This invention relates generally to data request handling and transfer of data within an integrated system, and more particularly, to techniques, implemented at least partially via a data access control function of an integrated system, for initializing, maintaining, updating and recovering secure operation of the integrated system.
Multiple master functions are today being commonly integrated onto a single system chip. When initially defining an architecture for the integration of multiple discrete components onto a single chip, access to external devices can be an issue. For example, an MPEG video decoder system often employs external memory for various data areas, or buffers such as frame buffers. This external memory is conventionally implemented using either DRAM or SDRAM technology.
Two approaches are typical in the art for accessing off-chip devices. In a first approach, each on-chip functional unit is given access to the needed external device(s) through a data bus dedicated to that particular unit. Although locally efficient for accessing the external device, globally within the integrated system this approach is less than optimal. For example, although each function will have complete access to its own external memory area, there is no shared access between functions of the integrated system. Thus, transferring data from one memory area to another memory area of the system is often needed. This obviously increases data transfers and can degrade performance of the overall system, i.e., compared with a shared memory system.
Another approach is to employ a single common bus within the integrated system which allows one or more functional units of the system to communicate to external devices through a single port. Although allowing the sharing of devices, one difficulty with this approach concerns controlling access to content or other sensitive data in the integrated system. For example, when using a large common memory pool in an integrated design, it becomes difficult to prevent unauthorized access to protected memory spaces, such as compressed data supplied by a transport demultiplexer to a decoder of a set-top box. This is especially true for a system where the programming interface is open and outside development is encouraged. Each of the functional masters should be able to access the memory space and it is not possible to differentiate whether an access is from a trusted master or an outside request, e.g., coming through an untrusted or open master.
In addition, when working with a system-on-chip design with multiple functional masters using shared memory, it is desirable to provide a mechanism for protecting the data from unauthorized access, particularly when the data comprises the device""s system programming code. More particularly, facilitating initialization of a secure operating environment begins by ensuring that the system code is secure and performs the functions intended. In order to guarantee a secure operating environment, therefore, the integrated system should be activated or booted in a secure mode.
In view of the above, various needs exist in the art for enhanced data access control approaches for an integrated system. More particularly, needs exist for techniques to initialize, maintain, update and recover secure operation of an integrated system.
The shortcomings of the prior art are overcome and additional advantages are provided through the provision of a method for facilitating secure operation of an integrated device having multiple levels of software. The method includes: authenticating by a current level of software, a next level of software of the multiple levels of software before passing control of the integrated system to the next level of software; and limiting ability of the next level of software to modify an operational characteristic of the integrated system, wherein the limiting is implemented via a data access control function of the integrated system.
In another aspect, a method of initializing secure operation of an integrated system is provided. This method includes: generating at least one key for the integrated system; loading initial code into the integrated system, the loading including using the at least one key to encrypt the initial code via a data access control function of the integrated system; and reinitializing the integrated system using the encrypted initial code.
In still another aspect, a method is provided for migrating data encrypted using a first key set to data encrypted using a second key set. This method includes: decrypting data encrypted using the first key set; and re-encrypting, by a data access control function within the integrated system, the data using a second key set. Advantageously, by re-encrypting using the data access control function, the encryption of the data is unique to the integrated system.
In a further aspect, a method of recovering integrated system functionality following a trigger event is provided. This method includes automatically establishing a reduced level of functionality within the integrated system following a tamper detection trigger event; and allowing for full functional recovery of the integrated system through a user selectively employing a trusted recovery procedure.
Systems and computer program products corresponding to the above-summarized methods are also disclosed herein.
Advantageously, the secure operation techniques disclosed herein can be used to initialize, maintain, update and/or recover a secure operating environment within an integrated system. More particularly, the techniques presented provide an ability to limit updates to operational characteristics maintained by a data access control function. The operational characteristics may include one or more of a key set, an access table, an access level, and access parameters employed by different levels of software within the integrated system. This ability to limit updates provides the different levels of software with hierarchical security privileges.
The techniques presented herein further provide an ability to make updates in the field in a secure manner, including the use of version numbers to prevent replay of an older version of software or other data. Also presented is an ability to migrate encrypted data from a first key set to a second key set as part of a key management process, and/or for importing protected data from other systems. Further, an ability to provide functionality is described, notwithstanding that the integrated system has entered a tamper triggered state. Specifically, limited functionality with no access to secret data and applications can be automatically provided, as well as a mechanism for recovering full functionality with limited service facility dependency.
Additional features and advantages are realized through the techniques of the present invention. Other embodiments and aspects of the invention are described in detail herein and are considered a part of the claimed invention.