Field of the Invention
The present invention generally relates to semiconductors and, more specifically, to secure provisioning of semiconductor chips in untrusted manufacturing factories.
Description of the Related Art
A typical computer system includes a central processing unit (CPU) and one or more parallel processing units (PPUs), such as graphics processing units (GPUs). The CPU usually executes the overall structure of a software application and then configures the PPUs to implement tasks that are amenable to parallel processing. As part of executing the software application, the CPU and the PPUs access memory units included in the computer system. Often, one or more of the processing units, memory units, and connection circuitry are integrated to form a single subsystem that is then implemented in a semiconductor chip as a system on chip (SoC).
Increasingly, SoCs are configured to implement security measures intended to enable consumers to execute original equipment manufacturer (OEM) software applications on the processing unit in the SoC without jeopardizing either the consumer or the OEM. In particular, such “secure provisioning” is designed to both thwart unauthorized execution of the software application and protect the assets of the OEM. For example, successful secure provisioning protects the consumer against fraudulent software applications that implement malicious algorithms. In addition, secure provisioning usually protects the OEM assets from attempts at reverse engineering the software application.
In one approach to secure provisioning, a chip provider provides the OEM with production chips, and the OEM generates one or more security keys (also known as authentication keys). These security keys are intended to enable storage and retrieval of encrypted data on non-volatile memory included in the production chip. Notably, this non-volatile memory is not directly accessible by the consumer. The OEM then encrypts an OEM-developed software application (e.g., an operating system) and any additional OEM-specific chip configuration data via the security keys, generating a provisioning image. Subsequently, the OEM transfers the production chips, the security keys, and the provisioning image to a manufacturing factory. The manufacturing factory applies the provisioning image to the production chips. Among other things, the provisioning image configures the non-volatile memory in each production chip to gate execution of the software application based on authentication of the security keys. Finally, the manufacturing factory delivers the configured production chips to the consumer as secure consumer chips.
While such a security approach facilitates the protection of the software application at some stages in the secure provisioning process, the security of the provisioning image may be breached at the manufacturing factory. For example, a malicious employee at the manufacturing factory may acquire the security keys, thereby rendering the security efforts ineffective and jeopardizing both the consumer and the OEM. This gap in the security flow may be reduced by vetting the manufacturing factories and then limiting the number of manufacturing factories permitted to generate consumer chips to selected “trusted” manufacturing factories. However, such an approach only reduces the security risk and does not eliminate the exposure at the manufacturing factory. Further, restricting production to trusted manufacturing factories may unacceptably constrain the generation of secure consumer chips. For example, the set of trusted manufacturing factories may not include enough cost-effective manufacturing factories to enable high-volume production of competitively priced secure consumer chips.
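The related-art flow described above (OEM generates the security key, encrypts the provisioning image, and hands both to the factory, which burns them into non-volatile memory that gates execution) and the insider exposure it creates can be modelled end to end. The following Python is an added illustration written for this page, not code from the patent or from any chip provider. It uses only the standard library; the cipher (a SHA-256 counter-mode keystream with an HMAC tag) and all names such as ProductionChip, oem_prepare, factory_provision and insider_attack are assumptions made for the example, and the OEM software and malware payloads are constructed sample bytes.

```python
"""Toy model of the related-art provisioning flow: OEM -> factory -> consumer chip.

Stdlib only. The cipher is a SHA-256 counter-mode keystream plus an HMAC tag,
chosen so the example runs anywhere; a production design would use AES-GCM or
similar. All names here are invented for this illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as SHA-256(key || nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_image(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a provisioning image under the OEM security key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_image(key: bytes, image: bytes) -> bytes:
    """Verify the tag, then decrypt; raise ValueError if authentication fails."""
    if len(image) < NONCE_LEN + TAG_LEN:
        raise ValueError("image too short")
    nonce, ct, tag = image[:NONCE_LEN], image[NONCE_LEN:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("image authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class ProductionChip:
    """Chip with non-volatile memory that the consumer cannot read directly."""
    nvm_key: Optional[bytes] = None
    nvm_image: Optional[bytes] = None

    def provision(self, key: bytes, image: bytes) -> None:
        """Step performed at the manufacturing factory: burn key and image."""
        self.nvm_key = key
        self.nvm_image = image

    def boot(self) -> Optional[bytes]:
        """Gate execution on authentication of the image under the stored key.

        Returns the decrypted software on success, None if the gate rejects it.
        """
        if self.nvm_key is None or self.nvm_image is None:
            return None
        try:
            return decrypt_image(self.nvm_key, self.nvm_image)
        except ValueError:
            return None


def oem_prepare(oem_software: bytes):
    """OEM side: generate the security key and the encrypted provisioning image."""
    key = secrets.token_bytes(32)
    return key, encrypt_image(key, oem_software)


def factory_provision(chip: ProductionChip, key: bytes, image: bytes) -> ProductionChip:
    """Honest factory: applies the key and image exactly as received from the OEM."""
    chip.provision(key, image)
    return chip


def insider_attack(key: bytes, image: bytes, malware: bytes):
    """Malicious factory employee who holds the key: the gap the text describes.

    With the raw key the insider can (a) decrypt the OEM image, defeating the
    reverse-engineering protection, and (b) produce a fraudulent image that the
    chip's gate accepts, defeating the unauthorized-execution protection.
    """
    recovered_software = decrypt_image(key, image)
    forged_image = encrypt_image(key, malware)
    return recovered_software, forged_image


if __name__ == "__main__":
    sw = b"OEM operating system v1"  # constructed sample payload
    key, image = oem_prepare(sw)
    chip = factory_provision(ProductionChip(), key, image)
    assert chip.boot() == sw  # honest path: gate accepts the OEM image
    stolen, forged = insider_attack(key, image, b"malicious firmware")
    rogue = factory_provision(ProductionChip(), key, forged)
    print("insider recovered:", stolen, "| rogue chip boots:", rogue.boot())
```

The gate itself is sound: an image tampered with in transit, or applied with the wrong key, fails authentication and the chip refuses to run it. The weakness is purely one of key custody. Because the factory receives the same key that the chip's gate checks against, any party at the factory holding that key can both read the OEM software and mint images the gate will accept, which is exactly why vetting factories reduces but cannot eliminate the exposure.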
As the foregoing illustrates, what is needed in the art is a more effective approach to secure provisioning of semiconductor chips.