Title: Secure processing unit systems and methods
Abstract: A hardware Secure Processing Unit (SPU) is described that can perform both security functions and other information appliance functions using the same set of hardware resources. Because the additional hardware required to support security functions is a relatively small fraction of the overall device hardware, this type of SPU can be competitive with ordinary non-secure CPUs or microcontrollers that perform the same functions. A set of minimal initialization and management hardware and software is added to, e.g., a standard CPU/microcontroller. The additional hardware and/or software creates an SPU environment and performs the functions needed to virtualize the SPU's hardware resources so that they can be shared between security functions and other functions performed by the same CPU.
Publication number: US9536111(B2) Publication date: 2017.01.03
Application number: US201313874184 Filing date: 2013.04.30
Applicant: Intertrust Technologies Corporation Inventor: Sibert W. Olin
Classification: G06F15/167;G06F21/71;G06F21/86;G06F12/14;G06F21/62;G06Q50/18;H04L29/06 Main classification: G06F15/167
Agency: Finnegan, Henderson, Farabow, Garrett & Dunner LLP Agent: Finnegan, Henderson, Farabow, Garrett & Dunner LLP
Principal claim: 1. A method comprising: establishing a secure environment within a secure processing unit, wherein establishing the secure environment comprises generating a first cryptographic key and a second cryptographic key, the first cryptographic key and second cryptographic key being unique to the secure processing unit; setting, in response to establishing the secure environment, a secure flag indicating that the secure processing unit is operating in a secure state; storing, in a first region of a secure memory associated with the secure processing unit, secret information based on a determination that the secure flag is set and a determination that a first indication in an erasure control register associated with the secure memory indicates that the first region will be erased in response to a change in a state of the secure flag; encrypting a first portion of the secret information using the first cryptographic key to generate an encrypted copy of the first portion of the secret information; storing, in a second region of the secure memory, the encrypted copy of the first portion of the secret information based on a determination that a second indication in the erasure control register indicates that the second region will be persisted in response to a change in the state of the secure flag; encrypting a second portion of the secret information using the second cryptographic key to generate an encrypted copy of the second portion of the secret information; storing, in the second region of the secure memory, the encrypted copy of the second portion of the secret information based on the determination that the second indication in the erasure control register indicates that the second region will be persisted in response to a change in the state of the secure flag; and implementing, by a monitoring module executing on the secure processing unit, at least one protective action in response to a determination that the secure processing unit has been tampered with,
wherein the at least one protective action comprises erasing the first region of the secure memory containing the secret information based on the first indication.
Address: Sunnyvale CA US