WO2008141063A2 - Interrupt-related circuits, systems, and processes - Google Patents


Publication number
WO2008141063A2
Authority
WO
WIPO (PCT)
Prior art keywords
interrupt
wfi
fiq
processor
circuit
Application number
PCT/US2008/063003
Other versions
WO2008141063A3 (en)
Inventor
Gregory Conti
Franck Dahan
Original Assignee
Texas Instruments Incorporated
Application filed by Texas Instruments Incorporated

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/14 Handling requests for interconnection or transfer
    • G06F13/20 Handling requests for interconnection or transfer for access to input/output bus
    • G06F13/24 Handling requests for interconnection or transfer for access to input/output bus using interrupt
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

An electronic interrupt circuit includes an interrupt-related input line (4235), a security-related status input line (4236), a context-related status input line (4237), and a conversion circuit (4234A) having plural interrupt-related output lines (4245) and selectively operable in response to an interrupt-related signal on said interrupt-related input line depending on an active or inactive status of each of said security-related status input line and said context-related status input line.

Description

INTERRUPT-RELATED CIRCUITS, SYSTEMS, AND PROCESSES
Portions of this patent application contain materials that are subject to copyright protection. The copyright owner has no objection to the reproduction as part of the patent document, but otherwise reserves all copyright rights.
BACKGROUND
This invention is in the field of electronic computing hardware and software and processes, circuits, devices, and systems for information and communication processing.
As computer and communications applications with security become larger and more complex, a need has arisen for technology to inexpensively handle large amounts of software program code and the data for highly disparate applications, such as for high performance and fast response given a mix of real-time and non-real-time applications, and run them more or less concurrently in a secure manner in an energy-efficient and power-efficient way.
SUMMARY
Generally and in one form of the invention, an electronic interrupt circuit includes an interrupt-related input line, a security-related status input line, a context-related status input line, and a conversion circuit having plural interrupt output lines and selectively operable in response to an interrupt-related signal on the interrupt-related input line depending on an active or inactive status of each of the security-related status input line and the context-related status input line. Other forms of the invention involve processes of manufacture, processes of operation, circuits, devices, telecommunications products, wireless handsets and systems.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram of inventive compartmentalized process to support software layers and contexts.
FIG. 2 is a diagram of an inventive compartmentalized process from a different perspective from that of FIG. 1 and governed by a hypervisor monitor mode, the process responsive to interrupt requests to particular execution environments EE.
FIG. 3 is a block diagram of an inventive combination of a microprocessor unit (MPU) and target hardware together with and protected by inventive security hardware (SSM) and inventive target firewall circuits for execution environments EE xx.
FIG. 4 is a block diagram of an electronic system protected by an inventive security hardware (SSM) of FIG. 3 and target firewall circuits.
FIG. 5 is a partially block, partially flow diagram of an inventive combination of a multiprocessor system with power management and global interrupt handling protected by a secure state machine and operated according to an inventive process of operation.
FIG. 6 is a block diagram of an inventive circuit for expanding and converting interrupt related signals such as wait for interrupt (WFI) signals to deliver interrupts to at least one processor on a category specific basis for use in FIG. 5 and FIGS. 10A/B/C.
FIG. 7 is a block diagram of an alternative inventive circuit for converting interrupt related signals such as wait for interrupt (WFI) signals to deliver interrupts to at least one processor pertaining to a specified execution environment EE, for use in FIG. 2, 5, FIGS. 10A/B/C, and other systems.
FIG. 8 is a block diagram for combination with FIG. 7 highlighting an Interrupt Handler and Secure FIQ Pre-emptive Masking Handler with related registers in combination transforming an IRQ configuration for active EE to FIQ configuration for suspended domain and back to IRQ.
FIG. 9 is a partially block, partially flow diagram of a process of Monitor code, vectors and transitions for the inventive systems.
FIGS. 10A/10B/10C are three portions of a composite block diagram showing a detail of an example of inventive four-CPU hardware and software for four-core operation in a system of FIGS. 4 and 5 and using multiple instances of inventive conversion circuitry such as from FIGS. 6 and 7.
FIG. 11 is a timing diagram of an inventive process of digital signal transitions of an inventive system including master counter, and of four CPUs in an inventive four-CPU system such as in FIGS. 10A/B/C, and showing interspersed interrupt signal transitions legended for various CPUs and types of operating systems for them.
FIG. 12 is a timing diagram of an inventive process of digital signal transitions of an inventive system wherein an execution environment EE running on a processor is suspended and is replaced by another execution environment.
FIG. 13 is a flow diagram of an inventive boot and run-time process for use with the structures of the other Figures.
FIG. 14 shows an inventive transformation process of FIQ back to a local IRQ in a diagram that represents the three operational layers, interrupt priority diagram, and rotation loop.
DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS
TABLE 1: GLOSSARY OF SELECTED ABBREVIATIONS
DPLL Digital Phase Locked Loop
DPS Dynamic Power Switching
DVFS Dynamic Voltage Frequency Scaling
EE Execution Environment
FIQ Fast Interrupt Request
INTC Interrupt Controller
INTH Interrupt Handler
IRQ Ordinary Interrupt Request
OPP Operating Performance Point
PRCM Power Reset and Clock Manager
PRM Power & Reset Manager
SMI System Management Interrupt
VP Voltage Processor
VP_ACTIVE Virtual Processor Active
VP1 Virtual Processor
WFI Wait for Interrupt
A hypervisor is established and can control and differentiate virtually and non-virtually (non-virtual) both the non-secure and secure worlds. A monitor mode is given hardware structural support called checker circuits or checkers as in US Patent Application Publication 20070226795 (Sept. 27, 2007) to enable software operation therein as a hypervisor. Security is protected from the public world side because the SSM (secure state machine) and the checkers are used together to establish one or more classifiers or classifier control signals MreqDomain for virtual mode and non-virtual mode(s), and MreqSecure for secure mode and non-secure mode. The Monitor Mode hypervisor operates as software on top of the check hardware. A 3rd/4th generation (3G/4G) wireless modem Protocol Stack and a Secure Kernel run on processor 1400 under a real time operating system (RTOS) and are desirably isolated from one or more application high level operating systems HLOS which are not necessarily architected for real-time. Control over many contexts, categories, or execution environments EEs is provided by wait-for-interrupt WFI expansion to deliver FIQ from various HLOSs and RTOSs on a per-CPU and per-EE basis. IRQ configuration for an active EE is transformed into an FIQ configuration when the EE is suspended, and then transformed back to IRQ configuration when the EE is re-activated. Put another way, interrupt lines allocated to a given EE are transformed from FIQ to IRQ routing configuration when the EE is activated, and then transformed back to FIQ when the EE is suspended. Multiple virtual processors or EEs are used. By context-switching fully on a per-CPU, per-EE basis the MMU and processor registers and the interrupt configuration even outside the processor in interrupt handler and SSM, such embodiment places or accommodates as many different HLOS as desired.
MreqDomainx qualifiers are generated when operating in a virtual category or EE in order for system interconnect firewalls to protect memories from other categories. The Monitor hypervisor can configure the interconnect hardware firewalls and SSM hardware to define EE physical and virtual address space boundaries and the full MMU settings to deny all accesses to one HLOS physical space while providing full access to other HLOSes.
Refer briefly to FIGS. 6 and 3. In FIG. 6, when in the secure mode, the processor MPU generates a bit CP15_NS = 0. SSM register bit designated VP1_NS corresponds to CP15_NS. Any MMU page programming or any transfer retained in cache is marked with an NS qualifier equal to or responsive to CP15_NS. The NS qualifier bit is used thereafter to generate a protection signal HPROT[] on a line of a system bus. MPU2BUS interface 2665 creates the actual signal designated MreqSecure = NOT(HPROT[]). The SSM 2460 provides bit fields VP1_NS and VP1_Active. The VP1_Active bit field defines whether operations are transitioning from Monitor mode to a Non-virtual or Virtual category (VP1_Active), and the VP1_NS bit field concurrently defines whether the transition is going to Secure or Public category and in this way four categories are individually specified. Application port interfaces (APIs) in each category respond to a respective OS or kernel in each category to initiate transitions to another category mediated and controlled by an SMI handler in the hypervisor or a Secure FIQ trap in the hypervisor. A first category (00) is Public Non-virtual PN, a second category (01) is a Secure Non-virtual SN, a third category (10) is Public Virtual PV, and a fourth category (11) is Secure Virtual SV.
In FIG. 1, a hardware (HW) security architecture Monitor mode infrastructure allows execution environments EEs to run in parallel under an SSM HW-protected hypervisor in the Monitor mode. Platform Support Execution Environments (PSEE) are provided in a system example to respectively support Router (TCP/IP, IMS, Stacks), Gaming, Non-GPL device drivers and code (GPL refers to an open-source regime), Modem and wireless stacks, USB/IrDa, and Multi-Media Codec and MM Framework (MM ISP) and DRM. All the PSEE coexist at the same time in Public mode and form a parallel architecture with each other and secure EE in Secure mode. Latency, stability and security benefit. Each PSEE is allowed to use up to a configured amount of dedicated memory (e.g., 32Mbytes) for code and data and benefits from the HLOS (UIEE) IO mapping (L4 Interconnect Core, L4 Peripheral, Physical resources, etc.). The UIEE is a form of EE, the PSEE is a form of EE, and the secure environment is a form of EE, as the symbolism EE is used herein. User Interaction Execution Environment (UIEE) includes a high-level operating system subject to the hypervisor scheduling in FIG. 1 designated HLOS1 (e.g., Linux or SMP Linux for symmetric multiprocessing). A dormant substitutable operating system in memory is designated HLOS1' (e.g., a Linux variant or alternatively another HLOS dedicated to games or multimedia). IOs and/or peripherals can also wake up the system or some part of it when one or more execution domains EE are idle. Thus, one or more of these execution environments EEs have associated hardware peripherals, and the phrase execution domain suggests this association of processor context with parts of the system hardware. Notice that the context can be associated with a particular processor such as a DSP and context-supporting peripherals such as joysticks and special displays for games, and modem hardware for a cell phone modem.
Accordingly, the hypervisor configures the system to appropriately respond to and supply information to various context-related hardware in response to the category or EE identified in the EE-related register(s).
3-bit register fields in registers CONTROL_MREQDOMAIN_EXP1, 2, etc. secure registers, are respectively provided in FIG. 3 to specify to which EE = x an initiator (peripheral) belongs by configuring at initiator port level a 3-bit MreqDomainx value. A lock bit is provided so that that register can only be written at boot time. Examples of peripherals are SAD2D 3520.7, IVA, USB, SGX (Graphics), etc. of FIG. 4 for as many initiators as desired to correspond to each EE. The modem is suitably provided on one integrated circuit chip that is die-to-die (D2D) coupled by a SAD2D 3520.7 communications interface to another integrated circuit chip having an application processor or combined.
Interrupt scheme support with a Global interrupt controller GIC involves a GIC configuration wherein fast interrupt request lines nFIQ are dedicated to Secure world, Monitor mode, and suspended domain(s) EE. Fast interrupt requests FIQs are made not maskable by public world, but may be masked by commands from Secure modes and Monitor mode. FIQs are trapped into Monitor mode. Active domains EE do not use FIQ, but wait for interrupt signals WFI from active domains becoming suspended or idle are converted to FIQ in some of the embodiments herein to alert the Hypervisor. Ordinary interrupt requests nIRQ are dedicated to Public world and are maskable by operations in either the Public or Secure world, are not trapped into Monitor mode, and instead are trapped locally in IRQ mode of a processor. Secure mode uses only FIQ and not IRQ, thereby providing a clean differentiation of the Public world from the Secure world.
To protect the security of transactions between a cache coherency-promoting snoop control unit SCU 5010 and cache L2$, a DSB (Drain Store Buffer) operation is used when changing from a UIEE/PSEE to another PSEE/UIEE. SSM monitors between SCU and L2 to detect and prevent one UIEE/PSEE from directly modifying or updating another PSEE/UIEE. PSEE are checked by ETM monitoring of the SECMON bus and comparison checking against address ranges established by configuration of PSEE mapping so that PSEEs are prevented from updating each other. PSEEs are locked down in their respective memory spaces for security in order to prevent UIEE from changing any of them. PSEE TLB translation lookaside buffer mapping is locked down. Each CPU is provided with multiple TLBs that are assigned to the different EEs. UIEE suitably defines Peripherals/IVA/GFX resources and shared buffer of PSEE for PSEE access into static mapped virtual address spaces. SSM tracks execution environments EE in SSM register space (of FIGS. 6, 7) and information derived is accessible to the in-circuit emulator for debug.
FIG. 2 shows public modes are arranged into eight execution environments (EE) identified by a public/secure signal NS=1 and an execution environment specifier EE_Active set equal to any value xx from zero (000 binary) to seven (7 = 111 binary) in this example. At far right in FIG. 2 a secure mode execution environment is identified by a public/secure signal NS=0 (secure) and the execution environment specifier EE_Active set equal to zero (000 binary). A fast interrupt request (FIQ) is captured by the hypervisor 2410 and directed to the applicable execution environment and identified as EE_xx_FIQ wherein xx identifies the particular execution environment EE. When leaving a virtual container or an EE to switch to the Monitor Mode, the Monitor Mode 2410 of FIG. 2 executes a Data Memory Synchronisation/Write Barrier (DMB_DSB/DWB) to ensure that all pending items in Data Cache belonging to the EE or Virtual Processor are written to a physical address.
In FIG. 3, SSM Registers 2620 have SSM registers prefixed CPUi_ for each CPUi in the system.
For each CPUi, various EE-related SSM registers are provided, such as EE_Active to identify which EE is active, and various registers or fields replicated for each index EE_xx such as EE_xx_Debug_Dis to show which EEs have debug disabled, and EE_xx_NS to show which EEs are Public/Secure. Address Boundary registers EE_xx_START and EE_xx_END identify the start/end addresses for each EE xx. WFI scheduling is supported by SSM registers 2620, see FIGS. 6, 7 for more detail.
When an initiator with Initiator Firewall 2638 initiates transfers of information performing a transaction, in-transaction classifiers or qualifiers are generated: MCMD for Read/Write qualification, and MreqInfo qualifiers such as MreqDomain, MreqSecure, MreqDebug, MreqType, MreqPrivilege. The qualifiers are propagated to interconnect 2640 in FIG. 3 and 3521 in FIG. 4. The interconnect 2640 generates a parameter designated ConnID to identify exactly which initiator made the transaction. Each of several configurable Target Firewalls 2645 (e.g., each L4 interconnect firewall, system memory, and each L3 interconnect firewall) respectively dedicates a memory or a peripheral in the Targets 2650 to each initiator, generates a Security Violation signal when an attempted bus-access by an initiator is inconsistent with permissions configured into a firewall, and isolates each such target among Targets 2650 from any other initiator so that corruption or attack from any other initiator is prevented.
In FIG. 3, the SSM Physical Checker 2650 includes EE Creator 2656 circuitry coupled to SSM registers of FIG. 7 and to Read bus and Write bus (in Functional buses 2655) from a CPUi 2610. EE Creator 2656 is responsive to Hypervisor Enable, EE_Active (PSEE) and UIEE_Active fields in SSM registers of FIG. 7 to identify and create MreqDomainx for a PSEE that is active within its START/END address boundaries. The EE Creator 2656 checks to see if the asserted address (except in Monitor mode) on either the Read or Write bus is in the range allocated to a particular PSEE indexed x. If so, the MreqDomainx qualifier representing that PSEE in the EE_Active register for that bus is activated. If not, then the MreqDomainx qualifier is representing the UIEE identified in register UIEE_Active since the address is outside PSEE address space. If an instruction read in a data-only space is detected, then a security violation is issued.
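A software model of the EE Creator address check described above, added here as an illustration and not taken from the patent or any TI code. The `data_start` split point, the inclusive END bound, the reading that only the PSEE named in EE_Active is range-checked, and the sample addresses are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_EE 8                       /* EE index is a 3-bit value, 0..7 */

enum access_kind { DATA_READ, DATA_WRITE, INSTR_FETCH };

/* Model of the per-EE boundary registers EE_xx_START / EE_xx_END.
 * data_start is an assumption: the text names a "data-only space" but not
 * how it is delimited. Here [start, data_start) may hold code and
 * [data_start, end] is data-only. */
struct ee_bounds {
    uint32_t start;                    /* EE_xx_START, inclusive */
    uint32_t end;                      /* EE_xx_END, inclusive (assumed) */
    uint32_t data_start;               /* hypothetical split point */
};

struct ssm_regs {
    bool     hypervisor_enable;
    uint8_t  ee_active;                /* index of the active PSEE */
    uint8_t  uiee_active;              /* index of the UIEE */
    struct ee_bounds ee[NUM_EE];
};

struct qualifier {
    bool    valid;                     /* false: Monitor mode or hypervisor off */
    uint8_t mreq_domain;               /* 3-bit MreqDomainx value */
    bool    security_violation;
};

static bool in_range(uint32_t a, uint32_t lo, uint32_t hi)
{
    return a >= lo && a <= hi;
}

/* Configuration check before the ranges are relied on: every EE selected in
 * used_mask has a well-formed range and no two selected ranges overlap.
 * An overlap would make the domain tag of an address ambiguous. */
bool ee_bounds_valid(const struct ssm_regs *r, uint8_t used_mask)
{
    for (int i = 0; i < NUM_EE; i++) {
        if (!(used_mask & (1u << i)))
            continue;
        const struct ee_bounds *a = &r->ee[i];
        if (a->start > a->end || !in_range(a->data_start, a->start, a->end))
            return false;
        for (int j = i + 1; j < NUM_EE; j++) {
            const struct ee_bounds *b = &r->ee[j];
            if ((used_mask & (1u << j)) && a->start <= b->end && b->start <= a->end)
                return false;
        }
    }
    return true;
}

/* Address inside the active PSEE's range: tag with that PSEE's domain.
 * Address outside it: tag with the UIEE domain from UIEE_Active.
 * Instruction fetch from the data-only part: security violation. */
struct qualifier ee_creator(const struct ssm_regs *r, bool monitor_mode,
                            uint32_t addr, enum access_kind kind)
{
    struct qualifier q = { false, 0, false };
    if (monitor_mode || !r->hypervisor_enable)
        return q;                      /* the text exempts Monitor mode */
    q.valid = true;
    const struct ee_bounds *p = &r->ee[r->ee_active & 7u];
    if (in_range(addr, p->start, p->end)) {
        q.mreq_domain = r->ee_active & 7u;
        if (kind == INSTR_FETCH && addr >= p->data_start)
            q.security_violation = true;
    } else {
        q.mreq_domain = r->uiee_active & 7u;
    }
    return q;
}

/* Constructed sample: UIEE is EE 0; PSEE 2 owns 32 Mbytes, upper half data-only. */
struct ssm_regs demo_regs(void)
{
    struct ssm_regs r = {0};
    r.hypervisor_enable = true;
    r.uiee_active = 0;
    r.ee_active = 2;
    r.ee[2] = (struct ee_bounds){ 0x82000000u, 0x83FFFFFFu, 0x83000000u };
    return r;
}

int main(void)
{
    struct ssm_regs r = demo_regs();
    struct qualifier q = ee_creator(&r, false, 0x83000010u, INSTR_FETCH);
    printf("domain=%u violation=%d\n", (unsigned)q.mreq_domain, (int)q.security_violation);
    return 0;
}
```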
In FIG. 4, a system 3500 has DMA subsystems 3510.i. DMA is integrated into the system 3500 in such a way that it can perform target accesses via target firewalls 2645 of FIG. 3 (see also FIG. 4 firewalls 3522.i, 3532.1, 3555) connected on the interconnects 2640. A target is a circuit block targeted or accessed by an initiator. DMA channels 3515.i are programmed with the source location of the Data to be transferred and the destination location of the Data. Data exchange between the peripheral subsystem and the memory subsystem and general system transactions from memory to memory are handled by the System SDMA 3510.1 having a DMA engine 3518.1. Data exchanges within a DSP subsystem 3520.8 are handled by the DSP DMA 3528.8 and/or by DSP DMA 3510.2. Data exchange to refresh a display is handled in display subsystem 3510.4 using a DISP DMA 3518.4 (numeral omitted). Data exchange to store camera capture is handled using a Camera DMA 3518.3 in camera subsystem 3510.3. The MPU 2610 issues bus transactions and sets some qualifiers on Interconnect 3521. SSM 2460 also provides the MreqDomain qualifier(s) as in FIG. 3. The bus transactions propagate through the L4 Interconnect 3534 and then reach a DMA Access Properties Firewall 3512.1. Transactions are coupled to a DMA engine 3518.i in each subsystem 3510.i which supplies a subsystem-specific interrupt to the Interrupt Handler 2720.
In FIG. 4, DMA access properties firewall 3512.i has configuration hardware security rules for example as follows.
1) A secure access configures a DMA channel 3515.i as Secure, i.e., the access is restricted to be a secure access to make the configuration happen. Secure accesses are able to program a DMA channel 3515.i as Public or Secure subject to compliance with the other configuration hardware security rules.
2) Setting of any DMA channel 3515.i as Virtual is restricted to occur only when the access to program the DMA channel is made by accesses initiated by the MPU 2610 in Virtual mode. For FIGS. 1 and 2, the DMA configuration rule is based on the existence of several EEs and keeps the PSEEs and UIEE from modifying DMA channel configurations of each other or among themselves, while permitting the secure environment (SE, or secure EE) to do so under supervision of the hypervisor.
3) Setting of any DMA channel 3515.i as Public Privilege is restricted to occur only when the access to program the DMA channel is made by Public Privilege, Secure User or Secure Privilege accesses to an address of the channel register DMA_CHANNELi in registers 3515.i to be programmed. Setting of any DMA channel as Secure Privilege is also restricted to occur only by Secure Privilege access. Privilege accesses are able to program a DMA channel as User or Privilege without restriction in their own Public or Secure mode, subject to compliance with the other configuration hardware security rules.
Then operation of the DMA subsystem 3510.i is started and uses these MreqInfo qualifiers configured into the channel rights register DMA_CHANNELi 3515.i for firewall evaluation of a regular transaction issued on the interconnect. Control Module 2765 between Interconnect 3534 and DMA Firewall 3512.1 receives the Security Violation signal from DMA Firewall 3512.1. A Security Violation flag is activated in a Control_Sec_Err_Status register and is forwarded to SSM Platform_Status_Register.
This flag is read on every Monitor Mode switch or otherwise frequently read, or interrupt handler 2720 generates an interrupt each time one of the Flag bits is updated or activated by the hardware.
In FIG. 5, Hardware embodiments based on at least one interrupt related instruction such as the wait for interrupt (WFI) instruction optimize task scheduling of parallel operating systems running in separate MPU core categories or execution environments (EEs) in a single-core architecture or multi-core architecture of FIG. 5 or the other Figures. "WFI" is a broad term including one or more instructions that initiate a processor core idle, standby, sleep or similar state. The processor core can subsequently be re-activated or awakened by a subsequent exception such as an interrupt. "WFI" herein also refers to a signal or a line indicative of the WFI execution. For instance, when a core executes the WFI, the core clock stops and the core waits in a lower power state than prior to executing WFI for an interrupt or other exception, such as one sourced from a hypervisor running on another core or from a scheduling hardware module. "Interrupt-related" pertains to an interrupt itself or to influencing the handling of an interrupt, or controlling an interrupt in some way. "Context-related" pertains to a processor context either established in the processor by context registers or by hardware and software to establish virtual categories or execution environments EEs that use, but go beyond the context registers of the processor. To go beyond the context registers, high level software for instance stores information of such environments or virtual spaces in a separate register such as the SSM or securely elsewhere.
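The DMA channel configuration rules 1) to 3) stated earlier for the access properties firewall 3512.i can be read as a single admission predicate over the rights of the programming access and the rights requested for the channel. The following is an added sketch of that reading, not code from the patent; the struct layout, function names and the status bit position are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Attributes carried by a programming access and stored as channel rights. */
struct rights {
    bool secure;      /* Secure (true) or Public (false) */
    bool privilege;   /* Privilege (true) or User (false) */
    bool virt;        /* Virtual (true) or Non-virtual (false) */
};

/* Models DMA_CHANNELi: the qualifiers the channel later issues on the bus. */
struct dma_channel {
    struct rights rights;
};

/* Stand-in for the Security Violation flag in Control_Sec_Err_Status;
 * the bit position is an assumption. */
#define SEC_ERR_DMA_CONFIG 0x1u

/* May an access with rights 'acc' set a channel to rights 'req'? */
bool dma_config_allowed(struct rights acc, struct rights req)
{
    /* Rule 1: only a secure access may configure a channel as Secure. */
    if (req.secure && !acc.secure)
        return false;
    /* Rule 2: Virtual may be set only by an access made in Virtual mode. */
    if (req.virt && !acc.virt)
        return false;
    /* Rule 3: Secure Privilege needs a Secure Privilege access; Public
     * Privilege needs Public Privilege, Secure User or Secure Privilege. */
    if (req.privilege) {
        if (req.secure)
            return acc.privilege;          /* acc.secure already checked */
        return acc.secure || acc.privilege;
    }
    return true;
}

/* Apply a configuration write. A rejected write leaves the channel rights
 * unchanged and latches the violation flag for the hypervisor to read. */
bool dma_program_channel(struct dma_channel *ch, struct rights acc,
                         struct rights req, uint32_t *sec_err_status)
{
    if (!dma_config_allowed(acc, req)) {
        *sec_err_status |= SEC_ERR_DMA_CONFIG;
        return false;
    }
    ch->rights = req;
    return true;
}
```

Because the stored rights are what the firewalls later evaluate, this predicate is what keeps a Public or User access from using a DMA channel to issue transactions with rights it does not hold itself.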
Hypervisor may have poor visibility into what the different HLOS tasks and schedulers are doing and nevertheless allocate bandwidth to the different HLOS following a static scheme. A static scheme is a predetermined scheme insensitive to dynamic conditions of operation that involve particular categories or EEs and CPU cores. Consequently, when a HLOS is about to enter Idle mode and executes a WFI, power and reset control manager PRCM might enter a power management state (OPP) that is less than optimum for other HLOSes. High performance (OPP4) may be needed but an HLOS is in a lower performance state (e.g., OPP2), for example. Or HLOS was in a high performance state (e.g., OPP4) and another HLOS should be in OPP2. Hypervisor in such case lacks full information about the exact context of each HLOS (which CPU, what world) when the WFI has been executed and therefore lacks information to appropriately and dynamically adapt. When a first HLOS has requested an Idle mode, the hardware-protected hypervisor, constrained by a static scheme, might keep some previously needed but currently unnecessary bandwidth allocated for the first HLOS that is in Idle. Bandwidth allocation is set to various percentages of time for processor cycles for each category or EE. Some embodiments herein provide the CPU and world information and use it responsively to adjust the power saving and other functions of the system by a dynamic and more effective approach.
The hypervisor Monitor mode software is based on a software scheduler that is run or actuated by one or several synchronous tick timers 5085.i delivering ticks as in FIG. 10C and FIG. 11. Each tick informs the hypervisor in Monitor mode to switch to another category or execution environment EE for execution. This scheduler allocation of CPU bandwidth for each Execution Environment EE, or execution domain, is configured at boot (e.g., as in FIGS. 5 and 13).
A solution provided herein tracks per-world per-CPU WFI status so that the hypervisor definitively has the information to know that a category or EE, such as the gaming world, has nothing to do and so that the hypervisor has the information to definitively identify that category or EE. Then the hypervisor does not blindly schedule bandwidth for that definitively identified category or execution environment EE that is idle. Instead, the scheduler software is suitably written to take account of the bandwidth needs of the various applications and operating systems that are actually active. Then the scheduler software and hypervisor perform a selected action such as 1) respond to the gaming world tick or interrupt IRQ from the local timer to dynamically and intelligently re-allocate CPU fractional bandwidth because of the WFI to another application or operating system instead, or 2) intelligently determine that the gaming world tick in fact requires no change of bandwidth allocation but because of the WFI temporarily depart from the configured allocation and then continue execution of a currently executing application or operating system or temporarily execute another one in place of the temporarily-idle EE.
FIG. 5 is a partially block, partially flow diagram of a multiprocessor system with power management 3670 and global interrupt handling 3620 protected by a secure state machine 2460 and operated according to flow steps 3605-3665 and 3690. In some embodiments, the hypervisor layer is provided in each monitor mode instance so that the hypervisor layer exists in each CPU0-n, for instance in the embodiment of FIG. 5. Different portions of the hypervisor layer may be more predominantly operative depending on the particular CPU in the system. In some systems a modem, a digital video broadcast receiving circuit, and a digital camera are coupled as in FIG. 2 to one or more of the processor cores of FIG. 5.
In FIG. 5, a multiprocessor system operates as an electronic power management system with plural processors operable in different security and context-related modes and having respective supply voltage inputs and clock inputs. The processors have at least one interrupt input and at least one wait for interrupt output. PRCM 3670 is an example of a power control circuit that establishes different supply voltages and clock rates for the supply voltage inputs and clock inputs. In the SSM 2460, a wait for interrupt WFI expansion circuit of FIG. 6 or 7 is responsive to the at least one wait for interrupt output to provide an interrupt signal. The WFI expansion circuit facilitates tracking each WFI signal on a per-CPU per-EE or per-category basis, which is represented by the legend XX_WFI in FIG. 5. Depending on embodiment, the WFI expansion circuit and XX_WFI is physically associated for convenience more fully with each CPU in some cases or more fully with other SSM circuitry in other cases, or elsewhere, and any degree of security needed for a given architecture is suitably provided and maintained. System management interval SMI signaling is also suitably provided.
The secure state machine SSM 2460 has registers 2620 including a configuration register coupled to the processors CPU0-n and operable for configuring the power management circuit 3670 and the wait for interrupt WFI expansion circuit. At least one of the processors CPU0-n configures the power management circuit 3670 in response to one or more of the interrupt signals at interrupt input(s). In some embodiments, the wait for interrupt WFI expansion circuit in SSM 2460 is responsive to provide an interrupt signal CPUi_xx_WFI_FIQ to a different one of the interrupt inputs depending on which security and context-related mode of a given one of the processors pertains to a wait for interrupt signal therefrom. The wait for interrupt expansion circuit in SSM 2460 is responsive to the wait for interrupt WFI to supply a selected portion of an SSM register with a signal representing which of the security and context-related modes of a given one of the processors pertains to a wait for interrupt signal therefrom, and that register is coupled to at least one of the processors via a bus such as a peripheral bus. The circuitry also routes a system management interrupt between the processors.
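The WFI expansion described above, together with the per-world per-CPU WFI tracking that lets the hypervisor skip idle EEs at a tick, can be modelled in software as follows. This is an added illustration, not the patent's circuit or any TI code: the one-bit-per-category register layout, the category index 8 for the secure EE, latching status even when the FIQ is disabled, and the round-robin pick are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_CPU    4
#define SECURE_CAT 8          /* secure EE: NS=0 with EE_Active=0 */
#define NUM_CAT    9          /* public EEs 0..7 plus the secure EE */

/* Per-CPU SSM fields, one bit per category xx (bit layout assumed). */
struct wfi_ssm {
    uint16_t wfi_fiq_en[NUM_CPU];   /* CPUi_xx_WFI_FIQ_EN enable bits */
    uint16_t wfi_status[NUM_CPU];   /* categories currently waiting for interrupt */
};

/* Map the status lines (NS, EE_Active) to a category index.
 * Returns -1 for a combination the FIG. 2 description does not define. */
int wfi_category(bool ns, uint8_t ee_active)
{
    if (ns)
        return ee_active <= 7 ? ee_active : -1;
    return ee_active == 0 ? SECURE_CAT : -1;
}

/* Expansion: one WFI line in, one-hot CPUi_xx_WFI_FIQ lines out.
 * The status register records the idle category even when its FIQ is
 * disabled (assumed), so the hypervisor can still poll it. */
uint16_t wfi_expand(struct wfi_ssm *s, int cpu, bool wfi, bool ns, uint8_t ee_active)
{
    int cat = wfi_category(ns, ee_active);
    if (!wfi || cat < 0 || cpu < 0 || cpu >= NUM_CPU)
        return 0;
    uint16_t bit = (uint16_t)(1u << cat);
    s->wfi_status[cpu] |= bit;
    return (uint16_t)(bit & s->wfi_fiq_en[cpu]);
}

/* An interrupt woke the category on this CPU: it is runnable again. */
void wfi_wake(struct wfi_ssm *s, int cpu, int cat)
{
    s->wfi_status[cpu] &= (uint16_t)~(1u << cat);
}

/* Tick handler choice: the next configured category after 'current' that
 * is not waiting for interrupt. Returns -1 when every configured category
 * is idle, the case in which a lower operating point can be requested. */
int next_runnable(const struct wfi_ssm *s, int cpu, int current, uint16_t configured)
{
    uint16_t runnable = (uint16_t)(configured & (uint16_t)~s->wfi_status[cpu]);
    for (int step = 1; step <= NUM_CAT; step++) {
        int cat = (current + step) % NUM_CAT;
        if (runnable & (1u << cat))
            return cat;
    }
    return -1;
}

int main(void)
{
    struct wfi_ssm s = { {0}, {0} };
    s.wfi_fiq_en[0] = (uint16_t)((1u << 1) | (1u << SECURE_CAT));
    /* Constructed scenario: EE 1 on CPU0 goes idle while EEs 0, 1, 3 are configured. */
    unsigned fiq = wfi_expand(&s, 0, true, true, 1);
    printf("FIQ lines=0x%03x next=%d\n", fiq, next_runnable(&s, 0, 0, 0x00B));
    return 0;
}
```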
In FIG. 5, the software has operations, which in pertinent part for the present description start with a step 3605 that configures a set of register enable bits CPUi_xx_WFI_FIQ_EN, see also FIGS. 6 and 7. A succeeding step 3610 configures the bandwidth capacity of each of the CPUi. For example, the bandwidth capacity can be configured, such as at boot-time (see also, e.g., step 5830 FIG. 13), as the MIPS (millions of instructions per second) deliverable by each processor CPUi at a clock frequency corresponding to the operating performance points that can be made available to this CPU at run-time by the PRCM 3670. A further step 3615 then allocates bandwidth, such as at runtime, to each processor CPUi so that the processors collectively can run a current mix of applications. This involves configuring the time interval durations permitted for each EE or category. These durations are described elsewhere herein in regard to FIGS. 11 and 12. The step 3615 in FIG. 5 also includes hot plug and sleep controls. A succeeding step 3625 executes DVFS, DPS, SLM, and AVS power management processes in a mixture of hardware and software wherein PRCM 3670 is appropriately controlled and operates to establish operating performance points (OPPs) on a per-CPU per EE or category basis designated CPUi_xx_OPPi. In the example of FIG. 5 CPUi_xx_OPPi signify a respective pair of values of voltage VDDi and frequency Fi for processor CPUi when operating in category xx or execution environment xx. When a transition from one OPPi to another OPPj has been ordered by software in step 3625 reconfiguring power control register space in the SSM 2460, then the PRCM 3670 responsively causes the power transition to actually be delivered to and realized at the CPUi. 
When the new OPPj is actually realized in the system, then PRCM 3670 provides a power management interrupt PRM_INT to global interrupt handler 3620, which causes the appropriate processor CPUi to resume or commence operations in category xx or execution environment xx.
In a step 3630, the hypervisor software controls the system and performs system maintenance functions at appropriate times. Step 3630 evaluates various conditions A, B, C, D, E, F and fulfills the maintenance functions 3640, 3645, 3650, 3655, 3660, 3665 corresponding to whichever of the conditions A, B, C, D, E, F are true. The software process then goes to a decision step 3690 to determine whether a system reset is called for or required. If Yes at step 3690, then operations loop back to configuration step 3605. If No at step 3690, then operations instead go to the run-time step 3615 again.
Regarding the system maintenance functions in FIG. 5, changing an execution environment or virtual world or category assigned to CPUi is accomplished in a step 3640. (See description of FIG. 12 elsewhere herein that shows an example related to step 3640.) The processor system is operable to execute plural high-level operating systems (HLOSes), and each processor that issues the wait for interrupt signal is in a wait for interrupt mode relative to the time interval of FIG. 11 allocated to a given EE or category until the processor is interrupted. In step 3640 one type of maintenance function includes terminating one HLOS in a particular category on a first of the processor cores and initiating another HLOS on the same processor core. In this way, at least some of the bandwidth or time interval yielded by the terminated HLOS is used by the initiated HLOS. At least one of the processor cores launches the other HLOS provided an enabling condition exists that the first processor core activates an interrupt line from the wait for interrupt expansion circuit. The result of the expansion signifies that the particular category on the first processor core is in the wait for interrupt mode. Step 3640 also is able to update the CPUi_xx_WFI_FIQ_EN at run-time, compare to step 3605.
In FIG. 5, the processor system has applications and at least one maintenance function that in some examples would interfere with the application if concurrently executed. At least one of the processor cores is operable in response to an interrupt coupled from the wait for interrupt expansion circuit to schedule a maintenance function separated in time from execution of the application. In step 3640 a first processor generates a wait for interrupt WFI signal to the wait for interrupt expansion circuit in SSM 2460 to provide an interrupt signal to a selected one of the interrupt inputs of a second processor among the processors in some embodiments, and for the second processor to transfer at least one application from the first processor onto at least a third processor and then configure the power control circuit to put the first processor into a lower power state, such as in a hot plug operation called in step 3615 for performance by step 3640. Also, in step 3640, or other appropriate step, the second processor reconfigures the power control circuit for a different clock rate for the third processor, to handle the computing load now present as a result of the transfer.
In a step 3645 a memory and a direct memory access DMA process operate in a public context-related category. Hypervisor launches a memory integrity check maintenance function if public context-related category is in wait for interrupt WFI mode, to not interfere with DMA. In a step 3650, Hypervisor launches security integrity check maintenance function of secure world provided predetermined public context-related modes are in the wait for interrupt WFI mode, non-interfering to user experience. In a step 3655, control processor core CPU0 launches the integrity check maintenance function on gaming on CPUi core provided public context-related category for gaming is in wait for interrupt WFI mode on CPUi core. Non-interfering operation of memory defragmentation is launched in step 3660 if all of the processor cores that use the memory element are currently in wait for interrupt WFI mode. In step 3665, maintenance operations on either virtualized or physical system portions are launched in a non-interfering manner with the non-maintenance operations or applications that use or pertain to those system portions. The maintenance portions are enabled or at least not permitted to occur unless in response to the presence of an operation specific condition involving WFI mode and context related information such as category or execution environment EE pertaining to the WFI on a per-CPU basis. Applying FIG. 6 to FIG. 5, hardware WFI conversion and expansion architecture traps in the Secure State Machine SSM 2460 the different WFI commands per-category (public/secure virtual and public/secure non-virtual) and per-CPU in multi-core systems. The Hypervisor in Monitor mode of FIG. 6 uses power management software in association with a power, resets and control management hardware block (PRCM) as in FIGS. 4 and 5.
Together, the power management software and the PRCM provide an embodiment of structure and process of operation to perform any one or more of DVFS, DPS, AVS, and SLM power management. In DVFS power management, supply voltage V is scaled to a lowest adequate voltage at maximum allowed frequency F for that voltage, where each pair (V,F) is called an OPP and is sufficient for processing and system bandwidth at different moments in operation. Power management decisions are responsive to the scheduling of categories and EEs and the timer configurations ultimately under hypervisor. DVFS tends to minimize the idle time of the system while DPS, by contrast, tends to maximize this idle time. By contrast, with AVS power management the voltage is variable instead of predetermined. DPS supply voltage V is scaled to a) lowest adequate DVFS voltage in operation and b) a substantially lower leakage-reducing voltage or to zero when deep-sleep. Adaptive voltage scaling (AVS) is used to adjust and set an actual minimum appropriate voltage in the vicinity of a voltage Vn defined by DVFS for a current OPPn. AVS automatically senses on-chip delay and adapts the regulator voltage of each device individually according to its temperature and silicon performance determined by conditions of the silicon fabrication process or other semiconductor materials fabrication process. DPS is used when each task context or EE is started and thus is useful for power savings due to intelligent control of CPUi power and bandwidth. SLM switches the device into ultra-low power modes when no applications are running. DPS power management is activated if the target frequency Ftarget for a given process is below a threshold frequency THRESHOLD 1, 2, 3, 4 so that DPS energy savings are sufficient to justify activating DPS at the given OPPn. 
If the currently-selected DVFS OPP is OPP2, and target frequency Ftarget is sufficiently below the frequency of OPP2 to be lower than THRESHOLD2, then DPS activation is justified. This amount below is called the DPS margin. WFI requests are recorded by all the different categories (virtual and non-virtual, each secure or public) and for all CPUi cores and then decrease or increase the bandwidth and/or change the voltage of some categories or force a transfer of activity to a greater or fewer number of cores by steps 3615 and 3640 of FIG. 5. Utilizing per-category per-CPU WFI status information, the Hypervisor with scheduler software re-schedules another HLOS and sets or augments its bandwidth while reducing bandwidth for a core that was running a newly-idled HLOS. The OPP for each CPUi and category xx is established and updated to the extent called for in steps 3615 and 3625 of FIG. 5. The hypervisor is also operable to transfer and confine activity to a fewer number of cores in a multi-core system.
In the circuitry of FIGS. 6 and 10A/10B/10C applied to FIG. 5, each interrupt line from a set of many interrupt lines is tagged with a prefix PN_, PV_, SN_, or SV_ to designate that it respectively belongs to the Public Non-virtual PN, Public Virtual PV, Secure Non-virtual SN, or Secure Virtual SV category or world. (A prefix xx_ indicates that any particular such prefix PN_, PV_, SN_, or SV_ can be substituted.) In some embodiments, a security zone SZ allows trapping any FIQ into a Monitor Mode. There, hypervisor software called Monitor code is programmed to determine from tabular information about the particular interrupt line, or read a special SSM register as in FIG. 6 that tells to which category the FIQ belongs, or to which execution environment EE the FIQ belongs as in FIGS. 1 and 2. The Monitor code reads the Secure/Public hardware signal from Interrupt Handler INTH (secure or public FIQ) and the Non-virtual/Virtual hardware signal such as VP1_Active from the SSM 2460.
In FIG. 6, an HLOS is running a current task in one of the categories. HLOS finishes the current task, executes WFI, enters Idle mode, and awaits a re-scheduling or wake up event. When WFI is executed, hardware signal STANDBYWFI is coupled to PRCM. PRCM responds with an appropriate interrupt to power management software that issues a latest power management control pattern of signals to the system. STANDBYWFI is used by SSM 2460 to generate a WFI fast interrupt request FIQ. WFI FIQ is a Secure FIQ that forces an automatic entry to the hypervisor in Monitor Mode to 1) activate another virtual processor and/or 2) run software Monitor code using per-world per-CPU WFI execution statuses, and/or 3) re-allocate bandwidth, and/or 4) configure PRCM controls.
RTOS scheduler (FIG. 14) services the timer ticks of FIG. 11 for the SMP system, and the RTOS scheduler implements semaphore and mutex services, and need not rely on world or EE status or identifications to handle power and reset activity. The RTOS Scheduler and HLOSes generate WFI when they are idle. Accordingly, the hypervisor running in Monitor mode need not be a heavily semaphored software approach and can be relatively streamlined because it can use EE status herein to handle operations at its hypervisor level. The software, running mainly in Monitor Mode, also suitably implements power management DVFS dynamic voltage and frequency scaling functions for power saving as in step 3625, and hot plug capability support (see FIG. 5 step 3615) for SMP HLOS (symmetric multi-processing high level operating system) such as requested by clients requesting support by SMP Linux and SMP Symbian.
Hot-plug in step 3615 of FIG. 5 involves operations in a multi-core system that transfers at least one currently loaded application from a first CPU core therein onto at least one other CPU core(s) and the system, and then using step 3625 putting that first CPU core into a lower power state such as a sleep mode or powering-off the core, wherein not only is the clock stopped but also the operating voltage is substantially reduced. The per-CPU part of the WFI status information from FIG. 6 or 7 thus is recorded over time and used by the hypervisor to determine that enough bandwidth on a given CPUi has become available to accommodate all the CPU bandwidth currently being used by another CPUj. In such case, the hypervisor can transfer the software execution from CPUj to CPUi and power down CPUj. The Monitor Mode software of FIG. 6 desirably sees the per-world per-CPU WFI status information for proper hot-plug operation in step 3615. Hot plug in step 3615 is also useful if all or a sufficient number of the current execution environments on a given CPUi have generated a WFI instruction, regardless of whether the power and reset manager PRCM 3670 cuts clock and memory availability to that CPUi. Hypervisor code uses per-world per-CPU WFI status information from the circuit of FIG. 6 or 7, so that hot plug is prevented from occurring unless that status information indicates that the memory availability of CPUi local memory (MMU, L1$) and hypervisor execution domain integrity are present on which a proper hot plug transition from another CPU to the given CPU may depend.
Some embodiments use CPUs that may have different kinds of WFI instructions that operate differently to cut clocks to different relevant portions of the CPU blocks and/or power off, put in retention, or otherwise selectively disable the CPU local memory. Accordingly, such embodiments suitably also provide register space in the SSM to identify which kind or type of WFI instruction has currently been executed in each CPU and execution environment therein. The hypervisor code suitably takes account of this information about kinds of WFI instructions by accessing the register space in the SSM. In FIG. 6, a SSM WFI Scheduling block 4230 is provided into SSM 2460. Block 4230 has a conversion circuit that is responsive to the STANDBYWFI signal, and to the security signal CP15NS from a CPU core and to VP1_Active in a register 4215 put in SSM Registers 2620. Block 4230 is responsive to generate FIQs on distinct interrupt lines on a per-category basis PN_WFI_FIQ, PV_WFI_FIQ, SN_WFI_FIQ, or SV_WFI_FIQ to interrupt handler 4280 (3620, 2720) and thus provide per-category WFI status information in the interrupt process. Since all these per-category interrupt lines are physically distinct, the Monitor code can determine what category running on which CPU has executed the WFI that has ultimately sent such FIQ to the hypervisor CPU from interrupt handler 4280.
The Interrupt Handler 4280 (3620, 3720) responds to the signals on the four xx_WFI_FIQ interrupt lines from each CPU to interrupt one CPU, a selected number of CPUs, or all the CPUs depending on the configuration in the interrupt handler INTH 4280. The INTH 4280 makes an interrupt request through a dedicated HW pin or line to any CPU for the (FIQ or IRQ) interrupt mode to be entered by generally asserting an active low on an nFIQ line or nIRQ line. When the CPU has entered the corresponding interrupt mode (CPSR = FIQ or CPSR = IRQ), the CPU executes the software SW associated to or pointed to by the exception vector of this CPSR mode (FIQ or IRQ). This SW calls the Interrupt Service Routine (ISR) which accesses and reads in information from the INTH registers 2725 and from registers in FIG. 8. The applicable INTH register contains the FIQ number that fired (or IRQ #). In the embodiment of FIG. 7, ISR also accesses and reads in execution environment EE information from an SSM register 4215A and proceeds to service the interrupt on the basis of the particular WFI-originating category xx. The treatment of the interrupt in some embodiments depends on whether the category is active or suspended (FIGS. 8 and 14).
In FIG. 6, the SSM WFI Scheduling block 4230 determines which category, EE or world is involved based on hardware signals CP15NS and VP1_Active and generates a given said per-category FIQ active low provided that STANDBYWFI is active and an enabling register bit xx_WFI_FIQ_EN has been set active for that world in an SSM_WFI_SCHEDULING register 4220. The enabling register bits xx_WFI_FIQ_EN keep track of the latest enables from boot code or Monitor code. When WFI_FIQ_EN = '1' (enabled) and the SSM receives a STANDBYWFI signal, the SSM does not generate and send back IDLE_ACK to cut clocks (WFI_FIQ_EN=0 disabled) but instead generates xx_WFI_FIQ of FIG. 6 or SSM_WFIFIQ of FIG. 7. Additional register 4220 bits xx_WFI_ACTIVE keep track of WFI Active states specifying which STANDBYWFI is active for a particular world xx. xx_WFI_ACTIVE is suitably HW set/SW clear. Monitor code clears the active bit when a category xx Interrupt (IRQ, FIQ) has been received and thus proves to Monitor code that the WFI mode (idle, stalling) is ended in the category or EE. Register 4220 also has per-world tracking bits xx_WFI_FIQ_ACK that track logical ANDing 4231 of per world WFI enablement and WFI Active. The per world tracking bits xx_WFI_FIQ_ACK are respectively used to trigger a corresponding low-active FIQ on the respective line xx_WFI_FIQ from WFI Scheduling block 4230 to Interrupt Handler 4280.
In FIG. 6, a WFI Active Expansion block 4234 in SSM WFI Scheduling block 4230 is responsive per TABLE 7 to the STANDBYWFI signal on an interrupt related input line 4235, and to CP15NS on a security related input line 4236 from a CPU core. Block 4234 is also responsive in TABLE 7 to context related status input line such as a VP1_Active line or lines 4237 in a register 4215 among SSM Registers 2620. Block 4234 operates as a wait for interrupt WFI expansion circuit that supplies per-world internal expansion signals xx_WFI_ACTIVE_INT on interrupt related output lines 4239. Block 4234 is selectively operable to selectively activate the interrupt related output lines 4239 in response to the STANDBYWFI signal on line 4235 from a given CPU core and the selective activation depending on an active or inactive status of each of the security related status input line 4236 from the CPU core and a context related status input line 4237 from SSM register 4215. The per-world internal expansion signals xx_WFI_ACTIVE_INT are supplied to an FIQ Generator block 4238 and to a WFI Active Bits block 4258. WFI Active Bits block 4258 is reporting hardware that operates per-world in response to xx_WFI_ACTIVE_INT signal to set respective xx_WFI_ACTIVE bits in SSM_WFI_SCHEDULING register 4220. In this way, Secure Privilege access such as from the hypervisor via a peripheral bus or by debugger access can check the registers 4215 and 4220 and thereby check operation of the hardware of FIG. 6, and software-clear the reporting bits when desired. In FIG. 6, these per-world internal expansion signals xx_WFI_ACTIVE_INT are supplied to FIQ Generator block 4238. These signals xx_WFI_ACTIVE_INT are ANDed by four NAND-gates 4231 with corresponding per-world enabling bits xx_WFI_FIQ_EN from register 4220 to produce four low-active output signals xx_WFI_FIQ_INT.
Thus, an electronic interrupt circuit is provided wherein the logic circuitry has a set of four output lines xx_WFI_FIQ_INT and includes four NAND logic gate circuits, collectively designated 4231. Each of the NAND gates has a first input connected to corresponding one of the four enable lines xx_WFI_FIQ_EN, and each of the NAND gates has a second input connected to one of the interrupt-related output lines xx_WFI_ACTIVE_INT. The NAND gates in 4231 each have an output line forming a different one of the set of output lines xx_WFI_FIQ_INT of the logic circuitry. SSM register 4220 has four CPU-configurable category specific enables xx_WFI_FIQ_EN, a reporting bits field xx_WFI_ACTIVE, and another reporting bits field xx_WFI_FIQ_ACK coupled via WFI FIQ Acknowledgments block 4254 to receive signals inverted from each output line xx_WFI_FIQ_INT from the NAND gates 4231. The output signals xx_WFI_FIQ_INT represent conjunctions (logical ANDs) of WFI FIQ enables and WFI_ACTIVE_INT signals indicating that a given WFI FIQ should be generated provided it is enabled. Output signals xx_WFI_FIQ_INT from FIQ Generator 4238 are fed to corresponding inputs of a WFI FIQ Acknowledgements block 4254. WFI FIQ Acknowledgements block 4254 sets high-active acknowledge bits xx_WFI_FIQ_ACK as more reporting bits in the register 4220 and couples them back to FIQ Generator 4238. In this way, Secure Privilege access such as from the hypervisor or debugger can further check the operation of the hardware of FIG. 6 by reading the acknowledge bits xx_WFI_FIQ_ACK in register 4220 and software clear them if desired.
The CPU core is coupled via a bus such as the peripheral bus shown in FIG. 6 to the SSM registers 4215 and 4220. Notice that this coupling is separate from the coupling of the circuitry 4230 back to the CPU via the interrupt handler 4280. In this way the CPU can configure the SSM registers 4215 and 4220 via write access thereto, and the privileged supervisory code such as a hypervisor can read the SSM registers 4215 and 4220 as reporting registers so that system operations can be controlled on a security-related and context-related per-world per-CPU basis that is visible to the hypervisor. FIQ Generator 4238 has four inverters 4233 to invert each signal xx_WFI_FIQ_ACK on lines 4252 from WFI FIQ Acknowledgements block 4254. Inverters 4233 respectively produce the respective per-category low active interrupt signals on low-active FIQ lines PN_WFI_FIQ, PV_WFI_FIQ, SN_WFI_FIQ, and SV_WFI_FIQ. These FIQ lines couple FIQ Generator block 4238 to Interrupt Handler 4280. Interrupt Handler 4280 in turn couples one or more active secure FIQs to an interrupt bus interface INTH BUS of the CPU to gain SFIQ interrupt access to the hypervisor.
A scan controller 4290 is combined with the WFI conversion circuitry of FIG. 6 and serially provides a multi-bit scan signal to an emulator for testing, verification and debug purposes at a scan output and receives a multi-bit scan signal from the emulator at a scan input. The configurable register circuits 4215 and 4220 enable and record signal states. The configurable register circuits 4215 and 4220 are not only coupled to the WFI conversion circuit 4250, but also the configurable register circuits 4215 and 4220 are coupled to the scan output and to the scan input of the scan controller 4290.
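The FIG. 6 conversion logic described above, which the page also gives as design pseudocode in TABLES 7 and 8, can be exercised as a small software model. The following C model is an added example, not code from the patent; the bit position assigned to each category, the struct layout and the function names are assumptions, and the IDLE_ACK function encodes only the enabled/disabled behaviour stated for FIG. 6.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit position of each category inside the 4-bit fields. The ordering is an
 * assumption of this model; the TABLE 6 layout is not reproduced on the page. */
enum category { SN = 0, SV = 1, PN = 2, PV = 3 };
#define CAT_MASK 0xFu

/* Model of SSM_WFI_SCHEDULING register 4220, one bit per category per field. */
struct ssm_wfi_sched {
    uint8_t fiq_en;   /* xx_WFI_FIQ_EN:  written by boot or Monitor code */
    uint8_t active;   /* xx_WFI_ACTIVE:  HW set / SW clear               */
    uint8_t fiq_ack;  /* xx_WFI_FIQ_ACK: HW set / SW clear               */
};

/* WFI Active Expansion block 4234 (TABLE 7): one-hot xx_WFI_Active_INT. */
static uint8_t wfi_expand(bool standbywfi, bool cp15ns, bool vp1_active)
{
    if (!standbywfi)
        return 0;
    enum category c = cp15ns ? (vp1_active ? PV : PN)
                             : (vp1_active ? SV : SN);
    return (uint8_t)(1u << c);
}

/* One evaluation of blocks 4234, 4238, 4254 and 4258. Returns the four
 * xx_WFI_FIQ lines as a mask; the lines are active LOW, so 0 = asserted. */
static uint8_t ssm_wfi_step(struct ssm_wfi_sched *r, bool standbywfi,
                            bool cp15ns, bool vp1_active)
{
    uint8_t active_int = wfi_expand(standbywfi, cp15ns, vp1_active);
    /* NAND gates 4231 produce xx_WFI_FIQ_INT, active LOW. */
    uint8_t fiq_int_n = (uint8_t)(~(r->fiq_en & active_int) & CAT_MASK);

    r->active  |= active_int;                        /* block 4258 latch */
    r->fiq_ack |= (uint8_t)(~fiq_int_n & CAT_MASK);  /* block 4254 latch */
    return (uint8_t)(~r->fiq_ack & CAT_MASK);        /* inverters 4233   */
}

/* IDLE_ACK as stated for FIG. 6: returned to cut clocks only when the WFI
 * FIQ for the requesting category is disabled (model of that one sentence). */
static bool ssm_idle_ack(const struct ssm_wfi_sched *r, bool standbywfi,
                         bool cp15ns, bool vp1_active)
{
    uint8_t active_int = wfi_expand(standbywfi, cp15ns, vp1_active);
    return standbywfi && (r->fiq_en & active_int) == 0;
}

/* Monitor-code side: software clear of the reporting bits of one category. */
static void ssm_wfi_sw_clear(struct ssm_wfi_sched *r, enum category c)
{
    uint8_t keep = (uint8_t)(~(1u << c) & CAT_MASK);
    r->active  &= keep;
    r->fiq_ack &= keep;
}

int main(void)
{
    /* Constructed scenario: WFI FIQ enabled for PV and SN only. */
    struct ssm_wfi_sched r = { (uint8_t)((1u << PV) | (1u << SN)), 0, 0 };

    uint8_t lines = ssm_wfi_step(&r, true, true, true);   /* PV executes WFI */
    printf("PV WFI:      lines=0x%X active=0x%X ack=0x%X\n",
           lines, r.active, r.fiq_ack);

    lines = ssm_wfi_step(&r, false, true, true);          /* core woke up */
    printf("after wake:  lines=0x%X (FIQ stays latched until SW clear)\n",
           lines);

    ssm_wfi_sw_clear(&r, PV);
    lines = ssm_wfi_step(&r, true, true, false);          /* PN, not enabled */
    printf("PN WFI:      lines=0x%X active=0x%X idle_ack=%d\n",
           lines, r.active, ssm_idle_ack(&r, true, true, false));
    return 0;
}
```

The trace shows two properties a reviewer of such a design would check: the acknowledge latch keeps the FIQ asserted after STANDBYWFI drops until privileged software clears it, and a category whose enable bit is 0 is still recorded in xx_WFI_ACTIVE without raising an FIQ.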
TABLE 5 SSM_VIRTUAL_PROCESSORS register 4215
TABLE 6 SSM_WFI_SCHEDULING register 4220 XX = SV/SN/PV/PN, four bit fields per XX
TABLE 7
####### WFI ACTIVE EXPANSION BLOCK 4234 ##########
SN_WFI_Active_INT <= NOT (CP15NS) AND NOT (VP1_Active) AND STANDBYWFI;
SV_WFI_Active_INT <= NOT (CP15NS) AND VP1_Active AND STANDBYWFI;
PN_WFI_Active_INT <= CP15NS AND NOT (VP1_Active) AND STANDBYWFI;
PV_WFI_Active_INT <= CP15NS AND VP1_Active AND STANDBYWFI;
######### FIQ GENERATOR 4238 ###### driven from Reg 4220 and from Block 4234
XX = SN/SV/PN/PV replicated to four lines
XX_WFI_FIQ_INT <= NOT ((XX_WFI_FIQ_EN) AND (XX_WFI_Active_INT)); -- Active LOW to Block 4254
XX_WFI_FIQ <= NOT (XX_WFI_FIQ_ACK); -- from Block 4254, Active LOW
TABLE 8
######## WFI FIQ ACKNOWLEDGEMENTS BLOCK 4254 #########
XX = SN/SV/PN/PV replicated to four blocks of IF-THEN-ENDIF;
IF XX_WFI_FIQ_INT = '0' -- from FIQ Generator 4238
THEN XX_WFI_FIQ_ACK <= '1'; -- HW set / SW clear
-- to FIQ generator 4238 and to Table 6 register 4220
ENDIF;
####### WFI ACTIVE BITS BLOCK 4258 #############
IF XX_WFI_Active_INT = '1' -- from WFI Active Expansion Block 4234
THEN XX_WFI_Active <= '1'; -- HW set / SW clear -- to Table 6 register 4220
ENDIF;
Turning to the circuitry of FIG. 7, and by way of comparison with FIG. 6, the Interrupt Handler 4280 responds to the signals on the single SSM_WFIFIQ interrupt line to interrupt one CPU, a selected number of CPUs, or all the CPUs depending on the configuration in the interrupt handler INTH 4280. The INTH makes a request through a dedicated HW pin or line to any CPU for the FIQ interrupt mode to be entered by generally asserting an active low on the FIQ line on the INTH bus. When the CPU has entered the interrupt mode (CPSR = FIQ) it executes the software SW associated to or pointed to by the exception vector of this CPSR mode (FIQ). This SW calls the Interrupt Service Routine (ISR) which accesses and reads in information from the INTH registers 2725 and from registers in FIG. 8. The applicable INTH register contains the FIQ number that fired (or IRQ #).
In the embodiment of FIG. 7, ISR also accesses and reads in execution environment EE_Active and UIEE_Active information from an SSM register 4215A and proceeds to service the interrupt on the basis of the particular execution environment EE=xx that originated the WFI. Active PSEE or UIEE has its interrupts configured as IRQ and trapped in Public IRQ mode. When the EE_Active identification bits do not identify a given PSEE or UIEE, then interrupts for such inactive PSEE or UIEE are configured as Secure FIQ and trapped as SFIQ into Monitor Mode.
The electronic interrupt circuit in FIG. 7 has a plurality (e.g., nine) of enable lines xx_WFI_FIQ_EN and a logic circuitry 4231A, 4232A having a set of nine first inputs of nine parallel NAND gates 4231A respectively coupled to the plurality of enable lines and a set of nine second inputs respectively coupled to the plural interrupt-related output lines xx_WFI_ACTIVE_INT. The logic circuitry in this embodiment has a single NOR gate 4232A having nine low-active inputs respectively connected to the nine low active outputs of the nine NAND gates 4231A. (Notice that NOR gate 4232A is the equivalent in Boolean logic to a nine input AND gate.) NOR gate 4232A supplies a one-line logic output SSM_WFI_FIQ_INT responsive to both the first set of inputs and the second set of inputs of the nine parallel NAND gates 4231A. A reporting register bit SSM_WFI_FIQ_ACK is coupled to receive the one-line logic output from the logic circuit, which is first converted to high active by a block 4254A and designated WFI FIQ Acknowledgment. An inverter 4233A in FIQ generator block 4238A has its input fed by a line SSM_WFI_FIQ_ACK 4252A connected from register 4220A. Inverter 4233A with block 4254A acts as a coupling circuit having an input coupled to the one-line logic output from the logic circuitry 4231A, 4232A. Inverter 4233A feeds interrupt output line SSM_WFIFIQ. WFI Active Bits block 4258A buffers the nine xx_WFI_Active_INT lines and feeds register xx_WFI_ACTIVE in registers 4220A. TABLE 8A shows the design pseudocode for FIG. 7.
Interrupt Handler handles the signal SSM_WFIFIQ as a secure fast interrupt request SFIQ to which the hypervisor is able to respond. The hypervisor has an interrupt line number table to determine which of the execution environments an xx_WFI_FIQ came from in the embodiment of FIG. 7. In some other embodiments the INTH 4280 is structured with register bit fields to provide these identifications. In still other embodiments, SSM is structured with register bit fields to provide these identifications, such as in FIG. 7, where PSEE execution environment information EE_Active and UIEE information UIEE_Active are provided from SSM register 4215A and the interrupt is serviced on EE basis.
In FIG. 7, each of the EEs has public FIQ (modem FIQ among them) interrupt-handled on an EE-specific basis using the EE_Active and UIEE_Active register fields in registers 4215A to distinguish them. In FIG. 8, the Control Module 2765 provides Secure Interrupt registers coupled to Interrupt Handler 2720 SCR configuration registers (N registers for 32N interrupt lines). The SSM_FIQ_EE_y configuration registers are suitably N(m+1) in number for 2^m execution environments, e.g. (2^3=8, m=3 PSEEs plus bit for SE). Register bit fields SSM_FIQ_EE_y provide four bits of information per interrupt line in one example, so that eight interrupt lines are described by each 32-bit register y. The current FIQ belongs to the corresponding UIEE/PSEE execution environment EE (execution domain). A selected four-bit hexadecimal value 0000 through 0111 represents public EEs 0-7 respectively. A selected four-bit hexadecimal value 1000 through 1111 represents secure EEs 0-7 respectively for secure kernel or monitor mode. Public execution domain 7 (0111 binary) FIQ has a higher priority than a public execution domain FIQ of a lower binary value but a lower priority than any secure execution domain FIQ.
Some CPUs may have different kinds of WFI instructions that operate differently to cut clocks to different relevant portions of the CPU blocks and/or power off, put in retention, or otherwise selectively disable the CPU local memory. Some embodiments suitably also provide a bit field WFI_TYPE in register 4215A space identifying which Type of WFI instruction has currently been executed in each CPUi and execution environment EE=xx therein. This bit field WFI_TYPE is suitably made part of SSM register 4215A and/or used to augment the EE_active bit field therein. Correspondingly, this bit field WFI_TYPE is included with the per-category per-CPU information describing each interrupt in registers SSM_FIQ_EE_y as to provide an additional two bits of information per interrupt line in one example, so that five interrupt lines (32/6) are described by each 32-bit register SSM_FIQ_EE_Y. A sufficient number of such registers indexed y are provided to accommodate the interrupts and EEs. The hypervisor code then suitably takes account of this information about kinds of WFI instructions by accessing WFI_TYPE in the EE_Active bit field when FIQ interrupt SSM_WFIFIQ is active on line 4245A. The scan controller 4290 of FIG. 7 is combined with the WFI conversion circuitry of FIG. 7 and serially provides a multi-bit scan signal to an emulator at a scan output and receives a multi-bit scan signal from the emulator at a scan input.
TABLE 8A
######### WFI ACTIVE EXPANSION BLOCK 4234A #######
SECURE_WFI_ACTIVE_INT <= NOT (CP15NS) AND STANDBYWFI; -- WFI executed in the SECURE WORLD
For X = 0 to 7
EEX_WFI_ACTIVE_INT <= CP15NS AND EE_ACTIVE = 0xX AND STANDBYWFI; -- WFI executed in the EE = 0x(EEx)
######### FIQ generator 4238A ##########
SSM_WFI_FIQ_INT <= NOT (SECURE_WFI_FIQ_EN) OR NOT (SECURE_WFI_ACTIVE_INT) AND -- Active LOW
NOT (EE0_WFI_FIQ_EN) OR NOT (EE0_WFI_ACTIVE_INT) AND
NOT (EE1_WFI_FIQ_EN) OR NOT (EE1_WFI_ACTIVE_INT) AND
NOT (EE2_WFI_FIQ_EN) OR NOT (EE2_WFI_ACTIVE_INT) AND
NOT (EE3_WFI_FIQ_EN) OR NOT (EE3_WFI_ACTIVE_INT) AND
NOT (EE4_WFI_FIQ_EN) OR NOT (EE4_WFI_ACTIVE_INT) AND
NOT (EE5_WFI_FIQ_EN) OR NOT (EE5_WFI_ACTIVE_INT) AND
NOT (EE6_WFI_FIQ_EN) OR NOT (EE6_WFI_ACTIVE_INT) AND
NOT (EE7_WFI_FIQ_EN) OR NOT (EE7_WFI_ACTIVE_INT);
SSM_WFIFIQ <= NOT (SSM_WFI_FIQ_ACKNOWLEDGE); -- Active LOW
IDLE_ACK condition <= (do not ack when a STANDBYWFI request is ongoing unless all WFI request have requested and are enabled)
############ WFI FIQ ACKNOWLEDGEMENT 4254A - HW set / SW clear ###########
IF SSM_WFI_FIQ_INT = '0' THEN SSM_WFI_FIQ_ACKNOWLEDGE <= '1'; ENDIF;
############ WFI ACTIVE BITS BLOCK 4258A - HW set / SW clear ##################
IF SECURE_WFI_ACTIVE_INT = '1' THEN SECURE_WFI_ACTIVE <= '1'; ENDIF;
For x = 0 to 7
IF EEX_WFI_ACTIVE_INT = '1' THEN EEX_WFI_ACTIVE <= '1'; ENDIF
In FIG. 8, IRQ interrupts fed to the CPUi IRQ input line are delivered by hardware directly to an actively executing/scheduled EE. Hypervisor context switches the CPUi entire Virtual Address space (e.g. 4GB) and places the active EE(s) there, making visible an EE vector table and all of the EE's other private memory data. An interrupt goes through an EE's private vector table when and only when Hypervisor has previously securely configured interrupt controller 2720 and memory management unit MMU for that to occur. The CPU is previously configured by setting an FIQ trap bit so that FIQ at the separate FIQ input line of CPUi is automatically trapped, triggers a switch to Monitor mode, and uses Monitor vector table FIQ vector for FIQ servicing. The hypervisor securely configures the interrupt controller 2720 to allow each interrupt line, which is associated with a particular EE, at the input of the interrupt controller to be selected and routed as FIQ or IRQ to the FIQ input or IRQ input of CPUi depending on whether the EE is suspended or active respectively. A suspended EE cannot receive and service interrupts since it is inactive. Instead, a suspended EE's interrupts are configured as FIQ and fed to the FIQ input line, so that they go directly to Hypervisor to determine if an immediate EE context switch is required to deliver the interrupt to the appropriate EE. If not, the hypervisor keeps the interrupt pending until the hypervisor normally schedules the EE. A mask register keeps the interrupt pending and mask logic demuxing 5940 couples interrupt line to the separate FIQ input instead of IRQ input of a CPU, because EE is suspended. Some embodiments of FIGS. 1 and 2 interrupt-map or tag EE FIQ as Secure FIQ and not Public FIQ using register EE_Active and FIG. 8 hardware 5910, 5920, 5930. Comparator circuitry in suspend control 5920 of FIG. 8 determines whether the contents of the EE_Active register match the EE identification for any given interrupt line.
If there is a match, then the EE is active; otherwise it is suspended. Then that EE's interrupt lines are reconfigured as IRQ when the suspended EE subsequently becomes active due to a hypervisor response to the FIQ. Interrupt lines that were previously masked by hypervisor are unmasked to propagate directly into the EE. An active EE receives and services interrupts on the IRQ input line directly, with zero hypervisor overhead for such interrupts, so that the IRQs fire directly into the EE's private interrupt vector table. As hypervisor kernel executes in Monitor mode, this automatic switching of the CPU from non-secure world to secure world is highly efficient, speeds up operations, and is completely done by CPUi internal mechanics. That even encompasses a switch from non-secure MMU to secure MMU, as secure zone HW MMU virtualizes MMU into secure/non-secure sets of controls. Demuxes 5940, each responsive to an active/suspend selector control from suspend control circuit 5920 in FIG. 8, present only the interrupts on interrupt lines exclusively dedicated to the currently executing (active, in-context) EE as IRQ on the IRQ output line of the interrupt controller to the IRQ input of that CPUi. Demuxes 5940 each have one input coupled to a respective system interrupt line, and have two outputs each. The first output of each demux is coupled to the FIQ input of the CPU. A second output of each demux is coupled to the IRQ input of the CPU. Some embodiments route the FIQs to a control CPU0 and route IRQs to the CPUi to which they pertain. In other embodiments, the plural CPUi each have an IRQ input connected in common to IRQ outputs of a subset of the Demuxes 5940, and the plural CPUi each have an FIQ input coupled in common to FIQ outputs of some of those demuxes as appropriate to the embodiment.
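The routing rule described above (the comparator in suspend control 5920 steering each demux 5940) can be modeled in a few lines of C. This is an added illustration, not code from the patent; the four-line controller, the line-to-EE assignment and the per-line `immediate` policy flag are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_LINES 4

enum route { ROUTE_FIQ, ROUTE_IRQ };

/* Software model of the controller state that the hypervisor configures. */
struct intc {
    uint8_t  owner[NUM_LINES]; /* EE each interrupt line is dedicated to */
    uint8_t  ee_active;        /* contents of the EE_Active register */
    uint32_t pending;          /* latched requests, one bit per line */
};

/* Suspend-control comparator: owner matches EE_Active -> IRQ, otherwise FIQ. */
static enum route route_of(const struct intc *c, unsigned line)
{
    return c->owner[line] == c->ee_active ? ROUTE_IRQ : ROUTE_FIQ;
}

/* Demux outputs: bitmask of pending lines currently steered to one CPU input. */
static uint32_t lines_on(const struct intc *c, enum route want)
{
    uint32_t out = 0;
    for (unsigned l = 0; l < NUM_LINES; l++)
        if ((c->pending & (1u << l)) && route_of(c, l) == want)
            out |= 1u << l;
    return out;
}

/* A peripheral asserts its line; the request stays latched until serviced. */
static void raise_line(struct intc *c, unsigned line)
{
    c->pending |= 1u << line;
}

/* An EE can service a line only while it is active and the line arrives as IRQ. */
static int ee_service(struct intc *c, uint8_t ee, unsigned line)
{
    if (ee != c->ee_active || route_of(c, line) != ROUTE_IRQ)
        return -1;                      /* suspended EE: nothing reaches it */
    if (!(c->pending & (1u << line)))
        return -1;                      /* nothing to service */
    c->pending &= ~(1u << line);
    return 0;
}

/* Monitor-mode FIQ handler: switch at once only for lines the (assumed)
 * policy marks immediate; otherwise the interrupt is left pending until the
 * owning EE is scheduled normally. Returns the EE switched to, or -1. */
static int hyp_on_fiq(struct intc *c, const uint8_t immediate[NUM_LINES])
{
    for (unsigned l = 0; l < NUM_LINES; l++) {
        if (!(c->pending & (1u << l)) || route_of(c, l) != ROUTE_FIQ)
            continue;
        if (immediate[l]) {
            c->ee_active = c->owner[l]; /* lines of this EE now route as IRQ */
            return c->owner[l];
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed setup: lines 0-1 belong to EE 1, line 2 to EE 2, line 3 to EE 3. */
    struct intc c = { .owner = {1, 1, 2, 3}, .ee_active = 1, .pending = 0 };
    const uint8_t immediate[NUM_LINES] = {0, 0, 0, 1};

    raise_line(&c, 0);
    raise_line(&c, 2);
    raise_line(&c, 3);
    printf("EE1 active: IRQ=%#x FIQ=%#x\n",
           (unsigned)lines_on(&c, ROUTE_IRQ), (unsigned)lines_on(&c, ROUTE_FIQ));
    printf("hypervisor switches to EE %d\n", hyp_on_fiq(&c, immediate));
    printf("EE3 active: IRQ=%#x FIQ=%#x\n",
           (unsigned)lines_on(&c, ROUTE_IRQ), (unsigned)lines_on(&c, ROUTE_FIQ));
    return 0;
}
```

Note that the pending bit for line 2 survives both context switches: the suspended EE's interrupt is neither lost nor visible to the EE that happens to be running.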
FIQ interrupts on the CPUi take priority over IRQ interrupts, and the active EE is configured to be allowed Global Masking privilege for changing only the IRQ mask flag in the CPUi CPSR register. The active EE is prevented from masking the FIQ flag in the ARM CPSR register by CPSR F bit lockdown configuration. An active EE is prohibited from and locked out of access to the FIQ interrupt line mask register in the interrupt controller if the EE attempts to do any masking of one or more FIQ interrupt lines there. The interrupt stays pending on an interrupt initiator such as a peripheral until it is signaled to retract or deactivate that pending interrupt by EE actions: 1) servicing the status register and clearing the interrupt requester circuit of the initiator, and 2) initiating a new agreement NEWFIQAGR transaction with the interrupt controller. However, suspension/queuing of the interrupts for an EE occurs herein by leaving the interrupt line pending, and latches the timer's interrupt generation, and thus timer interrupts are not lost. Time skewing is dealt with by hypervisor herein having a software function/service for simulating IRQ interrupts to the EE and for delivery of EE expected timer tick interrupts. The priority level for the SD storage card interrupt line, or any other interrupt line, can be reconfigured by hypervisor governance/arbitration over interrupt deliveries depending on the latency, usage or interrupt service quality level desired. SSM is provided with one-shot circuitry herein that detects when EEs have re-enabled interrupts via their CPSR IRQ flag, just before Hypervisor delivers a HIGH Priority interrupt to an EE. SSM reports the detection of such EE CPSR IRQ unmasking via an FIQ interrupt to hypervisor. IRQ interrupts are intercepted in Secure Environment SE operation and immediately forwarded to Non-Secure Environment, with little interaction from the SW Hypervisor component by global masking of both IRQ and FIQ at CPSR register. 
FIQ interrupts are re-enabled just before applying the IRQ interrupt into EE. A context save/restore of the Secure Interrupt Register SCR is allowed at every EE context switch point. Virtual IRQ interrupts appear as real as any hardware/peripheral generated interrupt, due to ability of Hypervisor to write/set values for interrupts to a particular EE (with OS). Once a base port has read the Secure Interrupt Register SCR and serviced the corresponding interrupt identified by the Secure Interrupt Register SCR, a New Agreement NEWFIQAGR bit in an interrupt controller register is set by the OS such that further interrupts and sorting can occur.
In FIG. 8 a Secure Fast Interrupt Request (SFIQ) Preemptive Masking Handler 2715, when enabled, operates to prevent Public FIQ from Public non-privileged and even privileged Public processes from contending, competing, or interfering with the operations of Monitor Mode and other Secure processes, and so that the categories or EEs of FIG. 1 can be separated from each other. Preemptive Masking Handler 2715 itself further supports Public FIQ masking by circuitry that generates an interrupt SSMFIQ_GEN distinct from a masking flag SSMFIQ_STATUS. A fully automated process (SICR AutoInhibit active) or a Monitor Mode method (AutoInhibit inactive) is selectable by establishing and setting or clearing the AutoInhibit field or bit in the Interrupt Handler SICR register such as at Boot time. AutoInhibit when active causes a signal SSMFIQ_Automatic_EN to be fed to the Secure FIQ Pre-emptive Masking Handler 2715 and control the interrupt SSMFIQ_GEN.
SSM_PMASK_FEEDBACK_Q is taken into account in Automatic mode wherein Public Non-Virtual HLOS can mask only its own public, non-virtual FIQ from the Public Non-Virtual category from the Secure Environment 2450. Automatic method is transparent to the system and occupies no instruction cycles in MPU 2610, so Automatic method is useful, for instance, when plural CPUi are operated in symmetric multiprocessing SMP such as with an SMP UIEE HLOS 1. By contrast, the Monitor Mode method does occupy some instruction cycles in the MPU 2610. Assume IRQ_Trapped_In_Monitor is active and also that the virtual processor Modem is running. When in Monitor Mode method (also here called Manual mode), then if a Public HLOS FIQ occurs, the Monitor Mode is entered. Monitor Mode code responds to signal SSMFIQ_Status via Interrupt Handler 2720 of FIG. 8 so that only HLOS FIQ are masked (several lines of Monitor code as in FIG. 9 and TABLE 43). PublicInhibit in Secure Interrupt Control Register SICR is activated to mask any subsequent HLOS FIQ that might occur. Monitor code also generates a newFIQ agreement NEWFIQAGR in Interrupt Handler 2720 to release the current hardware signal (nFIQ) that just occurred.
FIG. 9 and TABLE 29 show a process flow embodiment for the Monitor Mode hypervisor 4410 with software interrupt SWI handlers 4420 and 4430 and an example of vectors and their addresses in an associated memory infrastructure for the Monitor Mode hypervisor. In the Public space 4440, UIEE/PSEE of FIGS. 1 and 2 calls a Public SWI (software interrupt) handler 4420 to request activation of another category such as modem in public virtual category or a protected application (under security kernel) in secure non-virtual category or other software in some other category. A PSEE 2460 or 2470 or UIEE 2480 in FIG. 2 can also request activation of another PSEE, UIEE or Secure environment 2490. 
A Public SWI handler 4420 operates in Public Privilege mode and has an associated entry SWI vector 4425 offset from a base address Public_BA. Monitor code can also transition to the Public SWI handler 4420 by using the entry SWI vector 4425. Software Monitor Interrupt (SMI) in the Public SWI handler accesses a Monitor Mode vector 4455 to enter Monitor code. The STANDBYWFI signal of FIG. 6 or FIG. 7 is expanded so that the originating EE of the interrupt is identified.
SECMON bus carries bit codes to identify modes for User, FIQ, IRQ, Supervisor, Abort, Undefined, System, and Monitor with associated vector address including a base address and an offset address. Vector base address registers (designations with "_BA") are provided as in FIG. 9, for example. A software monitor interrupt SMI instruction is then used to make a transition from a given mode to the Monitor Mode. Monitor code, Monitor Stack, and Monitor Mode vectors 4410 reside in the Secure space. At respective offsets from a Monitor Mode base address Monitor_BA, several Monitor Mode vectors are provided for SMI vector, External Prefetch Abort vector, External Data Abort vector, IRQ mode vector, FIQ mode vector, and Monitor code. On-chip Secure RAM has still further offset addresses and space for the Monitor Stack. The Monitor code acts as a bridge between public EEs and between categories by pushing and popping contexts of EEs to the Monitor Stack. These involve both register file RF and interrupt context IRQ/FIQ that are muxed in FIG. 8 depending on whether EE x is identified by register EE_Active=x or whether that EE is not so identified and is thus suspended (SUSP). The context for EE x that is pushed or popped is indicated in FIG. 9 by a context legend CTX: {RFx, IRQ/FIQx}.
In the Secure space 4450, Secure SWI (software interrupt) handler 4430 operates in Secure Privilege mode and has an associated entry SWI vector 4435 offset from a base address Secure_BA. Monitor code transitions to the Secure SWI handler 4430 by using the entry SWI vector 4435 like a protection wall. To transition from the Secure SWI handler 4430, Software Monitor Interrupt (SMI) accesses a Monitor Mode vector in Secure mode at an address identified by the sum MONITOR_BA plus address offset and then enters Monitor code. The hypervisor makes an entry identifying a particular EE in the EE_Active register or UIEE_Active register in any of several situations such as 1) when a SMI #code generated by the currently activated EE that is requesting a switch to the particular EE is allowed by the secure SW running in hypervisor using an allowed connectivity table, 2) hypervisor scheduler schedules the EE under normal processor bandwidth allocation wherein it has become the regular turn of the particular EE to be executed, 3) hypervisor schedules a switch to the particular EE when executing a service in a process of back and forth communication between a requesting EE and a servicing EE wherein the particular EE is the latest EE to be involved in the back-and-forth communication, 4) when a critical interrupt is received such as SSM_WFI (to force scheduling of execution of the particular EE or actions therein) or 5) other interrupts are received such as wakeup event, error event, connection event (e.g., USB plug-in), or other event. An EE is active as soon as its boundaries of execution/data (Physical and Virtual) are defined in the SSM and as soon as the EE_ACTIVE and UIEE_ACTIVE registers are configured in SSM and as soon as Monitor mode is exited to some other CPUi mode. Then the SSM tags correctly all the CPUi bus transactions with the qualifier identifying the particular EE that is currently executing and thus active. 
Hypervisor removes an entry identifying an EE in the EE_Active register or UIEE_Active register in situations such as 1) SMI #code requested is allowed from the EE, so the EE is removed and an EE to be activated according to the SMI #code request is entered in the register instead, 2) EE is de-scheduled and removed from the register because its allowed time slice in FIG. 11 is finished, 3) hypervisor alternately enters and removes in the register an EE participating in back-and-forth communication between EEs and hypervisor correspondingly removes and enters the other EE in the back-and-forth communication, 4) the currently active EE generates a WFI and consequently the EE is de-scheduled and removed from the register, or 5) hypervisor scheduler has assigned more priority to another EE because of a critical interrupt received so the higher priority EE is entered in the register in place of the current EE.
Notice that "000" signifies DOMAIN0 in the EE_Active register or UIEE_Active register. DOMAIN0 is the public domain for the UIEE SMP HLOS which is assumed to exist even if there were no PSEEs. Domain0 is the General Purpose (GP, lower security) device type default value for firewalls and DMA channels setup. The UIEE_Active register can contain an entry for an active UIEE at the same time as the EE_Active register contains an entry for an active PSEE. The UIEE_Active register is the default for transaction tagging when data transfer occurs outside the EE address start/end boundaries defined in the SSM hypervisor EE address range start/end registers. UIEE does not execute on a given CPU at the same time as a PSEE, and UIEE runs as EE if no PSEE is running. Transactions tagged to belong to UIEE (even if not currently running) can occur interleaved or interspersed with EE_Active running according to the time slices of FIG. 11. In TABLE 29, see also TABLE 42, fast context (CTX) switch is provided in the Monitor code of FIG. 9 for uncomplicated and inexpensive implementation.
TABLE 29
MONITOR CODE TRANSITIONS
IF PUBLIC SMI - 4420 use entry vector 4455; call to enter Secure space:
    PUSH CTX - Public EE Context from public register bank to Monitor Code Stack
    SCR [] = 0 - Reset NS bit to establish Secure mode
    SCR [] = 1 - Set IRQ trap in Monitor Mode
    ENABLE I, F, A bits - Enable MPU CPSR IRQ mask, FIQ mask
    <Hypervisor Body Software Operations here>
    POP CTX - Secure EE Context from Monitor Code Stack
    IMB (Flush prefetch buffer for Instruction Memory Barrier)
    Emulated SWI - Enter Secure SWI using Secure SWI entry vector 4435
ENDIF
IF SECURE SMI - 4430 use entry vector to Monitor code; call to enter Public space:
    PUSH CTX - Secure EE Context from secure register bank to Monitor Code Stack
    ENABLE I, F, A bits - Enable MPU CPSR IRQ mask, FIQ mask
    <Hypervisor Body Software Operations here>
    SCR [] = 1 - Set NS bit to establish Public mode
    DISABLE I bit - Disable IRQ mask
    SCR [] = 0 - Set IRQ trap in Public mode
    POP CTX - Public EE Context from Monitor Code Stack
    IMB (Flush prefetch buffer for Instruction Memory Barrier) to propagate NS in pipeline.
    Emulated SWI - Enter Public SWI using Public SWI entry vector 4425
ENDIF
Regarding SMI in FIG. 9, SMI and WFI in some embodiments are used together in the system when WFI is expanded on a per-category per-EE basis as in FIG. 6 or FIG. 6A. SMI is used for IPC (inter-processor call) or for calling a new service, for instance. IPC are used when for example one domain is filling a buffer and executes an SMI to signal for another domain to process the buffer if the communication is likely to be faster than a mailbox. An example of SMI and WFI used together features four domains numbered as follows: DOMAIN1: HLOS, DOMAIN2: Web browser, DOMAIN3: Display driver, DOMAIN4: Modem. At one point of time, the four domains are working all together and assume for this example that the hypervisor scheduler schedules each domain one after the other. In FIG. 9, when an execution domain XX is scheduled it may, via an SMI instruction execution, request a service to be executed by another domain YY. For some ARM® processors, a SMI type of instruction is designated secure monitor call SMC and has a 16-bit immediate field. A set of predetermined values for use by CPUi software in the SMI immediate field are established and used herein to also respectively designate particular communications requests to the hypervisor from one domain XX to get service or information from another domain YY. Thus, the particular value in the 16-bit immediate field is chosen from the set of predetermined values. The hypervisor is configured and coded so that it interprets the particular value in the 16-bit immediate field correspondingly. The SMI immediate value is present in the SMI opcode in CPUi and in some embodiments is also delivered directly to, or suitably decoded to, a SSM register 4220. A system such as in FIG. 10C suitably has a set of counters 5085.i and signals for any active EE identified by hypervisor when configuring the set of counters 5085.i. 
In some embodiments, the SMI immediate information has the requesting domain EE signified by the processor CPUi executing that EE currently. In some security embodiments, the SSM includes a circuit that compares that SMI immediate information signifying EE with the register 4215A entry EE_Active as indicated by hypervisor and issues a security violation signal if that information and the entry do not match.
Suppose that DOMAIN2 web browser is programmed to execute a SMI with a predetermined immediate such as SMI #012345, and that SMI number is configured in advance for reference by the hypervisor. The hypervisor compares the SMI immediate with its configured SMI numbers and thereby interprets the newly asserted SMI as a request from DOMAIN2 for service from DOMAIN3. Hypervisor responds and calls the Display service from DOMAIN3. The Display makes a determination of what to do and either schedules this action for later execution or direct execution using IPC inter-processor communication with web browser DOMAIN2. When Display DOMAIN3 executes the action, Display DOMAIN3 can request more data if needed by using an IPC return by executing, for example, SMI #132654, i.e., a SMI with a different numerical code configured to signify a request originated in DOMAIN3 directed towards DOMAIN2. On the other hand, when Display DOMAIN3 is scheduled in an ordinary succession by the hypervisor scheduler, the Display may have nothing to do, meaning no action is needed by Display software. Display software will generate a WFI FIQ to the hypervisor. Without more, the hypervisor has no way of determining which domain is originating the WFI FIQ. By use of the per-CPU per-EE (per domain) expansion such as in FIG. 6, 7 or otherwise as taught herein, the hypervisor can now de-schedule the Display DOMAIN3 in this example because DOMAIN3 is precisely the domain that has generated the current WFI FIQ. Additionally, the per-CPU per-EE (per domain) expansion is securely situated in the SSM hardware of the system as described herein. The hypervisor thereafter schedules by way of replacement one or more other domains, or executes one or more pending maintenance functions as discussed in connection with FIG. 5.
Notice that the category or EE xx indicated by VP1_Active or an identifying value in register EE_Active[:] in FIGS. 6, 7 is updated by the hypervisor as active contexts change. Consider various relative timing of operations in this regard. Suppose a CPUi issues a WFI and/or SMI from one EE that requests service from another domain and CPUi is interrupted to begin another EE on CPUi while a servicing domain executed by CPUj is active. The hypervisor can, if its software indicates a benefit, update the EE_Active entered in the SSM registers for that CPUi so that CPUi is doing some processing of said another EE when the previous EE that was active on CPUi is waiting for the response to service by the servicing domain on CPUj. Before that update of EE_Active, the WFI (and/or SMI) from the requesting EE xx is expanded using the then-current EE_Active information from register 4215, or 4215A. The expansion makes an entry xx_WFI_Active in registers 4220 (FIG. 6) or 4220A (FIG. 7). In this way, the subsequent update of the EE_Active entry for another EE on CPUi usefully provides further information, while the entry xx_WFI_Active preserves the information xx identifying the requesting EE xx. Thus the results xx of the expansion are preserved in the register 4220, or 4220A, of FIGS. 6, 7. If there are successive WFIs from contexts on the same CPUi that successively go inactive any time interval of FIGS. 11, 12, then plural WFI_Active bits are successively set in register 4220 xx_WFI_active corresponding to the plural categories or EEs xx that are active and corresponding successive SSM_WFI_FIQ signals are issued. The hypervisor is suitably coded to maintain registers 4215/A and 4220/A as its EE operations proceed. These registers are suitably serviced such as to reset the bits when a given time interval of FIGS. 11, 12 is completed in the loop, or other scheduling timeline, of FIG. 14 or to otherwise maintain the bits when appropriate. 
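The SMI request path and the WFI attribution described in the preceding paragraphs, as an added C model that is not part of the patent text. The immediate values (0x2301, 0x3201, 0x2401), the table layouts and the round-robin choice of the next EE are constructed for illustration; the lookup from immediate to requesting EE stands in for however an embodiment encodes the requester.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { DOMAIN1 = 1, DOMAIN2, DOMAIN3, DOMAIN4, NUM_EE };   /* NUM_EE == 5 */
enum { SMI_UNKNOWN = -1, SMI_VIOLATION = -2, SMI_DENIED = -3 };

/* One configured SMI number: which EE may issue it and which EE serves it. */
struct smi_entry { uint16_t imm; uint8_t from; uint8_t to; };

static const struct smi_entry smi_table[] = {   /* constructed values */
    { 0x2301, DOMAIN2, DOMAIN3 },   /* browser requests display service */
    { 0x3201, DOMAIN3, DOMAIN2 },   /* display's IPC return to browser  */
    { 0x2401, DOMAIN2, DOMAIN4 },   /* known code, not in connectivity table */
};

/* Allowed connectivity table consulted by the hypervisor: allowed[from][to]. */
static const uint8_t allowed[NUM_EE][NUM_EE] = {
    [DOMAIN2] = { [DOMAIN3] = 1 },
    [DOMAIN3] = { [DOMAIN2] = 1 },
};

struct ssm_regs {
    uint8_t  ee_active;    /* EE_Active: EE currently running (1..4 here) */
    uint8_t  wfi_active;   /* xx_WFI_Active: bit xx set when EE xx issued WFI */
    unsigned violations;   /* security violation signals raised */
};

/* Hypervisor SMI handling. Returns the EE switched to, or a negative code. */
static int hyp_on_smi(struct ssm_regs *r, uint16_t imm)
{
    for (size_t i = 0; i < sizeof smi_table / sizeof smi_table[0]; i++) {
        const struct smi_entry *e = &smi_table[i];
        if (e->imm != imm)
            continue;
        if (e->from != r->ee_active) {   /* requester does not match EE_Active */
            r->violations++;
            return SMI_VIOLATION;
        }
        if (!allowed[e->from][e->to])
            return SMI_DENIED;
        r->ee_active = e->to;            /* servicing EE becomes active */
        return e->to;
    }
    return SMI_UNKNOWN;
}

/* WFI expansion: STANDBYWFI is tagged with the then-current EE_Active. */
static void ssm_on_standbywfi(struct ssm_regs *r)
{
    r->wfi_active |= (uint8_t)(1u << r->ee_active);
}

/* Hypervisor WFI FIQ handling: de-schedule the idle EE and pick the next EE,
 * round-robin, whose WFI bit is clear. Returns it, or -1 if all are idle. */
static int hyp_on_wfi_fiq(struct ssm_regs *r)
{
    for (unsigned k = 1; k < NUM_EE; k++) {
        uint8_t cand = (uint8_t)((r->ee_active - 1u + k) % (NUM_EE - 1) + 1u);
        if (!(r->wfi_active & (1u << cand))) {
            r->ee_active = cand;   /* xx_WFI_Active is deliberately kept */
            return cand;
        }
    }
    return -1;
}

int main(void)
{
    struct ssm_regs r = { .ee_active = DOMAIN2, .wfi_active = 0, .violations = 0 };

    printf("browser SMI  -> EE %d\n", hyp_on_smi(&r, 0x2301));
    printf("replayed SMI -> %d (violations=%u)\n",
           hyp_on_smi(&r, 0x2301), r.violations);
    ssm_on_standbywfi(&r);                       /* display has nothing to do */
    printf("WFI FIQ      -> next EE %d, WFI bits %#x\n",
           hyp_on_wfi_fiq(&r), (unsigned)r.wfi_active);
    return 0;
}
```

The last step shows why the expansion is recorded separately: after EE_Active has moved on to the next domain, the WFI bit still names the domain that went idle.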
Some other embodiments establish a WFI instruction format in each CPUi so that WFI is accompanied by a WFI immediate value, such as for security checks, loaded with the same immediate value as a SMI in the code near the WFI. If there is no SMI, then the WFI immediate is either zero or some default value, or identifies the EE xx that is requesting service and becoming Idle.
Symmetric multiprocessing (SMP) cores can have a SMP control core CPU0 with Hypervisor. A secure environment SE software runs on CPU0 and in connection with SSM 5030 of FIG. 10C. A single processor operating system OS such as WinCE and Nucleus runs on the SMP platform. A pseudo-symmetric architecture has virtual processors wherein any of the virtual processors can do SMP (symmetric multi-processing) while using a control core CPU0 plus a further number n-1 (one less than n) CPU cores, also called processor cores herein. FIG. 19 shows another CPU1 to work with CPU0. CPU0 has the Secure Environment SE (EE with NS=0), as well as a Modem RTOS PSEE and a Router PSEE. CPU1 can have a PSEE for a MMF/ISP RTOS (multimedia framework, Internet), a PSEE for a Gaming HLOS, and a PSEE for Non-GPL Drivers. If a CPU cluster has four (4) cores or processors, then the pseudo-symmetric virtual core mechanism uses an SMP cluster of four CPUs as processor cores with some operations conducted by the control core CPU0. CPU0 runs the secure EE designated SE (NS=0) and also runs the Router PSEE (NS=1). CPU1 is allocated the MMF/ISP RTOS PSEE (NS=1) and Non-GPL Drivers PSEE (NS=1). CPU2 runs the Modem RTOS PSEE, and CPU3 runs the HLOS for gaming. Some embodiments also are arranged to run CPU0 as a uniprocessor without any other cores, and CPU0 runs all the software in FIG. 1. The Security zone mechanism (SZ) traps any FIQ in Monitor Mode. The Monitor code is written to identify to which category (Public Non-virtual, Public Virtual, Secure Non-virtual or Secure Virtual) or to which FIG. 1 EE the FIQ belongs. To do this, the Monitor code reads the Interrupt Handler 2720 register of which category or EE an interrupt line belongs to in FIG. 6 or 7, or reads the SSM 2460 (5030) register XX_WFI_ACTIVE. Using the identified mode information, the Monitor code switches operations to a specific processor CPUi and category or EE xx. In some embodiments, the security zone mechanism is implemented on all CPUs of the cluster. The Secure Kernel and its secure services run specifically on CPU0 or any CPUi core hot plugged to run the Secure Kernel in place of CPU0.
In FIGS. 10A/10B/10C, WFI expansion and conversion are integrated with a multi-core CPU system. In FIG. 10A, the circuitry of FIG. 6 or 7 is replicated four times for four CPU cores in a multi-core WFI OS scheduling optimization embodiment. SSM Registers in FIG. 10B now has registers 4215.0, .1, .2, .3 for holding respective information pertaining to each CPU core CPU0, CPU1, CPU2, CPU3. Per-CPU CPUi_SSM_WFI_SCHEDULING registers 4220.0, .1, .2, .3 hold respective information pertaining to the enablement and operation of the WFI-related hardware analogous to the hardware in FIG. 6 or 7 for supporting each CPU core CPU0, CPU1, CPU2, CPU3. This WFI-related hardware includes four portions 4230.0, .1, .2, .3 in FIG. 10A which are each a replica of SSM WFI Scheduling block 4230, and which each are coupled to a Global Interrupt Controller GIC by per-world (xx) per-CPU (i) FIQ output lines CPUi_xx_WFI_FIQ. Each of these four portions 4230.0, .1, .2, .3 is respectively fed by and responsive to corresponding lines CPUi_STANDBYWFI, and Public/Secure CPUi_CP15NS from its processor core CPUi, as well as a Virtual/Non-Virtual VP1_Active signal from the corresponding register 4215.0, .1, .2, .3. SSM WFI Scheduling blocks 4230.0, .1, .2, .3 include their corresponding WFI Active Expansion blocks 4234.0, .1, .2, .3 and FIQ Generator blocks 4238.0, .1, .2, .3. SSM Registers WFI blocks 4250.0, .1, .2, .3 include their WFI FIQ Acknowledgements blocks 4254.0, .1, .2, .3 and WFI Active Bits blocks 4258.0, .1, .2, .3.
In FIG. 10B, further hardware circuits are provided to handle multi-core WFI OS scheduling in addition to and acting in concert with the replicated circuitry described just above. WFI Status Update circuitry 4580 has a WFI Status Update block 4582 fed by per-world per-CPU lines from each of the sixteen bits CPUi_xx_WFI_Active in registers 4220.0, .1, .2, .3. Block 4582 of WFI Status Update circuitry 4580 generates an active global output WFI_STATUS_UPDATE when any of those sixteen per-world per-CPU bits CPUi_xx_WFI_Active changes state compared to its state in the previous clock cycle. In other words, if one of the CPUi in any world xx has generated or cleared a WFI Active of a register 4220.i, then the global output WFI_STATUS_UPDATE is made active by WFI Status Update circuitry 4580. This global output is stored as a bit designated WFI_STATUS_UPDATE in an SSM register 4585 called SSM_GLOBAL_STATUS, which has Secure Privilege access. It should be understood that SSMFIQ_Status_Global_REG of FIG. 8 is distinct from Global Status 4585 of FIG. 10B pertaining to WFI status update.
A scan controller 4590, for use with an emulator, serially scans in and scans out bits configuring and reporting operations from the per-CPUi, per-category registers 4215.i and 4220.i (or 4215A.i and 4220A.i of FIG. 6A) for WFI-based interrupt expansion as well as scanning in/out global status 4585. The configurable register circuits 4215.i and 4220.i enable and record signal states and are coupled to a CPU peripheral bus for configuration.
In FIGS. 10A/10B, a Global Interrupt Controller GIC 5020 is configurable in Secure Privilege mode to maintain a record of the interrupt mapping and to route per-world per-CPU secure FIQ interrupt(s) from all the CPUi cores to the interrupt interface INTH for the particular CPU which is responsible for running the hypervisor. In hot plug cases, the GIC 5020 is reconfigured in response to SSM register bits configured by the hypervisor running on a current CPU core designated for the hypervisor. The CPU secure FIQ interrupts are routed from GIC 5020 on lines respectively designated CPU0_FIQ, CPU1_FIQ, CPU2_FIQ, CPU3_FIQ to GIC Bus interfaces of the cores CPU0, CPU1, CPU2, CPU3. Notice that because of the configurable GIC 5020, the secure FIQ signals are routed in a manner in FIG. 10A that goes beyond that shown for a single CPU system in FIG. 6.
In another embodiment, the circuitry of FIG. 7 is substituted into the system of FIGS. 10A/10B. A single line CPU0_SSM_WFIFIQ is substituted for the four lines CPU0_xx_WFI_FIQ and similarly for each CPUi. In all, four lines CPU0_SSM_WFIFIQ, CPU1_SSM_WFIFIQ, CPU2_SSM_WFIFIQ, CPU3_SSM_WFIFIQ are substituted for the 16 lines CPUi_xx_WFI_FIQ in FIGS. 10A/10B. Similarly the SSM registers of FIG. 7 relating to execution environments and WFI expansion are replicated for each CPUi. In FIGS. 10A/10B, the SSM circuitry applying FIG. 7 therein is suitably designated 4230A.0, 4230A.1, 4230A.2, 4230A.3.
In FIG. 10C, EEs, Hypervisor and Secure Kernel run a four-CPU system coherently. MMUi (Memory Management Units) for each of the CPUi (CPU0-3), L1$i (Level 1 Cache) for each of the CPUi (CPU0-3), and a shared Snoop Control Unit SCU 5010 are provided for memory management and cache coherency to the extent desired. Public Virtual OS or RTOS (WinCE, Nucleus, etc.) runs non-coherently and as a not-shared device with an MMU. Registers 5035 include EE-related registers for each CPU and EE xx to be used, respectively designated EE_xx_Debug_Dis for debug disable, EE_xx_NS for EE-specific secure state or non-secure state, and EE_Active for active or inactive status. Registers are designated PHYSICAL_EE_xx_START, PHYSICAL_EE_xx_END, VIRTUAL_EE_xx_START, VIRTUAL_EE_xx_END for Start/End addresses for EE indexed xx. SSM_PHYSICAL_EE_DATA and SSM_VIRTUAL_EE specify whether the physical and virtual address spaces for EE xx are Data-only or not.
In FIG. 10C, Virtual Checker 5045 checks CPSR register bits on each CPUi Trace Bus SECMON/ETM.i 2635 to check that the currently-active EEs execute properly and in their own virtual address spaces. Virtual Checker 5045 has four outputs coupled to GIC 5020 that signify fast interrupt mask enables CPUi_FIQMASK and pertain respectively to the several CPUi. Also in FIG. 10C, an Error Generator 5050 receives an Abort request SRESP from the Physical Checker 5055 if EEs don't execute properly in their own physical address space. Read and Write channel are coupled via Error Generator 5050 to a cache L2$ 5060 coupled to a bus interface 5065, and ROM and/or RAM. SSM CPUi registers 5035 are accessible through an OCP splitter in MPU2BUS 5065 or via a peripheral bus and another MPU2BUS interface. EE Creator 5075 generates respective EE-specific MreqDomainX qualifiers to interface MPU2BUS 5065 and interconnects 5070 for each EE indexed X.
In FIGS. 10C and 11, synchronous timer scheduling derived from Master Counter 5088 makes all CPU timers 5085.i synchronous relative to each other in order to facilitate scheduling and to efficiently schedule the different categories or EEs. Also, the timers are made configurable with time allocations through interfaces 5080A-Z that are responsive to active qualifier MreqDomainx, where index x on the qualifier name identifies which EE x is attempting an access. This protects the category or EE from tampering of the timers. The local timers 5085.i output two interrupts per CPUi, a first interrupt for the SMP HLOS and a second interrupt for the EE running on the CPUi or secure mode. On a dual core or multi-core embodiment where multiple virtual worlds are evolving on a single CPUi, software is made to have only the Secure mode control the local timers 5085.i (for allocating time/bandwidth to the EEs). In this way, the secure hypervisor dispatches or allocates CPU bandwidth correctly between EEs. The local timers 5085.i are banked so that SMP HLOS programs its own setting. Then each EE xx or secure mode programs its respective setting into a timer bank register. The timer bank registers are each protected by a respective firewall 5080A, 5080B, etc. A comparator in each local timer 5085.i then detects when the timer counter has reached the configured or programmed setting, whereupon a local timer IRQ is generated to GIC 5020.
For FIGS. 10C and 11, a 5085.i secure hypervisor timer and a secure kernel SE timer are not accessible by the HLOSes. Additional timers are allocated so that any HLOS has at least one timer (e.g., 1 millisecond) to which it has public access. Timers have clocking 32KHz, free running 32-bit up counter, compare and capture modes, auto-reload mode, start-stop mode, programmable divider clock source, dedicated input trigger for capture mode and dedicated output trigger, and on-the-fly read/write while counting.
In FIG. 11, the timers for FIG. 10C are shown in an example with Master Counter 5088 ticks being twice the rate of SMP HLOS timer ticks. CPU0 receives SMP HLOS ticks 87.5% and Secure Kernel SE 12.5% in the illustration of FIG. 11 so that the Secure Kernel has 12.5% of the CPU0 bandwidth and the SMP HLOS has 87.5% of the CPU0 bandwidth. Horizontal arrows for CPU0 in FIG. 11 show a 7/8 = 87.5% time interval and a 1/8 = 12.5% time interval. CPU1 receives SMP HLOS ticks 50% (1/2) and RTOS (e.g., modem) ticks 50% (1/2). CPU2 receives SMP HLOS ticks 75% (3/4) and Public HLOS ticks 25% (1/4). CPU3 receives SMP HLOS ticks 100% in this example. Different but analogous time allocations are shown for the other CPUs. Time interval(s) used by the hypervisor in Monitor mode each occupy a very short period of time indistinguishable from the width of each up-arrow (tick) itself that otherwise signifies the interrupt to hypervisor.
In FIG. 11 the appropriate arrows (ticks) from local timers 5085.i are selected to establish the percentages and are suitably gated onto FIQ interrupt lines with ticks timing in the rows for CPU0-3 in FIG. 11 below the top row for Master Counter 5088 of FIG. 10C. FIQ are trapped in Monitor Mode by interrupt hardware and vectoring in CPUi and/or control CPU0. Each FIQ is tagged to belong to a category or EE such as SMP HLOS, SE, RTOS, Public HLOS in or by the hardware of GIC 5020 and SSM registers 2620. Each FIQ occurs on the particular CPUi that governs execution of, or is assigned to execute, the category or EE to which the FIQ belongs. When the FIQ is initiated (fires), that FIQ is trapped in the Monitor Mode of this particular CPUi. The Monitor Mode of the particular CPUi has code to initiate a context switch between the different categories or EEs. The category or EE of execution of the particular CPUi can usually mask only the FIQ belonging to that category or EE, with some possible exception as described elsewhere herein, refer to TABLE 42. In this way, the Monitor code of control core CPU0 allocates accurate bandwidth (e.g., FIG. 11 time percentage of each processor core CPUi) for each category or EE.
When an EE uses all the current time in one latest time slot for it, a secure hypervisor timer fires (ticks), the currently active EE HLOS timer can fire, and a HLOS timer for a suspended EE might fire, all at essentially the same time. If several timer interrupts occur simultaneously or very close in time, some coordination is advisable in the system.
Accordingly, the hypervisor operates as an EE scheduler or bridge and the hypervisor timer is used to schedule which EE is made active currently. Then the EE currently scheduled (active) can program its own timer in this window of time represented by its percentage in FIG. 11. The hypervisor reacts to interrupt of various EEs in a selective manner depending on whether the EE is suspended or active. Also, the FIQ have LOW, MEDIUM, HIGH priority (see registers 4222A and 4224A in FIG. 6A) such that LOW priority interrupt of other EE are masked in interrupt handler itself, MEDIUM are trapped by the monitor mode (HYPERVISOR code) but do not change current scheduling (can still affect it later on), and HIGH priority interrupts force a scheduling to activate the EE (and thus execution of its software) in response to the EE associated with the interrupt. A HIGH priority interrupt can originate from an EE local timer 5085.i. The system is arranged to operate properly even if plural local timers fire at the same time or that the system is arranged so that plural local timers do not fire all at the same time.
In FIG. 12, changing an execution environment EE or virtual world or category assigned to CPU2 is accomplished in a step 3640. The processor system is operable to execute plural high-level operating systems (HLOSes), indicated for instance as execution environments EE3 and EE5. Note that execution environment EE3 has been operative in the past but then issued a WFI as indicated by the bit or signal CPU2_EE3_WFI_Active in SSM register 4220. This WFI active signal has not been cleared by the hypervisor. Accordingly CPU2 is in a wait for interrupt mode relative to execution environment EE3. In the meantime, another execution environment EE5 has been running on the processor CPU2. In due course, EE5 performs operations until a WFI instruction is hypothetically reached, whereupon a signal CPU2_STANDBYWFI is issued and circuitry such as in FIG. 6 or FIG. 6A activates the register 4220 bit CPU2_EE5_WFI_Active in FIG. 11A. In step 3640 of FIG. 5, the hypervisor is interrupted and substitutes the EE3 HLOS for the EE5 HLOS on CPU2. The hypervisor proceeds by initiating the EE3 HLOS on the same processor core CPU2 in the 25% timeslot that previously was used by the EE5 HLOS. To do this, the Hypervisor resets and inactivates the bit CPU2_EE3_WFI_Active in FIG. 11A in SSM register 4220 of FIG. 6 or 7. Also, the hypervisor sends an interrupt to CPU2 so that the EE3 HLOS is launched in the 25% timeslot that previously was used by the EE5 HLOS, and the switchover is complete.
Any appropriate power management transition is also suitably handled at this time. Suppose the hypervisor process determines that the 25% timeslot should not be filled on CPU2 when the EE5 HLOS terminates, and the 25% timeslot is not projected to be utilized on CPU2 for a sufficient period of time. Notice that the SMP UIEE is using CPU2 in the 75% timeslot. The hypervisor can then reconfigure the local time counter 5085.2 for CPU2 so that SMP UIEE occupies CPU2 90% of the time (or even 100% of the time like CPU3 of FIG. 11), for example, instead of 75%. Since SMP UIEE may not really need this much CPU2 bandwidth, the PRCM is suitably controlled (see step 3625 of FIG. 5) and operated to reduce the operating performance point (OPP) for CPU2. This saves energy and increases battery life for the system. Note that if UIEE is intended to not only symmetrically but also identically use the processors CPUi, then if the allocation on one CPU is changed then other CPUs may have their local timers reconfigured to change the UIEE percentage allocation. Various embodiments may run the UIEE on fewer than all the CPUi. Then in the example, CPU2 might then have 75% bandwidth allocated to a PSEE such as EE4 which could then take over a higher amount of bandwidth such as 90% or 100%. Thus, numerous types of EE allocations are contemplated.
In addition to the SSM PFIQ pre-emptive masking above, GIC 5020 also supports SSM Public (NS=1) FIQ pre-emptive masking capability. An input hardware bit or field GIC_PFIQ_MASK is provided. When this bit or field is set active, GIC 5020 masks all Public FIQ that can occur on this specific CPU core (enforcement analogous to PFIQ CPSR F enable). GIC 5020 provides an OK_Feedback readable by Secure Privilege software; SFIQ are still active. When the GIC_PFIQ_MASK is inactive, GIC 5020 unmasks all public FIQ that can occur on this specific core (analogous to PFIQ CPSR F disable). GIC 5020 clears the OK_Feedback, which is readable by secure privilege SW, and both PFIQ and SFIQ are active. Signals CPUx_GIC_PFIQ_MASK for each CPUi in a multi-processing embodiment are established and are configured and reset by Secure Privilege software. Implementing PFIQ and SFIQ input at each CPUi core boundary provides uncomplicated interrupt virtualization wherein CPSR F Disable/Enable applies only on PFIQ input when operations are in Public mode. The GIC 5020 routes all FIQ marked as Public to PFIQ and all FIQ marked as Secure to SFIQ. Note that in some embodiments herein, no interrupts are marked PFIQ at all.
Turning to more hypervisor description, TABLE 43 depicts Hypervisor Monitor Code of FIG. 9 and switch handling operations for responding to various events such as SMI of TABLE 29, WFI FIQ of FIGS. 6 and 7 and FIGS. 10A/10B/10C; and to RTOS scheduler events of FIGS. 10C, 11, 12, 13, and 14; and other hypervisor events.
TABLE 43
MONITOR CODE, SWITCH HANDLER SMI, WFI FIQ, RTOS Scheduler or other Hypervisor event.
Save Register File RFx and SCR Interrupt context IRQ/FIQx of current category/EE by: PUSH RF R0 -> R14 of each mode {User, Supervisor, System, IRQ, FIQ, Aborts, Undef}
Execute decision process to choose switching A/B/C/D.
Restore Register File and SCR Interrupt context of category/EE that has to be switched to: POP RF R0 -> R14 of each mode {User, Supervisor, System, IRQ, FIQ, Aborts, Undef}
Data Coherency
Execute: Data Memory Barrier (DMB)
Execute: Data Synchronisation Barrier (DSB)

SWITCHING #COMMENTS

A. Go to SMP HLOS
CP15_NS_Bit = 1; #Public world
Virtual_Processorx_Active = 0; #Non-virtual world (SMP HLOS FIG. 4) or
UIEE_Active=0xx; #User Interaction Execution Environment FIG. 4A
Virtual_Processorx_Dbg = Debug_Conf #Depends on current system debug settings
IRQ trapped in SMP HLOS #Direct servicing of SMP HLOS IRQ in IRQ mode
FIQ trapped in Monitor Mode #DISPATCH when in Monitor Mode (SMP HLOS, SE, Virtual worlds)
External aborts (EA) trapped in HLOS #DMB/DSB ensures no EA pending after switch
IRQ maskable in HLOS #-
FIQ not maskable in HLOS #SMP HLOS FIQ is preempted (automatic mode)
SSM FIQ_Pre-emptive_Masking= 1; #Mechanism activated in blocks 5110, 5170
SSM FIQ_Automatic_EN=1; #Automatic mode 100% hardware

B. Go to Public Virtual NON-REAL-TIME OS x #(Public HLOS, e.g., WinCE, Non-GPL) x <= {0; n} possible worlds or EEs
CP15_NS_Bit = 1; #Public world
Virtual_Processorx_Active = 1; #Virtual world, FIG. 4
EE_Active=0xx; #Platform Support Execution Environment, FIG. 1
Virtual_Processorx_Dbg = Debug_Conf #Depends on current system debug settings
IRQ trapped in Monitor Mode #Direct switch to SMP HLOS IRQ mode
FIQ trapped in Monitor Mode #DISPATCH when in Monitor Mode (SMP HLOS, SE, Virtual worlds)
EA trapped in Public Virtual OS #DMB/DSB ensures no EA pending after switch
IRQ maskable in Public Virtual OS #SMP HLOS is maskable (rising condition of SMP)
FIQ not maskable in Public Virtual OS #Virtual world is preempted (manual mode)
SSM FIQ_Pre-emptive_Masking = 1; #mechanism activated in blocks 5110, 5170
SSM FIQ_Automatic_EN=0; #Manual mode (SW driven) re PFIQ

C. Go to Public Virtual REAL-TIME OS x #(e.g., Nucleus OS Modem) x <= {0; n} possible real-time worlds
CP15_NS_Bit = 1; #Public world
Virtual_Processorx_Active= 1; #Virtual world, FIG. 4
EE_Active=0xx; #Platform Support Execution Environment, FIG. 1
Virtual_Processorx_Dbg = Debug_Conf #Depends on current system debug settings
IRQ trapped in Monitor Mode #Direct switch to SMP HLOS IRQ mode
FIQ trapped in Monitor Mode #Dispatch when in Monitor Mode (SMP HLOS, SE, Categories)
EA trapped in Public Virtual OS #DMB/DSB ensures no EA pending after switch
IRQ maskable in Public Virtual OS #SMP HLOS is maskable (rising condition of SMP)
FIQ maskable in Public Virtual OS #True Real-Time capable (SE not running on this core, CPU1, 2, 3 DOS attacks are resisted)
SSM FIQ_Pre-emptive_Masking= 0; #SSMFIQ_EN disabled, blocks 5110, 5170
SSM FIQ_Automatic_EN=0; #Manual mode re PFIQ

D. Go to SECURE OS #S.E.
CP15_NS_Bit = 0; #Secure Environment
Virtual_Processorx_Active= 0; #Non-virtual world, FIG. 4
EE_Active=1xx; #Secure Environment, FIG. 1
Virtual_Processorx_Dbg = Debug_Conf #Depends on current system debug settings
IRQ trapped in Monitor Mode #Direct switch to SMP HLOS IRQ mode
FIQ trapped in Monitor Mode #Dispatch when in Monitor Mode (SMP HLOS, SE, Categories)
EA trapped in Secure OS #-
IRQ maskable in Secure OS #SMP HLOS is maskable (rising condition of SMP)
FIQ maskable in Secure OS #True Real-Time capable
SSM_FIQ_Pre-emptive_Masking= 0; #SSMFIQ_EN disabled, blocks 5110, 5170
SSM FIQ_Automatic_EN= 0; #Manual mode re PFIQ
Note: DOS attack is denial of service attack.
In FIG. 10C, the Snoop Control Unit SCU 5010 distinguishes which CPUi has issued the current access. SCU 5010 propagates coherent shared data into the caches associated with the other CPUs. SCU 5010 ensures data coherency between all level-one caches L1$i of the cores CPUi as a cluster by moving/updating any updated instruction cache line and any updated data cache line from the cache area associated with any one CPUi to the caches of all the CPUs, i.e., all the cores in the cluster. SCU 5010 is coupled to and cooperates with the multi-core hypervisor using an enable/disable circuit in SCU 5010 that operates as an asymmetric mode switch configurable by core CPU0 at run-time in an auxiliary control register. CPU0 that runs the hypervisor operates or disables the SCU 5010 to exclude accesses of CPU0 from being used to update cache lines for all the other CPUi by turning off the snooping and cache line updating by SCU 5010 when hypervisor needs to disable those operations. This facilitates isolation of the hypervisor in CPU0 from the rest of the multi-core system. In this way SCU 5010 acts as an example of a cache control circuit for updating coherency between the caches subject to hypervisor isolation condition or to asymmetry conditions. The protective circuitry of SSM 5030 is responsive to a line from CPU0 indicating that Monitor Mode is activated in CPU0 to temporarily disable the cache control circuit from updating coherency between the caches. Enable and disable of the symmetric coherent or asymmetric not-coherent configuration per CPUi is established, for example, by configuring an auxiliary control register asymmetric field on each CPUi of the cluster.
When the asymmetric field is configured active on each core CPUi, then each transaction issued by the MMU stage of the respective core CPUi to its L1$i cache and then to SCU 5010 is tagged with in-band qualifier MreqNCoherence that commands or controls the SCU 5010 to not maintain coherency on these accesses. In some embodiments, the SCU 5010 outputs information pertaining to each access that tells which CPU0-3 has generated the access. In response to the information identifying which CPUi generated the access, the SSM 5030 generates the corresponding MreqDomainX qualifiers and provides the address boundary checking and configuration checking that pertain to that CPUi category or EE_xx. The SSM 5030 implements added registers to support the CPU0 SMP core hypervisor. A register for CPU0 inter-CPU SFIQ generation is configurable in Secure Privilege mode and this register enables each SFIQ to occur on one or more specified CPUs that are configuration-specified. Each SFIQ is maskable individually by Secure Privilege software configuring a dedicated Mask register. Per-CPU EE activation and debug control is provided. Per-CPU SMI call forward to CPU0 is provided. Per-CPU Wait for Interrupt WFI call forward to the same CPU is provided. CPUi can replace this by trapping WFI into Monitor Mode analogously to trapping SMI with a dedicated exception vector. A Flag is provided for each interrupt line to identify which EE the interrupt line belongs to. A Secure / Public interrupt designation is made at GIC 5020 level. SSM 5030 adds the register CPUi_EE_ACTIVE to differentiate the EEs XX.
Debug control over different CPUi cores and execution domains EE_xx is established using bits described next. Debug is made applicable on a CPUi core-specific basis and execution domain EE-specific basis. Run time activation of DBGEN debug enable and NIDEN non-invasive debug enable is performed rapidly. TABLE 5 execution environment debug control bits EE_Debug_DOMAINx when active permits entry into the corresponding EE (allows entering), provided that both bits SSM_DBGEN_DISABLE and SSM_NIDEN_DISABLE are active in this register.
The SSM has an execution environment control register SSM_EE_CTRL[:] 4215A. A control bit Hypervisor_EN, when active, enables hardware reinforcement of the hypervisor domain by the SSM protective circuitry. In the SSM_EE_CTRL register, a bit field UIEE_Active provides a binary number x that represents which domain x should be activated as UIEE domain for SMP (symmetric multiprocessing) when the hypervisor in Monitor mode exits. A bit field EE_Active provides a binary number x that represents which PSEE domain x (e.g., any number 0-7) should be activated as PSEE domain when the hypervisor in Monitor mode exits. All these bits are read-only, except read/write in Monitor mode.
In FIG. 13, a boot process embodiment is shown. Operations commence with an MPU reset 5805 followed by Secure Boot 5810. Secure boot includes a secure zone SZ configuration step 5815, and then a secure operating system memory management unit MMU configuration 5820. Operations proceed in a step 5825 to do SSM secure zone SZ configuration. Compare with TABLE 42 and SWITCHING case D. A succeeding step 5830 operates a PPA that performs EE mapping, EE FIQ definition, interconnect firewall physical configuration, and configures the SSM EE security violation report strategy. A further step 5835 loads the hypervisor and performs an SSM CP15DISABLE Lock to lock the processor state. The secure OS scheduler is invoked in a step 5840. Upon completion of secure boot 5810, operations proceed to a step 5850 to go to the UIEE execution environment via a Monitor mode switch. Compare with TABLE 42 and SWITCHING case A. Then HLOS boot 5860 commences for the UIEE execution environment. As part of HLOS boot, UIEE MMU configuration is performed in a step 5865, and then the UIEE scheduler is invoked in a step 5868. Application launch in any of the PSEEs is initiated by the hypervisor using Monitor mode scheduler 5890, and operations go to the PSEE OS in a step 5895 by a Monitor mode switch. Compare TABLE 42 and SWITCHING case B or case C. The PSEE is booted in a step 5870. The PSEE OS scheduler is invoked in a step 5875. PSEE execution commences in a step 5878. During this PSEE execution an interrupt SSM_WFIFIQ of FIG. 6A (or an interrupt xx_WFI_FIQ of FIG. 6) may occur. In FIG. 13, this PSEE is now waiting (as indicated by the WFI occurrence) wherein system operations transition from step 5878 to a step 5880 for WFI wait scheduling via the Monitor Mode Scheduler 5890. As shown in FIG. 13, Monitor Mode Scheduler 5890 is invoked either by secure OS FIQ or UIEE FIQ/IRQ (i.e., IRQ transformed into FIQ). Substitution of HLOS1' for HLOS1 in the UIEE as in FIG. 1 is performed by Monitor mode scheduler 5890 in FIG. 13 by configuring the substitution in the SSM register and transitioning from scheduler 5890 to UIEE HLOS1' boot 5860 such as by a Monitor mode switch like step 5850. A transition to a PSEE is made by Monitor Mode Scheduler 5890 going to PSEE OS by a Monitor mode switch in step 5895.
Boot software is coded to run in Secure Supervisor mode at Boot time to set an FIQ_Trap_In_Monitor bit/field of TABLE 8. SCR register circuitry of Interrupt Handler 2720 is also made so it is configurable to specify and make an interrupt a Secure FIQ when appropriate. A Secure FIQ means an interrupt that is handled only in a Secure mode. For the present example, one determines according to desired system architecture which interrupt(s) are to be Secure FIQ and boot-configures the SCR to make the thus-determined interrupts Secure FIQ. Interrupts that are not configured as FIQ in the SCR are ordinary interrupts IRQ. The configuration in the SCR is operative for a given EE when that EE is active. To configure the system to handle interrupts when a given EE is inactive, SSM register SSM_FIQ_EE_y of FIGS. 7 and 8 is additionally configured at step 5830 to make the ordinary interrupt requests IRQ into fast interrupt requests FIQ. Also, the priority HIGH register 4222A/B and priority MEDIUM registers 4224A/B of FIGS. 6 and 7 are configured so that the priority of these transformed ordinary interrupts is specified for use when the given EE is inactive. In this way, the interrupt requests IRQ, FIQ and SFIQ are configured for use in the process of FIG. 13.
FIG. 14 shows a time sequence of operation of the structures and processes of the other Figures activating and suspending various execution environments EE, wherein represents three operational layers: 1) RTOS scheduler coupled to 2) Monitor mode Hypervisor, which has high level supervision over 3) one or more execution environments EE or categories. FIG. 14 has an associated interrupt priority diagram. In FIG. 14, an EE is active and has IRQ configuration selected in FIG. 8. As time elapses, a local timer IRQ (up arrow, FIG. 11) is received by the RTOS scheduler from the timer 5085.i for a given CPUi and indicates the EE is timed out and is to become a suspended EE. RTOS scheduler supplies hypervisor with a high priority timer Secure FIQ, which suspends the previously active EE. Any interrupt emanating from the suspended EE is configured as FIQ by muxing in FIG. 8. Monitor Hypervisor saves both the GIC IRQ context and register file context from CPUi for the suspended EE by PUSH to stack operations, compare TABLE 42. A suspended EE issues SFIQ when 1) an EE starts a DMA transfer and then gets de-scheduled/suspended, and the DMA component then issues an interrupt request identified to the EE upon completion; 2) the EE has programmed a timer 5085.i that fires an interrupt after the EE is suspended; 3) the EE receives a mailbox interrupt or interprocessor communication IPC from another EE, a processor core or block such as DSP, IVA, UART, Modem, etc. Even though the suspended EE is inactive, resources like DMA, SAD2D, or peripherals generate an interrupt identified to the three bit EE entry in the CONTROL_MREQDOMAIN_EXP1,2, etc. register of FIG. 3. The now-active EE may complete its operations before the next local timer IRQ timeout event for the active EE, in which case the active EE issues a WFI. The WFI is provided to the WFI expansion circuit such as shown in FIG. 6 or FIG. 6A, or otherwise. The WFI is converted to an SFIQ that is trapped into the Monitor mode for hypervisor action. If the WFI does not occur prior to the local timer IRQ, then the RTOS scheduler handles the local timer event.
Each time a PSEE/UIEE is activated, a save PUSH and restore POP of its IRQ context and processor and register file for the context (TABLE 13 register banking) is performed using fast secure RAM by software, and the save/restore includes the IRQ Mask (MIR register in interrupt handler 2720, or 4280 or 5020). FIG. 8 shows a change from suspended to not suspended as a mux 5910 operation.
Some embodiments reconfigure the SCR register using selected contents of register SSM_FIQ_EE_y and suspend control circuit 5920 and mux 5910 of FIG. 8 on the basis of which EE has become suspended. When configuring the SCR register in FIG. 8, any IRQ of an inactivated or suspended PSEE/UIEE becomes a secure FIQ of high priority 0 and SSM HW (e.g. using the FIG. 6A PR_HIGH priority and PR_MEDIUM priority registers 4222A and 4224A) then differentiates priority between such transformed IRQ and other secure FIQ. Mux circuit 5910 has inputs for the SCR and a Suspend Control circuit 5920 responsive to the suspended EEs, which are EE other than those EE specified in the EE_Active register of FIG. 6A. Configured original IRQ priority for each inactivated PSEE/UIEE is kept in the interrupt handler 2720 even if not relevant to the inactivated state, and this simplifies the save and restore process. HW improvements, for example, relate to circuit support of the context switching that occurs with Interrupt Morphing. In the interrupt handler 2720 individual bit masking for FIQ interrupts prevents any race conditions when the morph or transformation actually takes place at the EE context switch points. A circuit change is provided in the SSM for detecting when an EE has finished processing an IRQ interrupt as indicated specifically by when the EE unmasks its global IRQ bit in the CPSR register. In response, the SSM fires an FIQ which the hypervisor can utilize to detect that the first IRQ of an EE actively running in its time slice has been delivered.
In FIG. 14, the SSM HW implements registers for interrupt priority high PR_High 4222A and interrupt priority medium PR_Medium 4224A in FIG. 7 to store and protect an interrupt certificate (e.g., file preestablished by the system architect representing an interrupt configuration) safely in the SSM HW. In this example, all FIQ are trapped into Monitor Mode, and each PSEE/UIEE that is not activated has its interrupt remapped as a more urgent type of interrupt request (e.g., FIQ) and with an interrupt priority specified by the system architect using registers 4222A and 4224A. Three types of priority are assignable by configuration for use by the SSM HW: LOW priority wherein each FIQ is masked or not masked at INTH 4280 level by Hypervisor as per interrupt certificate definition. MEDIUM priority means the FIQ is trapped into Monitor mode but does not necessarily cause a PSEE/UIEE context switch (Hypervisor SW decides what to do). HIGH priority means the FIQ is trapped in Monitor Mode and forces PSEE/UIEE context switch. Other embodiments use fewer or more priority registers for fewer or more levels as may be desired.
In FIG. 14, FIQ sorting as between the different PSEE/UIEE is speeded up on the basis of these assigned priorities in registers 4222A and 4224A of FIG. 7 to facilitate hypervisor determination of what response is appropriate for a given FIQ. A bank of registers SSM_FIQ_EE_y and PR_HIGH and PR_MEDIUM as described hereinbelow are added to SSM 2460 in order to inform the Hypervisor in Monitor Mode which FIQ belongs to which PSEE/UIEE and if it is of priority LOW, MEDIUM or HIGH. Per-EE FIQ tagging in the SSM is accomplished as follows. For 128 interrupts, the corresponding number of bits are provided in a register space SCRx[:] in FIG. 8 that holds public IRQ and FIQ and secure FIQ in the SCR register space. And another corresponding number of interrupt mask bits for each of the interrupts are provided in a Mask Interrupt Register space MIRx[:] in the SCR register space in FIG. 8. Accesses other than secure privilege accesses are not permitted to SCRx to maintain security. The SSM_FIQ_EE_y registers have a half-byte field (four bits) respective to each interrupt and associating the respective interrupt with one of the (e.g. 8) public EEs or one of up to 8 secure EEs with Monitor Mode as described elsewhere herein. A number n1 of these SSM_FIQ_EE_y registers y=1, 2, ...n1 is provided to accommodate a number M of interrupt lines in the hardware so that n1 = 4M/32, or first integer greater than or equal to 4M/32. The interrupt indexed i is handled by register y half byte Z where i=32y/4+Z or i=8y+Z. In other embodiments with registers other than 32 bits and interrupt information different from 4-bit (half-byte) then the formula is revised accordingly. The set of 32-bit registers 4222A also designated SSM_FIQ_HIGH has many bit positions signifying any given interrupt number by a bit position in the register set. One or more one (1) bits are entered in the register set at particular bit positions. Configuring a "one" bit at a particular bit position specifies that the interrupt represented by that bit position is high priority due to the "one" bit. Another set of 32-bit registers 4224A also designated SSM_FIQ_MEDIUM has "one" bits inserted therein to analogously specify which FIQ are medium priority. Secure FIQ are directed to the secure environment software or to the hypervisor in Monitor mode. The number n2 of medium priority registers equals the number n2 of HIGH priority registers and n2 equals first integer greater than or equal to M/32 when the registers are 32 bit registers.
An example of an EE WFI OS scheduling process operates so that when software in a PSEE/UIEE/SECURE mode is running and is going to enter the IDLE mode (current task is finished and OS is waiting for re-scheduling or wake up event), that software executes a WFI instruction. When the WFI instruction is executed, the processor CPUi generates an HW signal STANDBYWFI at CPU boundary to signal PRCM 1470/3670. The PRCM starts a specified power saving procedure either as permitted or directed by the hypervisor. The system is independently running several EE that are not aware of each other, and this STANDBYWFI signal is used by the SSM as in FIG. 6 or 7 to generate a WFI FIQ that is treated as a secure fast interrupt request SFIQ and forces an automatic entry to the Monitor Mode hypervisor. The hypervisor operates according to the supervisory programming established for it and is able to activate another PSEE/UIEE in order to run/resume a pending task and perform further processing. The activation of EEs in succession rotates in accordance with and around a process scheduling timeline in the system as illustrated by the loop in FIG. 14.
For routing interrupts to IRQ and FIQ respectively, the interrupt handler 2720 has the SCR register configured with at least one bit for each interrupt line and representing whether that interrupt line is to be routed to IRQ or FIQ depending on whether the bit is active or inactive. A set of 1:2 Demuxes 5940 in FIG. 8 do the routing in response to selector control lines from each bit of the SCR register thus configured. When the SSM hypervisor enable HYP_EN in FIG. 8 (HYPERVISOR_EN in FIG. 7) is active however, the SCR register control over Demuxes 5940 is overridden by bit contents of a substitute register 5925 loaded by suspend control circuit 5920. Suspend control circuit 5920 has a set of comparators to determine match and non-match conditions as between the active EE represented in a register EE_Active and each EE per interrupt line represented in each bit field of the register SSM_FIQ_EE_y in the SSM. The per interrupt line match and non-match determinations constitute a dynamically determined routing representation. On each context switch to a new currently-active EE, the hypervisor revises the entry in the register EE_Active and the suspend control circuit 5920 updates the register 5925, whereupon the selector controls to the Demuxes 5940 are updated. Other FIQ, IRQ routing circuits can be used as well.
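The per-line EE tagging in SSM_FIQ_EE_y, the PR_HIGH and PR_MEDIUM priority bitmaps, and the suspend-control override of SCR routing described above can be exercised together in a small software model. The C code below is an added example, not code from the patent: the struct and function names are hypothetical, the interrupt line numbers are constructed, and it assumes a zero-based register index y, half-byte Z = 0 in the least significant bits, an SCR bit set meaning FIQ, and HIGH taking precedence when a line is marked in both priority registers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define M_LINES 128                    /* M interrupt lines (the 128-interrupt case) */
#define N1 ((4 * M_LINES + 31) / 32)   /* SSM_FIQ_EE_y count: ceil(4M/32) */
#define N2 ((M_LINES + 31) / 32)       /* PR_HIGH / PR_MEDIUM count: ceil(M/32) */

enum prio  { PRIO_LOW, PRIO_MEDIUM, PRIO_HIGH };
enum route { ROUTE_IRQ, ROUTE_FIQ };

struct ssm_model {                     /* hypothetical software view of the SSM registers */
    uint32_t fiq_ee[N1];               /* SSM_FIQ_EE_y: one 4-bit EE tag per line */
    uint32_t pr_high[N2];              /* PR_HIGH: bit i set => line i is HIGH */
    uint32_t pr_medium[N2];            /* PR_MEDIUM: bit i set => line i is MEDIUM */
    uint32_t scr[N2];                  /* SCR, assumed polarity: bit set => FIQ */
    uint8_t  ee_active;                /* EE_Active: tag of the running EE */
    int      hyp_en;                   /* HYP_EN: suspend control overrides SCR */
};

static int get_bit(const uint32_t *r, unsigned i) { return (int)((r[i / 32] >> (i % 32)) & 1u); }
static void set_bit(uint32_t *r, unsigned i) { r[i / 32] |= 1u << (i % 32); }

/* Line i sits in register y = i / 8, half-byte Z = i % 8, i.e. i = 8y + Z.
 * Assumptions: y is zero-based and Z = 0 is the least significant nibble. */
void ssm_tag_line(struct ssm_model *s, unsigned i, uint8_t ee)
{
    unsigned y = i / 8, shift = 4 * (i % 8);
    s->fiq_ee[y] = (s->fiq_ee[y] & ~(0xFu << shift)) | ((uint32_t)(ee & 0xFu) << shift);
}

uint8_t ssm_line_owner(const struct ssm_model *s, unsigned i)
{
    return (uint8_t)((s->fiq_ee[i / 8] >> (4 * (i % 8))) & 0xFu);
}

/* Assumption: if a line is marked in both registers, HIGH wins. */
enum prio ssm_line_prio(const struct ssm_model *s, unsigned i)
{
    if (get_bit(s->pr_high, i))   return PRIO_HIGH;
    if (get_bit(s->pr_medium, i)) return PRIO_MEDIUM;
    return PRIO_LOW;
}

/* Suspend control: with HYP_EN active, a line whose owner differs from
 * EE_Active is forced to FIQ; a matching line keeps its SCR routing. */
enum route ssm_route(const struct ssm_model *s, unsigned i)
{
    if (s->hyp_en && ssm_line_owner(s, i) != s->ee_active)
        return ROUTE_FIQ;
    return get_bit(s->scr, i) ? ROUTE_FIQ : ROUTE_IRQ;
}

/* Only a HIGH-priority FIQ of a suspended EE forces a context switch;
 * MEDIUM is trapped without one and LOW is handled by masking. */
int ssm_forces_switch(const struct ssm_model *s, unsigned i)
{
    return s->hyp_en && ssm_line_owner(s, i) != s->ee_active &&
           ssm_line_prio(s, i) == PRIO_HIGH;
}

/* Routing bits recomputed on each context switch (models register 5925). */
void ssm_substitute_reg(const struct ssm_model *s, uint32_t out[N2])
{
    memset(out, 0, N2 * sizeof out[0]);
    for (unsigned i = 0; i < M_LINES; i++)
        if (ssm_route(s, i) == ROUTE_FIQ)
            set_bit(out, i);
}

/* Constructed sample: EE5 is running, EE3 is suspended; line numbers are made up. */
struct ssm_model ssm_demo_model(void)
{
    struct ssm_model s;
    memset(&s, 0, sizeof s);
    s.hyp_en = 1;
    s.ee_active = 5;
    ssm_tag_line(&s, 9, 5);                             /* EE5 peripheral, plain IRQ */
    ssm_tag_line(&s, 12, 3);                            /* EE3 line, LOW */
    ssm_tag_line(&s, 37, 3); set_bit(s.pr_high, 37);    /* EE3 DMA completion, HIGH */
    ssm_tag_line(&s, 40, 3); set_bit(s.pr_medium, 40);  /* EE3 mailbox, MEDIUM */
    return s;
}

int main(void)
{
    static const char *pname[] = { "LOW", "MEDIUM", "HIGH" };
    const unsigned lines[] = { 9, 12, 37, 40 };
    struct ssm_model s = ssm_demo_model();
    for (unsigned k = 0; k < 4; k++) {
        unsigned i = lines[k];
        printf("line %3u owner EE%u prio %-6s route %s switch %d\n", i,
               (unsigned)ssm_line_owner(&s, i), pname[ssm_line_prio(&s, i)],
               ssm_route(&s, i) == ROUTE_FIQ ? "FIQ" : "IRQ", ssm_forces_switch(&s, i));
    }
    return 0;
}
```

Lines that are never tagged keep tag 0 in this model, so they are treated as belonging to a suspended EE and route to FIQ whenever HYP_EN is active; a real configuration would tag every line at boot.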
Each processor CPUi may have a pipeline and have 1) reduced instruction set computing (RISC), 2) digital signal processing (DSP), 3) complex instruction set computing (CISC), 4) superscalar, 5) skewed pipelines, 6) in-order, 7) out-of-order, 8) very long instruction word (VLIW), 9) single instruction multiple data (SIMD), 10) multiple instruction multiple data (MIMD), 11) multiple-core, and 12) microcontroller pipelines. "Monitor mode" refers to a high-level control mode of a processor and should be understood in a broad and substantial sense whether or not a particular processor that substantially has a monitor mode lacks the explicit name monitor mode. Block diagrams herein are also representative of flow diagrams for operations of any embodiments whether of hardware, software, or firmware, and processes of manufacture thereof, and vice-versa. Those skilled in the art to which the invention relates will appreciate that the described implementations are merely example embodiments, and that many other implementations and embodiments are possible within the scope of the invention.

Claims

What is claimed is:
1. An electronic interrupt circuit characterized by: an interrupt-related input line; a security-related status input line; a context-related status input line; and a conversion circuit having plural interrupt-related output lines and selectively operable in response to an interrupt-related signal on said interrupt-related input line depending on an active or inactive status of each of said security-related status input line and said context-related status input line.
2. The electronic interrupt circuit claimed in claim 1 further characterized by a register having a bit field for holding bits related to the state of activity of said plural interrupt-related output lines, a processor circuit, and an interrupt handler circuit coupling said plural interrupt-related output lines to said processor circuit, and said register is coupled separately to said processor circuit.
3. The electronic interrupt circuit claimed in claim 1-2 further characterized by a plurality of enable lines and a logic circuitry having a first set of inputs respectively coupled to the plurality of enable lines and a second set of inputs respectively coupled to said plural interrupt-related output lines wherein said logic circuitry supplies a one-line logic interrupt-related output responsive to both said first set of inputs and said second set of inputs.
4. The electronic interrupt circuit claimed in claims 1-3 further characterized by: plural processor cores operable in execution environments and having respective interrupt inputs and respective wait for interrupt outputs, at least one of said interrupt inputs coupled to at least one of said plural interrupt-related output lines of said conversion circuit, and said conversion circuit fed with at least two of said respective wait for interrupt outputs and at least two of said respective security outputs.
5. The electronic interrupt circuit claimed in claim 4 further characterized by said plural processor cores having respective security outputs and a register coupled to at least one of the processor cores for identifying an active execution environment, and said conversion circuit is operable to selectively activate a selected one of said plural interrupt-related output lines depending on an active or inactive status of said security output from a given one of said processor cores and an active execution environment identified by said register.
6. The electronic interrupt circuit claimed in claims 4-5 further characterized by a power control circuit operable to configurably adjust supply voltages and clock rates for said supply voltage inputs and clock inputs; and said conversion circuit responsive to at least one said wait for interrupt output to provide an interrupt signal, at least one of said processors operable to configure said power control circuit in response to the interrupt signal.
7. The electronic circuit claimed in claim 6 further characterized by said processors being operable to run applications and for a first processor among them to generate a wait for interrupt signal to said conversion circuit for providing an interrupt signal to a selected one of the interrupt inputs of a second processor among said processors, and for the second processor to transfer at least one application from the first processor onto at least a third processor and then configure said power control circuit to put said first processor into a lower power state.
8. The electronic interrupt circuit as claimed in claims 6-7 further characterized by at least one configuration register coupled to said processors and operable in response to said conversion circuit so as to identify an execution environment associated with a wait for interrupt signal from a given processor among said processors even if the given processor becomes powered down by said power control circuit.
9. The electronic interrupt circuit claimed in claims 4-8 further characterized by said plural cores having an application and a maintenance function that would interfere with the application if concurrently executed, and at least one of said processor cores operable in response to said conversion circuit to schedule the maintenance function separated in time from execution of the application.
10. The electronic interrupt circuit claimed in claim 9 further characterized by each processor having a category that issues the wait for interrupt signal being in a wait for interrupt mode relative to that category until interrupted, and the maintenance function includes a security integrity check of a secure category on a said processor core, and at least one of said processor cores is operable to launch the security integrity check of that secure category on that processor core provided an enabling condition exists from said conversion circuit that predetermined public categories are in the wait for interrupt mode.
11. The electronic interrupt circuit claimed in claims 9-10 further characterized by the plural processor cores operable to execute plural high-level operating systems (HLOSes), and each processor having a category that issues the wait for interrupt signal is in a wait for interrupt mode relative to that category until interrupted, and the maintenance function includes terminating one HLOS in a particular category on a first of the processor cores and initiating another HLOS on the same processor core, and at least one of said processor cores is operable to launch the other HLOS provided an enabling condition exists that the first processor core activates an interrupt line from the conversion circuit that signifies that the particular category on the first processor core is in the wait for interrupt mode.
12. The electronic interrupt circuit claimed in claims 1-11 further characterized by: a scan controller operable for serially providing a multi-bit scan signal at a scan output and receiving a multi-bit scan signal at a scan input; and a configurable register circuit to enable and record signal states and said configurable register circuit coupled to said conversion circuit, said configurable register circuit coupled to said scan output and to said scan input of said scan controller.
13. The electronic interrupt circuit claimed in claims 1-12 further characterized by: a wireless modem coupled to at least one of said plural processor cores; and a user interface coupled to said processing system.
14. A method of operating an electronic circuit having at least one interruptible processor operable in different security and context-related modes and the electronic circuit having a wait for interrupt output, the method characterized by expanding the wait for interrupt output depending on which security and context-related modes of a given processor pertain to a wait for interrupt signal therefrom, and providing at least one interrupt signal.
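A behavioral C model of the conversion circuit of claims 1-3 and the enabling condition of claim 10, added here as an illustration; it is not code from the patent or from Texas Instruments. The two-core, four-lines-per-core layout, the bit order, the latch-until-woken behavior, the fail-closed handling of an empty mask, and all names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_CORES      2u
#define LINES_PER_CORE 4u   /* 2 status lines -> 4 categories (assumed layout) */

/* Category index = (secure << 1) | context; this bit order is an assumption. */
enum { CAT_PUBLIC_CTX0, CAT_PUBLIC_CTX1, CAT_SECURE_CTX0, CAT_SECURE_CTX1 };

typedef struct {
    bool wfi;      /* interrupt-related input line (the core's WFI output) */
    bool secure;   /* security-related status input line                  */
    bool context;  /* context-related status input line                   */
} core_lines_t;

typedef struct {
    uint32_t status;  /* bit field recording the expanded output lines (claim 2) */
    uint32_t enable;  /* one enable line per expanded output line (claim 3)      */
} wfi_conv_t;

/* Bit position of one expanded output line for a given core and category. */
static uint32_t line_bit(unsigned core, unsigned cat)
{
    return 1u << (core * LINES_PER_CORE + cat);
}

/* Conversion step (claim 1): one WFI line is expanded to exactly one of the
 * plural output lines, chosen by the security and context status lines.
 * The selected line is latched in the status register and returned;
 * 0 means no line was activated. */
uint32_t wfi_conv_sample(wfi_conv_t *c, unsigned core, core_lines_t in)
{
    if (core >= NUM_CORES || !in.wfi)
        return 0;
    unsigned cat = ((unsigned)in.secure << 1) | (unsigned)in.context;
    uint32_t bit = line_bit(core, cat);
    c->status |= bit;
    return bit;
}

/* A category stays in wait-for-interrupt mode until interrupted (claim 10);
 * waking it clears its latched line. */
void wfi_conv_wake(wfi_conv_t *c, unsigned core, unsigned cat)
{
    if (core < NUM_CORES && cat < LINES_PER_CORE)
        c->status &= ~line_bit(core, cat);
}

/* Claim 3: the one-line output is the OR of every output line ANDed with
 * its enable line. */
bool wfi_conv_irq(const wfi_conv_t *c)
{
    return (c->status & c->enable) != 0;
}

/* Claim 10 gate: the secure integrity check may start only while every
 * predetermined public category is latched as waiting. An empty mask is
 * rejected so a misconfigured policy fails closed. */
bool integrity_check_allowed(const wfi_conv_t *c, uint32_t required_public)
{
    if (required_public == 0)
        return false;
    return (c->status & required_public) == required_public;
}

int main(void)
{
    wfi_conv_t conv = { 0, 0 };
    uint32_t need = line_bit(0, CAT_PUBLIC_CTX0) | line_bit(0, CAT_PUBLIC_CTX1);

    /* Constructed scenario: core 0 idles in both public categories in turn. */
    wfi_conv_sample(&conv, 0, (core_lines_t){ true, false, false });
    printf("after first WFI:  check allowed = %d\n",
           integrity_check_allowed(&conv, need));
    wfi_conv_sample(&conv, 0, (core_lines_t){ true, false, true });
    printf("after second WFI: check allowed = %d\n",
           integrity_check_allowed(&conv, need));

    /* An interrupt wakes one public category, so the gate closes again. */
    wfi_conv_wake(&conv, 0, CAT_PUBLIC_CTX1);
    printf("after wake:       check allowed = %d\n",
           integrity_check_allowed(&conv, need));
    return 0;
}
```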
PCT/US2008/063003 2007-05-10 2008-05-08 Interrupt-related circuits, systems, and processes WO2008141063A2 (en)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
EP07290589.6 2007-05-10
EP07290589 2007-05-10
EP08290292.5 2008-03-27
EP08290292 2008-03-27
US12/100,534 2008-04-10
US12/100,534 US7934036B2 (en) 2007-05-10 2008-04-10 Interrupt-related circuits, systems, and processes

Publications (2)

Publication Number Publication Date
WO2008141063A2 true WO2008141063A2 (en) 2008-11-20
WO2008141063A3 WO2008141063A3 (en) 2009-03-12

Family

ID=40363876

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2008/063003 WO2008141063A2 (en) 2007-05-10 2008-05-08 Interrupt-related circuits, systems, and processes

Country Status (3)

Country Link
US (4) US7934036B2 (en)
EP (1) EP2075696A3 (en)
WO (1) WO2008141063A2 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5943507A (en) * 1994-12-22 1999-08-24 Texas Instruments Incorporated Interrupt routing circuits, systems and methods
US6421754B1 (en) * 1994-12-22 2002-07-16 Texas Instruments Incorporated System management mode circuits, systems and methods
US20050081020A1 (en) * 2003-10-08 2005-04-14 Stmicroelectronics S.A. Multicontext processor architecture

Family Cites Families (58)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5630052A (en) * 1993-09-30 1997-05-13 Intel Corporation System development and debug tools for power management functions in a computer system
US5721922A (en) * 1994-10-13 1998-02-24 Intel Corporation Embedding a real-time multi-tasking kernel in a non-real-time operating system
US6466962B2 (en) * 1995-06-07 2002-10-15 International Business Machines Corporation System and method for supporting real-time computing within general purpose operating systems
US5812860A (en) * 1996-02-12 1998-09-22 Intel Corporation Method and apparatus providing multiple voltages and frequencies selectable based on real time criteria to control power consumption
US5995745A (en) * 1996-12-23 1999-11-30 Yodaiken; Victor J. Adding real-time support to general purpose operating systems
JP3008896B2 (en) * 1997-06-16 2000-02-14 日本電気株式会社 Interrupt Load Balancing System for Shared Bus Multiprocessor System
US6496847B1 (en) * 1998-05-15 2002-12-17 Vmware, Inc. System and method for virtualizing computer systems
US6189065B1 (en) * 1998-09-28 2001-02-13 International Business Machines Corporation Method and apparatus for interrupt load balancing for powerPC processors
US7020879B1 (en) * 1998-12-16 2006-03-28 Mips Technologies, Inc. Interrupt and exception handling for multi-streaming digital processors
US6526514B1 (en) * 1999-10-11 2003-02-25 Ati International Srl Method and apparatus for power management interrupt processing in a computing system
US7165134B1 (en) * 2000-06-28 2007-01-16 Intel Corporation System for selectively generating real-time interrupts and selectively processing associated data when it has higher priority than currently executing non-real-time operation
US6917997B2 (en) * 2000-06-29 2005-07-12 Palmchip Corporation Integrated circuit including interrupt controller with shared preamble execution and global-disable control bit
US6968467B2 (en) * 2000-10-26 2005-11-22 Matsushita Electric Industrial Co., Ltd. Decentralized power management system for integrated circuit using local power management units that generate control signals based on common data
US6990594B2 (en) * 2001-05-02 2006-01-24 Portalplayer, Inc. Dynamic power management of devices in computer system by selecting clock generator output based on a current state and programmable policies
US6807595B2 (en) * 2001-05-10 2004-10-19 Qualcomm Incorporated Mobile communication device having a prioritized interrupt controller
US7823131B2 (en) * 2001-06-29 2010-10-26 Mentor Graphics Corporation Debugger for a hardware-implemented operating system
KR100456630B1 (en) * 2001-12-11 2004-11-10 한국전자통신연구원 Method and apparatus for interrupt redirection for arm processors
US6883102B2 (en) * 2001-12-18 2005-04-19 Arm Limited Apparatus and method for performing power management functions
US7444639B2 (en) * 2001-12-20 2008-10-28 Texas Instruments Incorporated Load balanced interrupt handling in an embedded symmetric multiprocessor system
US7325146B2 (en) * 2001-12-31 2008-01-29 Intel Corporation Method and apparatus for generating SMI from ACPI ASL control code to execute complex tasks
EP1331539B1 (en) * 2002-01-16 2016-09-28 Texas Instruments France Secure mode for processors supporting MMU and interrupts
US7165135B1 (en) * 2002-04-18 2007-01-16 Advanced Micro Devices, Inc. Method and apparatus for controlling interrupts in a secure execution mode-capable processor
US20030204655A1 (en) * 2002-04-24 2003-10-30 Schmisseur Mark A. Prioritizing vector generation in interrupt controllers
US7370210B2 (en) * 2002-11-18 2008-05-06 Arm Limited Apparatus and method for managing processor configuration data
US7149862B2 (en) * 2002-11-18 2006-12-12 Arm Limited Access control in a data processing apparatus
GB2396451B (en) * 2002-11-18 2005-12-07 Advanced Risc Mach Ltd Delivering data processing requests to a suspended operating system
US7539853B2 (en) * 2002-11-18 2009-05-26 Arm Limited Handling interrupts in data processing of data in which only a portion of a function has been processed
US7117284B2 (en) * 2002-11-18 2006-10-03 Arm Limited Vectored interrupt control within a system having a secure domain and a non-secure domain
US7219182B2 (en) * 2003-03-10 2007-05-15 Marvell International Ltd. Method and system for using an external bus controller in embedded disk controllers
US6963960B2 (en) * 2003-03-25 2005-11-08 Microsoft Corporation System and method for kernel mode memory management having movable kernel objects
US6912610B2 (en) * 2003-03-28 2005-06-28 Emulex Design & Manufacturing Corporation Hardware assisted firmware task scheduling and management
US7350005B2 (en) * 2003-05-23 2008-03-25 Arm Limited Handling interrupts in a system having multiple data processing units
GB2403560A (en) * 2003-07-02 2005-01-05 Advanced Risc Mach Ltd Memory bus within a coherent multi-processing system
GB2403561A (en) * 2003-07-02 2005-01-05 Advanced Risc Mach Ltd Power control within a coherent multi-processor system
GB0315504D0 (en) * 2003-07-02 2003-08-06 Advanced Risc Mach Ltd Coherent multi-processing system
US7117285B2 (en) * 2003-08-29 2006-10-03 Sun Microsystems, Inc. Method and system for efficiently directing interrupts
EP1870814B1 (en) * 2006-06-19 2014-08-13 Texas Instruments France Method and apparatus for secure demand paging for processor devices
US20050251806A1 (en) * 2004-05-10 2005-11-10 Auslander Marc A Enhancement of real-time operating system functionality using a hypervisor
DE602004031719D1 (en) * 2004-07-01 2011-04-21 Texas Instruments Inc Method and system for checking the execution of a safe mode input sequence
TWI251171B (en) * 2004-09-21 2006-03-11 Univ Tsinghua Task scheduling method with low power consumption and a SOC using the method
JP4345630B2 (en) * 2004-09-29 2009-10-14 ソニー株式会社 Information processing apparatus, interrupt processing control method, and computer program
JP4687399B2 (en) * 2005-11-07 2011-05-25 セイコーエプソン株式会社 Multiprocessor system and data backup method
US8762744B2 (en) * 2005-12-06 2014-06-24 Arm Limited Energy management system configured to generate energy management information indicative of an energy state of processing elements
JP4303719B2 (en) * 2005-12-08 2009-07-29 Necエレクトロニクス株式会社 Semiconductor integrated circuit and control method thereof
US7489752B2 (en) * 2005-12-22 2009-02-10 Arm Limited Synchronisation of signals between asynchronous logic
US20070226795A1 (en) 2006-02-09 2007-09-27 Texas Instruments Incorporated Virtual cores and hardware-supported hypervisor integrated circuits, systems, methods and processes of manufacture
US7739528B2 (en) * 2006-06-09 2010-06-15 Broadcom Corporation Method for managing and controlling the low power modes for an integrated circuit device
US7836320B2 (en) * 2006-07-07 2010-11-16 Arm Limited Power management in a data processing apparatus having a plurality of domains in which devices of the data processing apparatus can operate
EP1912149A1 (en) * 2006-10-09 2008-04-16 Texas Instruments France Monitor mode integrity verification
US8327158B2 (en) * 2006-11-01 2012-12-04 Texas Instruments Incorporated Hardware voting mechanism for arbitrating scaling of shared voltage domain, integrated circuits, processes and systems
US20080163358A1 (en) * 2007-01-03 2008-07-03 Texas Instruments Incorporated Initiator and target firewalls
US8307416B2 (en) * 2007-01-03 2012-11-06 Texas Instruments Incorporated Data structures for use in firewalls
JP2008176360A (en) * 2007-01-16 2008-07-31 Renesas Technology Corp Multiprocessor system
EP2058725A3 (en) * 2007-06-11 2015-07-22 Mediatek Inc. Method of and apparatus for reducing power consumption within an integrated circuit
US7730248B2 (en) * 2007-12-13 2010-06-01 Texas Instruments Incorporated Interrupt morphing and configuration, circuits, systems and processes
US20090158011A1 (en) * 2007-12-14 2009-06-18 Infineon Technologies Ag Data processing system
US7930574B2 (en) * 2007-12-31 2011-04-19 Intel Corporation Thread migration to improve power efficiency in a parallel processing environment
US8112647B2 (en) * 2008-08-27 2012-02-07 Globalfoundries Inc. Protocol for power state determination and demotion

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
'Open and secure terminal initiative (OSTI) architecture specification, revision 1.00' INTEL CORPORATION AND NTT DOCOMO, INC. 16 October 2006, pages 3 - 17 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016105866A1 (en) * 2014-12-25 2016-06-30 Intel Corporation Virtual legacy wire
EP3340057A4 (en) * 2015-10-26 2018-11-14 Huawei Technologies Co., Ltd. Container monitoring method and apparatus
US10635558B2 (en) 2015-10-26 2020-04-28 Huawei Technologies Co., Ltd. Container monitoring method and apparatus

Also Published As

Publication number Publication date
WO2008141063A3 (en) 2009-03-12
US8069290B2 (en) 2011-11-29
US20110145460A1 (en) 2011-06-16
US20090049220A1 (en) 2009-02-19
US7934036B2 (en) 2011-04-26
US8117367B2 (en) 2012-02-14
EP2075696A2 (en) 2009-07-01
US20110145459A1 (en) 2011-06-16
EP2075696A3 (en) 2010-01-27
US8055828B2 (en) 2011-11-08
US20110173363A1 (en) 2011-07-14

Similar Documents

Publication Publication Date Title
WO2008141063A2 (en) Interrupt-related circuits, systems, and processes
US7730248B2 (en) Interrupt morphing and configuration, circuits, systems and processes
CN108701040B (en) Method, apparatus, and instructions for user-level thread suspension
US5706514A (en) Distributed execution of mode mismatched commands in multiprocessor computer systems
EP3039540B1 (en) Virtual machine monitor configured to support latency sensitive virtual machines
US7810083B2 (en) Mechanism to emulate user-level multithreading on an OS-sequestered sequencer
EP2560097A2 (en) Multithreaded kernel for graphics processing unit
EP2562643A2 (en) Systems and methods for enhancing performance of a coprocessor
KR20170031697A (en) On-demand shareability conversion in a heterogeneous shared virtual memory
TW200413889A (en) Mechanism for processor power state aware distribution of lowest priority interrupts
CN103473135B (en) The processing method of spin lock LHP phenomenon under virtualized environment
US20200150996A1 (en) Dynamic control of halt polling based on receiving a monitoring instruction executed by a guest
US7516311B2 (en) Deterministic microcontroller context arrangement
US7562207B2 (en) Deterministic microcontroller with context manager
CN110858164B (en) Inter-process communication method, device and computer readable medium
WO2006081094A2 (en) Deterministic microcontroller
Betti et al. Hard real-time performances in multiprocessor-embedded systems using asmp-linux
Liu et al. Inter-Core Communication Mechanisms for Microkernel Operating System based on Signal Transmission and Shared Memory
Tian et al. How virtualization makes power management different
US20060168420A1 (en) Microcontroller cache memory
CN116360941A (en) Multi-core DSP-oriented parallel computing resource organization scheduling method and system
US20060168421A1 (en) Method of providing microcontroller cache memory
Aspinall Concurrent internal and input/output activities

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08780601

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08780601

Country of ref document: EP

Kind code of ref document: A2