1. Field of the Invention
This invention relates to computer system security and, more particularly, to an apparatus and method for securing against accessing a securable slave device (or address range within the slave device) coupled to an I2C bus.
2. Description of the Related Art
Securing a computer system involves preventing unauthorized access to sensitive data and/or instructions contained within various hardware resources attributed to that system. The terms xe2x80x9cinstructionsxe2x80x9d and xe2x80x9cdataxe2x80x9d refer generically to all forms of electronic information, including data entries and files created by the instructions as well as the executable instructions themselves.
Typically a computer system will include a plurality of hardware resources, henceforth referred to as xe2x80x9cdevices.xe2x80x9d A group or set of devices may contain sensitive information and therefore must be periodically secured. Alternatively, a device may be an electromechanical mechanism, such as a latch, which prevents unauthorized access to the interior of the computer chassis. Thus, the device is interchangeably referred to as a hardware resource which either contains sensitive information or provides a gateway, or securement, to that information. One form of securement involves a technique of known as xe2x80x9cpassword matching.xe2x80x9d
Upon reset or boot-up of the computer system, a password stored within non-volatile memory will be entered into volatile memory proximate to a comparator. The previously stored password can then be compared against a user-entered password to determine if the user is allowed access. Typically, the volatile memory which receives the previously stored password, as well as a comparator locally linked to the volatile memory, are contained in what is often referred to as a xe2x80x9cblack boxxe2x80x9d. Description of a black box security device is generally set forth in U.S. Pat. No. 5,748,888 (herein incorporated by reference).
The password stored in non-volatile memory, and loaded into the black box, is derived from various non-volatile resources. For example, the password can be derived from electrically erasable ROM (EEROM) coupled to a specially designed bi-directional two wire bus, often referred to as the inter integrated circuit (or xe2x80x9cI2Cxe2x80x9d) bus. The I2C bus is generally well-known and is set forth, for example, in numerous publications to Phillips Semiconductor Corporation. General purpose circuits, such as liquid crystal display drivers, remote I/O ports, microcontrollers, RAM, and EEROM/EEPROM, can be connected to an I2C bus. The basic protocol and bus specification is described in numerous articles, some of which define electrically erasable or electrically erasable and programmable ROMs coupled to the I2C bus, and containing passwords which are maintained even though power to the computer system is terminated.
Depending on the number of passwords stored in non-volatile memory and then loaded into the black box, at least one comparison can be carried forth. In this fashion, a black box may serve to compare multiple stored passwords against multiple user-entered passwords, the result of each compare being placed on a corresponding conductor or xe2x80x9cslotxe2x80x9d as a lock or unlock signal. The intent of storing multiple passwords and comparing against those passwords is to provide a hierarchical structure of security. For example, a user may enter a password to gain access to only his or her computer, whereas a system administrator can enter a password mutual to numerous computers across, for example, a network of computers.
Storage of multiple passwords within a non-volatile media connected to an I2C bus presents numerous challenges. Firstly, an I2C bus is typically not securable and therefore can be accessed by undesired personnel. Secondly, once accessed, passwords (or any other information requiring security) that is stored in an I2C memory device can be quickly ascertained thus allowing an unwanted xe2x80x9chackerxe2x80x9d to match his or her input to that sensitive information to obviate the security and integrity of not only that computer, but many other computer networked thereto. As defined hereinbelow, the term xe2x80x9cpasswordxe2x80x9d encompass any and all types of sensitive information and extends beyond the normal definition of a password in general.
If the boot-up operation involves the Basic Input Output System (xe2x80x9cBIOSxe2x80x9d) loading stored password (or passwords) from an I2C non-volatile memory, measures must be taken to protect against improper access to that memory. In addition, if a device other than memory is coupled to the I2C bus and contains sensitive information, that device along with memory must be maintained securable. Thus, not only must memory coupled to the I2C bus be securable, but the I2C bus in general must be securable since other non-memory devices may also contain sensitive information. Still further, measures must be taken to account for multiple passwords stored in separate and distinct regions of the I2C non-volatile memory. Securing one area separate from another will ensure certain passwords will be protected separate from others, and that the potential hierarchical status of those passwords is maintained depending on a particular user seeking access. Thus, while it would be desirable to allow a system administrator access to all areas within I2C non-volatile memory, a single computer user of the system administrator network may only be granted access to only a portion (i.e., one password) of the entire non-volatile memory space. The need for securing an I2C bus, various I2C devices (including non-volatile memory), and securing select portions of an I2C non-volatile memory would prove highly desirable if passwords or other sensitive information is contained upon a specific I2C bus, within an I2C device, or within a portion of an I2C device.
The problems outlined above are in large part solved by an improved computer security system hereof. The security system encompasses at least one I2C bus and multiple I2C devices connected thereto. Securing those devices is achieved by placing security components within a southbridge of the computer system, or any device within the I2C engine. The southbridge includes a black box having multiple slot outputs, each of which may carry a lock or unlock signal depending on whether comparison of the stored password corresponds with a respective user-entered password. The lock or unlock signal can then be assigned via a slot assignment register to a particular device coupled upon the I2C bus. For example, one slot may be assigned or mapped to a particular I2C device, whereas another slot may be assigned to another I2C device. Yet further, one slot may be assigned to a particular portion of an I2C non-volatile memory device, separate from another slot assigned to an altogether different portion of the same I2C non-volatile memory device.
In addition to the black box and the slot assignment register, the southbridge may also include an I2C controller. The controller contains at least one security mapping register. That register includes fields which have been programmed with I2C slave addresses that are securable, and are also programmed with a word address range that is securable within each of the securable slave addresses. As such, an address of an I2C transaction issued from a processor will be compared against the secured slave addresses and secured word addresses stored within the security mapping registers. Comparison is carried forth in logic, interchangeably referred to as security control logic. If the incoming address matches the protected slave or word address and a corresponding unlock is issued from the slot assignment register, then access is granted to that protected device, or word address range within that device.
The keyboard includes any device into which a user can enter data. Also, the password could simply be implemented as a hash, absent a black box, wherein the hash can be used to decrypt an entered password and compare the decrypted results with the previously stored data.
According to one embodiment, the I2C controller further includes an I2C control unit which responds to a transaction valid signal issued from the security control logic. The transaction valid signal allows passage of the I2C transaction address to the corresponding device. The transaction valid signal will be issued during various circumstances. For example, transaction valid signal will be issued if access is attempted to an unprotected target. This ensues if the I2C transaction address is to a target (or slave) address of an unprotected I2C device. The transaction valid signal will also be issued if access is attempted to a protected slave (protected I2C device); however, access is attempted to a word address outside the protected range of that slave. The transaction valid signal will also be issued if, as stated above, access is attempted to a protected target within a protected word address range; however, the corresponding slot of that target device yields an unlock signal.
According to another embodiment, a computer system is provided incorporating a plurality of securable devices coupled to a two-wire bidirectional bus. The computer system includes a keyboard and a storage unit operably coupled to the keyboard. The storage unit is adapted to produce an unlock signal upon an output conductor (or xe2x80x9cslotxe2x80x9d) of the storage unit if a stored password within the storage unit favorably compares with a password entered upon the keyboard. A controller is operably coupled to the storage unit for allowing access to an address of the securable device upon receiving the unlock signal. According to one embodiment, the controller is an I2C controller, and the securable device is a device coupled to an I2C bus. Thus, the two-wire bidirectional bus is an I2C bus, according to a preferred embodiment. The storage unit may issue several dissimilar unlock signals upon separate and distinct conductors or slots. For example, another unlock signal can be produced to unlock an address range associated with the securable device. In this instance, the securable device is non-volatile memory having a plurality of securable address ranges, each of which can be unlocked separate from the other.
According to yet another embodiment, a bus interface unit is provided. The bus interface unit is coupled to an I2C bus upon which a plurality of I2C devices are connected. The bus interface unit includes a storage unit configured to retain a stored password. A security mapping register is also provided an includes a field of bits which identify a password secured device among the plurality of I2C devices. A comparator is coupled to the storage unit for comparing a user entered password against the stored password and to present an unlock signal from the comparator if the user entered password favorably compares with the stored password. Security control logic is operably coupled between the comparator and the security mapping register for allowing access to the password secured device upon receipt of the unlock signal. The security mapping register may include another field of bits which identify a second password secured device among a plurality of I2C devices connected to a second I2C bus. The security control logic is configured to allow access to a password secured device upon the second I2C bus during receipt of a corresponding unlock signal. The password secured device may comprise, for example, a device bay controller or a non-volatile memory.
According to yet another embodiment, a method is presented for unlocking a plurality of password securable devices. The method includes comparing a user-entered password against a stored password. A target address issued to an I2C device is compared against a field code within a security mapping register to determine if the target address is a password secured address. An unlock signal can then be presented to the I2C device to de-assert lock if the user entered password is the same as the stored password. The user-entered password can be either entered locally or distally from a computer containing the I2C device. Bits within the field code can be fixed to identify the I2C device as a non-volatile memory. Bits can also be programmed within the field code to identify the I2C devices coupled to one of possibly two I2C buses. Yet further, bits within the field code can be programmed to indicate a password secured address range of a password secured I2C device. Separate field codes can be dedicated to separate password secured address ranges. This provides flexibility at which various passwords can be protected depending on the status of a user seeking to gain access. The capability of unlocking one portion or all portions of a secured word address within an I2C non-volatile memory allows the stored password to be updated only by select individuals.