In a multi-processor platform, such as a system-on-a-chip (SOC), multiple platform entities may access a shared hardware peripheral (e.g., a peripheral memory device). A “platform entity” may include one or more hardware blocks adapted to perform one or more functions. A platform entity may include, for example, a general purpose processor, a microcontroller, a digital signal processor (DSP), a memory controller, direct memory access (DMA) hardware, a cryptographic accelerator, a video, audio, and/or graphics processor, an Ethernet controller, or any of a number of other types of hardware blocks. A platform entity that initiates a transaction may be considered a bus master.
Managing system resources and peripheral access can be complicated, and often this management is performed by one or two privileged entities, such as a memory controller. When an entity requests access (e.g., read or write access) to a peripheral, a memory controller may allocate resources on the chip for the data transfer (e.g., a partition of on-chip random access memory (RAM)). Additionally, the memory controller may set permissions for accessing that resource.
In some cases, an entity may request access to sensitive data. For example, a cryptographic accelerator entity may request access to a secret encryption key. In such cases, it may be desired that only entities within a “trusted” domain have access to the sensitive data, where a “domain” includes a subset of the group of platform entities included within a system, which may have the same access privileges. An entity within a trusted domain may be designed to carefully control use of the sensitive data, and to prevent entities within non-trusted domains from gaining access to the data. Although the cryptographic accelerator may be within the trusted domain, the memory controller that allocated the chip resources typically falls within a non-trusted domain.
Under current system designs, the memory controller may continue to have access to the allocated chip resources during the access transaction. Because the memory controller maintains access to the chip resources, and thus access to the sensitive data, a possibility exists that the memory controller may compromise the sensitive data during the access transaction. Accordingly, a need exists to provide entity domain separation, so that entities within a non-trusted domain are excluded from accessing chip resources allocated to data transfers for entities within a trusted domain.
In addition, there are times when a system is more likely to be secure than at others. For example, during booting of a chip, the code execution environment may be very secure, because code is executed out of read-only memory (ROM). After booting, code may be executed from RAM, which is writeable and therefore more prone to being corrupted. Similarly, in a device manufacturing facility, a software image for a product can be written by provisioning software to establish hardware-specific encryption keys. After the device is sold, a device owner may be able to access the encryption keys for some use other than what was originally intended. Accordingly, an additional need exists for methods and apparatus with which data storage initially may be performed with less-restrictive permissions (e.g., in a secure environment such as a manufacturing facility), where the data later becomes accessible with more restrictive permissions (e.g., in a less secure environment outside the manufacturing facility).
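The two needs stated above, domain separation of an allocated resource and permissions that can only be tightened after a secure phase, are modelled in the following added example. It is illustrative code written for this page, not the patent's own design; the domain identifiers, the per-resource permission record and the `locked` bit are hypothetical constructs that stand in for whatever registers a real implementation would use.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bus-master domains (hypothetical): the crypto accelerator sits in the
 * trusted domain, the memory controller in the non-trusted domain. */
enum domain { DOMAIN_TRUSTED = 0, DOMAIN_NONTRUSTED = 1, DOMAIN_COUNT };
#define PERM_READ  0x1u
#define PERM_WRITE 0x2u

/* Permission record for one allocated chip resource (e.g. a RAM partition). */
struct resource_perm {
    uint8_t perm[DOMAIN_COUNT]; /* per-domain read/write bits */
    bool locked;                /* once set, permissions may only be tightened */
};

/* Allocation grants the owning domain its bits and excludes every other
 * domain, including the allocator itself when it is non-trusted. */
void resource_allocate(struct resource_perm *r, enum domain owner, uint8_t perm) {
    for (int d = 0; d < DOMAIN_COUNT; d++) r->perm[d] = 0;
    r->perm[owner] = perm;
    r->locked = false;
}
/* Check applied by the hardware to every transaction on the resource. */
bool resource_check(const struct resource_perm *r, enum domain who, uint8_t want) {
    return (r->perm[who] & want) == want;
}
/* Before the lock any change is accepted; after it, adding a bit is rejected. */
bool resource_set_perm(struct resource_perm *r, enum domain d, uint8_t perm) {
    if (r->locked && (perm & ~r->perm[d]) != 0) return false;
    r->perm[d] = perm;
    return true;
}
/* One-way lock set at the end of boot or provisioning; nothing clears it. */
void resource_lock(struct resource_perm *r) { r->locked = true; }

/* Walks both scenarios; returns 0 on success, otherwise the failing step. */
int run_scenarios(void) {
    struct resource_perm r;
    resource_allocate(&r, DOMAIN_TRUSTED, PERM_READ | PERM_WRITE);
    if (!resource_check(&r, DOMAIN_TRUSTED, PERM_READ | PERM_WRITE)) return 1;
    if (resource_check(&r, DOMAIN_NONTRUSTED, PERM_READ)) return 2; /* controller excluded */
    resource_lock(&r);                                        /* leaving the secure phase */
    if (!resource_set_perm(&r, DOMAIN_TRUSTED, PERM_READ)) return 3; /* tighten: ok */
    if (resource_set_perm(&r, DOMAIN_TRUSTED, PERM_READ | PERM_WRITE)) return 4; /* relax: no */
    if (resource_check(&r, DOMAIN_TRUSTED, PERM_WRITE)) return 5;
    return 0;
}
int main(void) {
    int rc = run_scenarios();
    printf("scenarios: %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```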