This application is directed, in general, to integrated circuits and, more specifically, to protecting integrated circuits from voltage variations.
Hardware security is a concern in essentially all product categories where chips are being subjected to security attacks to extract information. Various tools can be used for physical attacks, which may compromise secure information stored on a chip. One example of a common physical attack is a voltage attack. In a voltage attack, a hacker can spike the voltage rail of a chip causing hold violations, which can result in a system hang during boot up. During the hang, secure information can potentially be read out through JTAG outputs. Voltage glitches can also result in setup time (logic) failures on a chip. If this happens in the security engine control logic, security checks can be bypassed, giving a hacker complete access to secured content/encrypted information.
In addition to voltage attacks, voltage changes can affect the operation of a chip. For example, rapid changes in voltage due to change in workload may result in localized voltage drops that can affect the chip operation. Voltage changes exceeding an operating threshold can also damage components of a chip.
In one aspect the disclosure provides a voltage variation detector for monitoring a voltage of an integrated circuit (IC). In one example the voltage variation detector includes: (1) a transistor stack that corresponds to a voltage threshold, (2) a transistor diode, and (3) an inverter that receives an input signal and provides a detection signal that controls one or more gates of the transistor stack, wherein the transistor stack and the transistor diode provide the input signal and the detection signal indicates when the voltage crosses the voltage threshold.
In another aspect, the disclosure provides an IC. In one example the IC includes: (1) circuitry configured to perform one or more functions, and (2) a voltage variation detector that monitors an operating voltage of the functional circuitry and has: (2A) a transistor stack that corresponds to a voltage threshold for the operating voltage, (2B) a transistor diode, and (2C) an inverter that receives an input signal and provides a detection signal that controls one or more gates of the transistor stack, wherein the transistor stack and the transistor diode provide the input signal and the detection signal indicates when the operating voltage crosses the voltage threshold.
In still another aspect, the disclosure provides a method of protecting an integrated circuit from voltage variations. In one example the method includes: (1) detecting at least one transition of a voltage across a voltage threshold, wherein the detecting is based on a transistor diode being reverse biased, (2) generating a detection signal when the voltage crosses the voltage threshold, wherein the voltage threshold corresponds to a transistor stack that is controlled by the detection signal, and (3) performing one or more defensive actions in response to the detection signal.
Reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
Chips need to be secure from voltage attacks to prevent the extraction of information. Additionally, chips need to be protected against voltage changes that can damage components, cause timing failures, or both. Accordingly, the disclosure recognizes the need for protecting an IC from both intentional and unintentional voltage variations.
The disclosure provides a voltage detecting circuit that detects voltage increases and voltage decreases using a diode drop and voltage thresholds. The voltage detecting circuit, referred to as a voltage variation detector, uses the diode to maintain a differential between the voltage being monitored and a voltage threshold. When the diode is reverse biased, the voltage variation detector generates a detection signal indicating the monitored voltage crossed the voltage threshold. The voltage variation detector uses a positive feedback mechanism to inject current to invert a latched value to generate the detection signal. The detection signal is maintained as a sticky output until reset. The reset can be an external reset signal provided by, for example, a response circuit after the voltage variation is acknowledged. A voltage variation is a voltage increase, such as a spike or glitch, or a voltage decrease, such as a voltage drop or droop, which crosses a voltage threshold. The voltage threshold can be a selectable threshold that is configured for particular instances. A transistor stack can be used to establish the voltage threshold.
The disclosed voltage variation detector has many advantages over existing voltage detectors. For example, analog-to-digital converter (ADC) detectors are slow to respond to a voltage change, whereas a typical response time to slow down a clock during load release should be within tens of nanoseconds. Also, ADCs need an analog supply, which might be expensive to add at multiple locations.
Ring Oscillator or delay line-based detectors are other examples for monitoring voltage changes. These techniques, however, need a fixed clock as reference to compare the change in frequency with respect to a fixed power supply. Nevertheless, propagating a fixed clock at a given voltage across a chip can be expensive.
Voltage Sense Amplifier based detectors are also used for voltage monitoring. These differential based sense amplifiers can detect change in voltage given a reference voltage. As such, a voltage reference is needed and adding a fixed reference voltage source across the chip can be expensive.
Advantageously, the disclosed voltage variation detector provides faster voltage detection and a smaller silicon footprint compared to existing detectors. Additionally, the voltage variation detector does not require an analog voltage reference, either internal or external, and does not require a clock reference. Instead of an analog reference, the disclosed voltage variation detector uses a self-generated reference.
The voltage variation detector can be used to protect against voltage glitch attacks by detecting high and low frequency voltage glitches, and can be used as a voltage threshold-based feedback mechanism for slowing down a clock. The voltage variation detector can provide the detection signal to a response circuit that initiates one or more defensive actions to protect against both intentional voltage attacks and unintentional voltage variations.
The functional circuitry 110 is functional or logic circuitry configured to perform a particular function. The functional circuitry 110 may be any circuitry that can be integrated onto a common substrate either now or in the future. For example, the functional circuitry can include hybrid (analog/digital) circuitry and input/output (I/O) circuitry. The integrated circuit 100 can be part of a control system for a machine and the functional circuitry 110 can be directed to a control function for the machine. The machine can be, for example, an autonomous vehicle, a semi-autonomous vehicle, a technology assisted vehicle, or an advanced driver-assistance vehicle. The machine can be a machine, such as a robot, that uses a vision-based control system.
The voltage variation detector 120 can be configured to detect a voltage glitch of VDD. Alternatively, the voltage variation detector 120 can be configured to detect a voltage droop of VDD.
The response circuit 130 initiates one or more actions based on the detection signal. The one or more actions can be different depending on whether the detection signal is for a glitch or a droop. For example, a voltage glitch may be due to a voltage attack and the one or more actions can include protecting data on the integrated circuit. Accordingly, data, such as sensitive information, can be immediately removed or the integrated circuit can be shut down or reset to prevent data from being taken.
Instead of a security risk, an over voltage can also indicate the voltage is approaching an absolute voltage level that can damage components of the integrated circuit. As such, the voltage threshold can be set below a maximum operating voltage for one or more components of the integrated circuit and the detection signal can provide a warning before a damaging voltage level is reached. Accordingly, the one or more actions can be directed to reducing the voltage level before damage occurs. The detection signal can be fed to a monitoring circuit that is configured to identify an amount of time or a number of times the operating voltage exceeds the voltage threshold and the one or more actions can be initiated based on the amount of time or the number of times. The monitoring circuit can be, for example, a counter that is used to count the number of voltage excursions. The monitoring circuit can be part of the response circuit 130, such as represented by monitoring circuit 134. To prevent damage, the response circuit 130 can initiate one or more actions to avoid certain operating modes, avoid certain tests, etc.
For an undervoltage, the one or more actions can slow down a speed of a clock, which can be spatially far from the localized voltage drop (dynamic frequency scaling), to avoid timing failures. More than one response circuit 130 can be used and a unique response circuit can be used with a particular voltage variation detector 120. The response circuit 130 can initiate an action via a security or safety system associated with the IC 100.
The voltage variation detector 120 receives a reset signal that is used to reset the detection signal. As such, the detection signal is a sticky signal that remains asserted until reset. The reset signal can be received from an external circuit, such as the response circuit 130. Depending on the application, the number of cycles before sending the reset signal can be programmed and can be based on the particular application. Once reset, the detection signal may again be asserted if the voltage is still above the threshold.
Similar to functional circuitry 110, the functional circuitries 210, 220, 230, are functional or logic circuitry configured to perform a particular function. The integrated circuit 200 can also be part of a control system for a machine such as noted above with respect to
As with voltage variation detector 120, voltage variation detectors 215, 225, 235, are reset via a reset signal. The reset signal can be an external reset signal that is, for example, received after the voltage variation is acknowledged. The reset signal can be provided by the response circuit 240.
The transistor stack 310 corresponds to the voltage threshold. The transistor stack 310 includes multiple transistors (not shown) connected in series. To set the voltage threshold, a number of the multiple transistors are selected. The number of transistors selected can be selected at manufacturing to establish the voltage threshold for particular applications. The transistor stack 310 provides a variable portion that allows the voltage variation detector 300 to be tuned by moving the reference point for the threshold. As such, the self-generating reference of the voltage variation detector 300 can be controlled. The transistor stack 310 is connected between the operating voltage VDD and an input port of the inverter 320. The number of transistors selected to use for the transistor stack 310 changes the current injected to the input of the inverter 320. The transistor stack 310 can be a stack of PMOS transistors. Also connected between the operating voltage VDD and the inverter 320 input is resistor 330, which is connected in series with the transistor diode 340 at an internal node denoted as VDD_INT. The resistor 330 and the transistor diode 340 are connected in parallel with the transistor stack 310 between VDD and the inverter 320 input and provide an input signal at a node denoted as DIODE_OUT to the inverter 320. A voltage drop across the resistor 330 maintains the high voltage side of the transistor diode 340, noted as VDD_INT in
The inverter 320 includes the input port and also includes an output port (not shown), wherein the inverter 320 receives the input signal at the input port and provides the detection signal at the output port. The output port of the inverter 320 is coupled to the feedback circuit 350 at an internal node denoted by INT, which provides the detection signal to the transistor stack 310.
The detection signal controls one or more gates of the transistors of the transistor stack 310 and indicates when the voltage VDD crosses the voltage threshold based on the transistor diode 340 being reverse biased. Positive feedback from the internal detection signal sets a latch when VDD exceeds the threshold. The latch can be set to high. The detection signal can be a sticky signal and the inverter 320 can be a skewed inverter that is coupled to a skewing circuit as shown in
The inverter 320 is skewed by a skewing stack 420. The skewing stack 420 is a stack of NMOS transistors to skew the voltage at the output port of inverter 320 high. The number of transistors for the skewing stack can vary depending on the particular instance. In some examples, 20-30 NMOS transistors can be selected to form the skewing stack 420 and make the output of the inverter 320 skewed to high. The voltage at the output port of the inverter 320 is nearly the same voltage as VDD_INT, as the PMOS gate of transistor diode 340 is ‘0’, in linear mode, and the resistance of transistor stack 310 is very high. The output of the transistor diode 340, DIODE_OUT, sees one Vthp drop from VDD_INT.
Transistor 442 makes VDD_INT reach full rail (VDD) once OUT_INV goes low. Transistor 446 is a feedback latch transistor which holds INT net close to VDD_INT during nominal voltage (i.e., when there is no overshoot). As VDD rises, current is injected onto DIODE_OUT from VDD_INT and transistor stack 310. Once VDD glitches, the rate at which VDD_INT increases will be less than VDD due to the resistor 330. The output of the transistor diode 340 DIODE_OUT−output of transistor stack 310, which are in saturation mode, continues to rise above Vt of inverter 320 once trigger voltage is exceeded. When V(DIODE_OUT)>VDD_INT−Vthp, the transistor diode 340 D1 is reverse biased and turns off. DIODE_OUT then pulls the inverter 320 output to ‘0’ once it exceeds Vthn of transistor stack 310. The voltage threshold can be controlled by size of the transistor stack 310, the stack resistance from VDD, and GND.
To control resistance of the transistor stack 310, the voltage variation detector 400 uses a positive feedback. Feedback stack 430, which is also a stack of NMOS transistors, is used to assist in controlling feedback of the voltage variation detector 400.
Once the switching threshold of inverter 320 is exceeded, the detection signal is provided as an output from inverter 370. The detection signal stays high as an SR latched signal until a reset signal is received at reset terminal 410. The reset signal can be an active high signal.
The voltage variation detector 300, and also voltage variation detector 400, can respond to both high and low frequency voltage glitches and various voltage ramp slopes. During a voltage glitch, there are several current sources for the voltage variation detector. Referring to
The differential VDD_INT − DIODE_OUT increases as the voltage ramps up and decreases once DIODE_OUT exceeds (VDD_INT − Vthp). This decrease happens once the positive feedback (from internal) kicks in. Eventually, the decrease pulls down the internal net to VSS.
VDD operates at a nominal voltage until a voltage glitch occurs. The voltage glitch can be intentional or unintentional. Once VDD passes the threshold voltage, which is independent of the nominal operating voltage, the output signal OUT transitions from a logical 0 to a logical 1 and remains high until the reset signal is asserted. At that point, the output signal OUT is reset to logical 0. The inverse signal OUT_INV stays high and transitions to low when VDD crosses the voltage threshold. Once the reset signal is received, OUT_INV returns to logical 1. The delay of output signal OUT once the voltage VDD exceeds the voltage threshold can be between 5 ns and 10 ns across PVTs.
Timing diagram 500 represents a voltage variation detector for detecting voltage glitches of a monitored voltage. A voltage variation detector for detecting voltage droops, such as illustrated in
The transistor stack 610 corresponds to the voltage threshold and includes multiple transistors (not shown) connected in series. For example, to set the voltage threshold, a number of the multiple transistors are selected. The number of transistors selected can be selected at manufacturing to establish the voltage threshold for particular applications. As with transistor stack 310, transistor stack 610 provides a variable portion that allows the voltage variation detector 600 to be tuned by moving the reference point for the threshold. As such, the self-generating reference of the voltage variation detector 600 can be controlled. The transistor stack 610 can be a stack of NMOS transistors. The transistor stack 610 is connected between the operating voltage VDD and transistor diode 640. The number of transistors selected to use for the transistor stack 610 changes the current provided to the transistor diode 640. The transistor diode 640 is connected between the transistor stack 610 and an input port of the inverter 620. Also connected between the operating voltage VDD and the inverter 320 input is resistor 630. The resistor 630 is connected in parallel to the transistor stack 610 and the transistor diode 640 between VDD and the inverter 620 input and provides an input signal to the inverter 620. The transistor diode 640 can be a PMOS diode.
The inverter 620 includes the input port and also includes an output port (not shown), wherein the inverter 620 receives the input signal at the input port and provides the detection signal at the output port. The output port of the inverter 620 is coupled to the feedback circuit 650, which provides the detection signal to the transistor stack 610.
The detection signal controls one or more gates of the transistors of the transistor stack 610 and indicates when the voltage VDD crosses the voltage threshold based on the transistor diode 640 being reverse biased. Positive feedback from the internal detection signal sets a latch when VDD exceeds the threshold, which can be set to high. The detection signal can be a sticky signal and the inverter 620 can be a skewed inverter that is coupled to a skewing circuit as shown in
DIODE_OUT_INT in
As VDD drops, current is injected onto DIODE_OUT from VSS_INT and transistor stack 610. Once VDD drops, the rate at which VSS_INT decreases will be less than VDD due to the resistor 630. The output of the transistor diode 640 DIODE_OUT−output of transistor stack 610, which are in saturation mode, continues to decrease below Vt of inverter 620 once the voltage threshold is crossed. When V(DIODE_OUT)>VSS_INT−Vthp, the transistor diode 640 D1 is reverse biased and turns off. DIODE_OUT then pulls the inverter 620 output to ‘1’ once it exceeds Vthn of transistor stack 610. Resistors 630 and 680 can be, for example, 30 ohms in some applications.
Transistor 746 makes VSS_INT reach full rail (VSS) once OUT_INV goes low. Transistor 742 operates as a feedback latch transistor which holds INT net close to VSS_INT during nominal voltage (i.e., when there is no undershoot). Resistor stack 680 sets the initial voltage of DIODE_OUT driving inverter 620, which helps INT net stay low.
Once the switching threshold of inverter 620 is crossed, the detection signal is provided as an output from inverter 670. The detection signal stays high as an SR latched signal until a reset signal is received at reset terminal 710. The reset signal can be an active high signal.
In step 810, at least one transition of a voltage across a voltage threshold is detected. The transition can be crossing over a voltage threshold or crossing under a voltage threshold. The detecting can be based on a transistor diode being reverse biased. Using detection of an undervoltage as an example, diode 640 provides an example of a transistor diode that can be used.
In step 820, a detection signal is generated when the voltage crosses the voltage threshold. The voltage threshold can correspond to a transistor stack that is controlled by the detection signal. For example, the voltage threshold can be set by the number of transistors of the transistor stack that are selected. Continuing the undervoltage example, transistor stack 610 is an example of a stack that can be used.
One or more defensive actions are performed in step 830 in response to the detection signal. A response circuit, such as response circuit 130 or response circuit 240 can perform or initiate one or more defensive actions in response to the detection signal.
The method 800 continues to step 840 and ends.
Features for detecting voltage variations are disclosed herein. A detection signal is generated indicating a monitored voltage crossing a threshold. The detection signal can be provided to a response circuit that initiates an action, such as a preventive or defensive action. The response circuit can include, for example, a security engine or prevention engine. Thresholds used for monitoring the voltages can be set depending on the intent of the monitoring. For example, for a security engine, the thresholds can be set to detect when the voltage is outside of an operation range, such as an over voltage. For a prevention engine, the thresholds can be set at a level below a max operating voltage for components of the functional circuitry, before damage occurs to the components. The prevention circuit could include a counter or other circuitry to determine the amount of time or number of times the voltage exceeds the threshold. The thresholds can also be set to detect an under voltage that could cause timing delays.
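As an added illustration that is not part of the disclosure, the following Python behavioural model shows how the sticky detection signal, the reset sent after a programmed number of cycles, and a counting monitoring circuit interact for both glitch and droop detection. The class names, voltages, cycle counts and action names are constructed assumptions, and the analog circuit is reduced to a threshold comparison.

```python
"""Behavioural model (added example) of a sticky voltage variation detector
and a response/monitoring circuit. All names and numbers are constructed."""
from dataclasses import dataclass


@dataclass
class VoltageVariationDetector:
    threshold: float        # volts; the page sets it via the transistor stack
    droop: bool = False     # False: over-voltage (glitch), True: under-voltage
    out: bool = False       # sticky detection signal (OUT)

    def sample(self, vdd: float, reset: bool = False) -> bool:
        if reset:
            # Active-high reset clears the latch and wins this cycle
            # (modelling assumption).
            self.out = False
        elif (vdd < self.threshold) if self.droop else (vdd > self.threshold):
            # Latch the crossing; OUT stays set after VDD recovers.
            self.out = True
        return self.out

    @property
    def out_inv(self) -> bool:
        return not self.out


@dataclass
class ResponseCircuit:
    ack_cycles: int         # programmed cycles OUT is held before reset is sent
    limit: int              # assertions tolerated before a defensive action
    assertions: int = 0     # monitoring counter: rising edges of OUT
    _held: int = 0
    _prev: bool = False

    def step(self, out: bool) -> bool:
        """Consume OUT for one cycle; return the reset level for the next."""
        if out and not self._prev:
            self.assertions += 1
        self._prev = out
        self._held = self._held + 1 if out else 0
        if self._held >= self.ack_cycles:
            self._held = 0
            return True
        return False

    def action(self, droop: bool) -> str:
        # Hypothetical action names: the page pairs glitches with protecting
        # data and droops with slowing a clock.
        if self.assertions < self.limit:
            return "none"
        return "slow_clock" if droop else "protect_data"


def simulate(trace, threshold, droop=False, ack_cycles=2, limit=3):
    """Run one VDD sample per cycle; return (OUT per cycle, count, action)."""
    det = VoltageVariationDetector(threshold, droop)
    rsp = ResponseCircuit(ack_cycles, limit)
    reset, outs = False, []
    for vdd in trace:
        out = det.sample(vdd, reset)
        reset = rsp.step(out)
        outs.append(int(out))
    return outs, rsp.assertions, rsp.action(droop)


# Constructed VDD traces in volts, one sample per cycle.
NOMINAL, SPIKE, SAG = 1.00, 1.20, 0.80
SHORT_GLITCH = [NOMINAL] * 2 + [SPIKE] + [NOMINAL] * 5
SUSTAINED = [NOMINAL] + [SPIKE] * 8 + [NOMINAL] * 3
DROOP = [NOMINAL] + [SAG] * 8 + [NOMINAL] * 3

if __name__ == "__main__":
    print("short glitch:", simulate(SHORT_GLITCH, 1.10))
    print("sustained   :", simulate(SUSTAINED, 1.10))
    print("droop       :", simulate(DROOP, 0.90, droop=True))
```

Because OUT is sticky, a one-cycle glitch produces a single assertion, while a sustained excursion re-asserts after every reset; counting those re-assertions is how the monitoring circuit in this model separates the two cases.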
A portion of the above-described apparatus, systems or methods may be embodied in or performed by various digital data processors or computers, wherein the computers are programmed or store executable programs of sequences of software instructions to perform one or more of the steps of the methods. The software instructions of such programs may represent algorithms and be encoded in machine-executable form on non-transitory digital data storage media or non-transitory computer-readable medium, e.g., magnetic or optical disks, random-access memory (RAM), magnetic hard disks, flash memories, and/or read-only memory (ROM), to enable various types of digital data processors or computers to perform one, multiple or all of the steps of one or more of the above-described methods, or functions, systems or apparatuses described herein.
The digital data processors or computers can be comprised of one or more processing units. The processing unit may include one or more GPUs, one or more CPUs, one or more hardware accelerators, e.g., a deep learning accelerator, a vision processing unit, and a tensor processing unit, one or more of other processor types, or a combination thereof. The digital data processors and computers can be located proximate each other, proximate a user, in a cloud environment, a data center, or located in a combination thereof. For example, some components can be located proximate the user and some components can be located in a cloud environment or data center.
The processing units in the processors or computers, such as GPUs, can be embodied on a single semiconductor substrate, included in a system with one or more other devices such as additional GPUs, a memory, and a CPU. The GPUs may be included on a graphics card that includes one or more memory devices and is configured to interface with a motherboard of a computer. The GPUs may be integrated GPUs (iGPUs) that are co-located with a CPU on a single chip. Configured or configured to means, for example, designed, constructed, or programmed, with the necessary logic and/or features for performing a task or tasks.
Portions of disclosed embodiments may relate to computer storage products with a non-transitory computer-readable medium that have program code thereon for performing various computer-implemented operations that embody a part of an apparatus, device or carry out the steps of a method set forth herein. Non-transitory used herein refers to all computer-readable media except for transitory, propagating signals. Examples of non-transitory computer-readable media include but are not limited to: magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROM disks; magneto-optical media such as floptical disks; and hardware devices that are specially configured to store and execute program code, such as ROM and RAM devices. Examples of program code include both machine code, such as produced by a compiler, and files containing higher level code that may be executed by the computer using an interpreter.
In interpreting the disclosure, all terms should be interpreted in the broadest possible manner consistent with the context. In particular, the terms “comprises” and “comprising” should be interpreted as referring to elements, components, or steps in a non-exclusive manner, indicating that the referenced elements, components, or steps may be present, or utilized, or combined with other elements, components, or steps that are not expressly referenced.
Those skilled in the art to which this application relates will appreciate that other and further additions, deletions, substitutions, and modifications may be made to the described embodiments. It is also to be understood that the terminology used herein is for the purpose of describing particular embodiments only, and is not intended to be limiting, since the scope of the present disclosure will be limited only by the claims. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. Although any methods and materials similar or equivalent to those described herein can also be used in the practice or testing of the present disclosure, a limited number of the exemplary methods and materials are described herein.
Each of the aspects disclosed in the Summary may have one or more of the additional features of the dependent claims in combination. It is noted that as used herein and in the appended claims, the singular forms “a”, “an”, and “the” include plural referents unless the context clearly dictates otherwise.