This invention relates to computer microprocessors, and more specifically to microprocessors that feature internal one-time programmable (OTP) memory.
Background: Permanent Operating Code in Computers and Microcontrollers
A computer or microcontroller typically has a significant portion of its operating code stored in non-volatile memory (e.g., ROM, EPROM, flash memory) so that the code is retained even when the power is off. Often, some or all of this code will be stored in memory residing on the same chip as the central processing unit (CPU) itself (internal memory), thus allowing the CPU and its basic operating code to be packaged as a single unit. This integration of functions within a single chip serves to simplify the design of assemblies using the processor. This integration also serves to reduce part count and improve reliability.
Background: Permanent Operating Code stored in OTP Memory
Many microprocessors, particularly the class of microprocessors known as microcontrollers, store their internal operating code in some form of electrically-programmable read-only memory (EPROM) such as UV-erasable EPROM, EEPROM, one-time programmable (OTP) memory, or flash memory. This design allows the operating code to be programmed after the ICs are manufactured, affording a much higher degree of flexibility than ROM-based designs. With this architecture, a manufacturer can revise and improve the operating code after manufacture or custom tailor the operating code to meet the particular needs of multiple customers. Alternatively, he can leave the EPROM banks empty or partially programmed so that the customer can install his own code. This design allows for the manufacture of a higher volume of chips with each setup, reduces the need for specialized inventory on-hand, and facilitates rapid prototyping.
Background: Security of On-chip Software
In many cases, a chip programmer (either the manufacturer or another party) will program a chip with software code he would prefer to keep secret. In such a case, the earlier programmer will wish to constrain subsequent programmers and users of the chip from reading and copying the memory banks of the chip, while still allowing access for execution of the code stored therein. A manufacturer may wish to program one portion of the chip's internal memory while leaving the rest of the internal memory open for a customer to program. In such a case, one or both of the programmers may wish to protect the code from the other programmers and from third parties.
Background: Secure Memory
Protection of memory against unauthorized copying is a complex and difficult task. The protected memory will generally contain code and code-related data that must be readable by the processor in order to be of any use. More problematic, control of the CPU must be ceded to later programmers and users, many of whom will have interests hostile to those of the earlier programmers. Any protection scheme must anticipate possible avenues of circumvention ahead of time so as to close those avenues off in the design.
Current memory security schemes lock the internal memory banks as a unit. Where an initial programmer wished to program one portion of the memory while leaving the remainder for a customer, the read-protect had to be left disabled, leaving the first programmer's software unprotected. For those familiar with the device, there were generally one or more means of circumventing the security protection, making such security effective primarily against casual users.
At present there is no software security scheme allowing for protection of only one programmer-definable section of the array while allowing for programming of the remainder of the array.
Block-Segmented Secure Memory
This application describes a scheme to allow a device to be programmed by two or more parties with full security protection for each party's code. This invention allows a manufacturer to program basic routines into the device and a developer to further program the device for a particular application, with full security protection for each programmer's code. In an alternate embodiment, an end user or other subsequent programmer could add protected code specific to a particular installation. The security circuit and control disclosed in this application provide each programmer with strong protection against piracy by any third party as well as any of the other programmers.
In the preferred embodiment, security protection is accomplished by segmenting a non-volatile memory array into two or more sections, definable by the first programmer. Once one section is programmed and locked, no programmer or user has read or write access to any protected section, nor can established section boundaries be modified. A read instruction will only be executed by the CPU if it references a memory address in the same memory section as the instruction's address. An instruction to the CPU to read an address in a different section is simply ignored.
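The same-section read rule described above can be modelled in software as follows. This is an added example, not code or circuitry from the patent. The struct, the function names, the 64-byte array, the two-section layout and the choice to enforce the rule only once the target section is locked are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MEM_SIZE 64u  /* constructed array size, not from the patent text */
/* Simplified software model; every name here is an illustrative assumption. */
typedef struct {
    uint8_t  mem[MEM_SIZE];
    uint16_t boundary;    /* section 0 = [0, boundary), section 1 = the rest */
    bool     locked[2];   /* per-section lock; any lock freezes the boundary */
} otp_model;

static int section_of(const otp_model *m, uint16_t a) { return a < m->boundary ? 0 : 1; }

/* The first programmer defines the boundary; refused once any section is locked. */
bool set_boundary(otp_model *m, uint16_t b) {
    if (m->locked[0] || m->locked[1] || b == 0 || b >= MEM_SIZE) return false;
    m->boundary = b;
    return true;
}

/* Programming is refused inside a locked section (OTP bit behaviour not modelled). */
bool program_byte(otp_model *m, uint16_t addr, uint8_t v) {
    if (addr >= MEM_SIZE || m->locked[section_of(m, addr)]) return false;
    m->mem[addr] = v;
    return true;
}

/* Read issued by the instruction at pc; a cross-section read of a locked
   section is ignored: returns false and leaves *out untouched. */
bool cpu_read(const otp_model *m, uint16_t pc, uint16_t addr, uint8_t *out) {
    if (pc >= MEM_SIZE || addr >= MEM_SIZE) return false;
    int target = section_of(m, addr);
    if (m->locked[target] && section_of(m, pc) != target) return false;
    *out = m->mem[addr];
    return true;
}

int main(void) {
    otp_model m = {0};
    uint8_t v = 0;
    set_boundary(&m, 32);                  /* first programmer takes [0, 32) */
    program_byte(&m, 4, 0xA5);             /* constructed protected byte */
    m.locked[0] = true;                    /* lock section 0 */
    bool cross = cpu_read(&m, 40, 4, &v);  /* instruction in section 1: ignored */
    bool own   = cpu_read(&m, 8, 4, &v);   /* instruction in section 0: executed */
    bool moved = set_boundary(&m, 2);      /* boundary is frozen after the lock */
    printf("cross=%d own=%d moved=%d v=0x%02X\n", cross, own, moved, v);
    return 0;
}
```

The second programmer can still program and read section 1 after section 0 is locked, which is the property the prior whole-array lock could not provide.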
This application discloses a number of other features designed to prevent circumvention of the primary security scheme. The processor employs a mechanism to protect the values of the code section boundaries themselves and various novel schemes are employed to protect the secured code while the CPU is in one of its built-in test modes. Through these mechanisms, a developer can install his code on this CPU with a high degree of confidence that it is secure from piracy by his competitors and customers.
An advantage of the disclosed methods and structures is that they allow for programming and reading of one section of memory while completely protecting a secure section from read or program operations