A general architecture that implements the various features of the invention will now be described with reference to the drawings. The drawings and the associated descriptions are provided to illustrate embodiments of the invention and not to limit the scope of the invention.
Various embodiments according to the invention will be described hereinafter with reference to the accompanying drawings. In general, according to one embodiment of the invention, a firmware protection method applied to an electronic apparatus comprising a chip of a processor, wherein the processor stores external unique information and chip unique information that is assigned uniquely to the chip, the firmware protection method comprising: transferring a firmware to the electronic apparatus, the firmware subjected to an encryption and a tampering check data addition by using information that is identical with the external unique information; performing a tampering check and a decryption of the firmware by using the external unique information stored in the chip; performing an encryption of the firmware and an addition of a tampering check data to the firmware by using the chip unique information; and storing the firmware in a predetermined storage.
An embodiment of the invention will be discussed with reference to the accompanying drawings.
A CPU (Central Processing Unit) 11 shown in
The playback unit is provided with a firmware storage section 101, volatile memory 102, etc., as well as the CPU 11. The firmware storage section 101 is a storage area for storing (installing) encrypted firmware after encryption and addition of tampering check data are conducted at least using the chip unique information C in the chip of the CPU 11 in the manufacturing process. The volatile memory 102 is memory for storing (loading) the firmware after tampering check and decryption are performed at least using the chip unique information C in the chip of the CPU 11 for the encrypted firmware read from the firmware storage section 101 in playback processing after shipment of the playback unit.
In the development process, a development department develops the firmware and hardware of the playback unit. When the developed firmware is transferred from the development department to a manufacturing department, the firmware is encrypted by a computer, etc., using the same information as the vendor unique information V in the chip of the CPU 11, and tampering check data is generated (for example, a hash value is generated by performing a predetermined computation based on the same information as the vendor unique information V in the chip) and is added to the encrypted firmware. The encrypted firmware to which the tampering check data is added is delivered from the computer of the development department to the playback unit provided in the manufacturing department, for example, through a network or via a memory card, etc.
In the manufacturing process, the manufacturing department manufactures the hardware of the playback unit and installs the firmware. When the encrypted firmware to which the tampering check data is added is entered in the playback unit, the CPU 11 starts installation processing of the firmware. In the installation processing, using the vendor unique information V in the chip of the CPU 11, the firmware entered in the playback unit is subjected to a tampering check (for example, a check to see whether a hash value provided by performing a predetermined computation based on the vendor unique information V in the chip matches the hash value added to the firmware) and decryption. If tampering is detected (for example, because the hash values do not match), execution of the subsequent processing is prohibited. On the other hand, if the hash values match (no tampering exists), the firmware is encrypted again at least using the chip unique information C in the chip of the CPU 11, tampering check data is generated (for example, a hash value is generated by performing a predetermined computation using the chip unique information C in the chip) and is added to the encrypted firmware, and this firmware is stored in the firmware storage section 101.
In product shipment P3, the playback unit with the encrypted firmware stored in the firmware storage section 101 is shipped. After shipment, when the user, etc., starts the playback unit, boot processing for the encrypted firmware in the firmware storage section 101 is started. In the boot processing, the encrypted firmware in the firmware storage section 101 is read and then subjected to a tampering check and decryption at least using the chip unique information C in the chip of the CPU 11. If tampering is detected (for example, because the hash values do not match), execution of the subsequent processing is prohibited. On the other hand, if the hash values match (no tampering exists), the decrypted firmware is stored in the volatile memory 102.
The playback unit is made up of the CPU 11, a north bridge 12, main memory 13, a south bridge 14, nonvolatile memory 15, an audio codec 16, a USB (Universal Serial Bus) controller 17, a card slot 18, an HD DVD drive 1, an audio bus 19, a graphics bus 20, a PCI (Peripheral Component Interconnect) bus 21, a video controller 22, an audio controller 23, an audio decoder 24, a video decoder 25, a blend processing section 30, audio mixers (Audio Mix) 31 and 32, a video encoder 40, an AV interface (HDMI-TX) 41 such as HDMI (High Definition Multimedia Interface), and the like.
The above-described firmware storage section 101 corresponds to the nonvolatile memory 15, for example. The above-described volatile memory 102 corresponds to the main memory 13, for example.
In the playback unit, a player application 150 and an operating system (OS) are installed in the nonvolatile memory 15. The player application 150 is software operating on the OS and performs control to play back AV content read from the HD DVD drive 1.
The CPU 11 is a processor provided for controlling the operation of the playback unit as described above. When the user, etc., starts the playback unit, the CPU 11 performs processing for booting the OS from the nonvolatile memory 15 and loading the OS and the related player application 150 into the main memory 13. The north bridge 12 is a bridge device for connecting a local bus of the CPU 11 and the south bridge 14. The north bridge 12 contains a memory controller for controlling access to the main memory 13. It further contains a GPU (Graphics Processing Unit) 120.
The GPU 120 is a graphics controller for generating graphics data (also called graphics image data) to form a graphics screen image from data written by the CPU 11 into video memory (VRAM) assigned to a storage area of a part of the main memory 13. The GPU 120 generates graphics data using a graphics computation function such as bit block transfer. For example, if the CPU 11 writes image data (subvideo, subpicture, etc.) into three planes on the VRAM, the GPU 120 uses bit block transfer to execute blend processing that superposes the image data corresponding to the three planes for each pixel, thereby generating graphics data to form a graphics screen image having the same resolution as the main video (for example, 1920×1080 pixels).
The GPU 120 sends graphics data (RGBA data) that is made up of graphics data (digital RGB video signal) and alpha data through the graphics bus 20 to the blend processing section 30.
The south bridge 14 controls the devices on the PCI bus 21. It contains an IDE (Integrated Drive Electronics) controller for controlling the HD DVD drive 1. The south bridge 14 further has a function of accessing the nonvolatile memory 15, the USB controller 17, and the audio codec 16.
The HD DVD drive 1 is a drive unit for driving a storage medium such as an HD DVD medium storing audio video (AV) content corresponding to the HD DVD standard.
The audio codec 16 converts subaudio data decoded by software into a digital audio signal in I2S (Inter-IC Sound) format. The audio codec 16 is connected to the audio mixers (Audio Mix) 31 and 32 through the audio bus 19. The audio bus 19 is a transmission line connecting the audio codec 16 and the audio mixers (Audio Mix) 31 and 32. It allows the digital audio signal from the audio codec 16 to be transferred to the audio mixers (Audio Mix) 31 and 32 not via the PCI bus 21.
The card slot 18 is connected to the south bridge 14 for enabling data to be written onto and read from an attached memory card, etc. For example, the encrypted firmware to which the tampering check data is added in the development department is stored in a memory card and this memory card is placed in the card slot 18 for read in the manufacturing department, whereby the above-described installation processing can be executed.
The video controller 22 is connected to the PCI bus 21. The video controller 22 is an LSI that interfaces with the video decoder 25. A stream of main video data (Video Stream) separated from an HD DVD stream by software is sent to the video decoder 25 through the PCI bus 21 and the video controller 22. Decode control information (Control) output from the CPU 11 is also sent to the video decoder 25 through the PCI bus 21 and the video controller 22.
The video decoder 25 decodes the main video data and generates a digital YUV video signal to form a video screen image with a resolution of 1920×1080 pixels, for example. The digital YUV video signal is sent to the blend processing section 30.
The audio controller 23 is connected to the PCI bus 21. The audio controller 23 is an LSI that interfaces with the audio decoder 24. A stream of main audio data (Audio Stream) separated from an HD DVD stream by software is sent to the audio decoder 24 through the PCI bus 21 and the audio controller 23.
The audio decoder 24 decodes the main audio data and generates a digital audio signal in the I2S (Inter-IC Sound) format. The digital audio signal is sent to the audio mixers (Audio Mix) 31 and 32 through the audio controller 23.
The blend processing section 30 is connected to the GPU 120 and the video decoder 25 and executes blend processing to superpose the graphics data output from the GPU 120 on the main video data decoded by the video decoder 25. In this blend processing (alpha blending), the digital RGB video signal forming the graphics data and the digital YUV video signal forming the main video data are superposed in pixel units based on the alpha data output together with the graphics data (RGB) from the GPU 120. In this case, the main video data is used as the lower screen image and the graphics data is used as the upper screen image superposed on the main video data.
The output image data provided by performing the blend processing is supplied to the video encoder 40 and the AV interface (HDMI-TX) 41 as the digital YUV video signal, for example. The video encoder 40 converts the output image data provided by performing the blend processing (digital YUV video signal) into a component video signal or an S-video signal and outputs the signal to an external display (monitor) like a TV receiver. The AV interface (HDMI-TX) 41 outputs a digital signal group containing the digital YUV video signal and the digital audio signal to an external HDMI apparatus.
The audio mixer (Audio Mix) 31 mixes the subaudio data from the audio codec 16 and the main audio data decoded by the audio decoder 24 and outputs the mixing result as a stereo audio signal. The audio mixer (Audio Mix) 32 mixes the subaudio data from the audio codec 16 and the main audio data decoded by the audio decoder 24 and outputs the mixing result as a 5.1-channel audio signal.
Next, protection programs (tools) for realizing protection of the firmware of the embodiment will be discussed with reference to
A program 201 used in the development process P1 is a program for delivering the firmware developed in the development department to the manufacturing department with safety and is executed by a computer of the development department, and so on. The program 201 is made up of various functions of an encryption/tampering check data addition processing section 51, a transmission processing section (or a storage processing section) 52, and so on.
The encryption/tampering check data addition processing section 51 performs a function of encrypting the firmware developed in the development department and adding tampering check data to the firmware using the same information as the vendor unique information V in the chip of the CPU 11.
The transmission processing section (or the storage processing section) 52 performs a function of transmitting the encrypted firmware to which the tampering check data is added to a playback unit in the manufacturing department through the network or storing the firmware on a memory card, etc.
A program 202 used in the manufacturing process P2 is a program (installing tool) for installing the firmware delivered from the development department with safety and is stored in a predetermined storage area in the playback unit (for example, in the CPU 11) and is executed by the CPU 11 in the playback unit. The program 202 is made up of various functions of a reception processing section (or a read processing section) 53, a tampering check/decryption processing section 54, a re-encryption/tampering check data addition processing section 55, a storage processing section 56, and so on.
The reception processing section (or the read processing section) 53 performs a function of receiving the encrypted firmware transmitted through the network from the development department in a playback unit or reading the encrypted firmware stored on a memory card, and so on, supplied from the development department into a playback unit.
The tampering check/decryption processing section 54 performs a function of checking the encrypted firmware input by the reception processing section (or the read processing section) 53 for tampering and decrypting the encrypted firmware using the vendor unique information V in the chip of the CPU 11.
The re-encryption/tampering check data addition processing section 55 performs a function of again encrypting the firmware subjected to the tampering check and decryption by the tampering check/decryption processing section 54 and adding tampering check data to the firmware at least using the chip unique information C in the chip of the CPU 11.
The storage processing section 56 performs a function of storing (installing) the re-encrypted firmware, to which the tampering check data has been added by the re-encryption/tampering check data addition processing section 55, in the firmware storage section 101.
A program 203 used after the product shipment P3 is a program for booting the encrypted firmware installed in the manufacturing department with safety and is stored in a predetermined storage area in the playback unit and is executed by the CPU 11 in the playback unit like the program 202. The program 203 is made up of various functions of a read processing section 57, a tampering check/decryption processing section 58, a storage processing section 59, etc.
The read processing section 57 performs a function of reading the encrypted firmware installed in the firmware storage section 101 in the manufacturing department when the playback unit is started.
The tampering check/decryption processing section 58 performs a function of checking the encrypted firmware read by the read processing section 57 for tampering and decrypting the encrypted firmware at least using the chip unique information C in the chip of the CPU 11.
The storage processing section 59 performs a function of storing (loading) the firmware subjected to the tampering check and decryption by the tampering check/decryption processing section 58 in (into) the volatile memory 102.
The programs 202 and 203 may be integrated into one. The function portions common to both the programs 202 and 203 may be implemented as one module.
In the development process, using the same information as the vendor unique information V in the chip of the CPU 11, the developed firmware is encrypted and a hash value is generated and is added to the encrypted firmware by a computer of the development department (step S11). The encrypted firmware to which the hash value is added is delivered to a playback unit provided in the manufacturing department from the computer of the development department through the network or via a memory card, and so on (step S12).
In the manufacturing process, when the encrypted firmware to which the hash value is added is entered in the playback unit (step S13), the CPU 11 starts installation processing of the firmware. In the installation processing, using the vendor unique information V in the chip of the CPU 11, the firmware entered in the playback unit is subjected to a tampering check (hash value check) and decryption (step S14). If tampering is detected (for example, because the hash values do not match), execution of the subsequent processing is prohibited. On the other hand, if the hash values match (no tampering exists), the firmware is encrypted again using the chip unique information C in the chip of the CPU 11, a hash value is generated and added to the encrypted firmware (step S15), and this firmware is stored in the firmware storage section 101 (step S16).
After shipment, when the user, etc., starts the playback unit, boot processing for the encrypted firmware in the firmware storage section 101 is started. In the boot processing, the encrypted firmware in the firmware storage section 101 is read (step S17) and then subjected to a tampering check (hash value check) and decryption using the chip unique information C in the chip of the CPU 11 (step S18). If tampering is detected (for example, because the hash values do not match), execution of the subsequent processing is prohibited. On the other hand, if the hash values match (no tampering exists), the decrypted firmware is stored in the volatile memory 102 (step S19).
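The three-stage flow of steps S11 to S19 (programs 201, 202 and 203), as an added worked example that is not part of the patent and not the applicant's code. It assumes HMAC-SHA256 as the "tampering check data computed based on the unique information", an HMAC-based counter-mode keystream as a stand-in for the unspecified cipher, encrypt-then-MAC ordering so that the check runs before any decryption, and constructed values for V, C and the firmware image; `combined_info` is a hypothetical helper for the later variant that binds the stored image to both C and V.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _subkey(unique_info: bytes, label: bytes) -> bytes:
    # Derive separate encryption and tampering-check keys from one piece of unique information.
    return hmac.new(unique_info, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; stand-in for the cipher the patent leaves unspecified.
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:length]

def protect(firmware: bytes, unique_info: bytes, nonce=None) -> bytes:
    """Encrypt the firmware and append tampering check data (encrypt-then-MAC)."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(unique_info, b"enc"), nonce, len(firmware))
    ct = bytes(p ^ k for p, k in zip(firmware, ks))
    tag = hmac.new(_subkey(unique_info, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unprotect(blob: bytes, unique_info: bytes) -> bytes:
    """Tampering check first, then decryption; a mismatch prohibits all subsequent processing."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("tampering detected: truncated image")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(unique_info, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tampering detected: check data mismatch")
    ks = _keystream(_subkey(unique_info, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def combined_info(chip_info_c: bytes, vendor_info_v: bytes) -> bytes:
    # Hypothetical helper: one key bound to both C and V for the re-encryption/boot variant.
    return hmac.new(vendor_info_v, chip_info_c, hashlib.sha256).digest()

# Program 201 (development department): encrypt + add check data with information identical to V.
def program_201_deliver(firmware: bytes, vendor_info_v: bytes) -> bytes:
    return protect(firmware, vendor_info_v)                      # steps S11-S12

# Program 202 (installing tool on CPU 11): check/decrypt with V, re-encrypt + add check data with C.
def program_202_install(delivered: bytes, vendor_info_v: bytes, chip_info_c: bytes) -> bytes:
    plain = unprotect(delivered, vendor_info_v)                  # step S14
    return protect(plain, chip_info_c)                           # steps S15-S16 -> storage section 101

# Program 203 (boot): check/decrypt with C and load into volatile memory 102.
def program_203_boot(stored: bytes, chip_info_c: bytes) -> bytes:
    return unprotect(stored, chip_info_c)                        # steps S17-S19

if __name__ == "__main__":
    V = b"constructed vendor unique information V"                # constructed sample values
    C = b"constructed chip unique information C"
    fw = b"constructed firmware image for the playback unit"
    stored = program_202_install(program_201_deliver(fw, V), V, C)
    print("boot ok:", program_203_boot(stored, C) == fw)
```

Because the installed image is bound to C, the same image copied to a second unit with a different chip unique information fails the boot-time check, which is the property the patent relies on against analysis by another vendor using the same CPU.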
In the example previously described with reference to
In the example previously described with reference to
Thus, re-encryption, hash value generation, hash value check, and decryption are executed using both the “chip unique information C” and the “vendor unique information V,” whereby the degree of difficulty in analyzing the firmware by a hacker, etc., can be further enhanced.
In the description given above, the information previously stored in the chip of the CPU 11 is the “chip unique information” and the “vendor unique information” by way of example, but the invention is not limited to this mode. For example, the invention can also be applied to the case where “model unique information” assigned uniquely to the corresponding playback unit model, rather than the “vendor unique information,” is stored in the chip of the CPU 11. In this case, the “vendor unique information” in the function description and the operation description given above may be replaced with the “model unique information” for interpretation. That is, the combination of the “chip unique information” and the “vendor unique information” can be replaced with the combination of the “chip unique information” and the “model unique information.” The “model unique information” may be stored in a predetermined storage area outside the chip (for example, a secret area in the playback unit). The chip unique information, the model unique information, etc., are key information and thus may be stored in a concealed state. The “chip unique information” may be given to each chip at random based on random numbers or may be given as serial numbers.
The invention can also be applied to the case where “apparatus unique information” assigned uniquely to the corresponding playback unit, rather than the “chip unique information,” is stored in the chip of the CPU 11. In this case, the “chip unique information” in the function description and the operation description given above may be replaced with the “apparatus unique information” for interpretation. That is, the combination of the “chip unique information” and the “vendor unique information” can be replaced with the combination of the “apparatus unique information” and the “vendor unique information.” The “apparatus unique information” may be stored in a predetermined storage area outside the chip (for example, a secret area in the playback unit).
Likewise, the combination of the “chip unique information” and the “vendor unique information” can also be replaced with the combination of the “apparatus unique information” and the “model unique information” existing outside the chip, for example. In this case, the “chip unique information” in the function description and the operation description given above may be replaced with the “apparatus unique information” and the “vendor unique information” may be replaced with the “model unique information” for interpretation.
According to the above-described embodiment, the following advantages can be provided:
Since the firmware delivered from the development process to the manufacturing process is subjected to encryption and tampering check data addition using the same information as the vendor unique information in the chip of the CPU, the degree of difficulty in analyzing the firmware by a hacker, another vendor using the same CPU, etc., can be enhanced.
Since the firmware, after it is delivered to the manufacturing process, is subjected to both decryption involving a tampering check and re-encryption by the program (firmware installing tool) stored in the CPU, etc., the degree of difficulty in analyzing the firmware by a hacker, another vendor using the same CPU, etc., can be enhanced.
After the product shipment, the firmware stored in the firmware storage section of the playback unit has been subjected to encryption and tampering check data addition at least using the chip unique information in the chip of the CPU, so that the degree of difficulty in analyzing the firmware by a hacker, another vendor using the same CPU, etc., can be enhanced.
It is to be understood that the invention is not limited to the specific embodiment described above and that the invention can be embodied with the components modified without departing from the spirit and scope of the invention. The invention can be embodied in various forms according to appropriate combinations of the components disclosed in the embodiment described above. For example, some components may be deleted from all components shown in the embodiment. Further, the components in different embodiments may be used appropriately in combination.
Number | Date | Country | Kind |
---|---|---|---|
P2006-282806 | Oct 2006 | JP | national |