Patent Application
20080077749
The present invention relates generally to microprocessor systems and more particularly to access control of memory space in microprocessor systems. The following description is presented to enable one of ordinary skill in the art to make and use the invention and is provided in the context of a patent application and its requirements. Various modifications to the implementations and the generic principles and features described herein will be readily apparent to those skilled in the art. Thus, the present invention is not intended to be limited to the implementations shown, but is to be accorded the widest scope consistent with the principles and features described herein.
Within a microprocessor system comprising one or more microprocessors, it may be desirable to have an access control mechanism that is able to limit the type of operations that can be performed by the one or more microprocessors on particular regions of a memory space in the system. Since the system may include more than one microprocessor, the access control mechanism should be processor independent and permit different levels of access to be set for different microprocessors. In addition, the access control mechanism should be user configurable and easily updatable.
Illustrated in
Microprocessors 202A-202B are Reduced Instruction Set Computer (RISC) microprocessors (e.g., an ARM7 or an ARM9 processor developed by ARM® Ltd.) in one implementation of the invention. In other implementations, the number of microprocessors and/or peripherals in system 200 may be increased or decreased. Additionally, the number of memory modules comprising memory space 204 may be different in other implementations.
Bus monitor 208 is a special function unit that hooks into system bus 214 and monitors various address and control signals associated with microprocessors 202A-202B (also referred to as masters) to determine whether the master seeking to perform an operation on a region of memory space 204 is allowed to perform the operation to the selected region of memory space 204. Programming of bus monitor 208 may be accomplished by firmware running on one or more of the microprocessors 202A-202B in system 200. Bus monitor 208 is coupled to a bus matrix (not shown) in another embodiment. The bus matrix is a type of memory controller that is operable to interconnect various components with system 200, which may be using different protocols.
In one implementation, the legality of the operation is determined by checking the operation against one or more definitions created for the region that is being accessed. The one or more definitions are user configurable and can be changed depending on the application. If an illegal operation (i.e., impermissible operation) is attempted, bus monitor 208 will abort the operation. In another implementation, bus monitor 208 will also set an alarm signal that can be used as an interrupt to microprocessors 202A-202B or by other security oriented modules (not shown) in system 200.
Shown in
Each region of memory space 204 that is protected has a corresponding protection register in the implementation. Other implementations of user interface module 302 may also include an identification register (not shown) that can be used to identify which of microprocessors 202A-202B is currently accessing memory space 204. The identification register may also be a stand-alone unit that is external to bus monitor 208.
The registers in user interface module 302 are used to configure MPU 304 in one embodiment. Access to the registers in user interface module 302 may be controlled by configuring one of the protection registers 406-0 to 406-n to include an address space of bus monitor 208. In one implementation, MPU 304 is operable to decode address, direction, and protection signals on system bus 214, then compare them to the address and protection definitions in protection registers 406-0 to 406-n.
If a violation is detected, the operation is aborted and a protection error alarm signal is generated. The alarm source (e.g., type of operation, identity of violating microprocessor, etc.) is stored in status register 402. In another embodiment, when an illegal read return data operation is intercepted, in addition to generating an abort sequence, the returned data is forced low (i.e., changed to all zeros) to provide additional protection in the event that the master (i.e., microprocessor) does not respond to the abort sequence.
EPU 306 is a non-configurable module that is operable to block opcode fetches (i.e., code executions) from EBI 210 for all masters in one implementation. In the implementation, EPU 306 is operable to monitor protection signals and EBI signals on system bus 214. If an attempt to execute code from EBI 210 is detected, the operation is aborted and a protection error alarm is generated. The alarm source is stored in status register 402.
Although the implementation defines permanent protection and non-configurable space to be EBI 210, which connects to, for instance, external memory and/or external busses, any particular space or type of operation can be permanently protected depending on the needs of the system. For example, a non-volatile memory (NVM), such as electrically erasable, programmable, read-only memory (EEPROM) or flash memory, may need to be permanently protected from specific types of operations (e.g., execute) because an unauthorized person could input code into the NVM and force the processor(s) to begin executing from the NVM, which could compromise the system.
Depicted in
Other implementations may include protection for operations in addition to or as an alternative to read, write, and execute, such as copy, swap, etc. In addition, a region defined in one protection register may overlap with a region defined in another protection register. When such an overlap occurs, the most restrictive protection is applied in one embodiment. Further, the permissions defined may be applicable to all user and privilege modes.
Bits 0 to 2 [2:0] of protection register 406-i indicate that read, write, and execute operations are permitted for the ARM7 microprocessor. Bits [5:3] indicate that read, write, and execute operations are also permitted for the ARM9 microprocessor. Bits [9:6] indicate the region size to be protected starting at the base address. In Table 1, a list of the region sizes available in one implementation of the invention are shown along with each size's corresponding bit-representation and least significant byte (LSB). For example, if the region size is 1 kilobytes (KB), bits [9:6] will read 0000. Other implementations may include different region sizes.
The base address of the region to be protected is stored in bits [31:10]. In one embodiment, the size of a region does not dictate a location for the region, i.e., the base address of the region. For example, if a 4 KB region is being defined for protection, the region need not begin at 0 KB, 4 KB, 8 KB, 12 KB, etc., and can instead begin at any location, such as 3 KB. In another embodiment, the base address of a region is a multiple of the smallest region size available. For instance, if the region sizes are based on Table 1, then the base address will be a multiple of 1 KB.
Bit [24] indicates an illegal attempt to execute code from EBI 210. Each of bits [23:0] corresponds to one protection register and is used to indicate violation of the protection definition in the respective protection register. In the implementation, twenty-four protection registers are included in user interface module 302. Other implementations may include more or less protection registers.
As an example, if the definition in protection register 406-1 is violated by microprocessor ARM7 attempting a write operation, bits [1] and [26] will be set to “1.” Thus, status register 402 can be used to determine the source and type of memory access violation. If a memory access violates the rules/definitions of multiple protection registers 406-0 to 406-n, multiple alarm bits will be set in one embodiment.
Illustrated in
Protection register 900 in the example of
The example in
Another 16 KB region is defined in protection register 1000B. Since the second 16 KB region starts at base address 0x00001C00 (i.e., 14 KB), base address bits [31:10] are set to binary 00 0000 0111 00. For this second 16 KB region, ARM7 is still limited to read-only operations, but ARM9 is allowed to perform read/write operations.
If the most restrictive protections are applied for overlapping regions, then for the 2 KB overlap between the first region defined in register 1000A and the second region defined in register 1000B from address 14 KB to 16 KB, the ARM9 microprocessor will be limited to read-only operations as defined in register 1000A since it is more restrictive than register 1000B. Hence, if the ARM9 microprocessor attempts to perform an operation other than a read in the 2 KB overlap region, an alarm condition will be raised and will show up in status register 402 in the bit associated with register 1000A.
Tables 2-7 are examples of various signals monitored by bus monitor 208 and their descriptions in accordance with one implementation of the invention. In the implementation, system bus 214 is an AHB and peripheral bus 216 is an APB.
In one implementation, if a protection error alarm condition (i.e., illegal memory access) is detected, bus monitor 208 will force ‘hresp[1:0]’ signals for the appropriate master(s) to 2′b01 (error) for two cycles. During the first of the two cycles, ‘hready’ will be LOW (e.g., 0). On the second cycle ‘hready’ will be HIGH (e.g., 1). Bus monitor 208 will also force ‘htrans[1:0]’ signals to 2′b00 (busy) for the appropriate master(s) to prevent a slave from responding to the illegal request. In addition, bus monitor 208 will force ‘hrdata[31:0]’ signals for the violating master(s) to LOW to prevent the master(s) from seeing protected data. Bus monitor 208 may only look at ‘hprot[1] and ‘hprot[0]’ to determine whether an opcode fetch is occurring and to determine what mode the master is operating in (e.g., user or privileged).
The invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment containing both hardware and software elements. In one aspect, the invention is implemented in software, which includes, but is not limited to, firmware, resident software, microcode, etc.
Furthermore, the invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer-usable or computer-readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk, and an optical disk. Current examples of optical disks include DVD, compact disk-read-only memory (CD-ROM), and compact disk-read/write (CD-R/W).
Memory elements 1104a-b can include local memory employed during actual execution of the program code, bulk storage, and cache memories that provide temporary storage of at least some program code in order to reduce the number of times the code must be retrieved from bulk storage during execution. As shown, input/output or I/O devices 1108a-b (including, but not limited to, keyboards, displays, pointing devices, etc.) are coupled to data processing system 1100. I/O devices 1108a-b may be coupled to data processing system 1100 directly or indirectly through intervening I/O controllers (not shown).
In the embodiment, a network adapter 1110 is coupled to data processing system 1100 to enable data processing system 1100 to become coupled to other data processing systems or remote printers or storage devices through a communication link 1112. Communication link 1112 can be a private or public network. Modems, cable modems, and Ethernet cards are just a few of the currently available types of network adapters.
Through the use of a bus monitor, access control of the memory space of a microprocessor system is provided. The use of protection definitions provides a means to protect arbitrary regions of memory from one or more processors without being restricted to particular locations based oh the size of the region to be protected. Since the bus monitor is processor-independent, individual memory access control for multiple processors is made possible.
Processors within a system may also be able to share the same source code if an identity register is included because branch execution can be based on results of an identity register read. A means to permanently block certain types of access (e.g., executing code from external memory) to areas of the memory space is also provided.
Various implementations for access control of memory space in microprocessor systems have been described. Nevertheless, one of ordinary skill in the art will readily recognize that various modifications may be made to the implementations, and any variations would be within the spirit and scope of the present invention. For example, the above-described process flows are described with reference to a particular ordering of process actions. However, the ordering of many of the described process actions may be changed without affecting the scope or operation of the invention. Accordingly, many modifications may be made by one of ordinary skill in the art without departing from the spirit and scope of the following claims.
