In an increasingly security-conscious world, protecting access to information and/or to systems from unwanted discovery and/or corruption is a major issue for both consumers and businesses.
The growth of system connectivity has been one of the major developments in recent years. Fewer and fewer systems are operating as stand-alone boxes, and most of today's systems are increasingly becoming elements of complex networks. This growth in networking allows improved performance and increased flexibility. However, with this growth in system distribution, system security, and protection against unwanted access and/or corruption, has become a major concern for systems owners and/or operators. Many consumers and systems owners and/or operators may be vulnerable to unwanted access when the level of security provided within the system is insufficient for providing the appropriate protection. In that regard, many deployed systems, may incorporate the use of architectures that enable and improve security management in order to provide the necessary protection from unwanted access.
Many systems have dedicated security sub-systems, which in addition to monitoring the system security throughout its operations, may also function to ensure that the systems are initially loaded securely. These systems may also comprise processing units, which may be required to perform general processing functions including, but not limited to, loading code and/or data, performing code validation, executing code instructions, and performing memory manipulations. If the system is to be loaded securely, such processing unit need to be assured that it is executing clean code. Therefore, such processing unit may not be running during initial boot stages, and consequently, some of the functionality provided by the processing unit, including, but not limited to, memory operations, may not be available during early boot stages.
Secure system boot would require loading boot code sets that may be stored in memory. Some memory devices, including for example NAND flash memory devices, may utilize block structure, wherein internal space within these devices may be segmented into block causing data stored in these memory devices that may exceed block size to be stored in different blocks. Also, with such memory devices, some of these blocks may be unusable causing data stored in these devices to span non-contiguous blocks at times. Typically such situations are remedied using specific software operations that mask the internal storing details of these memory devices.
For example, a NAND flash memory, which may utilize internal block structure, may be arranged in block sizes from 8 k to 128 k (currently), and only the first block is guaranteed to be useable. When data is stored in NAND flash memory, and the size of data exceeds available space in a single block, the data may be stored in multiple blocks that may not necessarily be contiguous. A MIPS-based system incorporating a NAND flash memory for example may use specific software management scheme to manage such NAND flash memory limitations. One such software management scheme is Bad Block Management (BBM) wherein a mapping of different block locations associated with some data is maintained by a software application allowing the system to load the data as a whole regardless of the detail of the storage within the NAND flash memory (which blocks are actually used to store the different parts). Therefore, an application such as BBM would mask the fragmented details of storage within a memory device such as a NAND flash memory allowing the system to operate as if the data was being loaded as a whole.
Such approach, while practical in most situations, poses a problem during secure system boots. As stated above, during early phases of secure system boots it may be necessary to prevent and/or limit the processing unit operation while the integrity and security of the system is assured. It may be possible the boot code set necessary to allow the system to boot up and perform security operations during early phases of secure system boot may exceed the available area in such the guaranteed block in the NAND flash memory, and some of this boot code set may be stored in other, non-contiguous, blocks. Without the processing unit, the software applications that would allow use of Bad Block Management, for example, may not be available. Therefore, security code that need be loaded to assure the system security and integrity may not be available without the use of the processing unit that may not available during these early phases of secure system boots.
Further limitations and disadvantages of conventional and traditional approaches will become apparent to one of skill in the art, through comparison of such systems with some aspects of the present invention as set forth in the remainder of the present application with reference to the drawings.