High-bandwidth Digital Content Protection (HDCP) is a form of copy protection for digital media. It is typically implemented in media sources (e.g., set-top boxes, DVD player), media sinks (e.g., televisions, digital projectors), and repeaters (e.g., home theater receivers), and provides an encrypted data transmission between devices to prevent copying of digital audio and video content. The High-Definition Multimedia Interface (HDMI) interface, in particular, employs HDCP encryption.
In order to access HDCP-encrypted media, a device must be authenticated. During a typical authentication process, a pair of linked devices exchange respective public keys. Each device generates a number by processing a respective secret key according to the received public key. A device is then authenticated by comparing the generated number against the number provided by the linked device. If there is a match between the numbers, then the device is authenticated and the respective link is determined to be secure, enabling the device to access the encrypted media. If authentication fails due to a mismatch of the numbers, then the device is prohibited from accessing the protected content.
Example embodiments of the present invention provide a method and apparatus for authenticating and controlling access to privileged hardware. A microcode authentication unit receives a microcode segment and generates a corresponding signature resulting from a hash function. The signature and size of the microcode segment are compared against predetermined stored values. If a match is determined, the authentication unit enables access to protected hardware units within the device.
In an example embodiment, a method of controlling access to hardware features includes generating a signature corresponding to a received microcode segment, and comparing the signature against a stored signature value. If a match is detected between the signature and the stored signature value, access to a secure hardware unit is enabled. In further embodiments, a dimension of the microcode segment can be compared against a stored size value. Generating the signature may include executing a SHA-1 hash function of the microcode segment, the signature being a SHA-1 hash value. The secure hardware unit may include a device storing an AES secure key or an encrypted HDCP key.
In further embodiments, a circuit for controlling access to hardware features includes a secure hardware unit, a storage unit storing a stored signature value, and a microcode authentication unit. The microcode authentication unit may be configured to generate a signature corresponding to a received microcode segment, compare the signature against a stored signature value, and enable access to the secure hardware unit in response to a match between the signature and the stored signature value.
In still further embodiments, one or more fuse circuits may provide the stored signature value. A stored size value may be provided from the fuse circuit, and a dimension of the microcode segment may be compared against the stored size value. The fuse circuit may be permanently blown to indicate the stored signature value. The fuse circuit may be fixed to the protected hardware unit, which may render it inaccessible to outside access and therefore not susceptible to interception or modification. If an absence of a match between the signature and the stored signature value is detected, access to the secure hardware unit can be prevented, while access to an execution unit independent of the secure hardware unit can be enabled regardless of whether a match is detected.
The foregoing will be apparent from the following more particular description of example embodiments of the invention, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating embodiments of the present invention.
A description of example embodiments of the invention follows. Embodiments of the present invention provide a method and apparatus for authenticating and controlling access to privileged hardware.
For an HDCP transmitter (source), a Device Secret Key consists of a secret global constant (128 bits). For an HDCP receiver (sink), Device Secret Keys consists of the secret global constant and the Digital Content Protection, LLC (DCP)/Rivest,
Shamir and Adleman (RSA) private key (128 bits+1024 bits). The Device Secret Keys must be protected from exposure outside of the HDCP Device. To prevent such exposure, the Device Secret Keys are encrypted using an Advanced Encryption Standard (AES) secure key and stored either into fuses (ie. efuse[secret_keys]) or into external flash. In the latter case, the efuses contain other secret keys to protect the Device Secret Keys. Microcode comprises instructions for controlling various hardware and software components within the devices, and may implement the desired protection scheme (RSA, ECC, etc.), as determined by the respective device. The microcode is provided by a host controller. To prevent malicious microcode from exposing the Device Secret Keys, only authenticated microcode may access the efuse[secret_keys] or the AES secure key required to decrypt efuse[secret_keys].
The AES secure key (SKEY) can only be accessed in secure mode, which is enabled upon authenticating the received microcode. The secure key is accessed by writing to AES_SKEY register instead of AES_KEY register. A write to AES_SKEY while in secure mode will replace the write data with the secure key. When not in secure mode, AES_SKEY is just a synonym for AES_KEY. As a result, the actual write data will be used instead of the secure key.
Microcode cannot read the secure key or the secure key schedule, even in secure mode. Only the AES unit has access, and only in secure mode. As before, the AES backing store shares some addresses with the AES key and AES key schedule. Consequently, reads to the shared addresses will return zeros while the secure key or secure key schedule is loaded. The only way to clear out the secure key is to write another key to AES_KEY and then create a new key schedule by writing to any of AES_DATA_.
Microcode authentication is performed by the “microcode authentication unit” hardware, described below with reference to
If no fuses have been blown, then efuse[kernel_size]=0. In this case, no microcode will be granted access to the privileged hardware features.
A device may exit the secure mode by performing a reset of the execution unit. A reset clears the register file, cpu/aux registers, FV, accumulator, etc.
The kernel microcode can be either a small bootstrap microcode that supports loading secure images (i.e., RSA signature verification support must be included in the bootstrap image), or it can be a full featured microcode with complete feature set to support HDCP2.0, etc.
If desired, the kernel microcode may allow loading of secure microcode images. In order for the secure images to be loaded, they must be signed with a private key (at microcode image generation time) and successfully verified with a public key (at microcode load time). Only images whose digital signature is successfully verified can be loaded in the secure mode (a kernel software feature).
The microcode authentication unit 120 processes the microcode segment to generate a signature. Fuses 130 store one or more values for comparing against the microcode segment or the generated signature. The microcode memory 115 maintains the microcode for execution by an execution unit 140, which may include a processor to carry out hardware operations according to the microcode instructions. The execution unit may have access to additional hardware units (not shown) present in the respective device. If the microcode is authorized by the microcode authentication unit 120, the execution unit 140 will have access to protected hardware units 150, which may include keys such as an AES secure key. The protected hardware units may further include any other hardware components, functions or information (e.g., keys, privileged or encrypted data) that are to be protected from access by unauthorized microcode.
The assembly 101 may be implemented in a single integrated circuit, or as a plurality of chips enclosed in a system-in-package (SiP) embodiment. Implementing the fuses 130 within the chip may provide additional security in authenticating the microcode. In particular, by providing the predetermined values for authentication (stored in the fuses) within the chip, rather than loading the values onto the chip, the assembly is not susceptible to receiving incorrect values from an external source, which could result in incorrectly authenticated microcode.
An example operation of the assembly 101 is described below with reference to
Once the microcode is loaded at the memory 115 and the authentication unit 120 (215), the execution unit 140 is enabled (230) to carry out hardware operations as instructed by the microcode in response to requests made by the host controller 109. The authentication unit 120 accesses the fuses 130 to read one or more codes corresponding to characteristics of the microcode or the generated signature (235). For example, the fuses 130 may specify a predetermined signature that corresponds to (or matches) the signature generated from an authorized microcode segment (“Efuse[kernel_signature]”), as well as specify a size of the microcode segment to be authenticated (“Efuse[kernel_size]”).
The authentication unit 120 then compares the loaded microcode size and generated signature against the predetermined values stored at the fuses 130 (240). The authentication unit 120 may compare a subset of the generated signature (rather than the entire signature) against the predetermined value. For example, if the signature is generated by an SHA-1 hash and is 160 bits in size, a 64-bit subset of the signature may be selected for the comparison. If the values match, then the authentication unit 120 enables access to the protected hardware units 150 (250). The execution unit 140 proceeds to execute the microcode (270), and may access the protected hardware units 150 as required by the microcode. If a match fails (240), then access to the protected hardware units 150 remains disabled, and the execution unit 140 proceeds to execute the microcode without accessing the protected hardware units 150.
Additional information regarding HDCP procedures and authentication are described in U.S. patent application Ser. No. 12/848184 and U.S. Provisional Application 61/326546, the teachings of which are incorporated by reference. The teachings of all patents, published applications and references cited herein are incorporated by reference in their entirety.
While this invention has been particularly shown and described with references to example embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the invention encompassed by the appended claims.
This application claims the benefit of U.S. Provisional Application No. 61/445,681, filed on Feb. 23, 2011. The entire teachings of the above application are incorporated herein by reference.
Number | Date | Country | |
---|---|---|---|
61445681 | Feb 2011 | US |