem 106 a number of general operation parameters for performing the corresponding security operation. In one embodiment, two such collections, one for a DES operation and another for a hashing operation, are supported. The content and meaning of these control parameters for one embodiment is described in further detail below referencing Fig. 6a.
For the embodiment, registers 504 also include a number of collections of status registers, one collection each for each security operation concurrently supported, to facilitate appraising control processor 102 of the current status of security subsystem 106 for the corresponding security operation. In one embodiment, two such collections, one for DES operation and another for hashing operation are supported. The content and meaning of these status for one embodiment is described in further detail below referencing Fig. 6b.
Registers 504 may be implemented via any one of a number of techniques known in the art. In one embodiment, a multi-port addressable memory unit is employed to implement all registers 504 in a single storage unit.
Security engines 106 are employed to perform security operations of corresponding types. In one embodiment, one security engine coupled with a data traffic router for performing various types of DES operations, ECB, CBC and CFB (see Fig. 7 where data traffic router is shown as element 702), one security engine for performing MD5 hashing operations, and one security engine for performing SHA-1 hashing operations are provided. Any one of a number of implementations known in the art may be employed to implement the various security engine cores, i.e. the security engine core for performing DEA ECB, CBC and CFB operations, the security engine core for performing MD5 hashing operations, and the security engine core for performing SHA-1 hashing operations. Their exact implementations are not essential aspects of the present invention. One embodiment of the data traffic router enabling a single DES security engine core to be provided for multiple modes of DES security operations will be further described below, referencing Fig. 8.
Controller 502 controls the operation of data transfer unit 506, registers 504 and security engines 106. The relevant operational flow for one embodiment will be described in further details below, referencing Fig. 9.
Control and Status Registers of the Security Subsystem As alluded to earlier, Figure 6a-6b illustrate one each of a collection of control registers 600 and a collection of status registers 620 for a security operation concurrently supported, e.g. a DES operation, or a hashing operation.
Control registers 600 include register 602 for control processor 102 to globally disable or enable interrupt mode of operation for the security operation. Control registers 600 also include registers 604-608 for control processor 102 to instruct security subsystem 106 to interrupt control processor 102 upon
completion of a data segment, upon completion of a data object or upon encountering an operation error while performing the security operation. Further, control registers 600 include registers 610-616 for control processor 102 to instruct security subsystem 106 to stop the security operation on completion of a data segment (including completion of a data object), halt operation altogether, to reset, or to start/continue for the security operation.
Status registers 620 include registers 622-623 for conveying to control processor 102 a bad write address was encountered by security subsystem 106, and the remaining byte counts of the results of the security operation. Status registers 620 also include registers 624-628 for conveying to control processor 102 an interrupt is pending, where the interrupt is issued by security system 106 upon completion of a data segment, completion of a data object or encountering an error, for the security operation. Status registers 620 also include registers 630-632 for conveying to control processor 102 that processing for a data segment or a data object has been completed for the security operation. Further, status registers 620 include registers 634-638 for conveying to control processor 102 that the subsystem is "on", its outputs are valid, or it is busy.
Data Traffic Router Figure 8 illustrates data traffic router 702 of Figure 7 in further details, in accordance with one embodiment. As illustrated, data traffic router 702 includes a number of AND gates 802a-802c, a number of multiplexors 804a- 804b, and a number of XOR gates 806a-806b, coupled to each other as shown. More specifically, AND gate 802a receives the data block (datajn) of the security operation and control variable A as inputs, and perform a logical AND operation on the inputs. The result of the logical AND operation is provided to XOR gate 806a, which also receives the output of AND gate 802b
as its other input. XOR gate 806a performs the logical XOR operation on its inputs, and the output is provided as input to the DES security engine core.
The output of AND gate 802b is generated based on the output of multiplexor 804a and control variable B. The output of multiplexor 804 is either the initial vector outputted from the earlier described initial vector registers, or the result of the DES operation on a prior data block, depending on the control variable C.
In like manner, XOR gate 806b receives the output from the DES security engine core and the output of AND gate 802c as inputs, and performs a logical XOR operation on the inputs to produce the current result of the DES security operation (data_out).
The output of AND gate 802c is generated based on the output of multiplexor 804c and control variable D. The output of multiplexor 804 is either the initial vector outputted from the earlier described initial vector registers, or the current input data block of the DES operation, depending on the control variable E.
The setting of the control variables A through E, for the various modes of DES operations are given in the following table:
where X stands for "don't care"
Controller
Figure 9 illustrates the relevant operational flow of controller 502 of Fig. 5 in further details, in accordance with one embodiment. As shown, upon instructed by control processor 102, controller 502 of security subsystem 106 causes the base portion 118a of the addressed descriptor 118 to be loaded in the appropriate descriptor registers 504 for the specified security operation, e.g. the descriptor registers 504 for a DES operation or the descriptor registers 504 for a hashing operation, block 902. Next in accordance with the starting address location of the base data segment (and its size), controller 502 causes the data bits of the base data segment to be fetched via one or more fetches (for the embodiment of Fig. 5, through data transfer unit 506, block 904. The number of fetches required depends on the size of the data bits of the data segment and the width of the data bus between memory 104 and security subsystem 106.
As the data bits successively arrive, controller 502 determines if sufficient amount of data bits to form an atomic block of data bits for the security operation has been accumulated, block 906. For as long as there are insufficient amount of data bits to form an atomic block of data bits for the security operation has been accumulated, and the end of the currently described data segment has not been reached, block 912, fetching, i.e. block 904, continues.
Once sufficient amount of data bits to form an atomic block of data bits for the security operation has been accumulated, controller 502 causes the data bits to be organized into a data block, and forwarded to the appropriate security engine, block 908. In due course (typically after a pre-determined number of clock cycles), the result of the security operation on the provided data block becomes available. At such time, controller 502 causes the result to
be written back to the storage locations of memory 104 as specified by the corresponding part of the descriptor 118, block 910.
Concurrently, once an atomic data block is provided to the security engine for operation, controller 502 also continues operation back at block 912 to determine if the end of the currently described data segment has been reached. As described earlier, if the end of the currently described data segment has not been reached, controller 502 continues operation at block 904. If the end of the currently described data segment has been reached, controller 502 further determines if all data segments of the data object has been processed or if all processed, whether security operation for a next data object is to be started, block 914. For the embodiment, controller 502 makes the determination based on the earlier described next descriptor/part address and its associated valid bit denoting whether the next descriptor/part address is valid. If not all data segments of the data object has been processed or processing for a new data object is to be started, controller 502 causes a continuation part of the current descriptor or the base part of the next descriptor to be loaded into descriptor registers 504, block 916. In the former case, the descriptor of the data object is updated with the data segment related information describing a new data segment. Upon updating or reloading descriptor registers 504, controller 502 continues operation at block 904.
Recall that the number of data bits of a data segment may be less than, equal to or greater than the size of the atomic block of the security operation, thus in the course of operation, at times, at block 912, after fetching all the data bits of a data segment in accordance to the starting address and the buffer size currently stored in descriptor registers 504, a quantity of data bits less than the size of the atomic data block of the security operation may remain. At such time, as described earlier, controller 502 determines if all data segments of the data object has been processed, block 914. If not, controller 504 causes a
continuation part of the descriptor to loaded, updating the descriptor. For the embodiment, controller 504 also saves the address and size information of the previous part of the descriptor, e.g. in corresponding shadow registers (not shown). In one embodiment, controller 504 is equipped with 8 sets of shadow registers, enabling it to fetch as many as 8 data segments to form one atomic data block of the security operation. In other embodiments, more or less sets of shadow registers may be employed instead.
Back at block 914, if indeed all data segments of the data object has been processed, the residual data bits are indicative of the fact that the data object has a size that is not modulo the size of the atomic data block of the security operation (64 bits in the case of a DES operation, and 512 bits in the case of hashing operation). For the embodiment, an error is returned, block 918.
Conclusion and Epilogue Thus, it can be seen from the above descriptions, an improved method and apparatus for performing security services/operations for subsystems of a SOC has been described. The novel scheme advantageously offloads the control processor of the SOC and enables the SOC to operate more efficiently. While the present invention has been described in terms of the foregoing embodiments, those skilled in the art will recognize that the invention is not limited to these embodiments. The present invention may be practiced with modification and alteration within the spirit and scope of the appended claims. Thus, the description is to be regarded as illustrative instead of restrictive on the present invention.