WO2018104711A1 - Memory protection logic - Google Patents
Publication number: WO2018104711A1 (Authority: WO, WIPO (PCT))
Classifications (CPC, all under G—PHYSICS / G06—COMPUTING; CALCULATING OR COUNTING / G06F—ELECTRIC DIGITAL DATA PROCESSING)
- G06F12/1416—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
- G06F12/1425—Protection against unauthorised use of memory or access to memory by checking the object accessibility, the protection being physical, e.g. cell, word, block
- G06F12/1441—Protection against unauthorised use of memory or access to memory by checking the object accessibility, the protection being physical, for a range
- G06F12/1458—Protection against unauthorised use of memory or access to memory by checking the subject access rights
- G06F12/1491—Protection against unauthorised use of memory or access to memory by checking the subject access rights in a hierarchical protection system, e.g. privilege levels, memory rings
- G06F21/74—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
- G06F21/85—Protecting input, output or interconnection devices: interconnection devices, e.g. bus-connected or in-line devices
- G06F9/4401—Arrangements for executing specific programs: bootstrapping
Definitions
- This invention relates to controlling memory access on a microcontroller. It is known to restrict read, write or execute access to memory on a microcontroller in order to prevent unauthorised access to data or programs.
- In known arrangements, certain trusted code can always gain full access to restricted and unrestricted memory areas, e.g., by causing a processor on the microcontroller to enter a privileged mode and then accessing a restricted memory area.
- The present invention seeks to address this shortcoming.
- The invention provides a resettable microcontroller comprising a processor, a memory, a memory bus, and memory protection logic, wherein:
- The microcontroller is arranged to clear a set of memory-protection
- The memory protection logic is arranged to access the set of memory-protection configuration registers and is configured to:
- Access to a protectable region of memory can be restricted securely, by storing appropriate values in the set of memory-protection configuration registers to restrict or block access to the protectable region.
- This restriction cannot then be overridden, even when the processor is executing instructions in a secure or privileged mode, until the microcontroller is next reset.
- Some embodiments enable a programmer to prevent all write access to the protectable region of memory, by installing a bootloader that, every time the microcontroller is reset, stores an access criterion in the set of memory-protection configuration registers that prevents write access to the region.
- Some embodiments enable a bootloader to read sensitive cryptographic data from the protectable region and use it during a boot process in order to verify the integrity of the microcontroller; once the cryptographic data has been used, the bootloader can set an access criterion preventing any further read or write access to the sensitive cryptographic data until the microcontroller is next reset.
- A microcontroller reset may clear the set of memory-protection configuration registers by a hardware reset mechanism (e.g., by temporarily removing power to RAM), or by writing a default value to the set of memory-protection configuration registers.
- The memory-protection configuration registers may be set to store access criteria for controlling access to the protectable region.
- The microcontroller may also prevent modification of the configuration registers by a peripheral (even a bus master), and it may prevent or limit modification by an external debugger.
- The write protection for the memory-protection configuration registers may be implemented by a re-write controller within the memory protection logic.
- The re-write controller may be arranged to determine whether the data contained within the configuration register is different from the cleared or default value. When the re-write controller determines that there is a difference, it may be configured to block the write request. When it determines that there is no difference, it may be configured to allow the write request.
- The re-write controller may provide access for a bootloader to set access criteria in the set of memory-protection configuration registers, following a microcontroller reset.
- The protectable region may be defined by one or more values stored in the set of memory-protection configuration registers. For example, a base address for the protectable region may be stored in one of the memory-protection configuration registers. Another memory-protection configuration register may store an end address, or a length, for the protectable region.
- The protectable region may be defined by a single range of memory addresses, or it may comprise a plurality of memory address ranges or blocks of memory.
- Values stored in the memory-protection configuration registers may define a plurality of protectable regions in the memory, each of which may have one or more associated access criteria.
- Logic may be provided for resolving conflicts where regions overlap.
- A conflict is resolved by preventing access to a region if at least one configuration register is set to prevent such access (even if another register is set to allow access).
- An access criterion may specify or determine a type of memory access request that is permitted for a protectable region. In some embodiments, it may specify that one or more of read access, write access, erase access and execute access is allowed for a protectable region (or, conversely, it may specify that such access is prohibited). In some embodiments, an access criterion may additionally or alternatively require that the processor or microcontroller be in one of a set of particular states, such as a secure mode or a privileged mode, or that the access request is from an external debugger, in order to allow access to the protectable region. In some embodiments, a region may be associated with configuration registers relating to secure-mode access permissions and further configuration registers relating to non-secure-mode access permissions. An access criterion may additionally or alternatively require that the memory access request be generated by an instruction stored in one or more particular areas of memory on the microcontroller.
- An access criterion may additionally or alternatively require that the access request has a secure or privileged status, or that it is associated with a particular process (e.g. a firmware process or a third-party software process).
- The value of the configuration register in a cleared state represents more permissive access than is represented by an alternative value, or by any other value.
- A cleared value (e.g., a zero bit) may define unrestricted access for a particular type of memory access (such as read access when the processor is in a non-secure state), whereas an alternative value (e.g., a one bit) may represent blocked access for that type of memory access.
- The memory protection logic may be configured to block a memory access request by triggering a bus-fault exception.
- The memory protection logic is preferably arranged to detect memory access instructions regardless of their origin, i.e. from any bus master. This allows it to detect direct memory access (DMA) instructions from peripherals, for example, or from an external debugger, as well as instructions from the processor.
- The memory-protection configuration registers are preferably addressable by the processor, e.g. over the memory bus. They can preferably be written to and/or read from by the processor. In this way, a bootloader may set the configuration registers following a reset. Each register may occupy a contiguous region of memory, or it may be split across a plurality of locations. A register, as referred to herein, may be only a single bit long (possibly within a larger bit field), or it may comprise a plurality of bits (e.g. a 32-bit word).
- The memory on the microcontroller may store one or more software components, such as a bootloader and/or a firmware module and/or a user application.
- The processor is preferably arranged to execute instructions from a predetermined memory address after a reset, preferably before executing any other instructions.
- A bootloader is stored at said predetermined memory address, which may be in a protectable region of memory.
- The bootloader may comprise instructions for writing access criteria to one or more memory-protection configuration registers so as to prevent writing to said predetermined memory address and/or to a protectable region containing the bootloader.
- The bootloader can thus be made read-only, which can enhance the security of the microcontroller. In particular, this prevents an attacker from modifying the bootloader so as to stop it writing the correct access criteria into the memory-protection configuration registers after the next reset.
- The memory protection logic may also be arranged to access a set of non-secure-mode-write-protected memory-protection configuration registers.
- These non-secure-mode-write-protected memory-protection configuration registers may act similarly to the other memory-protection configuration registers, in that they define and control access to one or more protectable regions of memory.
- The re-write controller is preferably configured to allow the processor to modify the non-secure-mode-write-protected memory-protection configuration registers any number of times, without having to reset the microcontroller, when the processor is in a secure mode.
- When the processor is in a non-secure mode, the re-write controller prevents writing to the non-secure-mode-write-protected memory-protection configuration registers, unless they are in a cleared state.
- The memory protection logic may be configured to determine whether a memory access request satisfies an access criterion depending on data stored in the set of non-secure-mode-write-protected memory-protection configuration registers. The memory protection logic may block the memory access request when the access criterion is not satisfied.
- Non-secure-mode-write-protected memory-protection configuration registers may be desirable as they can be used by software other than just the bootloader, and may be changed during normal operation of the device (so long as the processor is in a secure mode). In one set of embodiments, non-secure-mode-write-protected memory-protection configuration registers are used to store access criteria that are enforced when the processor is in a non-secure mode but that are not enforced when the processor is in a secure mode.
- The standard memory-protection configuration registers (for which re-write protection applies regardless of whether the processor is in a secure mode or a non-secure mode) are used to store access criteria that are enforced in the same way regardless of whether the processor is in a secure mode or a non-secure mode.
- The memory may comprise volatile and/or non-volatile memory, such as RAM and/or flash memory.
- The memory may store program code.
- The memory is preferably addressable by the processor over the memory bus.
- The memory-protection configuration registers may comprise non-volatile memory (e.g., flash), but preferably comprise volatile memory, since this may avoid a need for dedicated circuitry to clear the memory-protection configuration registers on reset.
- The processor may be any suitable processor. In some embodiments it is a processor from ARM™, such as a processor from ARM™'s Cortex-M range.
- A secure mode, as referred to herein, may in some embodiments be a secure mode or state according to ARM™'s TrustZone™ specifications.
- The microcontroller may comprise one or more further processors, connected to the memory bus.
- The memory bus may be an address or instruction bus, or it may carry both.
- The microcontroller may comprise a plurality of buses, such as a processor bus and a peripheral bus.
- The memory protection logic may be arranged to monitor memory access instructions on a plurality of buses.
- The memory protection logic preferably operates independently of the processor. It preferably comprises distinct logic gates, separate from the processor. In this way, a malicious or careless programmer cannot execute code on the processor that bypasses the memory protection logic.
- The memory protection logic is preferably entirely hardware-based; i.e., it does not comprise a general-purpose processor for executing software instructions.
- A re-write controller within the memory protection logic is preferably also partly or entirely hardware-based, i.e. comprising logic gates distinct from those of the processor. It will be appreciated that the memory protection logic is not limited to any particular physical shape or location on the microcontroller, and may comprise any number of separate logical components.
- The microcontroller is preferably an integrated device, e.g., integrated on silicon. In some embodiments, it may comprise a radio transmitter or receiver, e.g., a so-called radio-on-a-chip device. From another aspect, the invention provides an integrated radio device comprising a microcontroller as disclosed herein.
- Figure 1 is a schematic drawing of a microcontroller embodying the invention.
- Figure 2 is a schematic drawing of operations undertaken by the re-write controller within the memory protection logic of the microcontroller.
- Figure 3 is a flow diagram illustrating a boot sequence of the microcontroller of Figure 1, together with some examples of access request processes.
- Figure 1 shows an integrated-circuit microcontroller 1 or radio-on-a-chip which comprises clock logic 3, which may include a resistor-capacitor oscillator and/or may receive an input from an off-chip crystal oscillator (not shown), power management circuitry 5, a processor 7 (e.g. an ARM™ Cortex-M0), memory protection logic 9, RAM 11, a flash memory controller 20, flash memory 13, radio communication logic 17, one or more peripherals 15, and input/output circuitry 19.
- The microcontroller 1 may use a Harvard architecture or a von Neumann architecture.
- The memory protection logic 9 is arranged to intercept all memory access instructions to the RAM 11 and to the flash memory controller 20. Thus, memory access instructions from the processor 7 and peripherals 15 are all intercepted by the memory protection logic 9.
- The microcontroller 1 also has a debugging interface 18 which may be used for loading data into the flash memory 13 and for debugging the processor 7. It is expected that the debugging interface 18 will be completely disabled before the microcontroller 1 is shipped to an end user.
- The microcontroller 1 may comprise a configurable mechanism for restricting or blocking access to the flash memory 13 and RAM 11 from the debugging interface 18.
- The microcontroller 1 can be connected to a number of external components such as a power supply, radio antenna, crystal oscillator, sensors, output devices, etc.
- The memory protection logic 9 can be configured such that the flash memory 13 has at least one protected region of memory and at least one unprotected region of memory.
- The protected region(s) store firmware data and code, and a bootloader.
- The unprotected region(s) store third-party software. In other embodiments, third-party software may also be stored in a protected region.
- The memory protection logic 9 can also be configured such that RAM 11 has at least one protected region and at least one unprotected region. Access to a given region (e.g. a protected region) of flash memory 13 or RAM 11 is controlled by the memory protection logic 9 and is only granted if the access criteria for that region are satisfied.
- The access criteria can define the protected region of flash 13 or RAM 11 (e.g., by a memory start address and a length value) and can specify whether system processes (e.g. firmware processes or software processes) and peripherals 15 are granted access to that memory region for each of read, write and execute operations. In some embodiments, access to an erase function may also be controlled directly by the access criteria.
- The debugging interface 18 can override the memory protection logic 9 when an override register is set (unless debugging has already been disabled for the microcontroller 1), but apart from this exception, the configured protection is applied to all components that access the memory bus.
- The access criteria are stored in at least one memory-protection configuration register 26.
- The memory-protection configuration registers 26 may be part of the RAM 11 or flash 13 memory. In this embodiment they are part of the RAM 11. This is advantageous as it ensures that the memory-protection configuration registers 26 are cleared immediately when the microcontroller 1 resets. If the memory-protection configuration registers 26 were part of the flash 13 memory, the microcontroller 1 (e.g., the flash memory controller 20) would need to be arranged to erase one or more flash memory blocks containing the memory-protection configuration registers 26.
- One set of memory-protection configuration registers 26 may have a start-address register and a size register for defining a protected region, a binary flag for enabling or disabling execute access to the region in a secure mode, a binary flag for enabling or disabling read access to the region in a secure mode, a binary flag for enabling or disabling write access to the region in a secure mode, a binary flag for enabling or disabling execute access to the region in a non-secure mode, a binary flag for enabling or disabling read access to the region in a non-secure mode, and a binary flag for enabling or disabling write access to the region in a non-secure mode.
- Each binary flag may be treated as a separate register, or a group of binary flags (e.g., all the secure-mode flags, or all the non-secure-mode flags, or all the secure and non-secure flags) may be treated together as a single register.
- A cleared value (e.g., a "0") in a binary flag indicates that the associated access type is allowed for the respective region.
- Writing an alternative value (e.g., a "1") to a binary flag after a reset represents a restriction of access to the region.
- The memory protection logic 9 has read access to the memory-protection configuration registers 26.
- A re-write controller forms part of the memory protection logic 9.
- When the re-write controller intercepts a request to write to a memory-protection configuration register 26, it is arranged to determine whether the configuration register 26 is in a cleared state or contains data different from the cleared or default value, i.e. it determines whether the register 26 has already been written to since the last reset.
- If the re-write controller determines that there is a difference, it is configured to block the request to modify the configuration register 26.
- If the re-write controller determines that there is no difference, it allows the configuration register 26 to be written to.
- The re-write controller thus ensures that each memory-protection configuration register 26 may only be written to once after each reset. If the cleared values represent more permissive settings, the re-write controller prevents software from easing restrictions on memory access by reverting a register to a cleared value.
- Following a reset event 22 (e.g., after the device has been manually rebooted, after new batteries have been installed into the device, or when a watchdog timer triggers a reset), the memory-protection configuration registers 26 will be cleared, and bootloader software will have write access to the configuration registers 26.
- On a reset, the memory-protection configuration registers 26 will be reset. Normally, the bootloader will subsequently write appropriate values to the memory-protection configuration registers 26, which will have the effect of preventing any modification of those registers 26 by other software on the device. If the bootloader does not need to configure as many distinct protected memory regions as are supported by the configuration registers 26 (e.g., it only needs to define five regions, while the registers 26 can support eight regions), the bootloader preferably duplicates one or more of the region settings in the spare sets of configuration registers 26, so as to prevent their being writable by any other software until the next reset.
- Attackers are thereby prevented from using malicious code to modify the memory-protection configuration registers 26 to change the access criteria and thereby gain access to a protected region of the memory.
- Bugs in non-malicious code are likewise prevented from accidentally writing to protected regions of RAM 11 or flash 13.
- The bootloader itself (including its data) may be stored in a region of the flash 13 memory which the bootloader write-protects immediately after reset. This prevents any other software from accidentally or maliciously manipulating the bootloader so as to stop it setting the proper access criteria after each reset.
- The processor 7 may have a secure mode of operation and a non-secure mode of operation.
- The re-write controller in the memory protection logic 9 prevents re-writing to the configuration registers 26 even when the processor 7 is in a secure mode.
- The re-write controller may allow re-writing of particular registers (which may be binary flags) that relate to non-secure-mode permissions when the processor 7 is in a secure mode (but it always prevents re-writing of the binary flags that relate to secure-mode permissions).
- Figure 2 illustrates, in more detail, the main operations of the re-write controller in the memory protection logic 9.
- When the memory protection logic 9 receives a "reset" signal from the processor 7, it sets all the configuration registers to a default value, e.g., 0x0000 0000 (a 32-bit word having the value zero) for word-length registers, or a zero bit for a single-bit register.
- When the memory protection logic 9 detects a memory access attempt, it determines whether the attempt is to write a secure configuration register (i.e., a register which relates to permissions for the processor in secure mode). If so, it checks whether the value of the secure configuration register is the default value. If it is the default value, it allows the write; otherwise, it denies the write (e.g., by triggering a "bus fault" exception).
- If not, the memory protection logic 9 determines whether the attempt is to write a non-secure configuration register (i.e., a register which relates to permissions for the processor in non-secure mode). If so, it checks a line from the processor 7 which indicates whether the processor 7 is executing in a secure state or a non-secure state, and determines which state the processor 7 is currently in. If the processor 7 is in a secure state, the re-write controller allows the write. If the processor 7 is not in a secure state, the re-write controller checks whether the value of the non-secure configuration register is the default value. If it is the default value, it allows the write; otherwise, it denies the write (e.g., by triggering a "bus fault" exception).
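As an added illustration, not the patent's own design, the following C model captures the Figure 2 re-write controller (secure registers writable once per reset, non-secure registers freely rewritable only from secure mode), the deny-wins rule for overlapping regions, and the bootloader's duplication of settings into spare register sets; the field layout, the two-region limit, the "set bit means blocked" encoding and all addresses are assumptions.

```c
/* Software model of the one-shot memory-protection configuration registers,
 * the re-write controller described above (Figure 2) and the deny-wins rule
 * for overlapping regions. Added example, not the patent's circuitry: field
 * layout, two-region limit and "set bit == blocked" are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_REGIONS 2
#define CLEARED 0u            /* the cleared value is the most permissive value */

enum access_type { ACC_READ = 1u, ACC_WRITE = 2u, ACC_EXEC = 4u };

/* One set of configuration registers: region bounds plus a deny mask for each
 * processor mode. A set bit blocks that access type; a cleared bit allows it. */
struct region_cfg {
    uint32_t base;
    uint32_t size;
    uint32_t secure_deny;     /* secure-mode flags: writable once per reset */
    uint32_t nonsecure_deny;  /* non-secure-mode flags: secure code may rewrite */
};

struct mpl { struct region_cfg region[NUM_REGIONS]; };

/* Reset signal: every configuration register returns to the default value. */
void mpl_reset(struct mpl *m)
{
    for (int i = 0; i < NUM_REGIONS; i++)
        m->region[i] = (struct region_cfg){ CLEARED, CLEARED, CLEARED, CLEARED };
}

/* Secure configuration registers (bounds + secure-mode flags), treated as one
 * register group. The re-write controller accepts the write only while the
 * group still holds the cleared value, whatever mode the processor is in. */
bool mpl_write_secure(struct mpl *m, int idx, uint32_t base, uint32_t size,
                      uint32_t deny)
{
    struct region_cfg *r = &m->region[idx];
    if (r->base != CLEARED || r->size != CLEARED || r->secure_deny != CLEARED)
        return false;         /* written since the last reset: bus fault */
    r->base = base;
    r->size = size;
    r->secure_deny = deny;
    return true;
}

/* Non-secure configuration register: secure code may rewrite it any number of
 * times; non-secure code only while it still holds the cleared value. */
bool mpl_write_nonsecure(struct mpl *m, int idx, uint32_t deny,
                         bool processor_secure)
{
    struct region_cfg *r = &m->region[idx];
    if (!processor_secure && r->nonsecure_deny != CLEARED)
        return false;         /* non-secure code cannot relax or change it */
    r->nonsecure_deny = deny;
    return true;
}

/* Bus-level access check, applied to every master alike. Overlapping regions
 * resolve deny-wins: one matching region that blocks the access is enough. */
bool mpl_check_access(const struct mpl *m, uint32_t addr, enum access_type type,
                      bool processor_secure)
{
    for (int i = 0; i < NUM_REGIONS; i++) {
        const struct region_cfg *r = &m->region[i];
        if (r->size == 0 || addr < r->base || addr - r->base >= r->size)
            continue;         /* unconfigured set, or address outside it */
        uint32_t deny = processor_secure ? r->secure_deny : r->nonsecure_deny;
        if (deny & (uint32_t)type)
            return false;     /* blocked: would raise a bus-fault exception */
    }
    return true;
}

/* Bootloader step of Figure 3 (constructed addresses): after reset, write-protect
 * the firmware region in both modes, then duplicate the setting into the spare
 * register set so no later software can claim that set until the next reset. */
struct mpl *boot_demo(void)
{
    static struct mpl m;
    mpl_reset(&m);
    mpl_write_secure(&m, 0, 0x1000, 0x1000, ACC_WRITE);
    mpl_write_nonsecure(&m, 0, ACC_WRITE, true);
    mpl_write_secure(&m, 1, 0x1000, 0x1000, ACC_WRITE);  /* spare set, duplicated */
    mpl_write_nonsecure(&m, 1, ACC_WRITE, true);
    return &m;
}

int main(void)
{
    struct mpl *m = boot_demo();
    /* Third-party code in non-secure mode: the write is blocked, the read allowed. */
    printf("non-secure write to 0x1800: %s\n",
           mpl_check_access(m, 0x1800, ACC_WRITE, false) ? "allowed" : "denied");
    printf("non-secure read of 0x1800:  %s\n",
           mpl_check_access(m, 0x1800, ACC_READ, false) ? "allowed" : "denied");
    return 0;
}
```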
- Figure 3 illustrates the operation of the microcontroller 1 following a reset, together with some examples of how the memory protection logic 9 may respond to data access requests from software processes running from an unprotected region of memory 11, 13, firmware processes running from a protected region of memory 11, 13, and a peripheral 15.
- Following the reset, the memory-protection configuration registers 26 are cleared and the bootloader 24 is initiated at step 200 to start a boot sequence.
- The bootloader 24 is stored at a special address, which is the first address the processor 7 starts executing from after a reset. The bootloader 24 can therefore execute before any software processes or firmware processes can make data access requests.
- The bootloader 24 reads its own data, representing the desired access criteria, as well as cryptographic data directly from a soon-to-be-protected region of flash memory 13 and performs an integrity check with the cryptographic data to ensure that the microcontroller 1 has not been compromised. The bootloader 24 then issues a write request to write the access criteria in the memory-protection
- The write request is intercepted by the memory protection logic 9 and processed by the re-write controller within the memory protection logic 9.
- The re-write controller determines whether or not the requested configuration registers 26 are in their cleared state. It does this by reading the registers 26 as explained above. In other embodiments, though, the re-write controller may check one or more separate flags representing the state of the configuration registers 26 (e.g., indicating whether or not they have been written to).
- The requested configuration registers 26 are found to be in their cleared state by step 206, since the microcontroller is booting from a reset event.
- Accordingly, the bootloader 24 is allowed to proceed with writing the access criteria to the requested configuration registers at step 206.
- The access criteria define the region of memory from where the cryptographic data was retrieved and specify that the data cannot be read or written again. Read protection is particularly valuable if the cryptographic data include private-key data. The access criteria may also write-protect the region containing the bootloader itself.
- The bootloader may also define other protected regions at this stage, e.g., for protecting firmware code from being overwritten. Henceforth, protection for these memory regions is active until the next reset.
- The memory protection logic 9 will then manage (i.e. grant or deny) all memory access requests based on the access criteria.
- A third-party software process running from code stored in an unprotected region of the flash memory 13 sends a write request to write data to a protected region of the flash memory 13, followed by a read request for data from the same protected region. These requests are intercepted and processed by the memory protection logic 9.
- The memory protection logic 9 retrieves the access criteria associated with the requested region of memory from the memory-protection configuration registers. The access criterion specifies what operations (e.g. write, read, or execute) are allowed for the protected region of memory.
- Here, the access criterion specifies that the software process is not allowed to write data to the protected region of memory, but is allowed to read data from it. Accordingly, based on the access criteria, the memory protection logic 9 denies the write request at step 214 and allows the read request at step 218. This prevents inadvertent or malicious writing by the software process to protected regions of memory.
- When denying a request, the memory protection logic 9 may trigger a "bus fault" exception.
- A secure-mode firmware process running from code stored in a protected region of the flash memory 13 sends a request to write an access criterion to a memory-protection configuration register 26.
- The memory protection logic 9 intercepts the request.
- The re-write controller in the memory protection logic 9 determines that the data in the requested configuration register 26 is different from the cleared state, because the bootloader has already written to the configuration register 26 during the boot sequence following the reset. Accordingly, the memory protection logic 9 denies the write request at step 222.
- a peripheral 15 tries to read data from a protected region of the flash memory 13 via a direct memory access (DMA) request.
- This request is intercepted by the memory protection logic 9.
- the memory protection logic 9 retrieves access criteria in connection with the requested region of memory from the memory- protection configuration registers 26.
- the access criteria specify whether or not the peripheral 15 is allowed to read the data in the requested region of memory. In this example, the access criteria specify that the peripheral 15 is not allowed to read the data and as such the memory protection logic 9 denies the read request at step 234 by triggering a bus fault exception.
- a peripheral 15 sends a request to write an access criterion to a memory- protection configuration register 26.
- the memory protection logic 9 intercepts the request.
- the re-write controller determines that the data in the requested
- the memory protection logic 9 denies the write request at step 242.
- devices have been described which have a versatile memory protection mechanism that can be used for a wide variety of purposes, and which employ hardware logic to allow the devices to prepare the access permissions during a controlled boot sequence using a trusted bootloader. Malicious code will not be able to modify the boot sequence or permission scheme later on.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Mathematical Physics (AREA)
- Storage Device Security (AREA)
Abstract
A resettable microcontroller (1) comprising a processor (7), a memory (11, 13), a memory bus, and memory protection logic (9). The microcontroller (1) is arranged to clear a set of memory- protection configuration registers (26) whenever the microcontroller (1) is reset. The memory protection logic (9) is arranged to access the set of memory-protection configuration registers (26) and is configured to monitor memory access requests on the bus; detect when a memory access request attempts to access a memory address in a protectable region of the memory (11, 13); determine whether the memory access request satisfies an access criterion for the protectable region, the access criterion depending on data stored in the set of memory- protection configuration registers (26); block the memory access request when the access criterion is not satisfied; and prevent writing to any memory-protection configuration register (26) unless the memory-protection configuration register (26) is in a cleared state.
Description
Memory Protection Logic
This invention relates to controlling memory access on a microcontroller. It is known to restrict read, write or execute access to memory on a microcontroller in order to prevent unauthorised access to data or programs.
Typically, in the prior art, certain trusted code can always gain full access to restricted and unrestricted memory areas— e.g., by causing a processor on the microcontroller to enter a privileged mode and then accessing a restricted memory area.
The applicant has recognised that this presents a security risk. For example, if an attacker is able to cause the attacker's own malicious code to be executed with the same elevated security permissions, the attacker could read sensitive data, such as encryption keys, from restricted memory.
The present invention seeks to address this shortcoming.
From a first aspect, the invention provides a resettable microcontroller comprising a processor, a memory, a memory bus, and memory protection logic, wherein:
the microcontroller is arranged to clear a set of memory-protection configuration registers whenever the microcontroller is reset;
the memory protection logic is arranged to access the set of memory-protection configuration registers and is configured to:
monitor memory access requests on the bus;
detect when a memory access request attempts to access a memory address in a protectable region of the memory;
determine whether the memory access request satisfies an access criterion for the protectable region, the access criterion depending on data stored in the set of memory-protection configuration registers;
block the memory access request when the access criterion is not satisfied; and
prevent writing to any memory-protection configuration register unless the memory-protection configuration register is in a cleared state.
Thus it will be seen by those skilled in the art that, in accordance with the invention, access to a protectable region of memory can be restricted securely, by storing appropriate values in the set of memory-protection configuration registers to restrict or block access to the protectable region. This restriction cannot then be overridden, even when the processor is executing instructions in a secure or privileged mode, until the microcontroller is next reset. This versatile mechanism thus enables a programmer to be assured of enhanced security in many different situations.
For example, some embodiments enable a programmer to prevent all write access to the protectable region of memory, by installing a bootloader that— every time the microcontroller is reset— stores an access criterion in the set of memory-protection configuration registers that prevents write access to the region.
As another example, some embodiments enable a bootloader to read sensitive cryptographic data from the protectable region and use it during a boot process in order to verify the integrity of the microcontroller, and then, once the cryptographic data has been used, the bootloader can set an access criterion preventing any further read or write access to the sensitive cryptographic data until the microcontroller is next reset.
It will be appreciated that a microcontroller reset may clear the set of memory-protection configuration registers by a hardware reset mechanism (e.g., by temporarily removing power to RAM), or by writing a default value to the set of memory-protection configuration registers. Thus, only once the memory-protection configuration registers are cleared may they then be set to store access criteria for controlling access to the protectable region.
In some embodiments, the microcontroller may also prevent modification of the configuration registers by a peripheral— even a bus master— and it may prevent or limit modification by an external debugger.
The write protection for the memory-protection configuration registers may be implemented by a re-write controller within the memory protection logic. Upon a request to write to a memory-protection configuration register, the re-write controller may be arranged to determine whether the data contained within the configuration register is different from the cleared or default value. When the re-write controller determines that there is a difference, the re-write controller may be configured to block the write request. When the re-write controller determines that there isn't a difference, the re-write controller may be configured to allow the write request. Thus, the re-write controller may provide access for a bootloader to set access criteria in the set of memory-protection configuration registers, following a microcontroller reset.
The protectable region may be defined by one or more values stored in the set of memory-protection configuration registers. For example, a base address for the protectable region may be stored in one of the memory-protection configuration registers. Another memory-protection configuration register may store an end address, or a length, for the protectable region. The protectable region may be defined by a single range of memory addresses, or it may comprise a plurality of memory address ranges or blocks of memory.
Values stored in the memory-protection configuration registers may define a plurality of protectable regions in the memory, each of which may have one or more associated access criteria. Logic may be provided for resolving conflicts where regions overlap. Preferably, conflict is resolved by preventing access to a region if at least one configuration register is set to prevent such access (even if another register is set to allow access).
An access criterion may specify or determine a type of memory access request that is permitted for a protectable region. In some embodiments, it may specify that one or more of read access, write access, erase access and execute access is allowed for a protectable region (or, conversely, it may specify that such access is prohibited). In some embodiments, an access criterion may additionally or alternatively require that the processor or microcontroller be in one of a set of particular states, such as in a secure mode, or in a privileged mode, or that the access request is from an external debugger, in order to allow access to the protectable region. In some embodiments, a region may be associated with configuration registers relating to secure-mode access permissions and further configuration registers relating to non-secure-mode access permissions. An access criterion may additionally or alternatively require that the memory access request be generated by an instruction stored in one or more particular areas of memory on the microcontroller. An access criterion may additionally or alternatively require that the memory access request be generated by one of a particular set of components, such as by the processor, or by a particular peripheral (e.g. a serial interface, a digital-to-analogue converter, or a servicing unit such as an external debugger) or set of peripherals. In some embodiments, an access criterion may additionally or alternatively require that the access request has a secure or privileged status, or that it is associated with a particular process (e.g. a firmware process or a third-party software process). Preferably, for at least one of the memory-protection configuration registers, the value of the configuration register in a cleared state represents more permissive access than is represented by an alternative value, or by any other value. For example, a cleared value (e.g., a zero bit) may define unrestricted access for a particular type of memory access (such as read access when the processor is in a non-secure state), whereas an alternative value (e.g., a one bit) may represent blocked access for the particular type of memory access.
The memory protection logic may be configured to block a memory access request by triggering a bus-fault exception.
The memory protection logic is preferably arranged to detect memory access instructions regardless of their origin; i.e. from any bus master. This allows it to be used to detect direct memory access (DMA) instructions from peripherals, for example, or from an external debugger, as well as instructions from the processor.
The memory-protection configuration registers are preferably addressable by the processor, e.g. over the memory bus. They can preferably be written to and/or read from by the processor. In this way, a bootloader may set the configuration registers following a reset. Each register may occupy a contiguous region of memory, or it may be split across a plurality of locations. A register, as referred to herein, may be only a single bit long (possibly within a larger bit field), or it may comprise a plurality of bits (e.g. a 32-bit word).
The memory on the microcontroller may store one or more software components, such as a bootloader and/or a firmware module and/or a user application. The processor is preferably arranged to execute instructions from a predetermined memory address after a reset— preferably before executing any other instructions. In some embodiments, a bootloader is stored at said predetermined memory address, which may be in a protectable region of memory. The bootloader may comprise instructions for writing access criteria to one or more memory-protection configuration registers so as to prevent writing to said predetermined memory address and/or to a protectable region containing the bootloader. In this way the bootloader can be made read-only, which can enhance the security of the microcontroller. In particular, this prevents an attacker from modifying the bootloader so as to prevent it from writing the correct access criteria into the memory-protection configuration registers after the next reset.
In some embodiments, the memory protection logic may also be arranged to access a set of non-secure-mode-write-protected memory-protection configuration registers. These non-secure-mode-write-protected memory-protection configuration registers may act similarly to the other memory-protection configuration registers, in that they define and control access to one or more protectable regions of memory. However, the re-write controller is preferably configured to allow the processor to modify the non-secure-mode-write-protected memory-protection configuration registers any number of times, without having to reset the microcontroller, when the processor is in a secure mode. Preferably, when the processor is not in a secure mode, the re-write controller prevents writing to the non-secure-mode-write-protected memory-protection configuration registers, unless they are in a cleared state. As with the other memory-protection configuration registers, the memory protection logic may be configured to determine whether a memory access request satisfies an access criterion depending on data stored in the set of non-secure-mode-write-protected memory-protection configuration registers. The memory protection logic may block the memory access request when the access criterion is not satisfied. Such non-secure-mode-write-protected memory-protection configuration registers may be desirable as they can be used by software other than just the bootloader, and may be changed during normal operation of the device (so long as the processor is in a secure mode).
In one set of embodiments, non-secure-mode-write-protected memory-protection configuration registers are used to store access criteria that are enforced when the processor is in a non-secure mode but that are not enforced when the processor is in a secure mode. In some of these embodiments, the standard memory-protection configuration registers (for which re-write protection applies regardless of whether the processor is in a secure mode or a non-secure mode) are used to store access criteria that are enforced the same regardless of whether the processor is in a secure mode or a non-secure mode.
The memory (including one or more protectable regions) may comprise volatile and/or non-volatile memory, such as RAM and/or flash memory. The memory may store program code. The memory is preferably addressable by the processor over the memory bus. The memory-protection configuration registers may comprise non-volatile memory (e.g., flash), but preferably comprise volatile memory, since this may avoid a need for dedicated circuitry to clear the memory-protection configuration registers on reset.
The processor may be any suitable processor. In some embodiments it is a processor from ARM™, such as a processor from ARM™'s Cortex-M range. A secure mode, as referred to herein, may in some embodiments be a secure mode or state according to ARM™'s TrustZone™ specifications. The microcontroller may comprise one or more further processors, connected to the memory bus. The memory bus may be an address or instruction bus, or it may carry both instructions and data. The microcontroller may comprise a plurality of buses, such as a processor bus and a peripheral bus. The memory protection logic may be arranged to monitor memory access instructions on a plurality of buses. The memory protection logic preferably operates independently of the processor. It preferably comprises distinct logic gates, separate from the processor. In this way, a malicious or careless programmer cannot execute code on the processor that bypasses the memory protection logic. For the same reasons, the memory protection logic is preferably entirely hardware-based; i.e., it does not comprise a general-purpose processor for executing software instructions. A re-write controller, within the memory protection logic, is preferably also partly or entirely hardware-based— i.e. comprising logic gates distinct from those of the processor. It will be appreciated that the memory protection logic is not limited to any particular physical shape or location on the microcontroller, and may comprise any number of separate logical components.
The microcontroller is preferably an integrated device— e.g., integrated on silicon. In some embodiments, it may comprise a radio transmitter or receiver— e.g., a so-called radio-on-a-chip device. From another aspect, the invention provides an integrated radio device comprising a microcontroller as disclosed herein.
Certain preferred embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 is a schematic drawing of a microcontroller embodying the invention;
Figure 2 is a schematic drawing of operations undertaken by the re-write controller within the memory protection logic of the microcontroller; and
Figure 3 is a flow diagram illustrating a boot sequence of the microcontroller of Figure 1, together with some examples of access request processes.
Figure 1 shows an integrated-circuit microcontroller 1 or radio-on-a-chip which comprises clock logic 3, which may include a resistor-capacitor oscillator and/or may receive an input from an off-chip crystal oscillator (not shown), power management circuitry 5, a processor 7 (e.g. an ARM™ Cortex-M0), memory protection logic 9, RAM 11, a flash memory controller 20, flash memory 13, radio communication logic 17, one or more peripherals 15, and input/output circuitry 19.
These components are interconnected using suitable lines and/or buses (not shown). The microcontroller 1 may use a Harvard architecture or a von Neumann architecture. The memory protection logic 9 is arranged to intercept all memory access instructions to the RAM 11 and to the flash memory controller 20. Thus, memory access instructions from the processor 7 and peripherals 15 are all intercepted by the memory protection logic 9.
The microcontroller 1 also has a debugging interface 18 which may be used for loading data into the flash memory 13 and for debugging the processor 7. It is expected that the debugging interface 18 will be completely disabled before the microcontroller 1 is shipped to an end user. The microcontroller 1 may comprise a configurable mechanism for restricting or blocking access to the flash memory 13 and RAM 11 from the debugging interface 18.
In use, the microcontroller 1 can be connected to a number of external components such as a power supply, radio antenna, crystal oscillator, sensors, output devices, etc.
The memory protection logic 9 can be configured such that the flash memory 13 has at least one protected region of memory and at least one unprotected region of memory. The protected region(s) store firmware data and code, and a bootloader. The unprotected region(s) store third-party software. In other embodiments, third-party software may also be stored in a protected region. The memory protection logic 9 can also be configured such that the RAM 11 has at least one protected region and at least one unprotected region. Access to a given region (e.g. a protected region) of flash memory 13 or RAM 11 is controlled by the memory protection logic 9 and is only granted if the access criteria for that region are satisfied. The access criteria can define the protected region of flash 13 or RAM 11 (e.g., by a memory start address and a length value) and can specify whether system processes (e.g. firmware processes or software processes) and peripherals 15 are granted access to that memory region for each of read, write and execute operations. In some embodiments, access to an erase function may also be controlled directly by the access criteria. The debugging interface 18 can override the memory protection logic 9 when an override register is set (unless debugging has already been disabled for the microcontroller 1), but apart from this exception, the configured protection is applied to all components that access the memory bus.
The access criteria are stored in at least one memory-protection configuration register 26. The memory-protection configuration registers 26 may be part of the RAM 11 or of the flash memory 13. In this embodiment they are part of the RAM 11. This is advantageous as it ensures that the memory-protection configuration registers 26 are cleared immediately when the microcontroller 1 resets. If the memory-protection configuration registers 26 are a part of the flash memory 13, the microcontroller 1 (e.g., the flash memory controller 20) would need to be arranged to erase one or more flash memory blocks containing the memory-protection configuration registers 26 automatically when a reset 22 event occurs.
There may be a plurality of sets of memory-protection configuration registers 26, each set relating to a respective protectable region. For example, one set of memory-protection configuration registers 26 may have a start-address register and a size register for defining a protected region, a binary flag for enabling or disabling execute access to the region in a secure mode, a binary flag for enabling or disabling read access to the region in a secure mode, a binary flag for enabling or disabling write access to the region in a secure mode, a binary flag for enabling or disabling execute access to the region in a non-secure mode, a binary flag for enabling or disabling read access to the region in a non-secure mode, and a binary flag for enabling or disabling write access to the region in a non-secure mode. In one set of embodiments, there are eight such sets of memory-protection configuration registers 26. Each binary flag may be treated as a separate register, or a group of binary flags (e.g., all the secure mode flags, or all the non-secure mode flags, or all the secure and non-secure flags) may be treated together as a single register.
In some embodiments a cleared value (e.g., a "0") in a binary flag indicates that the associated access type is allowed for the respective region. Thus, writing an alternative value (e.g., a "1") to a binary flag after a reset represents a restriction of access to the region.
The memory protection logic 9 has read access to the memory-protection configuration registers 26. A re-write controller forms part of the memory protection logic 9. When the memory protection logic 9 intercepts a request to write to a memory-protection configuration register 26, the re-write controller is arranged to determine whether the configuration register 26 is in a cleared state or if it contains data different from the cleared or default value - i.e. it determines if the register 26 has been written to already since the last reset. When the re-write controller determines that there is a difference, the re-write controller is configured to block the request to modify the configuration register 26. When the re-write controller determines that there isn't a difference, the re-write controller allows the configuration register 26 to be written to. In this way, the re-write controller ensures that the memory-protection configuration register 26 may only be written to once after each reset. If the cleared values represent more permissive settings then the re-write controller prevents software from easing restrictions on memory access by reverting a register to a cleared value.
Thus, it will be appreciated that when booting the microcontroller 1 following a reset 22 event (e.g., after the device has been manually rebooted, after new batteries have been installed into the device, or when a watchdog timer triggers a reset, etc.), the memory-protection configuration registers 26 will be cleared, and bootloader software will have write access to the configuration registers 26. More generally, whenever the microcontroller 1 starts executing from address zero, the memory-protection configuration registers 26 will be reset. Normally, the bootloader will subsequently write appropriate values to the memory-protection configuration registers 26, which will have the effect of preventing any modification of those registers 26 by other software on the device. If the bootloader does not need to configure as many distinct protected memory regions as are supported by the configuration registers 26 (e.g., it only needs to define five regions, while the registers 26 can support eight regions), the bootloader preferably duplicates one or more of the region settings in the spare sets of configuration registers 26, so as to prevent their being writable by any other software until the next reset. Thus, attackers are prevented from using malicious code to modify the memory-protection configuration registers 26 to change the access criteria, and thereby gaining access to a protected region of the memory. Similarly, bugs in non-malicious code are prevented from accidentally writing to protected regions of RAM 11 or flash 13.
The bootloader itself (including its data) may be stored in a region of the flash memory 13 which the bootloader write-protects immediately after reset. This prevents any other software from accidentally or maliciously manipulating the bootloader so as to prevent it from setting the proper access criteria after each reset.
The processor 7 may have a secure mode of operation and a non-secure mode of operation. In general, the re-write controller in the memory protection logic 9 prevents re-writing to the configuration registers 26 even when the processor 7 is in a secure mode. However, in some embodiments, the re-write controller allows re-writing of particular registers (which may be binary flags) that relate to non-secure mode permissions, when the processor 7 is in a secure mode (but it always prevents rewriting of the binary flags that relate to secure mode permissions).
Figure 2 illustrates, in more detail, the various main operations of the re-write controller in the memory protection logic 9.
When the memory protection logic 9 receives a "reset" signal from the processor 7, it sets all the configuration registers to a default value— e.g., 0x0000 0000 (a 32-bit word having the value zero) for word-length registers, or to a zero bit for a single-bit register. When the memory protection logic 9 detects a memory access attempt, it determines whether the attempt is to write a secure configuration register (i.e., a register which relates to permissions for the processor in secure mode). If so, it checks whether the value of the secure configuration register is the default value. If it is the default value, it allows the write; otherwise, it denies the write (e.g., by triggering a "bus fault" exception).
If the memory access attempt is not for a secure configuration register, the memory protection logic 9 determines whether the attempt is to write a non-secure configuration register (i.e., a register which relates to permissions for the processor in non-secure mode). If so, it checks a line from the processor 7 which indicates whether the processor 7 is executing in a secure state or a non-secure state, and determines which state the processor 7 is currently in. If the processor 7 is in a secure state, the re-write controller allows the write. If the processor 7 is not in a secure state, the re-write controller checks whether the value of the non-secure configuration register is the default value. If it is the default value, it allows the write; otherwise, it denies the write (e.g., by triggering a "bus fault" exception).
Figure 3 illustrates the operation of the microcontroller 1 following a reset, together with some examples of how the memory protection logic 9 may respond to data access requests from software processes running from an unprotected region of memory 11, 13, firmware processes running from a protected region of memory 11, 13, and a peripheral 15.
When the microcontroller 1 resets, the memory-protection configuration registers 26 are cleared and the bootloader 24 is initiated at step 200 to start a boot sequence. The bootloader 24 is stored at a special address, which is the first address the processor 7 starts executing from after a reset. The bootloader 24 can therefore execute before any software processes or firmware processes can make data access requests. At step 202, the bootloader 24 reads its own data, representing the desired access criteria, as well as cryptographic data directly from a soon-to-be-protected region of flash memory 13 and performs an integrity check with the cryptographic data to ensure that the microcontroller 1 hasn't been compromised. The bootloader 24 then issues a write request to write the access criteria in the memory-protection configuration registers 26, at step 204. The write request is intercepted by the memory protection logic 9 and processed by the re-write controller within the memory protection logic 9. The re-write controller determines whether or not the requested configuration registers 26 are in their cleared state. It does this by reading the registers 26 as explained above. In other embodiments, though, the re-write controller may check one or more separate flags representing the state of the configuration registers 26 (e.g., indicating whether or not they have been written to).
In the example of Figure 3, the requested configuration registers 26 are found to be in their cleared state by step 206, since the microcontroller is booting from a reset event. Thus, the bootloader 24 is allowed to proceed with writing the access criteria to the requested configuration registers at step 206. Preferably, the access criteria define the region of memory from where the cryptographic data was retrieved and specify that the data cannot be read or written to again. Read protection is particularly valuable if the cryptographic data include private-key data. They may also write-protect the region containing the bootloader itself. The bootloader may also define other protected regions at this stage— e.g., for protecting firmware code from being overwritten. Henceforth, protection for these memory regions is active, until the next reset.
It will be appreciated that once these configuration registers 26 are written to, they will no longer be in their cleared state and as such the re-write controller of the memory protection logic 9 will thereafter not allow any further requests to write to those configuration registers 26. In this way, the data in the configuration registers 26 is protected from modifications until the next reset. Further, by using a hardware re-write controller to determine whether the configuration registers 26 are in their cleared state, all write requests from any type of process (e.g. secured or protected) or peripheral will be denied, and this mechanism cannot be bypassed by software.
Once the bootloader 24 has finished writing access criteria to the configuration registers 26, the memory protection logic 9 will manage (i.e. grant or deny) all memory access requests based on the access criteria.
At step 210, a third party software process running from code stored in an unprotected region of the flash memory 13 sends a write request to write data to a protected region of the flash memory 3, followed by a read request for data from the same protected region. These requests are intercepted and processed by the memory protection logic 9. At step 212, the memory protection logic 9 retrieves access criteria associated with the requested region of memory from the memory-protection configuration registers. The access criterion specifies what operations (e.g. write, read, or execute) are allowed for the protected region of memory. In this example, the access criterion specifies that the software process is not allowed to write data to the protected region of memory, but it is allowed to read data from the protected region. Accordingly, based on the access criteria, the memory protection logic 9 denies the write request at step 214 and allows the read request at step 218. This prevents inadvertent or malicious writing by the software process to protected regions of memory (e.g. protected memory locations allocated to firmware data and code), thereby increasing robustness and security. When denying access, the memory protection logic 9 may trigger a "bus fault" exception.
At step 220, a secure-mode firmware process running from code stored in a protected region of the flash memory 13 sends a request to write an access criterion to a memory-protection configuration register 26. The memory protection logic 9 intercepts the request. The re-write controller in the memory protection logic 9 determines that the data in the requested configuration register 26 is different from the cleared state, because the bootloader has already written to the configuration register 26 during the boot sequence following a reset. Accordingly, the memory protection logic 9 denies the write request at step 222.
At step 230, a peripheral 15 tries to read data from a protected region of the flash memory 13 via a direct memory access (DMA) request. This request is intercepted by the memory protection logic 9. At step 232, the memory protection logic 9 retrieves access criteria in connection with the requested region of memory from the memory-protection configuration registers 26. The access criteria specify whether or not the peripheral 15 is allowed to read the data in the requested region of memory. In this example, the access criteria specify that the peripheral 15 is not allowed to read the data and as such the memory protection logic 9 denies the read request at step 234 by triggering a bus fault exception.
At step 240, a peripheral 15 sends a request to write an access criterion to a memory-protection configuration register 26. The memory protection logic 9 intercepts the request. The re-write controller determines that the data in the requested configuration register 26 is different from the cleared state, because the bootloader has already written to the configuration register 26 during the boot sequence following a reset. Accordingly, the memory protection logic 9 denies the write request at step 242.
Thus, devices have been described which have a versatile memory protection mechanism that can be used for a wide variety of purposes, and which employ hardware logic to allow the devices to prepare the access permissions during a controlled boot sequence using a trusted bootloader. Malicious code will not be able to modify the boot sequence or permission scheme later on.
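An added software model of the memory protection logic walked through above (not the patent's own code or any vendor firmware): the register layout, the three requester kinds and the function names are assumptions chosen for illustration. It reproduces the two rules that the Figure 3 sequence relies on: a configuration register accepts a write only while it is in its cleared state, whoever the bus master is, and every later access is judged against the criteria that were written.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MPL_REGIONS 4            /* number of protectable regions (assumed) */
#define BIT(r) (1u << (r))

/* Kinds of bus master that appear in the Figure 3 walk-through (assumed names). */
typedef enum { REQ_NONSECURE_SW, REQ_SECURE_FW, REQ_PERIPHERAL_DMA } requester_t;
typedef enum { OP_READ, OP_WRITE } op_t;

/* Configuration registers for one protectable region. The all-zero value is
 * the cleared state that reset establishes; the field layout is an assumption. */
typedef struct {
    uint32_t start, end;   /* protected address range [start, end) */
    uint8_t  allow_read;   /* bitmask of requester_t values allowed to read */
    uint8_t  allow_write;  /* bitmask of requester_t values allowed to write */
} mpl_region_t;

typedef struct { mpl_region_t reg[MPL_REGIONS]; } mpl_t;

/* Reset: the microcontroller clears every configuration register. */
void mpl_reset(mpl_t *m) { memset(m, 0, sizeof *m); }

/* The re-write controller reads the register back to decide whether it is cleared. */
static bool region_is_cleared(const mpl_region_t *r) {
    return r->start == 0 && r->end == 0 && r->allow_read == 0 && r->allow_write == 0;
}

/* Re-write controller: a write lands only while the target register is still
 * cleared. The requester is deliberately not a parameter: secure firmware and
 * peripherals are refused exactly like non-secure software (steps 220 and 240). */
bool mpl_write_config(mpl_t *m, unsigned idx, mpl_region_t cfg) {
    if (idx >= MPL_REGIONS || !region_is_cleared(&m->reg[idx]))
        return false;                      /* write denied */
    m->reg[idx] = cfg;
    return true;
}

/* Access check on every bus transaction. Returns true to let the request
 * proceed and false where the hardware would raise a bus-fault exception.
 * An address covered by no configured region is unprotected and allowed. */
bool mpl_check_access(const mpl_t *m, requester_t who, op_t op, uint32_t addr) {
    for (unsigned i = 0; i < MPL_REGIONS; i++) {
        const mpl_region_t *r = &m->reg[i];
        if (region_is_cleared(r) || addr < r->start || addr >= r->end)
            continue;
        uint8_t mask = (op == OP_READ) ? r->allow_read : r->allow_write;
        return (mask & BIT(who)) != 0;
    }
    return true;
}
```

A region whose read and write masks are both zero models the cryptographic-data region of step 206: once the bootloader has consumed the data, nobody can read it back until the next reset.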
Claims
1. A resettable microcontroller comprising a processor, a memory, a memory bus, and memory protection logic, wherein:
the microcontroller is arranged to clear a set of memory-protection configuration registers whenever the microcontroller is reset;
the memory protection logic is arranged to access the set of memory- protection configuration registers and is configured to:
monitor memory access requests on the bus;
detect when a memory access request attempts to access a memory address in a protectable region of the memory;
determine whether the memory access request satisfies an access criterion for the protectable region, the access criterion depending on data stored in the set of memory-protection configuration registers;
block the memory access request when the access criterion is not satisfied; and
prevent writing to any memory-protection configuration register unless the memory-protection configuration register is in a cleared state.
2. A resettable microcontroller according to claim 1, wherein the memory protection logic comprises a re-write controller arranged, upon a request to write to a memory-protection configuration register, to determine whether the data contained within the memory-protection configuration register is different from the cleared value, and to block the write request when there is a difference.
3. A resettable microcontroller according to claim 2, wherein the memory protection logic is also arranged to access a set of non-secure-mode-write-protected memory-protection configuration registers, wherein the re-write controller is configured to prevent writing to the non-secure-mode-write-protected memory-protection configuration registers when the processor is not in a secure mode, unless the non-secure-mode-write-protected memory-protection configuration registers are in a cleared state.
4. A resettable microcontroller according to claim 3, wherein the microcontroller is arranged to clear the set of non-secure-mode-write-protected memory-protection configuration registers whenever the microcontroller is reset.
5. A resettable microcontroller according to any preceding claim, wherein the memory protection logic is configured to block a memory access request by triggering a bus-fault exception.
6. A resettable microcontroller according to any preceding claim, wherein the memory protection logic is arranged to detect a memory access request from any bus master.
7. A resettable microcontroller according to any preceding claim, wherein:
a predetermined address of the memory stores a bootloader that comprises instructions for writing access criteria to one or more memory-protection configuration registers; and
the processor is arranged to execute the bootloader after a reset before executing any other instructions.
8. A resettable microcontroller according to claim 7, wherein the bootloader is arranged to read cryptographic data from the protectable region and use it during a boot process in order to verify the integrity of the microcontroller, and then, once the cryptographic data has been used, to set an access criterion preventing any further read or write access to the cryptographic data until the microcontroller is next reset.
9. A resettable microcontroller according to any preceding claim, wherein the memory-protection configuration registers comprise volatile memory.
10. A resettable microcontroller according to any preceding claim, wherein the memory protection logic comprises logic gates that are separate from those of the processor.
11. A resettable microcontroller according to any preceding claim, wherein the access criterion specifies or determines a type of memory access request that is permitted for a protectable region.
12. A resettable microcontroller according to any preceding claim, wherein the access criterion requires that the processor or microcontroller be in one of a set of particular states, or that the access request be from an external debugger, in order to allow access to the protectable region.
13. A resettable microcontroller according to any preceding claim, wherein the protectable region is defined by one or more values stored in the set of memory-protection configuration registers.
14. A resettable microcontroller according to claim 13, wherein the set of memory-protection configuration registers store values defining a plurality of protectable regions in the memory, and one or more access criteria for each protectable region.
15. An integrated radio device comprising a microcontroller according to any preceding claim.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB1620684.9 | 2016-12-05 | | |
GB1620684.9A GB2557305A (en) | 2016-12-05 | 2016-12-05 | Memory protection logic |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018104711A1 true WO2018104711A1 (en) | 2018-06-14 |
Family
ID=58159856
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/GB2017/053644 WO2018104711A1 (en) | 2016-12-05 | 2017-12-04 | Memory protection logic |
Country Status (3)
Country | Link |
---|---|
GB (1) | GB2557305A (en) |
TW (1) | TW201821998A (en) |
WO (1) | WO2018104711A1 (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109739673A (en) * | 2018-12-05 | 2019-05-10 | 新华三技术有限公司合肥分公司 | A kind of register write protection method, logic device and communication equipment |
CN112567349A (en) * | 2018-06-27 | 2021-03-26 | 北欧半导体公司 | Hardware protection of files in integrated circuit devices |
GB2596103A (en) * | 2020-06-17 | 2021-12-22 | Graphcore Ltd | Dual level management |
GB2602849A (en) * | 2021-01-19 | 2022-07-20 | Cirrus Logic Int Semiconductor Ltd | Integrated circuit with asymmetric access privileges |
WO2022157467A1 (en) * | 2021-01-19 | 2022-07-28 | Cirrus Logic International Semiconductor Limited | Integrated circuit with asymmetric access privileges |
US20230055842A1 (en) * | 2021-08-17 | 2023-02-23 | Stmicroelectronics S.R.L. | Register shielding in semiconductor devices |
US11681642B2 (en) | 2020-06-17 | 2023-06-20 | Graphcore Limited | Processing device comprising control bus |
US12039090B2 (en) | 2021-01-19 | 2024-07-16 | Cirrus Logic Inc. | Integrated circuit with asymmetric access privileges |
TWI888315B (en) | 2021-01-19 | 2025-06-21 | 英商思睿邏輯國際半導體股份有限公司 | Integrated circuit with asymmetric access privileges |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI688861B (en) * | 2018-09-18 | 2020-03-21 | 新唐科技股份有限公司 | Data processing apparatus and data protection method thereof |
US11386019B1 (en) * | 2021-04-06 | 2022-07-12 | Mediatek Inc. | Data protection method and storage device |
FR3145629A1 (en) * | 2023-02-03 | 2024-08-09 | Stmicroelectronics International N.V. | Method of emulating boot programs |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030140238A1 (en) * | 2002-01-22 | 2003-07-24 | Texas Instruments Incorporated | Implementation of a secure computing environment by using a secure bootloader, shadow memory, and protected memory |
WO2004046924A1 (en) * | 2002-11-18 | 2004-06-03 | Arm Limited | Processor switching between secure and non-secure modes |
US20080263256A1 (en) * | 2007-04-20 | 2008-10-23 | Motorola, Inc. | Logic Device with Write Protected Memory Management Unit Registers |
US20140129818A1 (en) * | 2012-11-02 | 2014-05-08 | Via Technologies, Inc. | Electronic device and booting method |
US20150371046A1 (en) * | 2014-06-20 | 2015-12-24 | Microsoft Corporation | Preventing code modification after boot |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5778444A (en) * | 1996-05-06 | 1998-07-07 | Motorola, Inc. | Method and apparatus for reset-sensitive and controlled register write accesses in a data processing system with user and test modes |
EP1276033B1 (en) * | 2001-07-10 | 2012-03-14 | Trident Microsystems (Far East) Ltd. | Memory device with data protection in a processor |
GB2503470B (en) * | 2012-06-27 | 2014-08-13 | Nordic Semiconductor Asa | Memory protection |
- 2016
  - 2016-12-05 GB GB1620684.9A patent/GB2557305A/en not_active Withdrawn
- 2017
  - 2017-12-04 WO PCT/GB2017/053644 patent/WO2018104711A1/en active Application Filing
  - 2017-12-04 TW TW106142391A patent/TW201821998A/en unknown
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112567349A (en) * | 2018-06-27 | 2021-03-26 | 北欧半导体公司 | Hardware protection of files in integrated circuit devices |
CN109739673A (en) * | 2018-12-05 | 2019-05-10 | 新华三技术有限公司合肥分公司 | A kind of register write protection method, logic device and communication equipment |
CN109739673B (en) * | 2018-12-05 | 2023-05-09 | 新华三技术有限公司合肥分公司 | Register write-in protection method, logic device and communication equipment |
US11520941B2 (en) | 2020-06-17 | 2022-12-06 | Graphcore Limited | Dual level management |
WO2021254654A1 (en) * | 2020-06-17 | 2021-12-23 | Graphcore Limited | Dual level management |
GB2596103A (en) * | 2020-06-17 | 2021-12-22 | Graphcore Ltd | Dual level management |
US11681642B2 (en) | 2020-06-17 | 2023-06-20 | Graphcore Limited | Processing device comprising control bus |
GB2602849A (en) * | 2021-01-19 | 2022-07-20 | Cirrus Logic Int Semiconductor Ltd | Integrated circuit with asymmetric access privileges |
WO2022157467A1 (en) * | 2021-01-19 | 2022-07-28 | Cirrus Logic International Semiconductor Limited | Integrated circuit with asymmetric access privileges |
US11809334B2 (en) | 2021-01-19 | 2023-11-07 | Cirrus Logic Inc. | Integrated circuit with asymmetric access privileges |
US12039090B2 (en) | 2021-01-19 | 2024-07-16 | Cirrus Logic Inc. | Integrated circuit with asymmetric access privileges |
TWI865813B (en) * | 2021-01-19 | 2024-12-11 | 英商思睿邏輯國際半導體股份有限公司 | Integrated circuit with asymmetric access privileges |
TWI888315B (en) | 2021-01-19 | 2025-06-21 | 英商思睿邏輯國際半導體股份有限公司 | Integrated circuit with asymmetric access privileges |
US20230055842A1 (en) * | 2021-08-17 | 2023-02-23 | Stmicroelectronics S.R.L. | Register shielding in semiconductor devices |
US12307002B2 (en) * | 2021-08-17 | 2025-05-20 | Stmicroelectronics S.R.L. | Register shielding in semiconductor devices |
Also Published As
Publication number | Publication date |
---|---|
TW201821998A (en) | 2018-06-16 |
GB2557305A (en) | 2018-06-20 |
GB201620684D0 (en) | 2017-01-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2018104711A1 (en) | Memory protection logic | |
EP2867776B1 (en) | Memory protection | |
US10565132B2 (en) | Dynamic configuration and peripheral access in a processor | |
US7444668B2 (en) | Method and apparatus for determining access permission | |
US9389793B2 (en) | Trusted execution and access protection for embedded memory | |
US10783240B2 (en) | Secure environment in a non-secure microcontroller | |
US6976136B2 (en) | Flash memory protection scheme for secured shared BIOS implementation in personal computers with an embedded controller | |
JP2727520B2 (en) | Memory card and operating method thereof | |
US20120260082A1 (en) | System and method for processing requests to alter system security databases and firmware stores in a unified extensible firmware interface-compliant computing device | |
US20080263256A1 (en) | Logic Device with Write Protected Memory Management Unit Registers | |
US20100131729A1 (en) | Integrated circuit with improved device security | |
JP7001670B2 (en) | Context-based protection system | |
KR101426479B1 (en) | Storage information protection systems and methods | |
WO2019081057A1 (en) | Memory with rules |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17809361; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 17809361; Country of ref document: EP; Kind code of ref document: A1 |