1. Field of the Invention
The field of the invention is data processing, or, more specifically, methods and apparatus for securing an integrated circuit.
2. Description of Related Art
The development of the EDVAC computer system of 1948 is often cited as the beginning of the computer era. Since that time, computer systems have evolved into extremely complicated devices. Today's computers are much more sophisticated than early systems such as the EDVAC. Computer systems typically include a combination of hardware and software components, application programs, operating systems, processors, buses, memory, input/output devices, and so on. As advances in semiconductor processing and computer architecture push the performance of the computer higher and higher, more sophisticated computer software has evolved to take advantage of the higher performance of the hardware, resulting in computer systems today that are much more powerful than just a few years ago.
One area of computer technology that has seen rapid advancement is the use of electronic fuses (‘efuses’) to manufacture integrated circuits that can reconfigure themselves automatically. An efuse is an element of an integrated circuit designed to undergo electromigration when exposed to a certain level of programming voltage and change the resistance of the circuit element from a low resistance to a high resistance, allowing a sensing circuit to sense the element as ‘on,’ ‘programmed,’ or ‘blown.’ During the life cycle of an integrated circuit, unblown efuses may be blown to configure and control access to scan circuitry and operational logic of an integrated circuit, for example. Efuses are used to configure integrated circuits after the silicon masking and fabrication process. Efuses may be used to configure customizable circuits or to correct silicon manufacturing defects and increase manufacturing yield.
Efuses can also be used to create test modes for an entire integrated circuit that customize the testability of an integrated circuit as it goes through the various stages of manufacturing. For some applications, such as microprocessors, it may be desirable to have various modes of operation. These modes may include various secure and non-secure states. By controlling clocks and mux selects, entire portions of an integrated circuit can be turned on and off depending on the integrated circuit's security state. After bring-up and testing is complete, secure information would only be readable during the normal operation of the integrated circuit and would be unreadable to the outside world. More importantly, the state of the outputs of a secure memory could not be scanned by an attacker or hacker who has forced the integrated circuit into test mode.
It may be possible for a hacker attempting to defeat a security mechanism implemented by the efuses to alter the operating environment in such a way that the circuitry that senses efuse values does not operate correctly. Such environmental changes will usually affect most or all of the efuses on a given integrated circuit and would cause efuses that have actually been blown to appear to be unblown. If successful, the attacker would then have the same access to the integrated circuit as if the integrated circuit had just come out of fabrication with all fuses unblown.
Because an integrated circuit is initially fabricated in a non-secure state, it is general practice to equate an efuse's unblown state with a non-secure system state. In order to prevent environmental changes that make all efuses appear unblown from unlocking a secured integrated circuit, the all-unblown condition could instead be considered an invalid state. One or more efuses that should always be blown under all circumstances can then be used to set the integrated circuit in an invalid mode and block access if sensed as unblown. The difficulty with this is that all efuses are unblown at the end of fabrication, so the integrated circuit would be locked before any fuses can be blown. One currently used way around this is through the use of a wafer-only pin (‘WOP’). During wafer testing, a WOP is accessible that can be driven high to the same logic that detects the always-blown efuse(s), causing the always-blown efuse(s) to appear to be blown. This allows access to the integrated circuit to burn the always-blown efuse(s). When the integrated circuit die is packaged, this WOP is tied low and not brought out from the die to a package pin.
There are substantial disadvantages to the use of a WOP, however. In integrated circuit design, adding any circuit element adds expense, especially a circuit element that requires a conductive pathway to a circuit pad and an outside connection. In addition, test drive patterns must be made more complex and therefore more expensive in order to drive the additional enabling signals through the WOP.
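The state decode described above can be modeled in a few lines of C. This is an added illustration, not circuitry or code from the patent; the fuse bit positions, the function names and the fault model (every efuse sensing as unblown) are assumptions made for the example. It contrasts the general-practice decode with the always-blown sentinel scheme and its WOP override.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed fuse map for illustration; the bit positions are assumptions. */
#define FUSE_SECURE   (1u << 0) /* blown to put the part in its secure state */
#define FUSE_SENTINEL (1u << 1) /* the "always blown" efuse */

typedef enum { STATE_NONSECURE, STATE_SECURE, STATE_INVALID } sec_state_t;

/* Sense model: an environmental fault makes every efuse read as unblown. */
static uint32_t sense_fuses(uint32_t blown, bool sense_fault)
{
    return sense_fault ? 0u : blown;
}

/* General practice: an unblown efuse is equated with the non-secure state. */
static sec_state_t decode_legacy(uint32_t sensed)
{
    return (sensed & FUSE_SECURE) ? STATE_SECURE : STATE_NONSECURE;
}

/* Sentinel scheme: sentinel sensed unblown means invalid and access blocked.
 * The WOP feeds the same detect logic, so driving it high at wafer test makes
 * the sentinel appear blown; in the package it is tied low (wop == false). */
static sec_state_t decode_sentinel(uint32_t sensed, bool wop)
{
    bool sentinel_seen = (sensed & FUSE_SENTINEL) != 0 || wop;
    if (!sentinel_seen)
        return STATE_INVALID;
    return (sensed & FUSE_SECURE) ? STATE_SECURE : STATE_NONSECURE;
}

int main(void)
{
    static const char *name[] = { "non-secure", "secure", "invalid" };
    uint32_t fielded = FUSE_SECURE | FUSE_SENTINEL; /* packaged, secured part */
    for (int fault = 0; fault <= 1; fault++) {
        uint32_t s = sense_fuses(fielded, fault != 0);
        printf("sense_fault=%d legacy=%s sentinel=%s\n", fault,
               name[decode_legacy(s)], name[decode_sentinel(s, false)]);
    }
    printf("fresh die: wop=1 -> %s, wop=0 -> %s\n",
           name[decode_sentinel(0u, true)], name[decode_sentinel(0u, false)]);
    return 0;
}
```

The fresh-die case with the WOP low shows the lock-out that makes the WOP necessary: with no fuse yet blown, the sentinel decode reports the invalid state.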