GB2557305A - Memory protection logic - Google Patents

Info

Publication number
GB2557305A
Authority
GB
United Kingdom
Prior art keywords
memory
access
protection
microcontroller
configuration registers
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB1620684.9A
Other versions
GB201620684D0 (en)
Inventor
Aune Frank
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nordic Semiconductor ASA
Original Assignee
Nordic Semiconductor ASA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nordic Semiconductor ASA
Priority to GB1620684.9A
Publication of GB201620684D0
Priority to PCT/GB2017/053644 (published as WO2018104711A1)
Priority to TW106142391A (published as TW201821998A)
Publication of GB2557305A
Legal status: Withdrawn

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
            • G06F12/14 Protection against unauthorised use of memory or access to memory
              • G06F12/1416 Protection by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
                • G06F12/1425 The protection being physical, e.g. cell, word, block
                  • G06F12/1441 The protection being physical, for a range
              • G06F12/1458 Protection by checking the subject access rights
                • G06F12/1491 Checking the subject access rights in a hierarchical protection system, e.g. privilege levels, memory rings
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
              • G06F21/71 Protecting specific components to assure secure computing or processing of information
                • G06F21/74 Operating in dual or compartmented mode, i.e. at least one secure mode
              • G06F21/78 Protecting specific components to assure secure storage of data
              • G06F21/82 Protecting input, output or interconnection devices
                • G06F21/85 Interconnection devices, e.g. bus-connected or in-line devices
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/44 Arrangements for executing specific programs
                • G06F9/4401 Bootstrapping

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

A resettable microcontroller (e.g. of an integrated radio) comprises a processor, a memory, a memory bus and memory protection logic. The microcontroller is arranged to clear a set of memory-protection configuration registers whenever the microcontroller is reset. The memory protection logic is arranged to access the set of memory protection configuration registers and is configured to monitor memory access requests on the bus, detect when a memory access request attempts to access a memory address in a protectable region of the memory, determine whether the memory access request satisfies an access criterion that depends on data stored in the set of memory-protection configuration registers, and block the memory access request when the access criterion is not satisfied. The memory protection logic is also arranged to prevent writing to any memory-protection configuration register unless the memory-protection configuration register is in a cleared state. This may be determined by a re-write controller of the memory protection logic that determines whether the data contained within the memory-protection configuration are different from the cleared value. The access criteria may be written by a bootloader arranged to read cryptographic data from the protectable region, and executed after a reset and before any other instructions.

Description

(71) Applicant(s): Nordic Semiconductor ASA, Otto Nielsens veg 12, Trondheim, 7052, Norway
(72) Inventor(s): Frank Aune
(56) Documents Cited: GB 2503583 A; US 20030014653 A1; US 5778444 A
(58) Field of Search: INT CL G06F, G11C; Other: WPI, EPODOC
INT CL: G06F 21/78 (2013.01)
(74) Agent and/or Address for Service: Dehns, St. Bride's House, 10 Salisbury Square, LONDON, EC4Y 8JD, United Kingdom
(54) Title of the Invention: Memory protection logic
(57) Abstract Title: Configuring memory protection registers after a system reset
[Figure 1: schematic of the microcontroller, showing Clock, Power, Processor, Radio, Memory Protection Logic, Flash Memory Controller, RAM, Flash, I/O and Peripherals]
[Figure 2: schematic of the operations undertaken by the re-write controller within the memory protection logic]
[Figure 3: flow diagram of the boot sequence, together with example access request processes]
Intellectual Property Office
Application No. GB1620684.9
RTM
Date: 23 June 2017
The following terms are registered trade marks and should be read as such wherever they occur in this document: ARM, Cortex, TrustZone
Intellectual Property Office is an operating name of the Patent Office www.gov.uk/ipo
Memory Protection Logic
This invention relates to controlling memory access on a microcontroller.
It is known to restrict read, write or execute access to memory on a microcontroller in order to prevent unauthorised access to data or programs.
Typically, in the prior art, certain trusted code can always gain full access to restricted and unrestricted memory areas—e.g., by causing a processor on the microcontroller to enter a privileged mode and then accessing a restricted memory area.
The applicant has recognised that this presents a security risk. For example, if an attacker is able to cause the attacker's own malicious code to be executed with the same elevated security permissions, the attacker could read sensitive data, such as encryption keys, from restricted memory.
The present invention seeks to address this shortcoming.
From a first aspect, the invention provides a resettable microcontroller comprising a processor, a memory, a memory bus, and memory protection logic, wherein:
the microcontroller is arranged to clear a set of memory-protection configuration registers whenever the microcontroller is reset;
the memory protection logic is arranged to access the set of memory-protection configuration registers and is configured to:
monitor memory access requests on the bus;
detect when a memory access request attempts to access a memory address in a protectable region of the memory;
determine whether the memory access request satisfies an access criterion for the protectable region, the access criterion depending on data stored in the set of memory-protection configuration registers;
block the memory access request when the access criterion is not satisfied; and
prevent writing to any memory-protection configuration register unless the memory-protection configuration register is in a cleared state.
Thus it will be seen by those skilled in the art that, in accordance with the invention, access to a protectable region of memory can be restricted securely, by storing appropriate values in the set of memory-protection configuration registers to restrict or block access to the protectable region. This restriction cannot then be overridden, even when the processor is executing instructions in a secure or privileged mode, until the microcontroller is next reset. This versatile mechanism thus enables a programmer to be assured of enhanced security in many different situations.
For example, some embodiments enable a programmer to prevent all write access to the protectable region of memory, by installing a bootloader that—every time the microcontroller is reset—stores an access criterion in the set of memory-protection configuration registers that prevents write access to the region.
As another example, some embodiments enable a bootloader to read sensitive cryptographic data from the protectable region and use it during a boot process in order to verify the integrity of the microcontroller, and then, once the cryptographic data has been used, the bootloader can set an access criterion preventing any further read or write access to the sensitive cryptographic data until the microcontroller is next reset.
It will be appreciated that a microcontroller reset may clear the set of memory-protection configuration registers by a hardware reset mechanism (e.g., by temporarily removing power to RAM), or by writing a default value to the set of memory-protection configuration registers. Thus, only once the memory-protection configuration registers are cleared may they then be set to store access criteria for controlling access to the protectable region.
In some embodiments, the microcontroller may also prevent modification of the configuration registers by a peripheral—even a bus master—and it may prevent or limit modification by an external debugger.
The write protection for the memory-protection configuration registers may be implemented by a re-write controller within the memory protection logic. Upon a request to write to a memory-protection configuration register, the re-write controller may be arranged to determine whether the data contained within the configuration register is different from the cleared or default value. When the re-write controller determines that there is a difference, the re-write controller may be configured to block the write request. When the re-write controller determines that there isn’t a difference, the re-write controller may be configured to allow the write request.
Thus, the re-write controller may provide access for a bootloader to set access criteria in the set of memory-protection configuration registers, following a microcontroller reset.
The protectable region may be defined by one or more values stored in the set of memory-protection configuration registers. For example, a base address for the protectable region may be stored in one of the memory-protection configuration registers. Another memory-protection configuration register may store an end address, or a length, for the protectable region. The protectable region may be defined by a single range of memory addresses, or it may comprise a plurality of memory address ranges or blocks of memory.
Values stored in the memory-protection configuration registers may define a plurality of protectable regions in the memory, each of which may have one or more associated access criteria. Logic may be provided for resolving conflicts where regions overlap. Preferably, conflict is resolved by preventing access to a region if at least one configuration register is set to prevent such access (even if another register is set to allow access).
An access criterion may specify or determine a type of memory access request that is permitted for a protectable region. In some embodiments, it may specify that one or more of read access, write access, erase access and execute access is allowed for a protectable region (or, conversely, it may specify that such access is prohibited). In some embodiments, an access criterion may additionally or alternatively require that the processor or microcontroller be in one of a set of particular states, such as in a secure mode, or in a privileged mode, or that the access request is from an external debugger, in order to allow access to the protectable region. In some embodiments, a region may be associated with configuration registers relating to secure-mode access permissions and further configuration registers relating to non-secure-mode access permissions. An access criterion may additionally or alternatively require that the memory access request be generated by an instruction stored in one or more particular areas of memory on the microcontroller. An access criterion may additionally or alternatively require that the memory access request be generated by one of a particular set of components, such as by the processor, or by a particular peripheral (e.g. a serial interface, a digital-to-analogue converter, or a servicing unit such as an external debugger) or set of peripherals. In some embodiments, an access criterion may additionally or alternatively require that the access request has a secure or privileged status, or that it is associated with a particular process (e.g. a firmware process or a third-party software process).
Preferably, for at least one or more of the memory-protection configuration registers, the value of the configuration register in a cleared state represents more permissive access than is represented by an alternative value, or by any other value. For example, a cleared value (e.g., a zero bit) may define unrestricted access for a particular type of memory access (such as read access when the processor is in a non-secure state), whereas an alternative value (e.g., a one bit) may represent blocked access for the particular type of memory access.
The memory protection logic may be configured to block a memory access request by triggering a bus-fault exception.
The memory protection logic is preferably arranged to detect memory access instructions regardless of their origin; i.e. from any bus master. This allows it to be used to detect direct memory access (DMA) instructions from peripherals, for example, or from an external debugger, as well as instructions from the processor.
The memory-protection configuration registers are preferably addressable by the processor, e.g. over the memory bus. They can preferably be written to and/or read from by the processor. In this way, a bootloader may set the configuration registers following a reset. Each register may occupy a contiguous region of memory, or it may be split across a plurality of locations. A register, as referred to herein, may be only a single bit long (possibly within a larger bit field), or it may comprise a plurality of bits (e.g. a 32-bit word).
The memory on the microcontroller may store one or more software components, such as a bootloader and/or a firmware module and/or a user application. The processor is preferably arranged to execute instructions from a predetermined memory address after a reset—preferably before executing any other instructions. In some embodiments, a bootloader is stored at said predetermined memory address, which may be in a protectable region of memory. The bootloader may comprise instructions for writing access criteria to one or more memory-protection configuration registers so as to prevent writing to said predetermined memory address and/or to a protectable region containing the bootloader. In this way the bootloader can be made read-only, which can enhance the security of the microcontroller. In particular, this prevents an attacker from modifying the bootloader so as to prevent it from writing the correct access criteria into the memory-protection configuration registers after the next reset.
In some embodiments, the memory protection logic may also be arranged to access a set of non-secure-mode-write-protected memory-protection configuration registers. These non-secure-mode-write-protected memory-protection configuration registers may act similarly to the other memory-protection configuration registers, in that they define and control access to one or more protectable regions of memory. However, the re-write controller is preferably configured to allow the processor to modify the non-secure-mode-write-protected memory-protection configuration registers any number of times, without having to reset the microcontroller, when the processor is in a secure mode. Preferably, when the processor is not in a secure mode, the re-write controller prevents writing to the non-secure-mode-write-protected memory-protection configuration registers, unless they are in a cleared state. As with the other memory-protection configuration registers, the memory protection logic may be configured to determine whether a memory access request satisfies an access criterion depending on data stored in the set of non-secure-mode-write-protected memory-protection configuration registers. The memory protection logic may block the memory access request when the access criterion is not satisfied. Such non-secure-mode-write-protected memory-protection configuration registers may be desirable as they can be used by software other than just the bootloader, and may be changed during normal operation of the device (so long as the processor is in a secure mode).
In one set of embodiments, non-secure-mode-write-protected memory-protection configuration registers are used to store access criteria that are enforced when the processor is in a non-secure mode but that are not enforced when the processor is in a secure mode. In some of these embodiments, the standard memory-protection configuration registers (for which re-write protection applies regardless of whether the processor is in a secure mode or a non-secure mode) are used to store access criteria that are enforced the same regardless of whether the processor is in a secure mode or a non-secure mode.
The memory (including one or more protectable regions) may comprise volatile and/or non-volatile memory, such as RAM and/or flash memory. The memory may store program code. The memory is preferably addressable by the processor over the memory bus. The memory-protection configuration registers may comprise nonvolatile memory (e.g., flash), but preferably comprise volatile memory, since this may avoid a need for dedicated circuitry to clear the memory-protection configuration registers on reset.
The processor may be any suitable processor. In some embodiments it is a processor from ARM™, such as a processor from ARM™'s Cortex™ range. A secure mode, as referred to herein, may in some embodiments be a secure mode or state according to ARM™'s TrustZone™ specifications. The microcontroller may comprise one or more further processors, connected to the memory bus.
The memory bus may be an address or instruction bus, or it may carry both instructions and data. The microcontroller may comprise a plurality of buses, such as a processor bus and a peripheral bus. The memory protection logic may be arranged to monitor memory access instructions on a plurality of buses.
The memory protection logic preferably operates independently of the processor. It preferably comprises distinct logic gates, separate from the processor. In this way, a malicious or careless programmer cannot execute code on the processor that bypasses the memory protection logic. For the same reasons, the memory protection logic is preferably entirely hardware-based; i.e., it does not comprise a general-purpose processor for executing software instructions. A re-write controller, within the memory protection logic, is preferably also partly or entirely hardware-based—i.e. comprising logic gates distinct from those of the processor. It will be appreciated that the memory protection logic is not limited to any particular physical shape or location on the microcontroller, and may comprise any number of separate logical components.
The microcontroller is preferably an integrated device—e.g., integrated on silicon. In some embodiments, it may comprise a radio transmitter or receiver—e.g., a so-called radio-on-a-chip device. From another aspect, the invention provides an integrated radio device comprising a microcontroller as disclosed herein.
Certain preferred embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 is a schematic drawing of a microcontroller embodying the invention;
Figure 2 is a schematic drawing of operations undertaken by the re-write controller within the memory protection logic of the microcontroller; and
Figure 3 is a flow diagram illustrating a boot sequence of the microcontroller of Figure 1, together with some examples of access request processes.
Figure 1 shows an integrated-circuit microcontroller 1 or radio-on-a-chip which comprises clock logic 3, which may include a resistor-capacitor oscillator and/or may receive an input from an off-chip crystal oscillator (not shown), power management circuitry 5, a processor 7 (e.g. an ARM™ Cortex-M0), memory protection logic 9, RAM 11, a flash memory controller 20, flash memory 13, radio communication logic 17, one or more peripherals 15, and input/output circuitry 19.
These components are interconnected using suitable lines and/or buses (not shown). The microcontroller 1 may use a Harvard architecture or a von Neumann architecture. The memory protection logic 9 is arranged to intercept all memory access instructions to the RAM 11 and to the flash memory controller 20. Thus, memory access instructions from the processor 7 and peripherals 15 are all intercepted by the memory protection logic 9.
The microcontroller 1 also has a debugging interface 18 which may be used for loading data into the flash memory 13 and for debugging the processor 7. It is expected that the debugging interface 18 will be completely disabled before the microcontroller 1 is shipped to an end user. The microcontroller 1 may comprise a configurable mechanism for restricting or blocking access to the flash memory 13 and RAM 11 from the debugging interface 18.
In use, the microcontroller 1 can be connected to a number of external components such as a power supply, radio antenna, crystal oscillator, sensors, output devices, etc.
The memory protection logic 9 can be configured such that the flash memory 13 has at least one protected region of memory and at least one unprotected region of memory. The protected region(s) stores firmware data and code, and a bootloader. The unprotected region(s) stores third party software. In other embodiments, third-party software may also be stored in a protected region. The memory protection logic 9 can also be configured such that RAM 11 has at least one protected region and at least one unprotected region.
Access to a given region (e.g. protected region) of flash memory 13 or RAM 11 is controlled by the memory protection logic 9 and is only granted if access criteria for that region are satisfied. The access criteria can define the protected region of flash 13 or RAM 11 (e.g., by a memory start address and a length value) and can specify whether system processes (e.g. firmware processes or software processes) and peripherals 15 are granted access to that memory region for each of read, write and execute operations. In some embodiments, access to an erase function may also be controlled directly by the access criteria. The debugging interface 18 can override the memory protection logic 9 when an override register is set (unless debugging has already been disabled for the microcontroller 1), but apart from this exception, the configured protection is applied to all components that access the memory bus.
The access criteria are stored in at least one memory-protection configuration register 26. The memory-protection configuration registers 26 may be part of the RAM 11 memory or flash 13 memory. In this embodiment they are part of the RAM 11. This is advantageous as it ensures that the memory-protection configuration registers 26 are cleared immediately when the microcontroller 1 resets. If the memory-protection configuration registers 26 are a part of the flash 13 memory, the microcontroller 1 (e.g., the flash memory controller 20) would need to be arranged to erase one or more flash memory blocks containing the memory-protection configuration registers 26 automatically when a reset 22 event occurs.
There may be a plurality of sets of memory-protection configuration registers 26, each set relating to a respective protectable region. For example, one set of memory-protection configuration registers 26 may have a start-address register and a size register for defining a protected region, a binary flag for enabling or disabling execute access to the region in a secure mode, a binary flag for enabling or disabling read access to the region in a secure mode, a binary flag for enabling or disabling write access to the region in a secure mode, a binary flag for enabling or disabling execute access to the region in a non-secure mode, a binary flag for enabling or disabling read access to the region in a non-secure mode, and a binary flag for enabling or disabling write access to the region in a non-secure mode. In one set of embodiments, there are eight such sets of memory-protection configuration registers 26. Each binary flag may be treated as a separate register, or a group of binary flags (e.g., all the secure mode flags, or all the non-secure mode flags, or all the secure and non-secure flags) may be treated together as a single register.
In some embodiments a cleared value (e.g., a 0) in a binary flag indicates that the associated access type is allowed for the respective region. Thus, writing an alternative value (e.g., a 1) to a binary flag after a reset represents a restriction of access to the region.
The memory protection logic 9 has read access to the memory-protection configuration registers 26. A re-write controller forms part of the memory protection logic 9. When the memory protection logic 9 intercepts a request to write to a memory-protection configuration register 26, the re-write controller is arranged to determine whether the configuration register 26 is in a cleared state or if it contains data different from the cleared or default value - i.e. it determines if the register 26 has been written to already since the last reset. When the re-write controller determines that there is a difference, the re-write controller is configured to block the request to modify the configuration register 26. When the re-write controller determines that there isn’t a difference, the re-write controller allows the configuration register 26 to be written to.
In this way, the re-write controller ensures that the memory-protection configuration register 26 may only be written to once after each reset. If the cleared values represent more permissive settings then the re-write controller prevents software from easing restrictions on memory access by reverting a register to a cleared value.
Thus, it will be appreciated that when booting the microcontroller 1 following a reset event 22 (e.g., after the device has been manually rebooted, after new batteries have been installed into the device, or when a watchdog timer triggers a reset, etc.), the memory-protection configuration registers 26 will be cleared, and bootloader software will have write access to the configuration registers 26. More generally, whenever the microcontroller 1 starts executing from address zero, the memory-protection configuration registers 26 will be reset. Normally, the bootloader will subsequently write appropriate values to the memory-protection configuration registers 26, which will have the effect of preventing any modification of those registers 26 by other software on the device. If the bootloader does not need to configure as many distinct protected memory regions as are supported by the configuration registers 26 (e.g., it only needs to define five regions, while the registers 26 can support eight regions), the bootloader preferably duplicates one or more of the region settings in the spare sets of configuration registers 26, so that they too are no longer writable by any other software until the next reset. Thus, attackers are prevented from using malicious code to modify the memory-protection configuration registers 26 to change the access criteria and thereby gain access to a protected region of the memory. Similarly, bugs in non-malicious code are prevented from accidentally writing to protected regions of RAM 11 or flash 13.
The bootloader itself (including its data) may be stored in a region of the flash 13 memory which the bootloader write-protects immediately after reset. This prevents any other software from accidentally or maliciously manipulating the bootloader so as to prevent it from setting the proper access criteria after each reset.
The processor 7 may have a secure mode of operation and a non-secure mode of operation. In general, the re-write controller in the memory protection logic 9 prevents re-writing of the configuration registers 26 even when the processor 7 is in a secure mode. However, in some embodiments, the re-write controller allows re-writing of particular registers (which may be binary flags) that relate to non-secure mode permissions when the processor 7 is in a secure mode (but it always prevents re-writing of the binary flags that relate to secure mode permissions).
Figure 2 illustrates, in more detail, the various main operations of the re-write controller in the memory protection logic 9.
When the memory protection logic 9 receives a reset signal from the processor 7, it sets all the configuration registers to a default value—e.g., 0x0000 0000 (a 32-bit word having the value zero) for word-length registers, or to a zero bit for a single-bit register.
When the memory protection logic 9 detects a memory access attempt, it determines whether the attempt is to write a secure configuration register (i.e., a register which relates to permissions for the processor in secure-mode). If so, it checks whether the value of the secure configuration register is the default value. If it is the default value, it allows the write; otherwise, it denies the write (e.g., by triggering a bus fault exception).
If the memory access attempt is not for a secure configuration register, the memory protection logic 9 determines whether the attempt is to write a non-secure configuration register (i.e., a register which relates to permissions for the processor in non-secure mode). If so, it checks a line from the processor 7 which indicates whether the processor 7 is executing in a secure state or a non-secure state, and determines which state the processor 7 is currently in. If the processor 7 is in a secure state, the re-write controller allows the write. If the processor 7 is not in a secure state, the re-write controller checks whether the value of the non-secure configuration register is the default value. If it is the default value, it allows the write; otherwise, it denies the write (e.g., by triggering a bus fault exception).
Figure 3 illustrates the operation of the microcontroller 1 following a reset, together with some examples of how the memory protection logic 9 may respond to data access requests from software processes running from an unprotected region of memory 11, 13, firmware processes running from a protected region of memory 11, 13, and a peripheral 15.
When the microcontroller 1 resets, the memory-protection configuration registers 26 are cleared and the bootloader 24 is initiated at step 200 to start a boot sequence.
The bootloader 24 is stored at a special address, which is the first address the processor 7 starts executing from after a reset. The bootloader 24 can therefore execute before any software processes or firmware processes can make data access requests. At step 202, the bootloader 24 reads its own data, representing the desired access criteria, as well as cryptographic data, directly from a soon-to-be-protected region of flash memory 13 and performs an integrity check with the cryptographic data to ensure that the microcontroller 1 hasn’t been compromised. The bootloader 24 then issues a write request to write the access criteria in the memory-protection configuration registers 26, at step 204. The write request is intercepted by the memory protection logic 9 and processed by the re-write controller within the memory protection logic 9. The re-write controller determines whether or not the requested configuration registers 26 are in their cleared state. It does this by reading the registers 26 as explained above. In other embodiments, though, the re-write controller may check one or more separate flags representing the state of the configuration registers 26 (e.g., indicating whether or not they have been written to).
In the example of Figure 3, at step 206 the requested configuration registers 26 are found to be in their cleared state, since the microcontroller is booting from a reset event, and the bootloader 24 is therefore allowed to proceed with writing the access criteria to the requested configuration registers 26. Preferably, the access criteria define the region of memory from where the cryptographic data was retrieved and specify that the data cannot be read or written again. Read protection is particularly valuable if the cryptographic data include private-key data. The access criteria may also write-protect the region containing the bootloader itself. The bootloader may also define other protected regions at this stage—e.g., for protecting firmware code from being overwritten. Henceforth, protection for these memory regions is active, until the next reset.
It will be appreciated that once these configuration registers 26 are written to, they will no longer be in their cleared state and as such the re-write controller of the memory protection logic 9 will thereafter not allow any further requests to write to those configuration registers 26. In this way, the data in the configuration registers 26 is protected from modification until the next reset. Further, because a hardware re-write controller determines whether the configuration registers 26 are in their cleared state, all write requests from any type of process (e.g. secure-mode firmware or non-secure software) or from a peripheral will be denied, and this mechanism cannot be bypassed by software.
Once the bootloader 24 has finished writing access criteria to the configuration registers 26, the memory protection logic 9 will manage (i.e. grant or deny) all memory access requests based on the access criteria.
At step 210, a third-party software process running from code stored in an unprotected region of the flash memory 13 sends a write request to write data to a protected region of the flash memory 13, followed by a read request for data from the same protected region. These requests are intercepted and processed by the memory protection logic 9. At step 212, the memory protection logic 9 retrieves the access criteria associated with the requested region of memory from the memory-protection configuration registers 26. The access criteria specify what operations (e.g. write, read, or execute) are allowed for the protected region of memory. In this example, the access criteria specify that the software process is not allowed to write data to the protected region of memory, but is allowed to read data from the protected region. Accordingly, based on the access criteria, the memory protection logic 9 denies the write request at step 214, and allows the read request at step 216. This prevents inadvertent or malicious writing by the software process to protected regions of memory (e.g. protected memory locations allocated to firmware data and code), thereby increasing robustness and security. When denying access, the memory protection logic 9 may trigger a bus fault exception.
At step 220, a secure-mode firmware process running from code stored in a protected region of the flash memory 13 sends a request to write an access criterion to a memory-protection configuration register 26. The memory protection logic 9 intercepts the request. The re-write controller in the memory protection logic 9 determines that the data in the requested configuration register 26 is different from the cleared state; this is because the bootloader has already written to the configuration register 26 during the boot sequence following a reset. Accordingly, the memory protection logic 9 denies the write request at step 222.
At step 230, a peripheral 15 tries to read data from a protected region of the flash memory 13 via a direct memory access (DMA) request. This request is intercepted by the memory protection logic 9. At step 232, the memory protection logic 9 retrieves access criteria in connection with the requested region of memory from the memory-protection configuration registers 26. The access criteria specify whether or not the peripheral 15 is allowed to read the data in the requested region of memory. In this example, the access criteria specify that the peripheral 15 is not allowed to read the data and as such the memory protection logic 9 denies the read request at step 234 by triggering a bus fault exception.
At step 240, a peripheral 15 sends a request to write an access criterion to a memory-protection configuration register 26. The memory protection logic 9 intercepts the request. The re-write controller determines that the data in the requested configuration register 26 is different from the cleared state; this is because the bootloader has already written to the configuration register 26 during the boot sequence following a reset. Accordingly, the memory protection logic 9 denies the write request at step 242.
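The following C program is a software model of the mechanism described in Figures 2 and 3, added here as an example; it is not Nordic's hardware design or any code from the patent. The function and type names, the decision to apply non-secure permissions to peripheral DMA, the rule that any overlapping region which restricts an access denies it, and the sample region layout and addresses are all assumptions of the model. It implements the write-once re-write controller (including the optional embodiment in which secure-mode code may re-write non-secure permissions), the per-region access check, the bootloader's duplication of a region into spare register sets, and a post-boot check that no set was left in its cleared, writable state.

```c
/* Added example: a software model of the memory protection logic described
 * above (write-once configuration registers, the Figure 2 re-write controller,
 * the Figure 3 access decisions). Not Nordic's hardware; every name, the
 * DMA-as-non-secure rule, the overlap rule and the addresses are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MPL_REGIONS 8

/* A set bit RESTRICTS that access type; the cleared reset value permits all. */
enum { PERM_X = 1u << 0, PERM_R = 1u << 1, PERM_W = 1u << 2 };
enum access_type { ACC_READ, ACC_WRITE, ACC_EXEC };
enum mpl_reg { REG_START = 0, REG_SIZE, REG_SPERM, REG_NSPERM };

/* One set of configuration registers: region bounds, restrictions applied when
 * the processor is in secure mode, and restrictions for non-secure mode (also
 * applied to peripheral DMA in this model). */
struct region_cfg { uint32_t start, size, secure_perm, nonsecure_perm; };
struct mpl { struct region_cfg cfg[MPL_REGIONS]; };
struct mpl g_mpl;   /* file-scope instance so a test can drive the walk-through */

/* Reset clears every register to its permissive default. */
void mpl_reset(struct mpl *m) { memset(m, 0, sizeof *m); }

/* Re-write controller (Figure 2). Returns false where hardware raises a bus
 * fault. Bounds and secure-mode permissions are write-once since reset from
 * any state; non-secure permissions may be re-written while the processor's
 * secure-state line is asserted (the optional embodiment). Caveat of the
 * value-compare embodiment modelled here: writing the cleared value leaves the
 * register writable; the alternative "written" flag embodiment would not. */
bool mpl_write_reg(struct mpl *m, unsigned idx, enum mpl_reg which,
                   uint32_t val, bool cpu_secure)
{
    if (idx >= MPL_REGIONS) return false;
    struct region_cfg *c = &m->cfg[idx];
    uint32_t *reg = which == REG_START ? &c->start : which == REG_SIZE ? &c->size
                  : which == REG_SPERM ? &c->secure_perm : &c->nonsecure_perm;
    bool rewritable = (which == REG_NSPERM && cpu_secure);
    if (!rewritable && *reg != 0) return false;
    *reg = val;
    return true;
}

/* Access check for any bus master. If any region covering the address
 * restricts the access it is denied; uncovered addresses are unrestricted. */
bool mpl_check_access(const struct mpl *m, uint32_t addr, enum access_type t,
                      bool cpu_secure, bool dma)
{
    uint32_t bit = t == ACC_READ ? PERM_R : t == ACC_WRITE ? PERM_W : PERM_X;
    for (unsigned i = 0; i < MPL_REGIONS; i++) {
        const struct region_cfg *r = &m->cfg[i];
        if (r->size == 0 || addr < r->start || addr - r->start >= r->size) continue;
        uint32_t perm = (cpu_secure && !dma) ? r->secure_perm : r->nonsecure_perm;
        if (perm & bit) return false;
    }
    return true;
}

/* Post-boot self-check: true when no register in any set still holds the
 * cleared value, i.e. nothing remains writable from non-secure state. */
bool mpl_all_sets_locked(const struct mpl *m)
{
    for (unsigned i = 0; i < MPL_REGIONS; i++)
        if (!m->cfg[i].start || !m->cfg[i].size || !m->cfg[i].secure_perm || !m->cfg[i].nonsecure_perm)
            return false;
    return true;
}

/* Bootloader step 204: write the wanted regions, then copy region 0 into every
 * spare set so that no set is left in its writable, cleared state. */
bool bootloader_configure(struct mpl *m, const struct region_cfg *want, unsigned n)
{
    if (n == 0 || n > MPL_REGIONS) return false;
    for (unsigned i = 0; i < MPL_REGIONS; i++) {
        const struct region_cfg *r = &want[i < n ? i : 0];
        uint32_t vals[4] = { r->start, r->size, r->secure_perm, r->nonsecure_perm };
        for (unsigned k = 0; k < 4; k++)
            if (!mpl_write_reg(m, i, (enum mpl_reg)k, vals[k], true)) return false;
    }
    return true;
}

/* Constructed layout for the Figure 3 walk-through (addresses are invented). */
bool boot_figure3(struct mpl *m)
{
    static const struct region_cfg want[] = {
        { 0x00001000u, 0x0000E000u, PERM_W, PERM_W },                           /* firmware: no writes */
        { 0x0000F000u, 0x00001000u, PERM_R | PERM_W, PERM_R | PERM_W | PERM_X }, /* key material: sealed */
        { 0x20000000u, 0x00002000u, PERM_X, PERM_R | PERM_W | PERM_X },         /* secure RAM */
    };
    mpl_reset(m);
    return bootloader_configure(m, want, 3);
}

int main(void)
{
    boot_figure3(&g_mpl);
    printf("all sets locked after boot: %d\n", mpl_all_sets_locked(&g_mpl));
    printf("step 214 NS write to firmware denied: %d\n", !mpl_check_access(&g_mpl, 0x2000u, ACC_WRITE, false, false));
    printf("step 222 secure re-write of cfg denied: %d\n", !mpl_write_reg(&g_mpl, 1, REG_SPERM, 0, true));
    printf("step 234 DMA read of key region denied: %d\n", !mpl_check_access(&g_mpl, 0xF100u, ACC_READ, false, true));
    return 0;
}
```

Build with any C11 compiler (e.g. `cc -std=c11 -Wall model.c`; the file name is arbitrary). Two points the model makes visible: under the value-compare embodiment a register written with its cleared value stays writable, which is why `bootloader_configure` fills spare sets with a non-zero region rather than leaving them at reset values, and why a region that needs no restrictions at all cannot be used to lock a set; the patent's alternative embodiment that tracks a separate "written" flag closes that gap. `mpl_all_sets_locked` is the kind of check a bootloader can run on itself before handing over to firmware.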
Thus, devices have been described which have a versatile memory protection mechanism that can be used for a wide variety of purposes, and which employ hardware logic to allow the devices to prepare the access permissions during a controlled boot sequence using a trusted bootloader. Malicious code will not be able to modify the boot sequence or permission scheme later on.

Claims (15)

Claims:
1. A resettable microcontroller comprising a processor, a memory, a memory bus, and memory protection logic, wherein:
the microcontroller is arranged to clear a set of memory-protection configuration registers whenever the microcontroller is reset;
the memory protection logic is arranged to access the set of memory-protection configuration registers and is configured to:
monitor memory access requests on the bus;
detect when a memory access request attempts to access a memory address in a protectable region of the memory;
determine whether the memory access request satisfies an access criterion for the protectable region, the access criterion depending on data stored in the set of memory-protection configuration registers;
block the memory access request when the access criterion is not satisfied; and
prevent writing to any memory-protection configuration register unless the memory-protection configuration register is in a cleared state.
2. A resettable microcontroller according to claim 1, wherein the memory protection logic comprises a re-write controller arranged, upon a request to write to a memory-protection configuration register, to determine whether the data contained within the memory-protection configuration register is different from the cleared value, and to block the write request when there is a difference.
3. A resettable microcontroller according to claim 2, wherein the memory protection logic is also arranged to access a set of non-secure-mode-write-protected memory-protection configuration registers, wherein the re-write controller is configured to prevent writing to the non-secure-mode-write-protected memory-protection configuration registers when the processor is not in a secure mode, unless the non-secure-mode-write-protected memory-protection configuration registers are in a cleared state.
4. A resettable microcontroller according to claim 3, wherein the microcontroller is arranged to clear the set of non-secure-mode-write-protected memory-protection configuration registers whenever the microcontroller is reset.
5. A resettable microcontroller according to any preceding claim, wherein the memory protection logic is configured to block a memory access request by triggering a bus-fault exception.
6. A resettable microcontroller according to any preceding claim, wherein the memory protection logic is arranged to detect a memory access request from any bus master.
7. A resettable microcontroller according to any preceding claim wherein:
a predetermined address of the memory stores a bootloader that comprises instructions for writing access criteria to one or more memory-protection configuration registers; and
the processor is arranged to execute the bootloader after a reset before executing any other instructions.
8. A resettable microcontroller according to claim 7, wherein the bootloader is arranged to read cryptographic data from the protectable region and use it during a boot process in order to verify the integrity of the microcontroller, and then, once the cryptographic data has been used, to set an access criterion preventing any further read or write access to the cryptographic data until the microcontroller is next reset.
9. A resettable microcontroller according to any preceding claim, wherein the memory-protection configuration registers comprise volatile memory.
10. A resettable microcontroller according to any preceding claim, wherein the memory protection logic comprises logic gates that are separate from those of the processor.
11. A resettable microcontroller according to any preceding claim, wherein the access criterion specifies or determines a type of memory access request that is permitted for a protectable region.
12. A resettable microcontroller according to any preceding claim, wherein the access criterion requires that the processor or microcontroller be in one of a set of particular states, or that the access request be from an external debugger, in order to allow access to the protectable region.
13. A resettable microcontroller according to any preceding claim, wherein the protectable region is defined by one or more values stored in the set of memory-protection configuration registers.
14. A resettable microcontroller according to claim 13, wherein the set of memory-protection configuration registers store values defining a plurality of protectable regions in the memory, and one or more access criteria for each protectable region.
15. An integrated radio device comprising a microcontroller according to any preceding claim.

Priority Applications (3)

Application Number Priority Date Filing Date Title
GB1620684.9A GB2557305A (en) 2016-12-05 2016-12-05 Memory protection logic
PCT/GB2017/053644 WO2018104711A1 (en) 2016-12-05 2017-12-04 Memory protection logic
TW106142391A TW201821998A (en) 2016-12-05 2017-12-04 Memory protection logic

Publications (2)

Publication Number Publication Date
GB201620684D0 GB201620684D0 (en) 2017-01-18
GB2557305A true GB2557305A (en) 2018-06-20

Family

ID=58159856

Country Status (3)

Country Link
GB (1) GB2557305A (en)
TW (1) TW201821998A (en)
WO (1) WO2018104711A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB201810533D0 (en) * 2018-06-27 2018-08-15 Nordic Semiconductor Asa Hardware protection of files in an intergrated-circuit device
TWI688861B (en) * 2018-09-18 2020-03-21 新唐科技股份有限公司 Data processing apparatus and data protection method thereof
CN109739673B (en) * 2018-12-05 2023-05-09 新华三技术有限公司合肥分公司 Register write-in protection method, logic device and communication equipment
GB2596103B (en) * 2020-06-17 2022-06-15 Graphcore Ltd Dual level management
GB2596102B (en) 2020-06-17 2022-06-29 Graphcore Ltd Processing device comprising control bus
US11809334B2 (en) * 2021-01-19 2023-11-07 Cirrus Logic Inc. Integrated circuit with asymmetric access privileges
US12039090B2 (en) 2021-01-19 2024-07-16 Cirrus Logic Inc. Integrated circuit with asymmetric access privileges
WO2022157467A1 (en) * 2021-01-19 2022-07-28 Cirrus Logic International Semiconductor Limited Integrated circuit with asymmetric access privileges
US11386019B1 (en) * 2021-04-06 2022-07-12 Mediatek Inc. Data protection method and storage device
IT202100021944A1 (en) * 2021-08-17 2023-02-17 St Microelectronics Srl Shielding of registers in semiconductor devices

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5778444A (en) * 1996-05-06 1998-07-07 Motorola, Inc. Method and apparatus for reset-sensitive and controlled register write accesses in a data processing system with user and test modes
US20030014653A1 (en) * 2001-07-10 2003-01-16 Peter Moller Memory device with data security in a processor
GB2503583A (en) * 2012-06-27 2014-01-01 Nordic Semiconductor Asa Erasing memory protection-configuration region only if protected region is in an erased state

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7313705B2 (en) * 2002-01-22 2007-12-25 Texas Instrument Incorporated Implementation of a secure computing environment by using a secure bootloader, shadow memory, and protected memory
DE60308215T2 (en) * 2002-11-18 2007-08-23 Arm Ltd., Cherry Hinton PROCESSOR SWITCHING BETWEEN SAFE AND UNSAFE MODES
US20080263256A1 (en) * 2007-04-20 2008-10-23 Motorola, Inc. Logic Device with Write Protected Memory Management Unit Registers
CN102929674B (en) * 2012-11-02 2016-02-10 威盛电子股份有限公司 Electronic device and booting method
US9875358B2 (en) * 2014-06-20 2018-01-23 Microsoft Technology Licensing, Llc Preventing code modification after boot

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4411538A1 (en) * 2023-02-03 2024-08-07 STMicroelectronics International N.V. Method for emulating start-up programs
FR3145629A1 (en) * 2023-02-03 2024-08-09 Stmicroelectronics International N.V. Method of emulating boot programs

Also Published As

Publication number Publication date
GB201620684D0 (en) 2017-01-18
WO2018104711A1 (en) 2018-06-14
TW201821998A (en) 2018-06-16

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)