MICROPROCESSOR TESTING CIRCUIT

Abstract

A microprocessor testing circuit includes a sensor selection circuit to select a sensor measuring a characteristic of a microprocessor. An offset circuit artificially drives a signal from the selected sensor out of a predetermined range to invoke a fault operation in the microprocessor.

Description

BACKGROUND

Processors have gained in sophistication with technological developments to create a more secure and useful environment. Security may be comprised when a party tampers with these processors. Additionally, these processors may be operating outside a range of acceptable tolerances, such as temperature and/or voltage which may cause issues with data corruption, unpredictable behavior, and even processor failure.

BRIEF DESCRIPTION OF DRAWINGS

The embodiments are described in detail in the following description with reference to the following examples disclosed in the following figures.

FIG. 1 illustrates a microprocessor testing circuit;

FIG. 2 illustrates the microprocessor testing circuit according to another example;

FIG. 3 illustrates a microprocessor that may include the illustrates a microprocessor testing circuit; and

FIG. 4 illustrates a method.

DETAILED DESCRIPTION OF EMBODIMENTS

For simplicity and illustrative purposes, the principles of the embodiments are described by referring mainly to examples thereof. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the embodiments. It is apparent that the embodiments may be practiced without limitation to all the specific details. Also, the embodiments may be used together in various combinations.

Processor security and tolerances may be monitored through sensor measurements. Sensors may measure internal characteristics of the processor. For example, the sensors may measure voltage, temperature, vibration, shock, acceleration, package penetration, magnetic orientation, radiation, etc. A processor may determine when measurements from a sensor are outside a predetermined range and then perform a security function if such measurements are detected. A security function may include invoking a fault operation, such as generating an alarm, entering a fault state, etc. The microprocessor testing circuit artificially drives a measurement signal from a sensor out of a predetermined range to test a security function of the microprocessor. The microprocessor reads a signal to determine whether a sensor is out of a predetermined range in order to determine whether to invoke the fault operation.

Artificially driving a measurement signal from a sensor out of a predetermined range may include modifying the signal read by the microprocessor so the processor determines a measurement from the sensor is out of the predetermined range. In one example, an offset is provided to a measurement signal output from a sensor. For example, the measurement signal output from a sensor is a voltage representative of a measured internal characteristic of the microprocessor. For example, temperature measured by the sensor is converted to a voltage. An offset voltage may be added to the voltage output from the sensor to increase or decrease the voltage out of its predetermined range so the microprocessor determines the sensor measurement is outside its predetermined range. The predetermined range may be acceptable temperatures determined, for example, by the manufacturer or another entity. Temperatures outside the range are considered unacceptable and may invoke a fault operation.

The microprocessor testing circuit may be provided in a microprocessor. For example, the microprocessor testing circuit is provided on the integrated circuit of the microprocessor. The microprocessor may include a secure microprocessor that includes security measures to provide tamper resistance. Examples of the security measures may include external bus encryption, secure key storage, zeroization, environmental failure protection, comprehensive state management, status display and event logging, and extensive on-chip testing. The microprocessor may function in a plurality of states. For example, the states may include a clear state, a secure state, and a zeroized state. The clear state is before the microprocessor stores encrypted data. The secure state is the normal mode of operation, such as when the microprocessor stores encrypted data. The zeroized state is when a fault occurs and whatever secrets, e.g., cryptographic keys, PINs, critical data, are stored in the microprocessor are erased. This is a fault operation. The microprocessor testing circuit may include logic to prevent testing when the microprocessor is in the secure state to resist tampering. For example, the testing circuit may include a switch connected to an external port of the microprocessor. As long as the switch is kept open, information cannot be read from the external port and no external voltage can force the internal circuitry to malfunction. The microprocessor may be compliant with the FIPS 140 standard. Federal Information Processing Standards (FIPS) 140 are a series of U.S. government computer security standards published by National Institute of Standards and Technology (NIST) that specify standards for cryptographic modules which include both hardware and software components.

FIG. 1 illustrates an example of a microprocessor testing circuit 100 which includes a sensor selection circuit 101 and an offset circuit 102. Sensors 110 measure characteristics, including the internal characteristics, of a microprocessor, such as temperature, voltage, etc., and the sensors 110 output sensor measurement signals representative the measured characteristics of the microprocessor. The sensor selection circuit 101 selects a sensor from the sensors 110 to read, and the sensor measurement signal 120 from the selected sensor is provided for reading the measurement from the selected sensor. The offset circuit 102 outputs an offset signal 121 to artificially drive the sensor measurement signal out of a predetermined range. For example, an offset source 111 reads the sensor measurement signal 120 and determines how much to offset the sensor measurement signal 120 to make it fall outside a predetermined range, which may include one or more values. The offset source 111 may generate a signal of the offset amount and the offset circuit 102 provides the offset signal 121, including the offset amount, for combining with the sensor measurement signal 120 at a combiner 105. The offset source 111 may be an external testing system that is connected to the microprocessor via an external port such as shown in FIG. 2.

The combiner 105 generates an offset sensor measurement signal 122 which represents the selected sensor measurement offset by the offset amount represented by the offset signal 121. If the signals 120 and 121 are voltages representing the sensor measurement and offset amount respectively, such as described in the example in FIG. 2, the combiner 105 may combine these voltages to generate the offset sensor measurement signal 122 representing the combined voltages.

A conversion module 104 may be used to convert measurement signals to a signal that can be read by the microprocessor. For example, the combiner 105 and the fault detection module 106 may include a security application comprising machine readable instructions executed by the microprocessor. The conversion module 105 may include an analog-to-digital converter (ADC) to convert voltages representative of sensor measurements, and analog offset signals, to digital values that represent the sensor measurements and offset amounts. For example, the signal 120 may be a voltage output from a sensor that is converted to a digital value. The signal 121 may also be a voltage that is converted to a digital value by the conversion module 104, as represented by the dashed line, or the signal 121 may be provided as a digital value to the combiner 105, in which case no analog-to-digital conversion may be needed. The conversion module 105 may also use calibration values for the sensors and/or the ADC and other circuit components to determine the digital values that represent the sensor measurements and offsets. The digital values may be stored in a register and the fault detection module 106 determines if the offset sensor measurements are out of the predetermined range and invokes fault operations in response to the out of range measurements. Accordingly, the microprocessor testing circuit 100 may be used to artificially drive sensor measurements out of a predetermined range to test the security functions and fault operations of the microprocessor.

The offset circuit 102 may control the access of the offset source 111 to the microprocessor to minimize tampering. For example, if the microprocessor is a secure processor operating in a secure state, such as when the microprocessor stores sensitive data or manages cryptographic keys, the offset circuit 102 may not allow an external system to read or write data to the microprocessor via an external port. State control logic 141 may determine the state of the microprocessor, and send an enable signal 124 to the offset circuit 102 if the microprocessor is not operating in the secure state. If the microprocessor is operating in the secure state, the state control logic 141 may send a signal to disable the connection of the offset source 111 to the microprocessor testing circuit 100.

FIG. 2 illustrates an embodiment of the microprocessor testing circuit 100. The sensors 110 are shown as 110a-n. The sensor selection circuit 101 includes the multiplexer 204, and the offset circuit 102 includes the switch 207 and the resistor 206 connected between the switch 207 and an output of the multiplexer 204. The conversion module 105 may include the ADC 205 and lookup table 206 comprised of calibration values.

In operation, the sensors 110a-n convert a measurement, for example, into a voltage representing a measurement. The voltage is output from the sensors to the multiplexer 204. The multiplexer 204 receives a selection signal, for example, from the microprocessor to select a sensor. The voltage output of the selected sensor is output from the multiplexer 204. Also, if the switch 207 is closed, the offset source 111 connected to the microprocessor external port 208 can read the voltage across the resistor 206 to determine the voltage output from the selected sensor. The offset source 111 can also generate the offset signal 121 to offset the voltage from the selected sensor to be outside of a predetermined range to invoke a fault operation. The offset measurement signal 122 shown in FIG. 1 may be the combined voltage of the selected sensor output and the offset voltage provided by the offset signal 121. The ADC 205 converts a voltage input to the ADC to a digital measurement 210, such as a binary value representing the input voltage. The digital measurement 210 may be adjusted using calibration values in the lookup table 206 to account for variations caused by the ADC 205, the multiplexer 204, and/or nonlinearity in the sensors 110a-n, and the adjusted digital values may be read by the microprocessor (e.g., security application 311) to determine whether a measurement is outside a predetermined range. The switch 207 may be controlled by the state control logic 141. For example, the switch 207 is opened if the microprocessor is operating in the secure state.

FIG. 3 shows the microprocessor testing circuit 100, which may include the testing circuit shown in FIG. 1 or FIG. 2, in the microprocessor 300. The microprocessor 300 may include a central processing unit core 301, a data storage 302, which may include a cache, a microprocessor security system 310 including the microprocessor testing circuit 100 and a security application 311. The security application 311 may include the fault detection module 106 and/or the combiner 105 shown in FIG. 1. The microprocessor 300 may be a secure microprocessor and may include security components 320 other than the security system 310, such as secure data storage, hardware cryptographic engine, etc., to provide tamper resistance for the secure microprocessor. The components of the microprocessor may be connected via a bus 321.

FIG. 4 describes a method 400 including steps that may be performed by the microprocessor testing circuit 100 shown in FIGS. 1-3. At 401, the offset circuit 102 determines whether calibration and/or testing may be performed. For example, the microprocessor 300 sends a signal to the offset circuit 102 to enable testing and/or calibration. For example, the switch 207 shown in FIG. 2 is closed to enable calibration and/or testing. Testing and/or calibration may be enabled if the microprocessor 300 is not in a secure state.

If testing and calibration are enabled, at 410 calibration may be performed. If calibration is to be performed, the calibration may include ADC calibration 411 or sensor calibration 412.

ADC calibration 411 may include the microprocessor 300 selecting the multiplexer input shown in FIG. 2 that is connected to the switch 207 and the external port 208. The microprocessor 300 closes the switch 207, and the offset source 111 or another external system connected to the external port 208 drives the external port 208 with a variable direct current (DC) voltage source. Simultaneously, the microprocessor reads the output of the ADC 205 and measures the voltage being input on the external port 108. The lookup table 206 (or similar correction table) is created to convert the values output from the ADC to the voltage values provided on the external port 208. The ADC calibration may be performed because many components in the ADC 205 can alter the readings, including the voltage reference, the multiplexer 204, and typical design tolerances of the components when the integrated circuit is made. The values in the lookup table 206 are used to determine the voltage inputs representative of sensor measurements. A separate lookup table may exist for each multiplexer input.

At 412, sensor calibration may be performed. For example, the switch 207 shown in FIG. 2 is closed. As the multiplexer 204 selects the different sensors, the voltage at the input of the ADC 205 is passed to the external port 208 via the resistor 206, and an external system connected to the external port 208 may use a voltmeter to measure the voltage. While a sensor is selected, it may be tested throughout its range, e.g., by varying the chip temperature, supply voltage or other characteristics measured by the sensors 110. This gives an external reading of the functionality of each sensor, and the sensor voltages may be stored in a lookup table to correspond to the measured values of the microprocessor characteristics. The calibration values determined at 411 and 412 may be used to determine the actual measurements from the outputs of the sensors 110.

At 420, the security functions of the microprocessor 300 are tested using the microprocessor testing circuit 100. The testing may use the calibration values determined at 411 and/or 412 to determine the linearized measurements 211 shown in FIG. 2. For example, the switch 207 shown in FIG. 2 is closed. The microprocessor selects one of the sensors 110 using the multiplexer 204. For example, the sensor 110a is selected and voltage output from the sensor 110a is output from the multiplexer 204. The voltage is read by an external system, such as offset source 111, connected to external port 208.

The offset source 111 generates the offset signal 121 which includes the offset amount to add to the voltage read at external port 208. For example, the offset source 111 stores the predetermined ranges of the sensors 110. Measurements outside the predetermined ranges are considered out of tolerance and should invoke security functions of the microprocessor 300. For example, the sensor 110a measures power supply voltage and the range is 4.8 to 5.2 volts. The offset source 111 reads the voltage at external port 208 to determine the sensor value of the selected sensor 110a. If the sensor value is representative of a 5 volt measurement, the offset source may generate a 1 volt offset signal and communicate the offset signal to the security application 311 reading the sensor measurements. The 1 volt offset may be communicated through another port or through another communication channel not shown to the security application 311. The security application receives the 5 volt measurement and the 1 volt offset and combines them to treat the measured power supply voltage to be 6 volts, even though it is actually at 5 volts. The 6 volts is out of the predetermined range for the sensor 110a, so the security application should invoke a fault operation that can be detected through testing. The same procedure may be performed for each sensor 110 to artificially drive each sensor out of its predetermined range to test if the proper fault operation is invoked.

Functions, steps and methods described herein may be embodied as machine readable instructions stored in non-transitory computer readable medium, such as data storage 302. The machine readable instructions may be executed by the microprocessor 300.

Claims

1. A microprocessor comprising: a multiplexer having inputs connected to a plurality of sensors and connected to an external port via a switch, wherein each sensor outputs a voltage representative of measured characteristic of the microprocessor; andan analog to digital converter (ADC) having an input connected to an output of the multiplexer, wherein the microprocessor determines whether a characteristic measured by one of the sensors is within a predetermined range based on signal values output from the ADC and an offset signal generated from an external system.

2. The microprocessor of claim 1, comprising a resistor connected between the switch and the output of the multiplexer wherein if the switch is closed, a voltage of the selected sensor output from the multiplexer is read via the resistor from the external port.

3. The microprocessor of claim 2, wherein the external system determines an offset amount for the offset signal based on the voltage read from the external port, and the offset amount when combined with the voltage read from the external port represents a measured characteristic outside the predetermined range.

4. The microprocessor of claim 1, comprising switch control logic to prevent the switch from being closed if the microprocessor is in a secure state.

5. The microprocessor of claim 1, wherein a voltmeter is to be connected to the external port if the switch is closed to read the voltages generated by each sensor as each of the inputs of the multiplexer are selected.

6. A microprocessor testing circuit comprising: a sensor selection circuit to select one of a plurality of sensors measuring characteristics of a microprocessor; andan offset circuit to artificially drive a signal from a selected one of the plurality of sensors out of a predetermined range to invoke a fault operation in the microprocessor.

7. The microprocessor testing circuit of claim 6, wherein the sensor selection circuit comprises a multiplexer having inputs connected to the plurality of sensors and an input connected to an external port of the microprocessor via a switch, wherein each of the sensors outputs a voltage representative of measured characteristics of the microprocessor.

8. The microprocessor testing circuit of claim 7, wherein the offset circuit comprises the switch and a resistor, wherein the switch is connected between the external port and the resistor, and the resistor is connected to the switch and an output of the multiplexer.

9. The microprocessor testing circuit of claim 8, wherein an external system is connected to the offset circuit via the external port via the switch if the switch is closed, and the external system is to provide an offset signal to artificially drive the signal from the selected one of plurality of sensors out of the predetermined range.

10. The microprocessor testing circuit of claim 9, comprising an analog to digital converter (ADC) having an input connected to an output of the multiplexer, wherein the microprocessor determines whether the artificially driven signal is out of the predetermined range based on a signal value output from the ADC.

11. The microprocessor testing circuit of claim 10, wherein the microprocessor selects the input of the multiplexer connected to the external port to perform calibration using an external system providing varying voltages via the external port to the multiplexer and the ADC.

12. The microprocessor testing circuit of claim 7, wherein the plurality of sensors are calibrated by closing the switch and reading the voltages generated by the plurality of sensors via the external port by an external system as the multiplexer selects each of the sensors and as each sensor is tested throughout its range.

13. A method of testing a microprocessor comprising: determining whether testing and calibration is enabled in the microprocessor;if the testing and calibration are enabled calibrating an analog to digital (ADC) converter or calibrating sensors measuring characteristics of a microprocessor; andtesting a security function of the microprocessor using the calibrations determined for the ADC or the sensors, wherein the testing comprises selecting one of the sensors through the multiplexer, converting an analog output of the selected sensor to a digital value through the ADC and the calibrations, determining an offset amount received from an external system, determining a combined value from the offset amount and the digital value, and detecting the combined value is out of a predetermined range for the selected sensor to invoke a fault operation.

14. The method of claim 13, comprising repeating the testing for each sensor.

15. The method of claim 13, comprising: determining whether the microprocessor is not in a secure state; andif the microprocessor is not in the secure state, enabling the external system to read the output of the selected sensor.