1. Field of the Invention
The present invention relates generally to the security of an electronic apparatus.
2. Description of the Related Art
It finds applications, in particular, in an electronic apparatus having an architecture with several symmetric processors and a shared memory, external to the processors, with the processors and the memory linked together by at least one communication bus. Such an architecture is known by the term SMP architecture (standing for “Symmetric Multi-Processor”).
Security here designates the countering of the hacking of an apparatus, for example by introducing a hack circuit into the apparatus or by running hack code (a program) in it.
The electronic apparatus aimed at here is a unitary hard-wired apparatus, that is to say one formed of an assembly of elements or components (microprocessors, peripheral controllers, network cards, memories, etc.) having a certain physical and functional unity, for example a general purpose computer, a decoder box or “Set-Top Box”, a personal digital assistant or PDA, a portable telephone, or other portable wireless products, etc. In distributed systems, such as complex computing systems comprising several machines (computers, servers, routers, etc.) networked together or linked via the Internet, specific security techniques may be implemented. Likewise, in systems integrated entirely onto silicon, or SoC systems (standing for “System-on-Chip”), security is generally ensured mechanically by sealing (or encapsulation) in a plastic or ceramic package.
It is known that the security of an electronic apparatus may be managed, in the first place, during the booting of the apparatus. One then speaks of secure booting of the apparatus.
According to a first technique, the so-called incremental secure boot technique, the integrity of each hardware element and of each software element is checked before booting thereof, that is to say, respectively, before enabling it or executing it. Stated otherwise, the activation of each element of the apparatus is preceded by a procedure of validation of integrity and/or of authentication of the said element. The element can then be used with confidence by the other elements, that is to say as an element regarded as reliable from a security point of view (“trustworthy”). The operation of each element thus relies on elements regarded as reliable, which form a secure domain inside the apparatus. If the integrity of an element is not validated or if authentication thereof fails, this element is not booted. As a result, a service or a function of the apparatus may not be assured. U.S. Pat. No. 6,263,431 illustrates this technique.
A second technique, the so-called secure boot tracking technique, is distinguished from the previous one in that it does not intervene in the bootstrap process. Instead, it makes provision to monitor and to keep an audit trail of every software element that has been booted in the apparatus. One can subsequently determine whether such an element has been booted securely by consulting the bootup log which has been recorded. Thus, the applications executing in the apparatus can detect whether the elements have been booted securely and, consequently, whether they can share sensitive data with them in complete security. US Patent Application 2003/0074548 may be cited by way of prior art illustrating this technique.
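To make the difference between the two techniques concrete, the following added example (not code from the patent or from the cited prior art) simulates both on a constructed set of boot elements. The element names, the byte strings standing in for their code images and the SHA-256 manifest are all assumptions made for the illustration: the incremental technique refuses to boot the first element whose measurement does not match and never reaches the elements after it, whereas the tracking technique boots everything and leaves a hash-chained log that applications consult afterwards.

```python
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 measurement of an element's code image."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the apparatus' elements, listed in boot order.
GENUINE_IMAGES = [
    ("firmware", b"firmware v1"),
    ("bootloader", b"bootloader v1"),
    ("kernel", b"kernel v1"),
    ("network_driver", b"netdrv v1"),
]

# Constructed trusted manifest: the reference measurement of each element.
MANIFEST = {name: digest(img) for name, img in GENUINE_IMAGES}


def incremental_secure_boot(images, manifest):
    """Technique 1: validate each element before it is enabled or executed.

    Returns (list of elements booted, name of the element that failed
    validation, or None when every element booted).
    """
    booted = []
    for name, img in images:
        if manifest.get(name) != digest(img):
            # Not booted; the elements after it are never reached, so the
            # services they provide are not assured.
            return booted, name
        booted.append(name)
    return booted, None


def secure_boot_tracking(images):
    """Technique 2: boot every element but keep an audit trail.

    Each log entry carries the element's measurement and a running hash
    chaining all previous entries, so that an edited or truncated log is
    inconsistent with itself.
    """
    log, chain = [], ""
    for name, img in images:
        measurement = digest(img)
        chain = digest((chain + measurement).encode())
        log.append({"element": name, "measurement": measurement, "chain": chain})
    return log


def log_is_consistent(log):
    """Recompute the running hash and compare it with what the log claims."""
    chain = ""
    for entry in log:
        chain = digest((chain + entry["measurement"]).encode())
        if entry["chain"] != chain:
            return False
    return True


def booted_securely(log, manifest, name):
    """Application-side check: consult the log before sharing sensitive data."""
    if not log_is_consistent(log):
        return False
    for entry in log:
        if entry["element"] == name:
            return manifest.get(name) == entry["measurement"]
    return False  # never booted, or missing from the log


if __name__ == "__main__":
    tampered = [(n, b"kernel v1-modified" if n == "kernel" else img)
                for n, img in GENUINE_IMAGES]
    print("incremental:", incremental_secure_boot(tampered, MANIFEST))
    log = secure_boot_tracking(tampered)
    print("tracking, kernel trusted:", booted_securely(log, MANIFEST, "kernel"))
```

The running hash only detects a log that is internally inconsistent; an attacker who can rewrite every entry can recompute it, which is why real measured-boot logs are anchored in a register that software cannot reset (the hardware root of trust is not modelled here).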
In an SMP architecture apparatus, a plurality of processors are connected to a shared memory via a communication bus or any similar interconnection device (“crossbar” or the like). As far as booting is concerned, the fundamental difference from a single-processor apparatus is that the code of the OS executing in each processor has, at a certain level, to synchronize its boot procedure with that of the other processors.
With the Pentium® and Itanium® processors from Intel Corporation, all the processors of the apparatus are powered up at the same time when the apparatus is powered up. After carrying out an automatic power-up test or POST (“Power-on Self Test”) and the booting of certain internal hardware elements, the processors synchronize themselves by using the memory bus, so that a specified processor, called the bootstrap processor or BSP, continues the booting of its OS while the other processors, called application processors or APs, stand by awaiting the receipt of a boot signal or handshake signal in order to continue their boot procedure. This boot signal is typically triggered by the OS boot code (or “OS startup code”) of the BSP after the initialization of the processor tables required by the OS (e.g., the interrupt tables and the page tables for enabling virtual memory). With this boot signal, a memory address is sent, which indicates a page of the shared memory from which the APs are to resume their boot procedure.
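The BSP/AP synchronization described above, as an added illustration that is not code from the patent or from the Intel documentation it summarizes: each processor is a thread, the shared memory is a list guarded by a single lock standing in for the memory bus, and the addresses used for the election flag, the boot signal, the resume address and the table marker are constructed for the example. All processors power up together, the first to win an atomic test-and-set over the bus becomes the BSP, and the APs poll the bus until the BSP has built its tables and published the page from which they resume.

```python
import threading
import time


class SharedMemory:
    """Memory external to the processors, reached over a single bus (a lock)."""

    def __init__(self, size=32):
        self.cells = [0] * size
        self.bus = threading.Lock()

    def read(self, addr):
        with self.bus:
            return self.cells[addr]

    def write(self, addr, value):
        with self.bus:
            self.cells[addr] = value

    def test_and_set(self, addr):
        """Atomic read-then-set on the bus; returns the previous value."""
        with self.bus:
            old = self.cells[addr]
            self.cells[addr] = 1
            return old


# Constructed layout of the shared memory words used for synchronization.
BSP_ELECTED = 0      # 1 once some processor has claimed the BSP role
BOOT_SIGNAL = 1      # 1 once the BSP's OS startup code has set up its tables
RESUME_ADDR = 2      # page address from which the APs resume their boot
TABLES_READY = 3     # stands in for the interrupt and page tables built by the BSP
AP_RESUME_PAGE = 16  # constructed page holding the APs' continuation code
TABLES_MARKER = 0xC0DE


def run_processor(cpu_id, mem, results):
    """One processor's boot sequence, from power-up to OS startup."""
    post_ok = True  # the POST is not modelled; assumed to pass
    # Every processor races for the BSP role; exactly one wins the test-and-set.
    if mem.test_and_set(BSP_ELECTED) == 0:
        mem.write(TABLES_READY, TABLES_MARKER)  # initialise the processor tables
        mem.write(RESUME_ADDR, AP_RESUME_PAGE)  # address sent with the boot signal
        mem.write(BOOT_SIGNAL, 1)               # handshake: APs may continue
        results[cpu_id] = {"role": "BSP", "resume": None, "tables_seen": post_ok}
    else:
        while mem.read(BOOT_SIGNAL) == 0:       # stand by, polling over the bus
            time.sleep(0.0005)
        resume = mem.read(RESUME_ADDR)
        tables_seen = mem.read(TABLES_READY) == TABLES_MARKER
        results[cpu_id] = {"role": "AP", "resume": resume, "tables_seen": tables_seen}


def boot_smp(n_cpus=4):
    """Power up n_cpus processors at once and return what each one did."""
    mem = SharedMemory()
    results = {}
    threads = [threading.Thread(target=run_processor, args=(i, mem, results))
               for i in range(n_cpus)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    for cpu, outcome in sorted(boot_smp().items()):
        print(cpu, outcome)
```

The APs take the page address published with the boot signal on trust; in the simulation nothing checks what is at that page before they "resume" from it, which is precisely the step a secure boot scheme for an SMP apparatus has to cover, since the BSP's verified domain otherwise stops at the BSP.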
A similar protocol is disclosed in U.S. Pat. No. 6,012,142, which provides furthermore for a signal to be sent from processor to processor to signal to them that it is their turn to boot.
Other approaches have been proposed in U.S. Pat. Nos. 6,400,717 and 6,347,372, which both provide for the addition to the system of a dedicated circuit that supplies the boot signal to the processors individually, one at a time. In addition, the above-cited U.S. Pat. No. 6,347,372 reserves the memory bus for the processor that is currently booting, so as to speed up the boot procedure.