The present invention relates to the field of data processing and in particular to the processing of sensitive data and code.
Many data processing systems and architectures provide ways of isolating and protecting sensitive data and sections of code from access by unauthorised persons or processes. Although it is important to be able to provide security, there is an overhead in performance and circuit area associated with this protection.
In small systems such as microcontrollers, it is very important that these overheads are kept low, and thus some compromise between level of security and performance may need to be made.
One way of keeping data and code secure is provided by ARM® of Cambridge UK, with their TrustZone architecture, where there are secure and non-secure states (also referred to as secure and non-secure domains), and an exception instruction is used to transition between the states, the exception handler protecting the security of the secure side. Although this approach provides a high degree of security, considerable software intervention in the form of the software exception handler is required to change security states, which both reduces the performance of the system and increases the effort required to develop an external application program interface (API) for the secure software, as all calls must be proxied through the exception handler. Similarly, exceptions that occur whilst in the secure domain but require handling in the non-secure domain also need to be proxied through a secure exception handler, allowing the secure state to be protected before control passes to the non-secure exception handler.
U.S. Pat. No. 7,966,466 and US 2008/0250216 disclose an alternative secure system where a data store has a secure side and a non-secure side, and the location within this data store of the code currently being executed determines the domain the processor is operating in, and thus the data that it is allowed to access.
Many system architectures that contain a secure state only allow one mechanism for transitioning between states (typically by use of exceptions), since this simplifies the task of protecting the security of the data and program code in the secure state. However, with the aim of improving speed and efficiency, it is also possible to provide multiple mechanisms for transitioning between the secure and less secure states. For example, the CodeGuard system developed by Microchip Technology Inc. allows both exceptions and direct function calling as mechanisms for transitioning between security states. However, the use of multiple mechanisms for transitioning between states increases the vulnerability to malicious attack, for example allowing software in the less secure state to seek to return to the secure state via a return mechanism that is of a different type to the original mechanism used to transition from the secure state into the less secure state (e.g. by using a function call return to return from an exception, or an exception return to return from a function call).
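The mismatched-return risk described above can be illustrated with a small model of the check a secure state monitor would need to enforce. This is an added example, not code from the patent or from any of the architectures it names: the monitor_t structure, the function names and the two-mechanism enumeration are assumptions made for the illustration. The monitor records which mechanism was used to leave the secure state and rejects any return that arrives by the other mechanism.

```c
#include <stdbool.h>
#include <stdio.h>

/* Mechanism used to cross between the secure and less secure states. */
typedef enum { XFER_FUNCTION_CALL, XFER_EXCEPTION } xfer_kind_t;

/* Hypothetical monitor state (an assumption, not the patent's design):
 * remembers how the secure state was last left so the return can be checked. */
typedef struct {
    bool secure;          /* true while executing in the secure state */
    bool outstanding;     /* a secure -> less secure transition is pending */
    xfer_kind_t pending;  /* mechanism recorded at that transition */
    unsigned faults;      /* rejected returns, each of which would raise a fault */
} monitor_t;

void monitor_init(monitor_t *m) { m->secure = true; m->outstanding = false; m->faults = 0; }

/* Secure -> less secure: record the mechanism used for the transition. */
bool leave_secure(monitor_t *m, xfer_kind_t kind) {
    if (!m->secure) return false;        /* not currently in the secure state */
    m->pending = kind;
    m->outstanding = true;
    m->secure = false;
    return true;
}

/* Less secure -> secure: accept the return only if it uses the same
 * mechanism that was used to leave; otherwise count a fault and stay put. */
bool return_to_secure(monitor_t *m, xfer_kind_t kind) {
    if (m->secure || !m->outstanding || m->pending != kind) {
        m->faults++;
        return false;
    }
    m->outstanding = false;
    m->secure = true;
    return true;
}

/* Scenario from the text: the secure state is left via an exception, a
 * function-call return is attempted (rejected), then the matching exception
 * return succeeds. Returns the number of faults the monitor raised. */
unsigned mismatched_return_faults(void) {
    monitor_t m;
    monitor_init(&m);
    leave_secure(&m, XFER_EXCEPTION);
    return_to_secure(&m, XFER_FUNCTION_CALL);  /* wrong mechanism: faulted */
    return_to_secure(&m, XFER_EXCEPTION);      /* matching mechanism: accepted */
    return m.faults;
}
```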