The present invention relates to a semiconductor memory device, and more particularly to a flash memory (flash EEPROM (Electrically Erasable Programmable Read Only Memory)) having a security function and a protect function.
Flash memories are well known as semiconductor memory devices in which On-Board programming can be executed. In order to prevent data stored therein from leaking out or being tampered with, some of the flash memories have means for prohibiting rewrite of the stored data (hereinafter referred to as a "protect function") and means for prohibiting reading of the stored data (hereinafter referred to as a "security function").
The outline of the protect function and the security function employed in the conventional flash memories will be described.
FIG. 1 shows the basic structure of a conventional flash memory having such a protect function. In this flash memory, protect information is stored in a protect information storing circuit 102 that differs from a flash memory main body 101. The protect information is provided for setting a desired one of a stored-data rewrite prohibiting mode (protect-on mode) and a rewrite permitted mode (protect-off mode). The protect information storing circuit 102 is constituted of, for example, a dedicated flash memory (i.e. a fuse cell array).
Writing and erasing of data into and from the flash memory main body 101 is controlled by a state machine 103. The state machine 103 comprises an AND circuit 103a and a write/erase control circuit 103b. When writing or erasing data, the AND circuit 103a generates an AND output (a rewrite signal), which consists of a signal from a command interface 104 and a signal indicating protect information stored in the protect information storing circuit 102. The write/erase control circuit 103b is controlled on the basis of the AND output of the AND circuit 103a.
If "1 (which indicates the protect-off mode)" is stored as the protect information, the AND output is always "1 (which indicates permission)". In this case, rewrite of data stored in the flash memory main body 101 is permitted. On the other hand, if "0 (which indicates the protect-on mode)" is stored as the protect information, the AND output is "0 (which indicates prohibition)". In this case, rewrite of data stored in the flash memory main body 101 is prohibited. Thus, the protect function controls permission/prohibition of rewrite of data stored in the flash memory main body 101 in order to prevent the stored data from being tampered with by any person other than a legitimate user.
In numerous flash memories (not shown) that have the respective memory areas (the memory area of each flash memory main body corresponds to all address areas thereof) of their flash memory main bodies divided into a plurality of blocks, a single protect function can be set for each block. Suppose there is a case where data stored in a certain block (BLK0) of the flash memory main body is program data which is rewritten at a low frequency (or important program data), while data stored in another block (BLK1) is rewritten at a high frequency (or not so important data). For this case, there is an example of use of the protect function, wherein the protect-on mode is set for the block (BLK0) since it is very possible that data damage due to, for example, erroneous writing will be a fatal system error, while the protect-off mode is set for the block (BLK1) because, for example, the setting of the protect information is rather troublesome.
FIG. 2 shows the basic structure of a conventional flash memory having a security function. In this flash memory, security information is stored in a security information storing circuit 105 that differs from a flash memory main body 101. The security information is provided for setting a desired one of a stored-data readout prohibiting mode (security-on mode) and a stored-data readout permitted mode (security-off mode). The security information storing circuit 105 is constituted of, for example, a dedicated flash memory (i.e. a fuse cell array).
Reading data out of the flash memory main body 101 is controlled by a data control circuit 106. The data control circuit 106 comprises an AND circuit 106a and a readout control circuit 106b. When reading out the stored data, the AND circuit 106a generates an AND output (a readout signal), which consists of a signal from the readout control circuit 106b and a signal indicating security information stored in the security information storing circuit 105. On the basis of the AND output of the AND circuit 106a, a tristate buffer 108 interposed between a readout circuit 107 and a data output terminal D.sub.out is controlled.
If "1 (which indicates a security-off mode)" is stored as the security information, the AND output is always "1 (which indicates permission)". In this case, the tristate buffer 108 is in an enable state, whereby readout of data from the flash memory main body 101 is permitted. On the other hand, if "0 (which indicates a security-on mode)" is stored as the security information, the AND output is "0 (which indicates prohibition)" irrespective of whether a signal is supplied from the readout control circuit 106b. In this case, the tristate buffer 108 is in a High-Z state (or in a fixed-data output state), thereby prohibiting readout of data from the flash memory main body 101. Thus, the security function controls permission/prohibition of readout of data from the flash memory main body 101 in order to prevent data stored therein from leaking to any person other than a legitimate user. Concerning the security function, a single security function is set, in many cases, for the memory area (all address areas) of the flash memory main body.
FIG. 3 schematically shows the structure of that essential part of the flash memory, which relates to the setting/releasing of the protect function and the security function. A description will be given of an example, where the memory area of the flash memory main body is divided into three blocks.
When setting/releasing the protect function and/or the security function, at first, a sequence of rewriting processing is started for a fuse cell array 201 by the input of an external trigger such as a command. In this state, block information (address information) is input through an address input terminal Add to set/release the protect function. This block information is supplied to a command interface 202 and a write/erase circuit 203. Then, on the basis of the block information, the write/erase circuit 203 turns on/off any of protect cells 102a, 102b and 102c, which are contained in the protect information storing circuit 102 and correspond to respective blocks. By setting the protect information by turning on/off any of the cells 102a, 102b and 102c, the protect function is set/released in units of one block.
To set/release the security function, block information is input through the address input terminal Add after the sequence of rewriting processing is started, and is supplied to the command interface 202 and the write/erase circuit 203. Then, on the basis of the block information, the write/erase circuit 203 turns on/off a security cell 102d contained in the security information storing circuit 105. By setting the security information by turning on/off the cell 102d, the security function is set/released in units of all blocks.
However, if, in the flash memory constructed as above, the security function is released by a third person, it is very possible that they will easily tamper with or leak data stored in the memory.
FIG. 4 illustrates the flow of processing executed by the flash memory of FIG. 3 for releasing the security function. When an instruction to release the security function has been issued, the on/off state of each protect cell 102a, 102b, 102c is checked, thereby sequentially erasing only data stored in a non-protected block (BALK) or non-protected blocks (step ST01-ST03). After that, the security cell 102d is turned off (step ST04), followed by termination of the processing. Thus, in the conventional case, the security function is released without erasing data stored in any protected block. This means that part of the stored data is not erased and can be read out. If a third person releases the security function, they can easily discover the protected data.
After reading out the stored data, the protect cell of a block corresponding to the data is turned off to release its protect function. Then, new data is written into the block, and the protect function is reset, when necessary, by turning on the protect cell.
If, in the conventional case, a third person knows the method for releasing the security function, it is very possible that they will easily tamper with the stored data. At this time, the protect function and the security function become useless.