| 摘要 |
A data processing system (DPS) 1 comprises protected memory 8 and non-protected (unprotected, un-trusted) memory 9. In normal, non-secure mode, the operating system (OS) 3 of the DPS cannot read from protected memory but does have read-access to non-protected memory and may have write access to protected (trusted) memory. An accelerator of the DPS, typically a Graphics Processing Unit (GPU) 5, can be switched between normal and protected operating modes. When in normal, non-protected mode, the accelerator has read-access and write-access to non-protected memory but has no access or write-only access to protected memory. When in protected mode, to perform protected processing of data, the accelerator has read and write-access to protected memory but has read-only access to non-protected memory. Memory access restrictions may be provided by bus transaction filtering, preferably via a firewall (40, fig. 3) between accelerator and memory. Alternatively, restrictions may be provided by memory address virtualisation mapping in a memory management unit (MMU, 50, fig. 4), preferably using the same MMU stage two page tables for both normal and protected mode; page table access permissions are interpreted differently according to mode. The system is typically used in Digital Rights Management. |
