1. Field
The present invention relates generally to controlling system capabilities and, more specifically, to using a "write once" method for securely and irrevocably changing selected capabilities of a device.
2. Description
Manufacturers of some electronic equipment, such as integrated circuits, microprocessors, network adapters, and computer systems, for example, often produce products with varying levels of capabilities or functions. Such disparate product versions may be produced as a result of marketing or legal concerns. For example, U.S. export law prohibits the exportation of certain technology that surpasses a defined level of processing performance or cryptographic security. In order to further the manufacturer's goals or to comply with the law, manufacturers use various techniques to enable certain capabilities for some versions of a product, but disable certain capabilities for other versions of the product. When the product may be manipulated or operated by software, the manufacturer may in some cases be able to enable or disable product capabilities via software controls or software configuration version updates. However, when the product by its nature may be manipulated only by hardware controls, version control becomes more complicated and difficult to manage.
In the example of cryptographic features of computer hardware devices, one requirement for developing exportable and non-exportable products that contain cryptographic capabilities is that the exportable product must not have certain capabilities that the non-exportable product does. For example, non-exportable products may implement Data Encryption Standard (DES) encryption using key lengths of 40, 56, 112, or 168 bits. However, exportable products may only implement key lengths of 40 bits for encryption. Given this restriction, a manufacturer might want to produce a product that can be configured to operate in either an exportable or a non-exportable mode. Furthermore, once the product is exported, it should not be possible to enable the non-exportable capabilities of the exported product. In this example, the product once exported should not be able to be configured to use key lengths of 56, 112, or 168 bits.
In many instances, to control the cost of design and manufacturing efforts for such products, the manufacturer should be able to delay configuration of the product to exportable mode or other reduced capability until the very latest stages of the manufacturing process. Therefore, it should be possible to change the product to an exportable mode or other reduced capability at minimum cost as late as possible, but while still making it extremely difficult or impossible for another party to enable the disabled capabilities at a later point in time.
Presently, several methods are used to handle this configuration problem. A basic approach is to provide two separate designs of the product, one for export or reduced capability, and one for domestic use or full capability. However, this means that an a priori knowledge of product demand for each design is required in order to control the product inventory by the manufacturer. Also, if the product fits into a larger system, original equipment manufacturers (OEMs) that use the product must also know the demand for their systems in the U.S. and abroad. Additionally, the manufacturer has the overhead and configuration management issues of supporting two different versions of the product. Clearly, this approach has disadvantages. In addition, due to the global manufacturing process, often the non-exportable products are exported, and then brought back into the country of origin. In this case, managing multiple inventories across countries becomes even more complicated.
In another approach, the manufacturer can delay the decision on configuring the product by incorporating an electronic fuse in the product. An electronic fuse may be, for example, a wire in the product that can be broken by applying a high voltage or high current. Internally, the product may check the status of current flow through the wire to determine the valid operational capabilities of the product. Thus, with the use of specialized tools, the electronic fuse may be blown to create an exportable product. However, this approach still presents problems for an OEM who wants to include the product in a system design and still delay the decision on whether to export the system or sell the system domestically. With the increasing globalization of system manufacturing sites, this approach in many cases is unacceptable. Additionally, the electronic fuses are fairly expensive to implement in silicon.
In yet another approach, one or more pins of the hardware product may be selectively bonded such that when the pin is bonded, a logic value (e.g., a 0 or a 1) can be applied to enable the product to be used in a full capability mode. However, if the pin is not bonded, the predetermined value cannot be applied to it, and therefore, it can be operated in exportable or reduced capability mode only. Again, this approach requires action on the part of the manufacturer fairly early in the manufacturing process to ensure correct bonding attributes.
Therefore, there is a need for a configuration technique to overcome these and other disadvantages of the prior art.