1. Field of the Invention
The present invention relates to a microcomputer having a security function, such as an IC card, and, more particularly, to a microcomputer having a test circuit for testing the security function and a test method therefor.
2. Description of the Related Art
In general, LSIs (Large Scale Integration circuits) suffer, with a certain probability, operational defects that originate in manufacturing defects, whether in the fine-geometry processing of silicon wafers or in the assembly of the LSIs into packages. After fabrication, therefore, a supply voltage and signals are applied to each completed LSI to test whether it operates as expected, and any defective LSI is removed. To improve controllability and observability, a design for testability, in which a test circuit such as a scan chain is built in beforehand, is adopted when the logic of each LSI is designed.
“Controllability” means the capability to set an arbitrary signal in the LSI to either level (“H” or “L”), and “observability” means the capability to detect the level of an arbitrary signal in the LSI. Because the levels of all internal signals cannot be brought out of the LSI and detected directly, the scan capability is structured so that the levels of internal signals appear as variations in the output patterns of specific terminals.
Increasing controllability and observability means being able to control and detect internal signals, and in an LSI used for security this amounts to lowering the security level. In other words, improved controllability and observability make it easier to read data that must not become known to an unauthorized person, such as a password or a private key.
For a microcomputer for an IC card in particular, the ISO 7816 standards define the terminal shapes and the electrical characteristics of the signals and limit the number of external connection terminals to five, namely the power supply terminals (VDD and GND), a clock terminal (CLK), a reset terminal (RST) and a serial data terminal (SIO) for half-duplex communication. Because of its security usage and the small number of terminals available for external connection, such a microcomputer is subject to various restrictions on testing.
Further, a microcomputer for advanced security, which can download an application program from outside and run it, requires an advanced security function that inhibits the execution of specific instructions in an application program and inhibits accesses, jumps and the like to specific areas, in order to protect against the downloading of an illegitimate program and the reading or writing of data such as a password or a private key.
FIG. 2 is a structural diagram showing one example of a conventional microcomputer having the aforementioned function.
This microcomputer has a CPU (Central Processing Unit) 1, ROMs (Read Only Memories: non-volatile memories) 2 and 3, a RAM (Random Access Memory) 4, a peripheral circuit 5, a bus (or bridge) 6, a security circuit 7, a test circuit 8 and a test mode detection circuit 9.
The CPU 1 executes instructions stored in memories, such as the ROMs 2 and 3, one after another. The ROM 2 is a memory in which a program such as an OS (Operating System), which determines the main operations of the microcomputer, is stored. The ROM 3 is a memory in which a program for the chip production test, a minimum library for security, subroutines for function calls and the like are stored.
The RAM 4 is a memory for storing data and temporarily storing a program, and includes a non-volatile memory which is electrically reprogrammable. The peripheral circuit 5 performs encryption and communication with an external circuit. The bus 6 connects the CPU 1 to the other circuits, such as the ROMs 2 and 3, and is a bridge circuit which makes a bus connection, such as a tristate bus or OR bus, and adjusts logic levels and timing between blocks.
The security circuit 7 monitors, one after another, the addresses or instructions read by the CPU 1. When there is an access to a program area or a data area in which executing an instruction or reading or writing data is not permitted, it sends an illegitimate access detection signal IL to the CPU 1, causing the CPU 1 to take an appropriate action.
The test circuit 8 has a plurality of test signal input terminals 8a, provided on the chip but connected to no external circuit, and a selector 8b whose switching is controlled by a test mode signal TM. At the time of a production test, the test circuit 8 gives test instructions to the CPU 1 from the test signal input terminals 8a through the probes of a testing apparatus and causes the CPU 1 to execute an arbitrary sequence of instructions, to test whether the CPU 1 can properly execute the application program and whether the peripheral circuit 5 operates properly.
The test mode detection circuit 9 detects the pattern of a specific sequence of signals given to the terminals CLK, RST and SIO and enables the test mode signal TM for the test circuit 8 to indicate that the microcomputer has been set to the test mode.
In the test performed when such a microcomputer is manufactured, the specific signal pattern for setting the test mode is given to the terminals CLK, RST and SIO. This enables the test mode signal TM output from the test mode detection circuit 9, which connects the test signal input terminals 8a of the test circuit 8 to the CPU 1. Test instructions are then given to the test signal input terminals 8a, and the CPU 1 executes an arbitrary sequence of instructions to test whether it can properly execute the application program and whether the peripheral circuit 5 operates properly.
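The test-mode entry described above, a detector that watches CLK, RST and SIO for a specific pattern, asserts TM and thereby switches the selector 8b so that the CPU is fed from the test pads 8a, can be modelled behaviourally. The following Python model is an added example and is not code from the patent or from any device it describes; the unlock pattern, the rising-edge sampling and the names TestModeDetector, select_instruction_source, sample_sequence and drive are assumptions made for illustration.

```python
"""Behavioural model of the test mode detection circuit 9 and the selector 8b.

Constructed example: the unlock pattern below is made up for illustration;
the text does not state what pattern a real device uses.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Sequence, Tuple

# Assumed unlock sequence: (RST, SIO) levels sampled on successive rising CLK
# edges. Eight steps of two bits each, so an arbitrary input matches a given
# alignment with probability 1/4**8; the pattern is a convention, not a secret
# key, and anyone who can probe the three terminals can replay it.
TEST_MODE_PATTERN: Tuple[Tuple[int, int], ...] = (
    (0, 1), (0, 0), (0, 1), (0, 1), (1, 0), (1, 1), (0, 0), (1, 1),
)


@dataclass
class TestModeDetector:
    """Compares the last len(pattern) edge samples with the pattern and latches TM."""
    pattern: Tuple[Tuple[int, int], ...] = TEST_MODE_PATTERN
    tm: int = 0                     # test mode signal TM (sticky once asserted)
    last_clk: int = 0
    history: Deque[Tuple[int, int]] = field(init=False, default_factory=deque)

    def __post_init__(self) -> None:
        # Sliding window of the most recent samples; exact match, no overlap bugs.
        self.history = deque(maxlen=len(self.pattern))

    def sample(self, clk: int, rst: int, sio: int) -> int:
        """Feed one set of terminal levels; return the current TM level."""
        rising = clk == 1 and self.last_clk == 0
        self.last_clk = clk
        if not rising or self.tm:
            return self.tm          # nothing happens between clock edges
        self.history.append((rst, sio))
        if tuple(self.history) == self.pattern:
            self.tm = 1             # latch: the chip is now in test mode
        return self.tm


def select_instruction_source(tm: int, rom_instruction: int, test_pad_instruction: int) -> int:
    """Selector 8b: the CPU sees the test pads 8a only while TM is asserted."""
    return test_pad_instruction if tm else rom_instruction


def sample_sequence(detector: TestModeDetector, samples: Sequence[Tuple[int, int, int]]) -> int:
    """Apply (CLK, RST, SIO) triples in order; return the final TM level."""
    tm = detector.tm
    for clk, rst, sio in samples:
        tm = detector.sample(clk, rst, sio)
    return tm


def drive(detector: TestModeDetector, steps: Sequence[Tuple[int, int]]) -> int:
    """Apply (RST, SIO) pairs with one full CLK low/high cycle each; return TM."""
    samples = [(clk, rst, sio) for rst, sio in steps for clk in (0, 1)]
    return sample_sequence(detector, samples)


if __name__ == "__main__":
    d = TestModeDetector()
    print("TM after unlock pattern:", drive(d, TEST_MODE_PATTERN))
    fed = select_instruction_source(d.tm, rom_instruction=0xA5, test_pad_instruction=0x5A)
    print("CPU is fed from:", "test pads 8a" if fed == 0x5A else "ROM")
```

Holding CLK at a constant level does not advance the detector, a pattern with one sample altered never asserts TM, and leading noise before the pattern is harmless because only the most recent window is compared. The model makes the security point of the section concrete: once TM is latched, every instruction the CPU executes comes from pads that are physically on the die, so the strength of the test-mode lock is whatever secrecy the pattern and the pads actually have.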
In the normal operation mode, the security circuit 7 always monitors the address ADR output from the CPU 1 and determines whether the access falls within an allowed area. If the access is directed to an allowed area, the instructions read from the memory, such as the ROM 2 or ROM 3, are executed directly by the CPU 1. If the access is directed to an unauthorized area, the security circuit 7 outputs the illegitimate access detection signal IL, and the CPU 1 performs a process such as interrupting the execution of the program or invalidating the access.
The conventional microcomputer, however, has the following problems.
(a) The test circuit 8 has the test signal input terminals 8a for receiving test instructions from an external testing apparatus. Although the test signal input terminals 8a are not connected to external input/output pins, they are formed on the chip as test pads, so there is a danger that a malicious third party commits a security violation, such as reading data through the pads or downloading an illegitimate program.
(b) In a case where the wire pattern of the illegitimate access detection signal IL is short-circuited to the power supply GND or VDD, or the transistor which outputs the illegitimate access detection signal IL from the security circuit 7 has failed, it is not possible to detect that the illegitimate access detection signal IL is no longer output properly. The reason for this shortcoming is as follows.
The CPU 1 should self-test the security function based on the test program stored in the ROM 3 and output data indicating the presence or absence of a failure from the terminals CLK, RST and SIO. To achieve this, the user application stored in, for example, the RAM 4 would have to cause an exceptional state (a state in which execution of an illegitimate instruction has been detected), and the CPU 1 would have to detect that exceptional state, and detect that it does not occur in the proper operation mode, as a change in the flow of execution of the test program or in the data read, without executing the program at the jump destination. The program at the jump destination cannot be run because the OS is stored in the ROM 2 and it is not possible to specify which instruction is stored at which address; if the program at the jump destination were run, the subsequent operation of the CPU 1 could not be specified and the flow could not return to the test program. Therefore, the microcomputer structured as in FIG. 2 cannot carry out such a process.
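The address monitoring performed by the security circuit 7 in the normal operation mode, and problem (b), an IL line shorted to GND or VDD that no self-test can observe, can be modelled together. The following Python model is an added example, not code from the patent or from any device it describes; the memory map, the rule table, the stuck-at fault injection and the names Rule, SecurityCircuit, run_trace and check_il_line are assumptions made for illustration.

```python
"""Behavioural model of the security circuit 7 (address monitor) with a
stuck-at fault injectable on the illegitimate access detection line IL.

Constructed example: the memory map and access rules are assumptions made for
illustration and are not taken from the text.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    """Inclusive address range with separate execute and data permissions."""
    lo: int
    hi: int
    exec_ok: bool
    data_ok: bool


# Assumed memory map. ROM 2 holds the OS, ROM 3 the test program and security
# library, RAM 4 the downloaded application; KEY_STORE stands for the area
# holding a password or private key that an application must never touch.
ROM2_OS   = Rule(0x0000, 0x3FFF, exec_ok=True,  data_ok=False)
ROM3_TEST = Rule(0x4000, 0x4FFF, exec_ok=True,  data_ok=True)
RAM4_APP  = Rule(0x8000, 0x8FFF, exec_ok=True,  data_ok=True)
KEY_STORE = Rule(0x9000, 0x90FF, exec_ok=False, data_ok=False)
PERIPH5   = Rule(0xA000, 0xA0FF, exec_ok=False, data_ok=True)
RULES: Tuple[Rule, ...] = (ROM2_OS, ROM3_TEST, RAM4_APP, KEY_STORE, PERIPH5)


class SecurityCircuit:
    """Drives IL = 1 for any access the rule table does not permit.

    stuck_at=None models a healthy IL wire; stuck_at=0 or 1 models the wire
    shorted to GND or VDD (or a dead output transistor) as in problem (b).
    """

    def __init__(self, rules: Sequence[Rule], stuck_at: Optional[int] = None):
        self.rules = tuple(rules)
        self.stuck_at = stuck_at

    def allowed(self, adr: int, is_fetch: bool) -> bool:
        for r in self.rules:
            if r.lo <= adr <= r.hi:
                return r.exec_ok if is_fetch else r.data_ok
        return False                    # unmapped address: never allowed

    def il(self, adr: int, is_fetch: bool) -> int:
        """Level the CPU sees on IL for this access (fault overrides logic)."""
        level = 0 if self.allowed(adr, is_fetch) else 1
        return level if self.stuck_at is None else self.stuck_at


def run_trace(circuit: SecurityCircuit, trace: Sequence[Tuple[int, bool]]) -> List[Tuple[int, int]]:
    """CPU 1 in normal mode: perform accesses until IL is asserted, then stop."""
    seen: List[Tuple[int, int]] = []
    for adr, is_fetch in trace:
        level = circuit.il(adr, is_fetch)
        seen.append((adr, level))
        if level:
            break                       # CPU 1 interrupts the program or invalidates the access
    return seen


def check_il_line(circuit: SecurityCircuit) -> dict:
    """Self-test that provokes both IL outcomes and compares them with the expected levels.

    Only a test that deliberately performs a forbidden access can tell a healthy
    line from one stuck at 0; a trace of legitimate accesses cannot.
    """
    legal = circuit.il(RAM4_APP.lo, is_fetch=True)       # expected 0
    illegal = circuit.il(KEY_STORE.lo, is_fetch=False)   # expected 1
    return {"legal": legal, "illegal": illegal, "healthy": legal == 0 and illegal == 1}


# Constructed trace of accesses an application may legitimately make.
LEGAL_TRACE = [(RAM4_APP.lo, True), (PERIPH5.lo, False), (ROM3_TEST.lo, True)]

if __name__ == "__main__":
    healthy = SecurityCircuit(RULES)
    shorted = SecurityCircuit(RULES, stuck_at=0)
    print("legal trace, healthy:      ", run_trace(healthy, LEGAL_TRACE))
    print("legal trace, IL stuck at 0:", run_trace(shorted, LEGAL_TRACE))
    print("self-test, healthy:        ", check_il_line(healthy))
    print("self-test, IL stuck at 0:  ", check_il_line(shorted))
```

The legal-only trace yields identical IL levels for the healthy circuit and for the one stuck at 0, which is the undetectable case of problem (b); a line stuck at 1 blocks the very first fetch and is therefore obvious without any test. Only check_il_line, which deliberately touches KEY_STORE, separates the first two cases, and that deliberate illegitimate access is exactly what the structure of FIG. 2 cannot perform in a controlled way, because the resulting exception would vector into the OS in ROM 2 at an address the test program cannot predict or return from.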