CLAIMS
What is claimed is: 1. A security subsystem comprising: a first security engine to perform a first security operation on a block of data bits; a first plurality of registers to collectively store a first descriptor of a first data object having first one or more data segments, with each of said first one or more data segments having a plurality of data bits;
and a control portion coupled to said first registers and the first security engine to cause (a) said first descriptor of said first data object to be loaded into said first registers, first describing a first data segment of said first data object, and said first descriptor to be successively updated to correspondingly describe first additional data segments of said first data object, if any, one data segment at a time, and (b) data bits of each currently described one of said first data segments to be successively fetched, organized into blocks of data bits, and provided to said first security engine to have said first security operation to be successively performed on the provided blocks of data bits.
2. The security subsystem of claim 1, where said first descriptor of said first data object includes, at a first instance in time, first storage location descriptions that describe first storage locations of data bits of a first of said first data segments of said first data object.
3. The security subsystem of claim 2, where said first storage location descriptions comprise a starting storage location address and a size of the data bits of said first data segments of said first data object.
4. The security subsystem of claim 2, where said first descriptor of said first data object includes, at a second instance in time, second storage location descriptions that describe second storage locations of data bits of a second of said first data segments of said first data object.
5. The security subsystem of claim 4, where said first storage locations and said second storage locations are contiguous storage locations.
6. The security subsystem of claim 4, where said first storage locations and said second storage locations are discontiguous storage locations.
7. The security subsystem of claim 1, where said control portion further causes the results of said first security operations performed for the provided blocks of data bits to be successively returned.
8. The security subsystem of claim 7, where said first descriptor of said first data object includes, at a first instance in time, first storage location descriptions that describe first storage locations for returning first results of said first security operations performed on the provided data bits of a first of said first data segments of said first data object.
9. The security subsystem of claim 8, where said first storage location descriptions comprise a starting storage location address.
10. The security subsystem of claim 8, where said first descriptor of said first data object includes, at a second instance in time, second storage location descriptions that describe second storage locations for returning second results of said second security operations performed on the provided data bits of a second of said first data segments of said first data object.
11. The security subsystem of claim 10, where said first storage locations and said second storage locations are contiguous storage locations.
12. The security subsystem of claim 10, where said first storage locations and said second storage locations are discontiguous storage locations.
13. The security subsystem of claim 1, where said first descriptor of said first data object also describes operating parameters to be employed to perform said first security operation on each of said provided blocks of data bits of said first data object, and said control portion further causes said described operating parameters to be provided to said first security engine.
14. The security subsystem of claim 1, wherein said first security operation is a DES operation.
15. The security subsystem of claim 14, wherein said DES operation is a selected one of a DES cipher operation and a DES decipher operation.
16. The security subsystem of claim 14, wherein said DES operation is a selected one of a DES ECB operation, a DES CBC operation and a DES CFB operation.
17. The security subsystem of claim 14, wherein said first descriptor of said first data object also describes operating parameters including a first and a second key to be employed to perform said DES operation on each of said provided blocks of data bits of said first data object, and said first control portion further causes said described operating parameters including said first and second keys of said DES operation to be provided to said first security engine.
18. The security subsystem of claim 17, wherein said operating parameters further include a third key of said DES operation.
19. The security subsystem of claim 14, wherein said DES operation is a selected one of a DES CBC operation and a DES CFB operation; said security subsystem further comprises a data router coupled to said security engine to selectively route a current block of data bits of said first data object and a result of the selected DES security operation for a prior block of data bits to said security engine; and said control portion is further coupled to said data router to control its operation.
20. The security subsystem of claim 19, wherein < additional details on the data router > .
21. The security subsystem of claim 1, wherein said security operation is a hashing operation.
22. The security subsystem of claim 21, wherein said hashing operation is a selected one of a MD5 operation and a SHA-1 operation.
23. The security subsystem of claim 21, wherein said first descriptor of said first data object also describes operating parameters including a plurality of chaining variables to be employed to perform said hashing operation on each of said blocks of data bits of said first data object, and said first control portion further causes said described operating parameters including said chaining variables to be provided to said first security engine.
24. The security subsystem of claim 1, wherein said security subsystem further comprises a control register to facilitate a subsystem external to said security subsystem in providing one or more control instructions to said control portion of said security subsystem.
25. The security subsystem of claim 24, wherein at least one of said control instructions is a selected one of instructing said control portion to start said first security operation, to interrupt said external subsystem upon completing said first security operation for all blocks of data bits of said first data segments of said first data object, to interrupt said external subsystem upon completing said first security operation for all blocks of data bits of said first data object, and to stop said security subsystem upon completing said first security operation for all blocks of data bits of said first data segments of said first data object.
26. The security subsystem of claim 1, wherein said security subsystem further comprises a status register to facilitate said control portion of said security subsystem in providing one or more status to a subsystem external to said security subsystem.
27. The security subsystem of claim 26, wherein at least one of said status is a selected one of a pending interrupt issued on completion of said first security operation for all blocks of data bits of said first data segments of said first data object, a pending interrupt issued on completion of said first security operation for all blocks of data bits of said first data object, completion of said first security operation for all blocks of data bits of said first data segments of said first data object, completion of said first security operation for all blocks of data bits of said first data object and said security subsystem being in a busy state.
28. The security subsystem of claim 1, wherein said security subsystem further comprises a second security engine to perform a second security operation on a block of data bits; a second plurality of registers to collectively store a second descriptor of a second data object having second one or more data segments, with each of said second one or more data segments having a plurality of data bits;
and said control portion is further coupled to said second registers and the second security engine to cause (a) said second descriptor of said second data object to be loaded into said second registers, first describing a second data segment of said second data object, and said second descriptor to be successively updated to correspondingly describe second additional data segments of said second data object, if any, one data segment at a time, and (b) data bits of each currently described one of said second data segments to be successively fetched, organized into blocks of data bits, and provided to said second security engine to have said second security operation to be successively performed on the provided blocks of data bits.
29. The security subsystem of claim 28, where said control portion further causes the results of said second security operations performed for the provided blocks of data bits to be successively returned.
30. The security subsystem of claim 28, where said second descriptor of said second data object also describes operating parameters to be employed to perform said second security operation for each of said blocks of data bits of said second data object, and said control portion further causes said described operating parameters to be provided to said second security engine.
31. The security subsystem of claim 28, wherein said first security operation is a DES operation and said second security operation is a hashing operation.
32. The security subsystem of claim 1, wherein said security subsystem further comprises a data transfer unit coupled to said first security engine and said control portion to retrieve and provide said data bits of said first data object for said first security engine, and return the results of said first security operations performed for said data bits of said first data object, under the control of said control portion.
33. In a security subsystem, a method of operation comprising: retrieving and storing a first descriptor describing a first data segment of a first data object; and causing first data bits of said described first data segment of the first data object to be successively retrieved, organized into blocks of data bits, provided to a first security engine of the security subsystem, have a first security operation performed by the first security engine on each of the provided blocks of data bits, and the results of the first security operations performed on the provided blocks of data bits to be returned.
34. The method of claim 33, wherein the method further comprises accepting and storing a plurality of control instructions instructing said security subsystem in its manner of operation; and stopping said security subsystem, if so instructed, upon causing said first security operation to be performed on each of said provided blocks of data bits of said first data segment of said first data object.
35. The method of claim 33, wherein the method further comprises accepting and storing a plurality of control instructions instructing said security subsystem in its manner of operation; and interrupting a subsystem external to said security subsystem, if so instructed, upon causing said first security operation to be performed on each of the provided blocks of data bits of said first data segment of said first data object.
36. The method of claim 33, wherein the method further comprises updating said first descriptor to describe a second segment of said first data object; and causing second data bits of said described second segment of the first data object to be successively retrieved, organized into blocks of data bits, provided to said first security engine of the security subsystem, have said first security operation performed by the first security engine on each of the provided blocks of data bits, and the results of the first security operations performed on the provided blocks of data bits to be returned.
37. The method of claim 36, wherein the method further comprises accepting and storing a plurality of control instructions instructing said security subsystem in its manner of operation; and interrupting a subsystem external to said security subsystem, if so instructed, upon causing said first security operation to be performed on all provided blocks of data bits of all data segments of said first data object.
38. The method of claim 36, wherein said first data blocks of said first data segment of said first data object and said second data blocks of said second data segment of said first data object are stored in contiguous storage locations.
39. The method of claim 36, wherein said first data blocks of said first data segment of said first data object and said second data blocks of said second data segment of said first data object are stored in discontiguous storage locations.
40. The method of claim 36, wherein the results of said first security operations performed on said data bits of said first data segment of said first data object and the results of said first security operations performed on said data bits of said second data segment of said first data object are returned to contiguous storage locations.
41. The method of claim 36, wherein the results of said first security operations performed on said data bits of said first data segment of said first data object and the results of said first security operations performed on said data bits of said second data segment of said first data object are stored in discontiguous storage locations.
42. The method of claim 33, wherein said first descriptor of said first data object also describes operating parameters to be employed to perform said first security operation on each of said organized blocks of data bits of said first data segment of said first data object, and the method further comprises providing the described operating parameters to said first security engine.
43. The method of claim 33, wherein said first security operation is a DES operation.
44. The method of claim 43, wherein said DES operation is a selected one of a DES cipher operation and a DES decipher operation.
45. The method of claim 43, wherein said DES operation is a selected one of a DES ECB operation, a DES CBC operation and a DES CFB operation.
46. The method of claim 43, wherein said first descriptor of said first data object also describes operating parameters including a first and a second key to be employed to perform said DES operation on each of said first data blocks of said first data segment of said first data object, and the method further comprises providing said first and second keys of said DES operation to said first security engine.
47. The method of claim 46, wherein said operating parameters further include a third key of said DES operation.
48. The method of claim 43, wherein said DES operation is a selected one of a DES CBC operation and a DES CFB operation; and said method further comprises causing a selected one of a current block of data bits of said first data segment and a result of the selected DES security operation for a prior block of data bits to be provided to said security engine.
49. The method of claim 48, wherein < additional details on the data router > .
50. The method of claim 33, wherein said security operation is a hashing operation.
51. The method of claim 50, wherein said hashing operation is a selected one of a MD5 operation and a SHA-1 operation.
52. The method of claim 50, wherein said first descriptor of said first data object also describes operating parameters including a plurality of chaining variables to be employed to perform said hashing operation on each of said blocks of data bits of said first data segment of said first data object, and the method further comprises providing said chaining variables to said first security engine.
53. The method of claim 33, wherein the method further comprises providing one or more status to a subsystem external to said security subsystem.
54. The method of claim 53, wherein at least one of said status is a selected one of a pending interrupt issued on completion of said first security operation for all data bits of said first data segment of said first data object, a pending interrupt issued on completion of said first security operation for all data bits of said first data object, completion of said first security operation for all data bits of said first data segment of said first data object, completion of said security operation for all data bits of said first data object and said security subsystem being in a busy state.
55. The method of claim 33, wherein the method comprises retrieving and storing a second descriptor describing a second segment of a second data object; and causing second data bits of said described second segment of the second data object to be successively retrieved, organized into blocks of data bits, and provided to a second security engine of the security subsystem, have a second security operation performed by the second security engine on each of the provided blocks of data bits, and the results of the second security operations performed on the blocks of data bits to be returned.
56. The method of claim 55, wherein the method further comprises successively returning the results of said second security operations performed for the provided blocks of data bits.
57. The method of claim 55, wherein said second descriptor of said second data object also describes operating parameters to be employed to perform said second security operation for each of said provided blocks of data bits of said second data segment of said second data object, and the method further comprises providing said described operating parameters to said second security engine.
58. The method of claim 55, wherein said first security operation is a DES operation and said second security operation is a hashing operation.
59. An apparatus comprising: a memory to store data and descriptive information of said data; a processor coupled to said memory to set up in said memory a first descriptor having first one or more parts, describing a first data object having first one or more data segments, with each of said first one or more data segments having a plurality of data bits;
and a security subsystem coupled to said memory and said processor to perform a first security operation on each of a plurality of blocks of data bits of said first one or more data segments of said first data object, responsive to a request of said processor, wherein the security subsystem is equipped to (a) first retrieve a first part of said first descriptor, and then successively update said first descriptor with its additional parts, if applicable, (b) successively fetch the data bits of said first one or more data segments of said first data object in accordance with the successive current descriptions of the first descriptor, (c) successively organize the fetched data bits into blocks of data bits, (d) successively perform said first security operation on said organized data blocks, and (e) successively return the results of said successive first security operations.
60. The apparatus of claim 59, wherein the security subsystem comprises a first security engine to perform said first security operation for a block of data bits; a first plurality of registers to collectively store the currently retrieved part of a data object descriptor; and a control portion coupled to said first registers and the first security engine to cause (a) said first part of said first descriptor of said first data object to be loaded into said first registers, and then successively updated to successively describe said first one or more data segments of said first data object, (b) data bits of each currently described one of said first data segments to be successively fetched, organized into blocks of data bits, and provided to said first security engine to have said first security operation to be successively performed on the provided data blocks, and (c) the results of said successively performed first security operations to be returned.
61. The apparatus of claim 59, wherein each of said first one or more parts of said first descriptor describes storage locations of data bits of a corresponding one of said first one or more data segments of said first data object.
62. The apparatus of claim 61, wherein said first one or more data segments of said first data object comprise two or more data segments, and the storage locations of the data blocks of at least one of the data segments are discontiguous from the storage location of the data blocks of the other data segments of said first data object.
63. The apparatus of claim 59, wherein each of said first one or more parts of said first descriptor describes storage locations for returning the results of said first security operations for the data bits of a corresponding one of said first one or more data segments of said first data object.
64. The apparatus of claim 63, wherein said first one or more data segments of said first data object comprise two or more data segments, and the storage locations for returning the results of said first security operations performed for the data bits of at least one of the data segments are discontiguous from the storage location for returning the results of said first security operations performed for the data bits of the other data segments of said first data object.
65. The apparatus of claim 59, wherein at least a first part of said first descriptor of said first data object also describes operating parameters to be employed to perform said first security operation for each of said blocks of data bits of said first data object.
66. The apparatus of claim 59, wherein said first security operation is a DES operation.
67. The apparatus of claim 66, wherein said DES operation is a selected one of a DES cipher operation and a DES decipher operation.
68. The apparatus of claim 66, wherein said DES operation is a selected one of a DES ECB operation, a DES CBC operation and a DES CFB operation.
69. The apparatus of claim 66, wherein at least a first part of said first descriptor of said first data object also describes operating parameters including a first and a second key to be employed to perform said DES operation on each of said blocks of data bits of said first data object.
70. The apparatus of claim 69, wherein said operating parameters further include a third key of said DES operation.
71. The apparatus of claim 66, wherein said DES operation is a selected one of a DES CBC operation and a DES CFB operation; and said security subsystem is further equipped to selectively employ a current block of data bits of said first data object and a result of the selected DES security operation for a prior block of data bits to perform the selected DES operation.
72. The apparatus of claim 59, wherein said security operation is a hashing operation.
73. The apparatus of claim 72, wherein said hashing operation is a selected one of a MD5 operation and a SHA-1 operation.
74. The apparatus of claim 72, wherein at least a first part of said first descriptor of said first data object also describes operating parameters including a plurality of chaining variables to be employed to perform said hashing operation for each of said blocks of data bits of said first data object.
75. The apparatus of claim 59, wherein said security subsystem further comprises a control register to facilitate said processor in providing one or more control instructions to said security subsystem.
76. The apparatus of claim 75, wherein at least one of said control instructions is a selected one of instructing said security subsystem to start said first security operation, to interrupt said processor upon completing said first security operation for all blocks of data bits of said first data segments of said first data object, to interrupt said processor upon completing said first security operation for all blocks of data bits of said first data object, and to stop said security subsystem upon completing said first security operation for all blocks of data bits of said first data segments of said first data object.
77. The apparatus of claim 59, wherein said security subsystem further comprises a status register to facilitate said security subsystem in providing one or more status to said processor.
78. The apparatus of claim 77, wherein at least one of said status is a selected one of a pending interrupt issued on completion of said first security operation for all blocks of data bits of said first data segments of said first data object, a pending interrupt issued on completion of said first security operation for all blocks of data bits of said first data object, completion of said first security operation for all blocks of data bits of said first data segments of said first data object, completion of said first security operation for all blocks of data bits of said first data object and said security subsystem being in a busy state.
79. The apparatus of claim 59, wherein said processor is also to set up in said memory a second descriptor having second one or more parts, describing a second data object having second one or more data segments, with each of said second one or more data segments having a plurality of data bits; and said security subsystem is also to perform a second security operation for data bits of said second one or more data segments of said second data object, responsive to a request of said processor, wherein the security subsystem is also equipped to (a) first retrieve a first part of said second descriptor, and then successively update said second descriptor with its additional parts, if applicable, (b) successively fetch the data bits of said second one or more data segments of said second data object in accordance with the successive current descriptions of the second descriptor, (c) successively organize the successively fetched data bits into blocks of data bits, (d) successively perform said second security operation on said successively organized blocks of data bits, and (e) successively return the results of said successive second security operations.
80. The apparatus of claim 79, wherein said first security operation is a DES operation and said second security operation is a hashing operation.
81. The apparatus of claim 59, wherein said apparatus is disposed on a single integrated circuit.
82. A method comprising: a processor setting up in a memory a first descriptor having first one or more parts, describing a first data object having first one or more data segments, with each of said first one or more data segments having a plurality of data bits; and a security subsystem performing a first security operation on the data bits of said first one or more data segments of said first data object, responsive to a request of said processor, by (a) first retrieving a first part of said first descriptor, and then successively updating said first descriptor with its additional parts, if applicable, (b) successively fetching the data bits of said first one or more data segments of said first data object in accordance with the successive current descriptions of the first descriptor, (c) successively organizing the fetched data bits into blocks of data bits, (d) successively performing said first security operation on said successively organized data blocks, and (e) successively returning the results of said successive first security operations.
83. The method of claim 82, wherein each of said first one or more parts of said first descriptor describes storage locations of data bits of a corresponding one of said first one or more data segments of said first data object.
84. The method of claim 83, wherein said first one or more data segments of said first data object comprise two or more data segments, and the storage locations of the data blocks of at least one of the data segments are discontiguous from the storage location of the data blocks of the other data segments of said first data object.
85. The method of claim 82, wherein each of said first one or more parts of said first descriptor describes storage locations for returning the results of said first security operations for data bits of a corresponding one of said first one or more data segments of said first data object.
86. The method of claim 85, wherein said first one or more data segments of said first data object comprise two or more data segments, and the storage locations for returning the results of said first security operations performed for the data bits of at least one of the data segments are discontiguous from the storage location for returning the results of said first security operations performed for the data bits of the other data segments of said first data object.
87. The method of claim 82, wherein at least a first part of said first descriptor of said first data object also describes operating parameters to be employed to perform said first security operation for data bits of said first data object.
88. The method of claim 82, wherein said first security operation is a DES operation.
89. The method of claim 88, wherein said DES operation is a selected one of a DES cipher operation and a DES decipher operation.
90. The method of claim 88, wherein said DES operation is a selected one of a DES ECB operation, a DES CBC operation and a DES CFB operation.
91. The method of claim 88, wherein at least a first part of said first descriptor of said first data object also describes operating parameters including a first and a second key to be employed to perform said DES operation on each of said data blocks of said first data object.
92. The method of claim 91, wherein said operating parameters further include a third key of said DES operation.
93. The method of claim 88, wherein said DES operation is a selected one of a DES CBC operation and a DES CFB operation; and said method further comprises said security subsystem selectively employing a current block of data bits of said first data object and a result of the selected DES security operation for a prior block of data bits to perform the selected DES operation.
94. The method of claim 82, wherein said security operation is a hashing operation.
95. The method of claim 94, wherein said hashing operation is a selected one of a MD5 operation and a SHA-1 operation.
96. The method of claim 94, wherein at least a first part of said first descriptor of said first data object also describes operating parameters including a plurality of chaining variables to be employed to perform said hashing operation for each of said blocks of data bits of said first data object.
97. The method of claim 82, wherein said method further comprises said processor providing one or more control instructions to said security subsystem.
98. The method of claim 97, wherein at least one of said control instructions is a selected one of instructing said security subsystem to start said first security operation, to interrupt said processor upon completing said first security operation for all data bits of one of said first data segments of said first data object, to interrupt said processor upon completing said first security operation for all data bits of said first data object, and to stop said security subsystem upon completing said first security operation for all data bits of one of said first data segments of said first data object.
99. The method of claim 82, wherein said method further comprises said security subsystem providing one or more status to said processor.
100. The method of claim 99, wherein at least one of said status is a selected one of a pending interrupt issued on completion of said first security operation for all data bits of one of said first data segments of said first data object, a pending interrupt issued on completion of said first security operation for all data bits of said first data object, completion of said first security operation for all data bits of one of said first data segments of said first data object, completion of said first security operation for all data bits of said first data object and said security subsystem being in a busy state.
101. The method of claim 82, wherein the method further comprises said processor setting up in said memory a second descriptor having second one or more parts, describing a second data object having second one or more data segments, with each of said second one or more data segments having a plurality of data bits;
and said security subsystem performing a second security operation on data bits of said second one or more data segments of said second data object, responsive to a request of said processor, by (a) first retrieving a first part of said second descriptor, and then successively updating said second descriptor with its additional parts, if applicable, (b) successively fetching the data blocks of said second one or more data segments of said second data object in accordance with the successive current descriptions of the second descriptor, (c) successively organizing the fetched data bits into blocks of data bits, (d) successively performing said second security operation for said successively organized blocks of data bits, and (e) successively returning the results of said successive second security operations.
102. The method of claim 101, wherein said first security operation is a DES operation and said second security operation is a hashing operation.
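The following Python model is an added illustration, not the patent's own implementation: it walks a descriptor chain the way claims 1, 28, 59 and 82 describe (load one descriptor part, fetch that segment, organize the bytes into engine blocks with the leftover carried into the next segment, report segment and object completion through status and interrupt indications), using SHA-1 from hashlib as the hashing engine of claims 21 to 23. Register names, bit positions, the DescriptorPart layout and the bounds check in `_fetch` are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

BLOCK_SIZE = 64  # SHA-1/MD5 block size in bytes: the engine's unit of work

# Control register instructions named in the claims (bit positions assumed)
CTRL_START = 1 << 0           # start the security operation
CTRL_INT_ON_SEGMENT = 1 << 1  # interrupt the processor after each data segment
CTRL_INT_ON_OBJECT = 1 << 2   # interrupt the processor after the whole object
# Status register indications named in the claims (bit positions assumed)
STAT_BUSY, STAT_SEGMENT_DONE, STAT_OBJECT_DONE, STAT_INT_PENDING = 1, 2, 4, 8

@dataclass
class DescriptorPart:
    """One part of a data-object descriptor: one segment's storage locations."""
    src_addr: int                    # starting storage address of the segment
    size: int                        # number of bytes in the segment
    next_part: Optional[int] = None  # index of the next part; None = last one

class HashEngine:
    """Hashing security engine: hashlib carries the chaining variables between
    blocks; the counter makes the control portion's block organization visible."""
    def __init__(self) -> None:
        self._h = hashlib.sha1()
        self.blocks_seen = 0

    def process_block(self, block: bytes) -> None:
        assert len(block) == BLOCK_SIZE, "engine only accepts full blocks"
        self._h.update(block)
        self.blocks_seen += 1

    def finish(self, tail: bytes) -> bytes:
        """Absorb the final partial block; hashlib applies the standard padding."""
        self._h.update(tail)
        return self._h.digest()

class SecuritySubsystem:
    """Descriptor registers, control portion and data transfer unit, modelled."""
    def __init__(self, memory: bytearray) -> None:
        self.memory = memory
        self.desc: Optional[DescriptorPart] = None  # the descriptor registers
        self.status = 0
        self.interrupts: List[str] = []  # interrupts raised to the processor

    def _fetch(self, part: DescriptorPart) -> bytes:
        # Descriptors are written by the external processor, so the transfer
        # unit checks them against the memory it was given before fetching.
        end = part.src_addr + part.size
        if part.src_addr < 0 or part.size < 0 or end > len(self.memory):
            raise ValueError("descriptor addresses fall outside memory")
        return bytes(self.memory[part.src_addr:end])

    def run(self, parts: List[DescriptorPart], first: int, control: int,
            engine: HashEngine) -> bytes:
        """Process the data object whose descriptor chain starts at parts[first]."""
        if not control & CTRL_START:
            raise RuntimeError("control register carries no start instruction")
        self.status = STAT_BUSY
        residue = b""  # bytes of the previous segment that did not fill a block
        idx: Optional[int] = first
        while idx is not None:
            self.desc = parts[idx]  # load, later update, the descriptor registers
            data = residue + self._fetch(self.desc)
            full = len(data) - len(data) % BLOCK_SIZE  # organize into blocks
            for off in range(0, full, BLOCK_SIZE):
                engine.process_block(data[off:off + BLOCK_SIZE])
            residue = data[full:]  # the tail waits for the next segment
            self.status |= STAT_SEGMENT_DONE
            if control & CTRL_INT_ON_SEGMENT:
                self.status |= STAT_INT_PENDING
                self.interrupts.append(f"segment {idx} done")
            idx = self.desc.next_part
        result = engine.finish(residue)
        self.status = STAT_OBJECT_DONE | (self.status & STAT_INT_PENDING)
        if control & CTRL_INT_ON_OBJECT:
            self.status |= STAT_INT_PENDING
            self.interrupts.append("object done")
        return result

def demo() -> dict:
    """Constructed input: a 150-byte data object scattered over three
    discontiguous segments of a 512-byte memory."""
    memory = bytearray(512)
    payload = bytes(range(150))
    memory[16:66] = payload[:50]       # segment 0: 50 bytes at address 16
    memory[200:270] = payload[50:120]  # segment 1: 70 bytes at address 200
    memory[400:430] = payload[120:]    # segment 2: 30 bytes at address 400
    parts = [DescriptorPart(16, 50, 1), DescriptorPart(200, 70, 2),
             DescriptorPart(400, 30, None)]
    sub, engine = SecuritySubsystem(memory), HashEngine()
    digest = sub.run(parts, 0, CTRL_START | CTRL_INT_ON_SEGMENT
                     | CTRL_INT_ON_OBJECT, engine)
    # The scattered object must hash exactly as the contiguous payload would.
    return {"digest": digest, "expected": hashlib.sha1(payload).digest(),
            "blocks": engine.blocks_seen, "status": sub.status,
            "interrupts": sub.interrupts}
```

Because segment sizes are not block multiples, the control portion feeds the engine only two full 64-byte blocks across the three segments and hands the 22-byte tail to `finish`, which is the residue handling a real implementation of claims 36 to 39 has to get right.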