The present invention relates to a memory protection function (or data protection function) in a data transfer control apparatus, such as a DMAC (Direct Memory Access Controller), and, more specifically, to technology which is effective for application, for example, to a microcomputer (processor or microprocessor) and a data processing system having a memory management unit.
The load on a microcomputer, processor or CPU (Central Processing Unit) for effecting data transfer can be eased by use of a DMAC. In data transfer using a DMAC, a processor or CPU initially sets the transfer destination address or transfer source address into a transfer destination address register and transfer source address register in the DMAC, and the DMAC, having completed initial setting thereof, upon receiving the data transfer request, executes a data transfer by acquiring the bus right from the processor or CPU. As is obvious from this explanation, when a DMAC is provided, one access route is provided for the memory and register.
Nowadays, many computer systems support a virtual memory and provide substantial memory protection by means of a memory management unit (MMU). Therefore, when the processor and CPU make access to a register and memory, memory protection by the memory management unit can be realized. However, when the computer system includes a DMAC, since the CPU and processor set the data transfer destination address and transfer source address by direct memory access to the register in the DMAC as data, the memory protection is not effectuated in the course of an address conversion by the memory management unit. In other words, when a DMAC is provided between the MMU and an external input/output circuit, the transfer destination and transfer source address set in the DMAC are used directly as a physical address without passing through the MMU, and thereby the protection function performed by the MMU cannot be realized. Thereby, when the access route is provided by the DMAC, there is a fear that data or a program may be corrupted unexpectedly by an erroneous access to an access prohibited region or that security cannot be maintained because the OS (Operating System) and system data can be read freely.
The Japanese Patent Application Laid-open No. SHO 62-191950 describes a technique for memory protection which involves comparing an output address of the DMAC with a protection address, and the Japanese Patent Application Laid-open No. HEI 1-250162 describes a control system for write protection of a memory which involves comparing an output address of a DMAC with a write protect address. Moreover, the Japanese Patent Application Laid-open No. HEI 6-266648 describes a technique for intercepting an access to the main memory by a direct memory access control mechanism when the address output from the direct memory access control mechanism exceeds a data transfer allowable range on the main memory.
In addition, the Japanese Patent Application Laid-open No. HEI 2-297235 describes a technique involving a memory data protection circuit having region information indicating whether a relevant address region is a program region or a data region corresponding to an address of the main memory, making it possible to identify an irregular event when the region information corresponding to the program fetch address of the main memory indicates a data region or to control a write request when the region information corresponding to the write address to the main memory indicates a program region.
Finally, Japanese Patent Application Laid-open No. HEI 6-119250 describes a technique for memory protection which involves forcibly setting a part of the output address signal of the device for DMA transfer control to a constant value.
However, the techniques mentioned above are intended to realize memory protection from outside of the device after the device, such as a DMAC, has started data transfer to output an address signal. That is, even if an access violates the memory protection, the device itself, such as a DMAC, first starts the data transfer operation. Since it is impossible in this case to control an operation of the DMAC itself which violates the memory protection, this operation of the circuit, such as a DMAC, is to a certain degree useless.
Moreover, since memory protection is executed to a particularly set address range, like a protection address or write protect address, if the protection address, etc. is undesirably updated because the setting is done erroneously for the protection addresses and the CPU operates under an uncontrollable condition, memory protection cannot be realized and the reliability of the memory protection becomes rather low. As described in the Japanese Patent Application Laid-open No. HEI 6-119250, even when a part of the output address signal of the device for DMA transfer control is updated to a constant value, the situation is the same, if an error exists in the setting of the constant value information.
It is therefore a first object of the present invention to provide a data transfer controller which can control a data transfer operation by itself when a violation of memory protection occurs.
It is a second object of the present invention to provide a data transfer controller which can improve the reliability of memory protection.
It is a third object of the present invention to provide a microcomputer, microprocessor and moreover a data processing system, which can reduce the possibility of useless data transfer as much as possible by a data transfer controller even if a data transfer request which violates memory protection is issued, thereby to contribute to improvement of the data processing efficiency.
It is a fourth object of the present invention to provide a microcomputer, microprocessor and moreover a data processing system, which can improve safe system operation as it relates to memory protection by a data transfer controller.
The aforementioned and other objects and novel characteristics of the present invention will become more apparent from the following description and the accompanying drawings.
Typical features of the present invention disclosed in this application will be explained briefly.
That is, the data transfer control circuit (8) has a storing region, in a control register (CHCRn), for resource select information (RS0 to RS3) to designate with a plurality of bits a mode of operation involving a combination of the data transfer source area and data transfer destination. This data transfer control circuit (8) refers to the transfer source address, transfer destination address and resource select information initially set to the address register (SARn, DARn) and detects, with an address error detector (96), an address error indicating that at least one of the transfer source address and data transfer destination address is deviated from the mode operation for the combination of the data transfer source area and data transfer destination designated by the resource select information in order to determine permission/prohibition of the data transfer. When data transfer is to be permitted, the data transfer controller asserts a signal, such as a bus right request signal (BREQ) to obtain the bus right from the other bus master, such as the CPU, and thereafter starts the data transfer operation. When data transfer is to be prohibited, the data transfer controller does not assert the bus right request signal, but asserts, for example, an address error interruption signal, in place of such bus right request signal, and transfers the process for dealing with such address error, for example, to the central processing unit (3).
The feature explained above detects a memory protection violation specified by the data transfer controller as an address error. The application for data transfer (combination of the data transfer source area and transfer destination) of only one data transfer channel formed by the address register and control register is determined by the resource select information. With reference to the application for data transfer, when at least one of the transfer destination address and transfer source address is corrupted, the start of the data transfer operation is prohibited. Therefore, when the transfer destination and transfer source addresses to be set to the address register are corrupted for the combination of the transfer origination circuit and transfer destination circuit assigned to only one data transfer channel due to the setting error, noise or uncontrolled running of the system, the data transfer operation is prohibited. Moreover, if a setting error or unwanted update of the resource select information occurs, the data transfer operation is also prohibited even when the transfer origination and transfer destination addresses to be set to the address register are normal.
As explained above, a mode of operation involving a combination between the transfer source area and the transfer destination assuring data transfer is predetermined depending on a value of the resource select information, and the address error detector has address error determining logic conforming to the defined content and detects, on the basis of such logical structure, an address error which disables data transfer control by the data transfer controller depending on the resource select information of the control register and transfer source address and transfer destination address of the address register. Since the data transfer is started only when the resource select information is matched with the setting information of the address register, a higher reliability of memory protection can be assured for the data transfer operation by the data transfer controller. Moreover, the data transfer controller itself can control the data transfer operation for avoiding a memory protection violation by the data transfer controller, and thereby can avoid a useless data transfer operation.
According to a further detail of the feature explained above, the data transfer controller (8) comprises a plurality of data transfer channels having address registers (SARn, DARn) and control registers (CHCRn), an internal bus (80) connected to address registers and control registers included in a plurality of data transfer channels, a bus interface circuit (81) for interfacing the internal bus with an external circuit, and control circuits (82 to 85) for executing transfer control via the bus interface circuit by utilizing one data transfer channel in a plurality of data transfer channels depending on the data transfer request. To an address register, the data transfer source address and data transfer destination address are set.
The control register has a storing region for storing resource select information (RS0 to RS3) for designating, by a plurality of bits, a mode of operation involving a combination of a data transfer request source area assigned to the data transfer channel, including the relevant control register, a data transfer source area responding to the data transfer request from the requesting section and a data transfer destination. The control register also comprises an address error detector (96) for detecting an address error indicating that at least one of the data transfer source area address and data transfer destination address set to the address register is inconsistent with the mode of operation involving the combination of the data transfer source area designated by the resource select information included in the control register and the data transfer destination.
The control circuit determines the data transfer channel for responding to the request source area when a data transfer request is issued from the resource select information set to the control register. The control circuit further executes the data transfer operation using the data transfer channel responding to the data transfer request under the condition that an address error is not detected. The information identifying the transfer request source area included in the resource select information is similar to the information designating the kind of transfer request. In such a mode, the resource select information also designates the data transfer request issuing area or the kind of data transfer request assigned to the relevant data transfer channel. That is, the data transfer channel to be used for the data transfer request is determined by referring to the resource select information. The data transfer request is equivalent, for example, to a data transfer request from a particular peripheral circuit or a starting request (setting of the transfer enable bit (DE) of the control register) by the CPU. For example, the data transfer requesting area is indicated by the data transfer request signal individualized for each kind of requesting area or additional information indicating the requesting area. When the setting of the transfer enable bit is designated as a transfer request, the transfer requesting area is the CPU, and a value for equalizing the setting of the transfer enable bit to the starting request or starting request area is set in the resource select information.
In the event of exclusively operating a plurality of data transfer channels, priority may be changed by further providing an operation register (MDAOR) which is connected to the internal bus for common use for a plurality of data transfer channels and assigning, to this operation register, a storing region for storing the priority information (PR0, PR1) to determine the priority of the data transfer channels to execute a data transfer request when a plurality of data transfer requests are competing. In this case, the control circuit gives priority to the data transfer request for the data transfer channel having the higher priority depending on the priority information when the data transfer requests are competing for a plurality of data transfer channels at the time of determining a data transfer channel.
The microcomputer (1) which includes the data transfer controller comprises a central processing unit CPU (3), memory management units (40, 41, 42) for converting the logical addresses output from the CPU into physical addresses, a data transfer controller (8), a bus state controller (51) for controlling the bus access cycle depending on the physical address output from the memory management unit or the physical address output from the data transfer controller, built-in peripheral circuits (70 to 74) connected to the bus state controller via the peripheral buses (56, 57) and an external bus interface circuit (6) coupled with the bus state controller. In this case, the CPU executes the setting for each register of the data transfer controller via the memory management unit, and the data transfer controller allows, at the time of executing a data transfer in response to a data transfer request, the bus state controller to assert the bus right request signal (BREQ) and starts the data transfer after the responding bus right acknowledgment signal (BACK) is asserted by the bus state controller.
The microcomputer can be constituted by integration on a single semiconductor substrate.
The data processing system comprises a microcomputer, external buses (60, 61) coupled with the external bus interface circuit and external peripheral circuits (62 to 65) coupled with the external buses.
At the time of address conversion by the memory management unit, the microcomputer carries out memory protection for the address space administered by the CPU to prohibit access, for example, to the system space in the user mode. The memory protection by the memory management unit is effective for the access address In this case, the transfer controller (8) prohibits the start of data transfer for the transfer destination address and transfer source address, as explained above, when the CPU (3) designates a setting when the transfer mode of the resource select information is in conflict with the transfer destination address and/or transfer source address being set as data in the address registers. Therefore, the data protection for the access prohibiting area can also be realized for a data transfer operation by the data transfer controller to which the memory protection of the memory management unit is not directly available, and thereby safe operation of the data processing system can be enhanced. Moreover, the data transfer controller itself can prohibit a data transfer operation which is likely to produce a memory protection violation by the data transfer controller, thereby avoiding a useless data transfer operation, while contributing to the improvement of the data processing efficiency by the data processing system and the microcomputer.
A mode for detecting an address error by the address error detector in the data transfer controller comprising a microcomputer incorporated in the data processing system can be defined as (1) a condition where the transfer source address preset to the address register, when the data transfer source area responding to the data transfer request is a built-in peripheral circuit, indicates an external peripheral circuit, (2) a condition where the transfer source address preset in the address register indicates a built-in peripheral circuit when the data transfer source area responding to the data transfer request is an external peripheral circuit, (3) a condition where the transfer destination address preset in the address register indicates an external peripheral circuit when the data transfer destination responding to the data transfer request is a built-in peripheral circuit, and (4) a condition where the transfer destination address preset in the address register indicates an internal peripheral circuit when the data transfer destination responding to the data transfer request is an external peripheral circuit. This address error mode can prevent erroneous operation caused by a serious memory protection violation resulting from a mistake concerning the internal space and the external space of the microcomputer.
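The pre-transfer check described above, with the four address error conditions just listed, can be modelled in C as follows; this is an added example, not code from the patent. The address map, the RS0 to RS3 encoding table and the treatment of unlisted RS values as errors are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed address map (assumption): addresses at or above BUILTIN_BASE
 * decode to built-in peripheral circuits, everything below to external space. */
#define BUILTIN_BASE 0xFF000000u

typedef enum { AREA_EXTERNAL, AREA_BUILTIN } area_t;
typedef enum { DMA_ASSERT_BREQ, DMA_ADDRESS_ERROR_IRQ } dma_decision_t;

/* One data transfer channel: SARn, DARn and the RS0-RS3 field of CHCRn. */
typedef struct { uint32_t sar, dar; uint8_t rs; } dma_channel_t;

/* Hypothetical RS0-RS3 encoding: the source/destination areas each mode allows.
 * Unlisted values are treated as reserved (assumption). */
typedef struct { bool defined; area_t src, dst; } rs_mode_t;
static const rs_mode_t rs_modes[16] = {
    [0x0] = { true, AREA_EXTERNAL, AREA_EXTERNAL },
    [0x1] = { true, AREA_EXTERNAL, AREA_BUILTIN  },
    [0x2] = { true, AREA_BUILTIN,  AREA_EXTERNAL },
};

#define ERR_COND(n)     (1u << ((n) - 1))  /* conditions (1)..(4) from the text */
#define ERR_RS_RESERVED (1u << 4)

static area_t area_of(uint32_t addr)
{
    return addr >= BUILTIN_BASE ? AREA_BUILTIN : AREA_EXTERNAL;
}

/* Returns a bitmask of the address error conditions that hold; 0 means none. */
unsigned address_error_check(const dma_channel_t *ch)
{
    const rs_mode_t *m = &rs_modes[ch->rs & 0xF];
    unsigned err = 0;

    if (!m->defined)
        return ERR_RS_RESERVED;
    area_t src = area_of(ch->sar), dst = area_of(ch->dar);
    if (m->src == AREA_BUILTIN  && src == AREA_EXTERNAL) err |= ERR_COND(1);
    if (m->src == AREA_EXTERNAL && src == AREA_BUILTIN)  err |= ERR_COND(2);
    if (m->dst == AREA_BUILTIN  && dst == AREA_EXTERNAL) err |= ERR_COND(3);
    if (m->dst == AREA_EXTERNAL && dst == AREA_BUILTIN)  err |= ERR_COND(4);
    return err;
}

/* The check runs before any bus request: BREQ is asserted only for a clean
 * channel, otherwise the address error interrupt is raised instead. */
dma_decision_t dma_on_transfer_request(const dma_channel_t *ch)
{
    return address_error_check(ch) ? DMA_ADDRESS_ERROR_IRQ : DMA_ASSERT_BREQ;
}
```

Because the decision depends on RS and both addresses agreeing, a channel whose SAR and DAR are valid for mode 0x1 is still refused if its RS field is altered to 0x2: conditions (1) and (4) both fire and no bus request is made.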