1. Field of the Invention
The present invention relates to a memory module for simultaneously providing at least one secure and at least one insecure memory area, as well as to a microcontroller having such a memory module.
2. Description of the Related Art
The present invention relates to the field of so-called secure microcontrollers, in particular in the automotive industry. For most applications in safety-relevant areas, non-manipulatable or non-viewable storage of data is an essential basic requirement. The keys for symmetric methods or private keys of asymmetric methods are secrets and therefore must be kept secret from attackers. Other applications require at least protection against changes, for example, storing of serial numbers or mileage, preventing chip tuning, etc.
It is therefore customary to provide secure environments for executing functions which must view and/or change these secrets. These environments usually include a “secure CPU” and a separate memory module for the secure non-volatile storing of data, also referred to as “secure NVM” (NVM=Non-Volatile Memory), which may be addressed only via the “secure CPU.”
For providing secure functions, it is contemplated to use microcontrollers which in addition to the usual microcontroller components such as CPUs, memory modules, buses, I/O interfaces, etc., also include a secure CPU and a secure memory module. Providing the secure environment in a microcontroller is, however, relatively complicated, which is due, in particular, to the technology of the non-volatile memories normally used today. The secure memory module is normally designed as a flash module and includes, like all flash memory modules, the actual memory cells (transistors), a write/read electronic unit for operating the memory (for example, a state machine, address buffers, data buffers, line decoders, column decoders, etc.), an interface unit for connecting the write/read electronic unit to the internal microcontroller bus, as well as an analog circuit part for supplying and/or amplifying voltage, and the like. In particular, this analog circuit part, which normally (for example, flash, EEPROM) includes a charge pump and a battery of amplifiers, requires a very large chip surface and results in considerable costs for the module.
It is therefore desirable to have to use only one memory module in secure microcontrollers for storing both secure and insecure data. However, in the memory modules used in the related art, the user (normally a CPU) accessing such a memory is able to view and modify the entire data area, so that one memory module is used for secure data and one memory module for insecure data.
The present invention is based on the idea of making the simultaneous provision of secure and non-secure, i.e., insecure memory areas in a memory module, particularly simple, if for this purpose only those elements needed for providing the security functionality come in multiple forms, while all other elements come in single form, if possible. In particular, a memory module may simultaneously provide secure and insecure memory areas if a separate write/read electronic unit is provided for each memory area; however, only one analog circuit part, such as a voltage supply circuit, is provided for all write/read electronic units in the memory module. The present invention describes an extended memory module, which allows the joint use of a large memory for multiple users. It allows the users to use [memory] portions dedicated to them, whereby the security of the secret and/or non-manipulatable data remains ensured. A memory module according to the present invention may be advantageously defined on the chip as a single so-called hard macro.
Only one interface unit is advantageously provided for connecting the write/read electronic units. Thus, as a result, multiple memory areas having separate write/read electronic units are provided in a single memory module, superfluous interface units being particularly advantageously omitted.
According to one advantageous embodiment of the present invention, the memory module is designed as a flash memory module, only one charge pump and/or one battery of amplifiers (battery of write/read amplifiers) being provided for supplying the intended number of memory areas and write/read units. In particular in the case of flash memories, the present invention offers special advantages, since the voltage supply circuit as a component of the analog circuit part is particularly complex in this case.
It is understood that the above-named features and those to be elucidated below are usable not only in the given combination, but also in other combinations or alone without departing from the scope of the present invention.
The present invention is schematically illustrated in the drawing on the basis of an exemplary embodiment and is described in detail below with reference to the drawing.
Furthermore, a secure environment 140 is provided in microcontroller 100 via a secure CPU 150 and a secure memory module 160. In order to execute secure functions, secure CPU 150 is addressed via bus 120 and then accesses secure memory module 160 if necessary.
Memory modules 130 and 160 have essentially identical designs, each having an interface unit 131 and 161, respectively, for connecting the memory module to bus 120 within the microcontroller, a write/read electronic unit 132 and 162, respectively, and actual memory areas 133 and 163, respectively. Memory modules 130 and 160 advantageously include flash memories, so that memory areas 133 and 163 include a number of floating-gate transistors as memory cells. Furthermore, memory modules 130 and 160 each include an analog circuit part 134 and 164, respectively, which, in the described example of a flash memory, include at least one voltage supply circuit having a charge pump and a battery of write/read amplifiers. Write/read electronic units 132 and 162 each include, for example, a state machine, address buffers, data buffers, line decoders, column decoders, etc. Memory modules 130 and 160 are separate modules and therefore defined as separate hard macros on the chip surface.
Microcontroller 200 includes a memory module 230 according to one preferred specific embodiment of the present invention. Memory module 230 is designed for simultaneously providing an insecure memory area 133 and a secure memory area 163. Memory areas 133 and 163 are each provided with corresponding write/read electronic units 132 and 162, respectively. Write/read electronic units 132 and 162 each include, for example, a state machine, address buffers, data buffers, line decoders, column decoders, etc., i.e., essentially those elements which are necessary for providing securely separated memory areas.
Advantageously, however, memory module 230 has only one analog circuit part 234 which, in the case of a flash memory, includes in particular a voltage supply circuit having a charge pump and/or a battery of write/read amplifiers, and which is used for supplying all elements of memory module 230.
According to the illustrated preferred specific embodiment, write/read electronic units 132 and 162 are connected to the outside, in the present case to bus 120 within the microcontroller, via a single interface unit 231.
Memory module 230 may be advantageously defined as a hard macro on the chip surface for simultaneously providing secure and insecure, i.e., non-secure, memory areas.
According to the specific embodiment of the present invention illustrated herein, secure CPU 150 is connected to secure memory module 230 or to its interface unit 231 via an identification link 240. By adding an appropriate circuit logic to interface unit 231, access of users to different memory areas 133 and 163 may be limited if the user performing the access is unambiguously identifiable. Unambiguous identification may take place, for example, via identification link 240. However, identification may also take place via bus 120, for which purpose known signals, such as a master interface identifier, may be used.
Although in the present example only two users, i.e., CPUs 110 and 150, access only two memory areas, i.e., memory areas 133 and 163, in secure memory module 230, the present invention is not limited to this specific embodiment. Instead, any number of users and any number of memory areas may be provided independently of one another.
Number | Date | Country | Kind |
---|---|---|---|
10 2010 028 231 | Apr 2010 | DE | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP2010/065858 | 10/21/2010 | WO | 00 | 2/5/2013 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2011/134541 | 11/3/2011 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
4974208 | Nakamura et al. | Nov 1990 | A |
5267218 | Elbert | Nov 1993 | A |
5293424 | Holtey et al. | Mar 1994 | A |
5491809 | Coffman et al. | Feb 1996 | A |
5732017 | Schumann et al. | Mar 1998 | A |
5749088 | Brown et al. | May 1998 | A |
6032237 | Inoue et al. | Feb 2000 | A |
6094724 | Benhammou et al. | Jul 2000 | A |
6122216 | Dykes | Sep 2000 | A |
6421279 | Tobita et al. | Jul 2002 | B1 |
6510501 | Ho | Jan 2003 | B1 |
6975547 | Byeon et al. | Dec 2005 | B2 |
7197595 | Asari et al. | Mar 2007 | B2 |
7210012 | Lee et al. | Apr 2007 | B2 |
7418602 | Yoshida et al. | Aug 2008 | B2 |
7849310 | Watt et al. | Dec 2010 | B2 |
8209550 | Gehrmann | Jun 2012 | B2 |
8245000 | Ramezani | Aug 2012 | B2 |
8370644 | Handschuh et al. | Feb 2013 | B2 |
20040181708 | Rothman et al. | Sep 2004 | A1 |
20070016832 | Weiss | Jan 2007 | A1 |
20070150754 | Pauly et al. | Jun 2007 | A1 |
20070199046 | O'Brien | Aug 2007 | A1 |
20090183009 | Delfs et al. | Jul 2009 | A1 |
20090296479 | Yamaoka et al. | Dec 2009 | A1 |
20130305342 | Kottilingal et al. | Nov 2013 | A1 |
Number | Date | Country |
---|---|---|
1 067 557 | Jan 2001 | EP |
2001-526819 | Dec 2001 | JP |
2002-353960 | Dec 2002 | JP |
2008-310350 | Dec 2008 | JP |
WO 0201368 | Jan 2002 | WO |
Entry |
---|
International Search Report for PCT/EP2010/065858, dated Mar. 28, 2011. |
Number | Date | Country | |
---|---|---|---|
20130128664 A1 | May 2013 | US |