1. Field of the Invention
This invention relates in general to the field of microelectronics, and more particularly to a microprocessor that provides a secure execution mode of operation that allows code to be executed in a highly secure environment within the microprocessor itself.
2. Description of the Related Art
The use of desktop, laptop, and handheld computing and communication devices as platforms for digital communication of sensitive or proprietary data and digital rights controlled content continues to drive security innovations in the computing industry. For example, there are numerous applications which are disturbed at no cost over the Internet for the purposes of downloading and managing digital audio and video files. Through these applications, a user is allowed limited rights to songs, television shows, and movies. And a great deal of attention is paid to protecting those rights through the use of security features built into the applications which often rely on security mechanisms provided by their host platforms.
In addition to the protection of digital content rights, another factor which continues to drive improvements in computer system security is use restrictions which may be applied to the host platforms themselves. It is a well known fact that the cell phone industry has provided for so-called “pay-as-you-go” use of particular communication devices. With such a plan, a user pays no monthly fee, but instead pre-pays for a certain number of cellular minutes. When the minutes are exhausted, the user is denied access to the cellular network for any calls other than emergency calls.
As early as 2006, MICROSOFT® Corporation along with partner corporations, began to provide “pay-as-you-go” personal computing which is primarily directed toward emerging computer markets. Under this scheme, a user pays for their computer as it is used, through the purchase of prepaid cards. In addition, U.S. Patent Application Publication 20060282899, which is assigned to MICROSOFT, describes a system and method for delivery of an modular operating system, which includes a core function module, or basic kernel, providing fundamental operating system support and one or more add-on modules that allow customization of the operating system as desired. In this application, add-on modules may provide support or extended capability to the computer including hardware, applications, peripherals, and support. A digital signature may be used to confirm the integrity of an add-on module prior to installation, and certification may be verified to determine if installation of the add-on module is authorized. By withholding certification, a service provider may manage illegal or undesired modifications to a provided computer. In addition, digital rights management may be used to enforce terms of use of the add-on module in keeping with licensing arrangements.
Not surprisingly, a veritable host of techniques have been developed as well which provide for circumventing the security measures that are now in place to protect and control access to rights controlled digital media, communication devices, and computing platforms. In more recent times, “hacking” has become a bona fide field of study. In fact, the present inventors have noted the publication of numerous works which are dedicated to tampering with or altogether defeating the security measures that have been put into place to safeguard access to and/or use of protected assets. One such work is the book, Hacking the Xbox: An Introduction to Reverse Engineering, by Andrew Huang, San Francisco: No Starch Press, 2003. The book focuses in particular on teaching hacking techniques to overcome the security mechanisms of the XBOX® gaming platform produced by MICROSOFT, and additionally provides significant teaching on the subjects of computer security and reverse engineering in general, with a discussion of the vulnerabilities of so-called “secure” computing platforms.
Consequently, platform architects and designers continue to pursue techniques and mechanisms that are more effective at protecting against unauthorized platform access, regardless of whether the access is benign (e.g., probing, snooping), malicious (e.g., destructive or rights-defeating hacks), or somewhere in between (e.g., tampering). Many of these mechanisms are directed at preventing an intruder from physically accessing a platform, such as housing the platform in a secure chassis (e.g., a locked metal enclosure) or encapsulating vulnerable circuits in epoxy. But it is well known that these types of techniques add both cost and complexity to a system. Alternative mechanisms utilize security features that are provided for in a particular computer architecture itself.
Consider the two primary security features provided for by the well-known x86 architecture: paged virtual memory and privileged execution. Under paged virtual memory, the underlying operating system defines a separate virtual address space along with access rights (e.g., execute only, read only) for each application that is being executed, thus precluding another surreptitious application from executing within the defined space or modifying its data. But the data associated with virtual address translation (i.e., page tables) can be easily snooped and changed since the data is resident in system memory and is presented external to the host microprocessor on its system bus.
With privileged execution, the architecture provides several levels of execution privileges, CPL0 through CPL3. Accordingly, certain system resources and instructions may only be accessed by applications which are executing at higher privilege levels. It is common to find operating system components operating at the highest privilege level, CPL0, and user applications relegated to the lowest privilege level, CPL3. But as one skilled in the art will appreciate, these architectural features were developed primarily to preclude system crashes due to software bugs, and are not very effective at preventing intentional or directed hacks.
As a result, various methods and apparatus have been developed which are more closely concentrated toward the prevention of intentional intrusion or takeover of a platform. In U.S. Pat. No. 5,615,263, Takahashi teaches a secure mode within a dual mode processor (i.e., microprocessor). In a general/external mode, the dual mode processor executes instructions provided from an external source. The instructions are supplied to the processor via input/output to the processor. Upon receiving a special software or hardware interrupt, the dual mode processor enters a secure/internal mode. The interrupt specifies a secure function stored in a read-only memory within the dual mode processor. Upon receiving such an interrupt, input/output to the dual mode processor is disabled. The identified secure function is executed by the processor. During execution of the secure function, any attempt to insert instructions not originating from the read-only memory are ignored. However, the processor may access data specifically identified by secure function being executed. Upon completion of performance of the secure function, an exit routine is executed to enable input/output to the processor and resume execution of instructions provided via input/output from the source external to the processor.
Takahashi teaches that the secure mode is to be used for encryption and decryption and the dual mode processor relies upon normal instructions and data to be provided from an external control channel processor via a bus conforming to a standard bus architecture such as the Industry Standard Architecture (ISA). The dual mode processor powers up in non-secure mode and the secure mode is initiated via a software or a hardware interrupt. In secure mode, a limited number of functions (i.e., instructions) related to encryption and decryption can be executed. These functions are stored within a read-only memory (ROM) which is internal to the dual mode processor. As such, the present inventors have noted that Takashi's dual mode processor is inadequate in that it can only perform the limited number of functions which are provided for within it's internal ROM. Thus, an application comprising general purpose instructions cannot be executed in secure mode.
In U.S. Pat. No. 7,013,484, Ellison et al. teach a chipset for establishing a secure environment for an isolated execution mode by an isolated storage, which are accessible by at least one processor. The at least one processor has a plurality of threads and operates in normal execution mode or the isolated execution mode. The secure environment of Ellison et al. relies upon an external chipset (“isolated execution circuit”) which provides the mechanism for a processor to operate in isolated execution mode. The external chipset thus configures a secure memory area, it handles decoding and translation of isolated instructions, generation of isolated bus cycles, and generation of interrupts. While the external chipset indeed provides for proactive steps to isolate memory areas, instruction execution, and the like, it is noted that the external chipset is coupled to the at least one processor via a typical system bus, thus allowing for bus snooping and tampering with traffic on the bus itself during execution of any secure thread.
In U.S. Pat. No. 7,130,951, Christie et al. teach a method for controlling a secure execution mode-capable processor including a plurality of interrupts to interrupt the secure execution mode-capable processor when it is operating in a non-secure execution mode. The method includes disabling the plurality of interrupts from interrupting the secure execution mode-capable processor when it is operating in a secure execution mode. And while disabling interrupts is a desirable security feature in a secure execution environment, the processor according to Christie et al. relies upon instructions and data to be provided via an operating system over a system bus. Once the instructions are provided, then interrupts are disabled. Like the mechanism of Ellison et al., such an approach is clearly susceptible to bus snooping and tampering with any of the instructions which are passed to the processor over the bus.
In U.S. Pat. No. 6,983,374, Hashimoto et al. teach a tamper resistant microprocessor that saves context information for one program whose execution is to be interrupted, where the processor state is encrypted and stored to system memory. Hashimoto also teaches a technique for fetching encrypted instructions from system memory and apparatus for decrypting and executing the decrypted instructions. In addition, Hashimoto teaches using a symmetric key to provide the encrypted instructions in memory and then using an asymmetric key algorithm to encrypt the symmetric key, which is stored in memory. The symmetric key is known to the program creator and is encrypted using a public key that is read from the processor. The processor includes a unique private key that corresponds to the public key, which cannot be accessed by the user. Accordingly, upon execution of a branch instruction, program control is transferred to a “start encrypted execution” instruction which passes a pointer to the encrypted symmetric key. The processor fetches the encrypted symmetric key and decrypts it using its internal private key. Subsequently, the encrypted program instructions are fetched from system memory, decrypted using the decrypted symmetric key, and executed by the processor. If an interrupt or exception occurs, the state of the processor is symmetrically encrypted and saved to memory. Hashimoto teaches the use of common cache mechanisms, interrupt logic, and exception processing logic for both unencrypted and encrypted code.
The present inventors have noted that the microprocessor of Hashimoto is limiting in that the symmetric key corresponding to secure code is known by the code's creator, and could be compromised, thus exposing all systems having that code to security attacks. In addition, the present inventors have noticed that the processor of Hashimoto is disadvantageous in that decryption of secure code must be executed on the fly as instructions are fetched, which is extremely time consuming, thus causing throughput of the microprocessor to slow to a crawl. Furthermore, it is noted that the secure code of Hashimoto utilizes existing non-secure resources such as system memory, page tables, interrupt and exception mechanisms, all of which are subject to snooping.
Accordingly, the present inventors have noted that it is clearly desirable to provide a microprocessor which is capable of executing an application or application thread comprising general purpose instructions (i.e., any of the instructions in the microprocessor's instruction set) within a secure execution environment.
It is additionally desirable that the secure execution environment be isolated from any of the known methods of snooping and tampering. Thus, it is required that instructions executed by a secure execution mode microprocessor be isolated from hardware within the microprocessor that provides access such as cache snoops, system bus traffic, interrupts, and debug and trace features.
It is furthermore desirable when applications are loaded for secure execution by the microprocessor, that a mechanism is provided to obfuscate the structure and content of the applications from any extant observation means and that a mechanism be provided to authenticate the source of the application and to confirm its veracity.