In the field of this invention, it is known for signal processing devices, such as microcontrollers, to be operably coupled to memory elements, and for such memory elements to have stored therein instructions to be executed by the signal processing devices. The memory elements also contain stored data to be used during the execution of those instructions. For some applications, the data stored within the memory elements may be in need of protection from being illegitimately read or modified. For example, modern vehicles may comprise many microcontrollers, for example forming part of electronic control units (ECUs), arranged to manage various vehicle subsystems. Typically, the largest of these microcontrollers is in the engine control unit, which is operably coupled to a non-volatile memory element comprising engine mapping data and the like. Vehicle manufacturers spend a lot of time and effort calibrating and tuning the engines, the resulting calibration data being stored within these memory elements, for example in a form of multi-dimensional tables. During runtime, the engine control unit uses these tables to look up engine calibration data to determine the desired engine behaviour for a given state of the engine, for example spark timing, fuel injection timing, etc. As will be appreciated, if this engine calibration data were altered, the engine could be re-tuned. Such re-tuning could not only affect the performance of the engine, but also have significant safety and warranty implications. Thus, it is important that protection is provided to such data stored in memory, in order to protect the data from illegitimate access and manipulation.
FIG. 1 illustrates an example of a microcontroller system 100 as is known in the art, for example such as might be used to implement an engine control unit within a vehicle. The microcontroller system 100 comprises signal processing logic in a form of a microcontroller 110. The microcontroller 110 is operably coupled to a non-volatile memory element 120 comprising instructions to be executed by the microcontroller 110, along with data used during the execution of those instructions, such as engine mapping data in the case of an engine control unit. For the illustrated example, the microcontroller 110 is operably coupled to an access port 130, for example a test access port such as a JTAG (Joint Test Action Group) serial port used during testing and for diagnosis purposes etc. Access to the memory element 120 may be made available to external devices via the access port 130 and the microcontroller 110.
As previously mentioned, for applications such as an engine control unit, it is important that protection is provided to data stored in the memory element 120 in order to protect the data from illegitimate access, such as access from an external device via the access port 130. Accordingly, for the illustrated example, the microcontroller 110 comprises censorship logic, which for the illustrated example forms a part of a Boot Assist Module (BAM) 140. The Boot Assist Module 140 typically comprises a hard coded piece of software that is resident within the microcontroller 110, and which is executed upon exiting a reset, and which provides some initial configuration to the microcontroller 110. In particular, the Boot Assist Module 140 provides a mechanism whereby an external device, for example a diagnostic tool, is able to input a password, or security key, via the access port 130. Upon receipt of such a password, the Boot Assist Module 140 is able to compare the received password with a password stored in memory 150. If the passwords match, the censorship logic of the Boot Assist Module 140 permits access to the memory and/or debug resources of the microcontroller system 100. In particular for the illustrated example, a censorship control word 160 is used to define the censorship scheme, and thus the access permitted. Subsequent access to the memory element 120 is implemented through access control logic 170, which receives an indication 145 from the Boot Assist Module as to whether or not access is permitted. When access is to be permitted, the access control logic 170 reads the censorship control word 160 and enables or restricts access to the memory element 120 accordingly. Notably, access to the memory and/or debug resources of the device is only temporarily permitted by a matching password, and following a subsequent reset of the microcontroller system 100 is again locked (or at least restricted).
Conversely, if no password is received, or an incorrect password is received, the censorship logic of the Boot Assist Module 140 locks, or otherwise restricts, access to the memory element 120 via the access port 130. In this manner, access to the memory element 120, and thereby access to the sensitive data contained within the memory element 120, may be prevented via the access port 130 unless a valid password is input.
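The censorship flow described in the two preceding paragraphs, modelled as an added example that is not part of the patent text and not any vendor's Boot Assist Module implementation. The 8-byte password length, the bit layout of the censorship control word (read, write and debug permission bits), the 16-byte calibration array standing in for memory element 120, and all function and type names are constructed for this illustration; the patent does not specify them. The model shows the three properties the text describes: everything is locked out of reset, a matching password makes access control logic honour the control word, and a reset re-locks the device.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Censorship control word bit layout: constructed for this example,
 * the page does not give the real layout of control word 160. */
#define CENSOR_READ_ALLOWED   0x1u
#define CENSOR_WRITE_ALLOWED  0x2u
#define CENSOR_DEBUG_ALLOWED  0x4u

#define PASSWORD_LEN 8   /* assumed length */

typedef struct {
    uint8_t  stored_password[PASSWORD_LEN]; /* copy held in memory 150 */
    uint32_t censorship_control_word;       /* control word 160 */
    bool     access_granted;                /* indication 145 to access control logic 170 */
    uint8_t  calibration[16];               /* stands in for memory element 120 */
} mcu_t;

/* Constant-time comparison: the result must not depend on how many
 * leading bytes matched, so an early-exit memcmp is avoided. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Boot Assist Module behaviour on exiting reset: access is revoked. */
void bam_reset(mcu_t *m) {
    m->access_granted = false;
}

/* BAM password check on a candidate received via the access port 130. */
bool bam_submit_password(mcu_t *m, const uint8_t *candidate, size_t len) {
    if (len != PASSWORD_LEN) { m->access_granted = false; return false; }
    m->access_granted = ct_equal(candidate, m->stored_password, PASSWORD_LEN);
    return m->access_granted;
}

/* Access control logic 170: first the BAM indication, then the control word. */
bool acl_read(const mcu_t *m, size_t offset, uint8_t *out) {
    if (!m->access_granted) return false;
    if (!(m->censorship_control_word & CENSOR_READ_ALLOWED)) return false;
    if (offset >= sizeof m->calibration) return false;
    *out = m->calibration[offset];
    return true;
}

bool acl_write(mcu_t *m, size_t offset, uint8_t value) {
    if (!m->access_granted) return false;
    if (!(m->censorship_control_word & CENSOR_WRITE_ALLOWED)) return false;
    if (offset >= sizeof m->calibration) return false;
    m->calibration[offset] = value;
    return true;
}

/* Builds a device with constructed sample values: read-only control word,
 * calibration byte i holding 3*i. */
mcu_t make_demo_mcu(void) {
    mcu_t m;
    memset(&m, 0, sizeof m);
    const uint8_t pw[PASSWORD_LEN] = {0xFE, 0xED, 0xFA, 0xCE, 0xCA, 0xFE, 0xBE, 0xEF}; /* constructed */
    memcpy(m.stored_password, pw, PASSWORD_LEN);
    m.censorship_control_word = CENSOR_READ_ALLOWED; /* reads only, even when unlocked */
    for (size_t i = 0; i < sizeof m.calibration; i++) m.calibration[i] = (uint8_t)(i * 3);
    bam_reset(&m);
    return m;
}

/* Walks the full sequence: locked out of reset, wrong key keeps it locked,
 * right key unlocks reads, control word still denies writes, reset re-locks.
 * Returns how many of the five checks behaved as expected (5 when all do). */
int demo_sequence(void) {
    mcu_t m = make_demo_mcu();
    uint8_t v = 0;
    int ok = 0;
    const uint8_t good[PASSWORD_LEN] = {0xFE, 0xED, 0xFA, 0xCE, 0xCA, 0xFE, 0xBE, 0xEF};
    const uint8_t bad[PASSWORD_LEN]  = {0};

    if (!acl_read(&m, 0, &v)) ok++;                                                      /* 1: locked after reset */
    if (!bam_submit_password(&m, bad, PASSWORD_LEN) && !acl_read(&m, 0, &v)) ok++;      /* 2: wrong key, still locked */
    if (bam_submit_password(&m, good, PASSWORD_LEN) && acl_read(&m, 1, &v) && v == 3) ok++; /* 3: unlocked read */
    if (!acl_write(&m, 1, 0xAA)) ok++;                                                   /* 4: control word denies write */
    bam_reset(&m);
    if (!acl_read(&m, 1, &v)) ok++;                                                      /* 5: re-locked by reset */
    return ok;
}
```

The split between `bam_submit_password` and the `acl_*` functions mirrors the text's separation of the Boot Assist Module (which decides whether access is permitted at all) from the access control logic (which decides what kind of access the control word allows). Because `access_granted` lives only in volatile state cleared by `bam_reset`, a grant cannot survive a reset, which is the temporary-unlock property the text relies on.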
Manufacturers often do not want to have to maintain databases that contain large numbers of passwords for accessing the memory elements of large numbers of microcontroller systems. It is therefore known to use a common password or security key to control access to a large number of microcontroller systems. In this manner, it is not necessary to keep track of a large number of individual passwords. However, a problem with this approach is that, if a ‘hacker’ manages to obtain the password, and in particular if the hacker manages to ‘open’ the microcontroller system 100 and gain access to the copy of the password 150 stored in memory, that hacker is then able to use that password to access, via their access ports, the memory elements of all other microcontroller systems that use the same password. Clearly this is an unacceptable security risk.