This disclosure relates to a power management apparatus and method of power management for a system including one or more power management devices and a system-on-chip (SoC).
An integrated circuit including at least one processor and memory, often referred to as a system-on-chip (SoC), may include security features for protection against hacking. This is particularly important for applications of SoCs in vehicle systems. These security features may still be vulnerable to hacking, for example by changing the supply voltage of the device to be out of specification. If this is done in a specific manner, the SoC may exhibit unexpected behaviour which, if used maliciously, can cause security measures to be bypassed. For vehicle applications, this unexpected behaviour can have a direct impact on the safety of the vehicle and its occupants.
Many SoCs have power provided by Power Management Integrated Circuits (PMICs). A possible attack vector is to run code on an SoC which requests the external PMIC to change the voltage in a malicious manner. The resulting change in voltage can then be used to bypass other security mechanisms and gain elevated access to the device. If the hardware is accessible, the PMIC may be removed or disabled and an alternative or external power supply connected to the SoC, which can then be controlled in order to attempt to bypass the security features.
Aspects of the disclosure are defined in the accompanying claims. In a first aspect, there is provided a power management integrated circuit (PMIC) configured to be coupled to a system on chip (SoC), the SoC comprising at least one of a plurality of SoC power domains and a plurality of SoC clock domains; wherein each of the PMIC and the SoC comprise a shared key; and wherein the PMIC is configured to: generate a challenge; output the challenge to the SoC; generate an expected-challenge-response determined from the challenge and the shared key; receive a challenge-response from the SoC; compare the challenge-response and the expected-challenge-response; and depending on an operating state and in response to the challenge-response being different to the expected-challenge-response: (i) apply a reset to the SoC, or (ii) supply power to a subset of the plurality of SoC power domains and/or (iii) enable clocks of a subset of the plurality of SoC clock domains.
In some embodiments, the subset of the plurality of SoC power domains and the subset of the plurality of SoC clock domains comprise at least one of a safety critical domain and a security domain.
In some embodiments, the plurality of SoC power domains comprises a safety-critical power domain, the operating state is a safe operating state, and in response to the challenge-response being different to the expected-challenge-response, the PMIC is further configured to supply power to the safety-critical power domain.
In some embodiments, the plurality of SoC power domains comprises a security power domain, the operating state is a safe operating state, and in response to the challenge-response being different to the expected-challenge-response, the PMIC is further configured to remove power from the security power domain.
In some embodiments, the SoC comprises further circuitry, the operating state is a safe operating state, and in response to the challenge-response being different to the expected-challenge-response, the PMIC is further configured to control the SoC to apply a reset to the further circuitry.
In some embodiments, at least one of the plurality of SoC power domains comprises a SoC power domain sense output and the PMIC further comprises: a voltage monitor configured to be coupled to the SoC power domain sense output and configured to compare the SoC power domain sense output voltage with a PMIC voltage output and to indicate whether the operating state is at least one of a safe operating state and a secure operating state based on the comparison.
In some embodiments, the PMIC further comprises a bidirectional security operating state terminal configured to be coupled to the SoC and configured to at least one of: receive a secure operating state value from the SoC; output a secure operating mode status in response to the challenge-response being the same as the expected-challenge-response; and output a non-secure operating mode status in response to the challenge-response being different to the expected-challenge-response.
In some embodiments, the PMIC is further configured after a predetermined time to: generate a further challenge; output the further challenge to the SoC; generate a further expected-challenge-response determined from the challenge and the shared key; receive a further challenge-response from the SoC; determine whether the further challenge-response is valid by comparing the further challenge response and the further expected-challenge-response; and depending on an operating state and in response to the further challenge-response being different to the further expected-challenge-response: (i) apply a reset to the SoC, or (ii) supply power to a subset of the plurality of SoC power domains and/or (iii) enable the clocks of a subset of the plurality of SoC clock domains.
In some embodiments, the PMIC further comprises a plurality of voltage regulators, each voltage regulator being configured to be coupled to a respective power domain of the plurality of SoC power domains.
In some embodiments, the PMIC further comprises a plurality of clock generators, each clock generator being configured to be coupled to a respective clock domain of the plurality of SoC clock domains.
Embodiments of the PMIC may be included in a system including a SoC coupled to the PMIC, wherein the SoC is configured to receive a challenge from the PMIC, generate a challenge-response determined from the shared key, and output the challenge response.
In a second aspect, there is provided a system on chip, SoC, comprising at least one of a plurality of SoC power domains and a plurality of SoC clock domains and configured to be coupled to a power management integrated circuit, PMIC; wherein each of the SoC and the PMIC comprise a shared key; and wherein the SoC is configured to: generate a challenge; output the challenge to the PMIC; generate an expected-challenge-response determined from the challenge and the shared key; receive a challenge-response from the PMIC; determine whether the challenge-response is valid by comparing the challenge response and the expected-challenge-response; and depending on an operating state and in response to the challenge-response being different to the expected-challenge-response: (i) apply a reset to the SoC, or (ii) output a control signal to the PMIC to supply power to a subset of the plurality of SoC power domains and/or (iii) enable the clocks of a subset of the plurality of SoC clock domains.
In a third aspect, there is provided a method of operating a power management integrated circuit (PMIC) configured to be coupled to a system on chip (SoC) comprising at least one of a plurality of SoC power domains and a plurality of SoC clock domains, wherein each of the PMIC and the SoC comprise a shared key, and wherein the method comprises: generating a challenge; outputting the challenge to the SoC; generating an expected-challenge-response determined from the challenge and the shared key; receiving a challenge-response from the SoC; comparing the challenge response and the expected-challenge-response; and depending on an operating state and in response to the challenge-response being different to the expected-challenge-response: (i) applying a reset to the SoC, or (ii) supplying power to a subset of the plurality of SoC power domains and/or (iii) enabling clocks of a subset of the plurality of SoC clock domains.
In some embodiments, the operating state is a safe operating state, the method further comprising supplying power to a safety-critical power domain of the SoC in response to the challenge-response being different to the expected-challenge-response.
In some embodiments, the operating state is a safe operating state, the method further comprising removing power from a security power domain of the SoC in response to the challenge-response being different to the expected-challenge-response.
In some embodiments, the operating state is a safe operating state, the method further comprising controlling the SoC to apply a reset in response to the challenge-response being different to the expected-challenge-response.
In some embodiments, the method further comprises comparing a SoC power domain sense output voltage with a PMIC voltage output; and indicating whether the operating state is at least one of a safe operating state and a secure operating state based on the comparison.
In some embodiments, the method further comprises at least one of: receiving a secure operating state value from the SoC; outputting a secure operating mode status in response to the challenge-response being the same as the expected-challenge-response; and outputting a non-secure operating mode status in response to the challenge-response being different to the expected-challenge-response.
In some embodiments, the method further comprises after a predetermined time: generating a further challenge; outputting the further challenge to the SoC; generating a further expected-challenge-response determined from the challenge and the shared key; receiving a further challenge-response from the SoC; determining whether the further challenge-response is valid by comparing the further challenge response and the further expected-challenge-response; and depending on an operating state and in response to the further challenge-response being different to the further expected-challenge-response: (i) applying a reset to the SoC, or (ii) supplying power to a subset of SoC power domains and/or (iii) enabling the clocks of a subset of SoC clock domains.
In the figures and description, like reference numerals refer to like features. Embodiments are now described in detail, by way of example only, illustrated by the accompanying drawings in which:
It should be noted that the Figures are diagrammatic and not drawn to scale. Relative dimensions and proportions of parts of these Figures have been shown exaggerated or reduced in size, for the sake of clarity and convenience in the drawings. The same reference signs are generally used to refer to corresponding or similar features in modified and different embodiments.
In operation of the system 100, the PMIC 110 may initially be powered up and set up the power supplies to the SoC 114 to bring it out of reset. In example SoCs with multiple power domains, only critical domains may be initially powered up, for example domains including a boot core and security subsystem.
In operation of the system 100, the PMIC 110 and SoC 114 may execute an initial handshake, for example via the communication bus 106 between the PMIC 110 and SoC 114. After the initial handshake, the PMIC 110 may generate a challenge variable and send it to the SoC 114 via the communications bus 106. The challenge variable may be randomly generated to prevent “replay attacks”, for example using a linear feedback shift register or other known technique. The SoC 114 may combine the challenge with the shared key to generate a response. The response may then be sent back via the communications bus 106 to the PMIC 110, which has also carried out the same calculation locally with its own copy of the shared key. The PMIC 110 then compares the two responses and, if a match is found, continues to boot the SoC 114. In the case of a failure, the PMIC 110 may perform one or more actions to mitigate a potential attack. In one example the PMIC 110 may apply a reset to the SoC 114. In another example, the PMIC 110 may completely remove power from the SoC 114. In some examples the PMIC 110 may place the SoC 114 into a limited operation (degraded) state where, for example, security assets are locked out and are unavailable. This may be done, for example, by physically powering down specific supplies to specific subsystems or by not applying power to additional subsystems, depending on the initial power state. For examples where a PMIC supplies multiple clocks as well as power, this may be done by removing clocks from one or more clock domains of the SoC. In other examples, the PMIC may indicate a reduced operating state via the operating state output 116 and the SoC 114 may disable one or more clocks in response.
In embodiments where system 100 is part of a vehicle control system, the reduced functionality may allow safety critical functions to operate. For example, if a safety-critical controller area network (CAN) used in connection with a braking electronic control unit (ECU) still needs to perform cipher-based message authentication code (CMAC) verify operations, then the CMAC engine and its keys may remain available until the vehicle is transitioned into a safe state, while other security assets may be taken offline via clock or power gating.
In other examples, the SoC 114 may be a mixed-criticality device where some cores run safety functions whereas others run “additional services” including but not limited to services such as infotainment, over-the-air (OTA) updates and cloud connectivity. The non-safety function cores may be safely powered down when a security attack is detected whereas the safety critical cores may keep running. The latter non-safety functions typically have the largest attack surface i.e. the largest number of possible points or attack vectors where an unauthorized user can access a system and extract or corrupt data, and so may be much more vulnerable to hacking.
In some examples, the authentication process may be carried out periodically at runtime. This may check that the PMIC has not been removed after the initial boot flow. The time period for rechecking can be set via one-time-programmable (OTP) fuses or flash memory. In some examples, the authentication process may also be carried out after wakeup from a deep power down mode.
In some examples, the pre-shared key may be used to encrypt and authenticate any data transmitted on the communications bus 106. This may prevent a threat actor from sending rogue messages to the PMIC to alter settings. Encrypting the data may prevent a rogue actor from monitoring the bus 106 for specific events, such as a request for a low power transition, in order to time an attack to occur after the specific event. In some examples, the PMIC 110 may include a timeout counter to generate a timeout signal if the PMIC 110 does not receive any response from the SoC 114. This may result in an automatic reset of the SoC 114.
Returning now to step 206, if a SoC response has been received, the method then checks whether or not the response is valid in step 212. If the response is valid, in optional step 213, the method may check whether the number of challenges sent in step 204 equals a predetermined maximum value. If the number of challenges sent is less than the maximum value, then the number of challenges sent is incremented, the method proceeds to step 210 and a periodic timeout starts as previously described. Otherwise, from step 213 the method proceeds to step 216 and checks whether the SoC is in a safe operating state. In some examples, step 213 may be omitted, in which case the method proceeds directly from step 212 to step 210. Returning to step 212, if the response is invalid, the method checks whether the SoC is in a safe operating state (step 216). If the SoC is not in a safe operating state, the device is reset in step 214 and the method finishes. If the SoC is in a safe operating state, in step 218 power and/or clock may be removed from security-critical and/or non-safety-critical domains. The method then proceeds to step 220 and the PMIC may assert a safety and/or security pin to notify external circuitry of a potential system issue.
The SoC 460 has power domains 446-1 (power domain A), 446-2 (power domain B), 446-3 (power domain C), each with a respective power pin 436-1, 436-2, 436-3 connected to a respective voltage regulator output 418-1, 418-2, 418-3. In other examples, power domains may have more than one associated power pin. The power domain A 446-1 may have a sense output pin 438 connected to the first voltage monitor input 422-1. In other examples, additional power domains may have a sense pin. The SoC 460 has clock domains 448-1 (clock domain A), 448-2 (clock domain B), each having a respective clock pin 438-1, 438-2 connected to respective clock source outputs 426-1, 426-2. As illustrated, the SoC 460 has three power domains and two clock domains. In other examples, the SoC may have fewer or more power domains and fewer or more clock domains. In some examples, the SoC may not receive a clock signal from a PMIC but may have another external clock source and an internal clock generation block which derives the clocks for each clock domain internal to the SoC. The SoC 460 has an I2C interface 440, a security pin 442 and associated circuitry (not shown). The I2C interface 440 is connected to the PMIC I2C interface 408 by communication bus 428. The security pin 442 is connected to the PMIC security pin 412 by connection 430. The vehicle control system may also have a CAN PHY 462 and an Ethernet PHY 464 which have a security input connected to the PMIC security pin 412 by connection 430. The CAN PHY 462 and Ethernet PHY 464 may also have data connections to the SoC 460 (not shown).
The SoC 460 has a safety domain 452 which includes a power status pin 444 connected via connection 432 to the PMIC power status pin 414. In some examples, the safety domain 452 may have a corresponding safety critical power domain (not shown) and safety critical clock domain; in other examples the safety domain may be located in a power domain shared with other circuitry, for example power domain A, and the circuitry may be clocked in a clock domain shared with other circuitry, for example clock domain B.
The security domain 450 includes the security zone 468 and may include software and hardware for controlling the SoC I2C interface 440. The security domain 450 may include specific hardware such as a dedicated security core, specific software, or a combination of hardware and software that has a privilege level greater than the minimum level for the system. The security domain 450 may include a Hardware Security Engine (HSE) security subsystem which may be considered as the “Root of Trust” for the SoC. The HSE may run relevant security functions for applications having stringent confidentiality and/or authenticity requirements. The HSE may isolate security-sensitive information such as pre-shared keys from the application and enforce security measures on the application during run-time and system startup. In some examples, the security domain 450 may have a corresponding security power domain (not shown) and security clock domain; in other examples the security domain may be located in a power domain shared with other circuitry, for example power domain B, and the circuitry may be clocked in a clock domain shared with other circuitry, for example clock domain A.
After an initial handshake between the PMIC 410 and SoC 460, the PMIC 410 randomly generates a challenge variable and sends it to the SoC via the communications bus 428. Ensuring this challenge is truly random may prevent “replay attacks”. The SoC 460 combines the challenge with the shared key to calculate a challenge response. The challenge response is then sent back to the PMIC 410, which performs the same calculation locally with its own shared key to determine an expected challenge response. The PMIC 410 then compares the two responses, i.e. the challenge response and the expected challenge response. If a match is found, the boot sequence continues for the SoC 460. In the case of an authentication failure, the PMIC 410 may initiate a SoC reset, for example by signalling a security failure on the security pin 412 to which the SoC 460 reacts, or by a dedicated reset pin (not shown). Alternatively or in addition, the PMIC 410 may remove power from one or more SoC power domains. Alternatively or in addition, the PMIC 410, in conjunction with a secure enclave on the SoC such as the HSE, may force the SoC 460 into a degraded state where, for example, security assets are locked out and unavailable. This degraded state could include physically powering down specific supplies, for example a subset of the power domains 446, or clock gating specific subsystems, for example by clock gating one or more clock domains 448-1, 448-2.
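The challenge-response handshake described above (and for system 100 earlier), together with the reaction flow of method 200 (steps 204 to 220), can be modelled in software. The following Python example is added here and is not part of this disclosure; it models the PMIC side and the SoC side of the exchange, the timeout case, a replayed response, and the PMIC's reaction depending on the operating state. The use of HMAC-SHA256 to combine the challenge with the shared key, the key value, the domain names, the class and function names and the 16-byte challenge length are all assumptions of the example; the optional maximum-challenge-count check of step 213 is omitted, as the description permits.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Sequence, Set

# Constructed 128-bit pre-shared key held by both the PMIC and the SoC security
# subsystem. The value is a placeholder; a real key would be provisioned into
# OTP fuses or HSE key storage and never appear in application code.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Hypothetical domain names: the safety-critical domain stays up in a degraded
# state; the security and non-safety (infotainment/OTA) domains may be removed.
SAFETY_DOMAINS = {"safety"}
NON_SAFETY_DOMAINS = {"security", "services"}


def compute_response(key: bytes, challenge: bytes) -> bytes:
    """Combine the challenge with the shared key to form the response.

    HMAC-SHA256 is an assumption; the disclosure only says the challenge is
    combined with the shared key, without fixing the function.
    """
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Action(Enum):
    CONTINUE = "continue"      # responses match: continue boot / keep running
    RESET_SOC = "reset_soc"    # mismatch outside a safe state, or no response
    DEGRADED = "degraded"      # mismatch in a safe state: safety domain kept alive


@dataclass
class Soc:
    """Genuine SoC: its security subsystem answers with the shared key."""
    key: bytes
    responsive: bool = True    # False models a missing reply (timeout counter)

    def answer(self, challenge: bytes) -> Optional[bytes]:
        return compute_response(self.key, challenge) if self.responsive else None


@dataclass
class ReplaySoc:
    """Device that replays one previously captured response for every
    challenge; the fresh random challenge makes this fail."""
    captured_response: bytes

    def answer(self, challenge: bytes) -> Optional[bytes]:
        return self.captured_response


@dataclass
class Pmic:
    key: bytes
    powered: Set[str] = field(default_factory=lambda: SAFETY_DOMAINS | NON_SAFETY_DOMAINS)
    clocked: Set[str] = field(default_factory=lambda: SAFETY_DOMAINS | NON_SAFETY_DOMAINS)
    security_pin_asserted: bool = False

    def authenticate(self, soc, safe_state: bool) -> Action:
        """One challenge/response round (steps 204-220 of method 200)."""
        challenge = secrets.token_bytes(16)          # fresh nonce per round
        expected = compute_response(self.key, challenge)
        response = soc.answer(challenge)
        if response is None:                         # timeout: automatic reset
            return Action.RESET_SOC
        if hmac.compare_digest(response, expected):  # constant-time comparison
            return Action.CONTINUE
        return self._react_to_failure(safe_state)

    def _react_to_failure(self, safe_state: bool) -> Action:
        if not safe_state:                           # step 216 -> step 214
            return Action.RESET_SOC
        # Step 218: keep the safety-critical domain powered and clocked, remove
        # power and clock from the security and non-safety domains.
        self.powered -= NON_SAFETY_DOMAINS
        self.clocked -= NON_SAFETY_DOMAINS
        self.security_pin_asserted = True            # step 220: notify externally
        return Action.DEGRADED

    def run(self, soc, safe_states: Sequence[bool]) -> List[Action]:
        """Boot-time authentication followed by periodic re-authentication.

        One round per entry of safe_states (the SoC operating state sampled when
        that round runs); the loop stops at the first failure because the SoC
        is then reset or degraded.
        """
        actions: List[Action] = []
        for safe in safe_states:
            action = self.authenticate(soc, safe)
            actions.append(action)
            if action is not Action.CONTINUE:
                break
        return actions
```

`Pmic(SHARED_KEY).run(Soc(SHARED_KEY), [False, True, True])` models a boot-time check followed by two periodic re-checks that all pass; substituting an SoC with a different key, an unresponsive SoC, or a `ReplaySoc` holding an old response produces a reset or a degraded state according to `safe_state`. The comparison uses `hmac.compare_digest` so that the time taken to reject a wrong response does not depend on how many leading bytes happened to match.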
As a further security measure, the voltage monitor 420 may compare the voltage at the power domain A sense pin 438 with the output voltage of voltage regulator 402-1 to ensure that the voltage at the SoC 460 matches the regulator output voltage. If it does not match, a signal may be output on one or both of the security pin 412 and the safe status pin 416. This may ensure that the PMIC supply is not being bypassed. In the case of over-voltage or under-voltage detection on one of the regulators 402-1, 402-2, 402-3, the PMIC secure status and safe status pins 412, 416 may trigger at the same time if the system is in a safe state and in a secure state. The reaction to the PMIC secure status and safe status pins 412, 416 triggering may be programmable and deterministic, for example to meet specific safety fault-tolerant time requirements and/or specific application requirements. In other examples, other power domains may also have sense pins connected to the voltage monitor 420 to perform equivalent checks.
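The two checks performed by the voltage monitor 420 (over/under-voltage on a regulator output, and a sense pin that does not track the regulator output) can be written as a single evaluation that yields the levels for the safe status and security pins. The following Python example is added here and is not part of this disclosure; the regulator names, nominal voltages, tolerance values, and the choice that a sense mismatch drives only the security pin while over/under-voltage drives both pins are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed regulator table (nominal output in volts) for a PMIC with three
# regulators feeding power domains A, B and C. Values are illustrative only.
NOMINAL_V = {"reg_a": 1.10, "reg_b": 1.80, "reg_c": 3.30}
SENSE_TOLERANCE_V = 0.05   # max |sense - output| before the supply counts as bypassed
OV_UV_FRACTION = 0.10      # +/-10 % window around nominal for over/under-voltage


@dataclass(frozen=True)
class MonitorStatus:
    safe_ok: bool            # level reported on the safe status pin (True = no fault)
    secure_ok: bool          # level reported on the security pin (True = no fault)
    faults: Tuple[str, ...]  # human-readable reasons, for logging


def monitor(regulator_out_v: Dict[str, float],
            sense_v: Dict[str, float]) -> MonitorStatus:
    """Evaluate the voltage monitor once.

    regulator_out_v: measured output of each PMIC regulator (all regulators).
    sense_v: voltage read back at the SoC sense pin, keyed by the regulator
             feeding that power domain (only domains that have a sense pin).
    """
    safe_ok, secure_ok, faults = True, True, []

    # Check 1: over/under-voltage on any regulator output. Assumed to assert
    # both the safe status and the security status.
    for name, vout in regulator_out_v.items():
        nominal = NOMINAL_V[name]
        if abs(vout - nominal) > OV_UV_FRACTION * nominal:
            kind = "over" if vout > nominal else "under"
            faults.append(f"{name}: {kind}-voltage, output {vout:.2f} V "
                          f"(nominal {nominal:.2f} V)")
            safe_ok = secure_ok = False

    # Check 2: the voltage seen at the SoC must track the regulator output;
    # a mismatch suggests an external supply is driving the domain. Assumed
    # to assert the security status.
    for name, vsense in sense_v.items():
        vout = regulator_out_v[name]
        if abs(vsense - vout) > SENSE_TOLERANCE_V:
            faults.append(f"{name}: SoC sense {vsense:.2f} V does not match "
                          f"output {vout:.2f} V")
            secure_ok = False

    return MonitorStatus(safe_ok, secure_ok, tuple(faults))
```

With the PMIC output at 1.10 V and the sense pin reading 1.30 V, `monitor` reports the security pin asserted while the safe status pin stays clear, because the regulator itself is in specification and only the voltage reaching the SoC is wrong; the resulting status would feed the operating-state decision of the reaction logic.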
In one example, if a safety-critical CAN network used in connection with a braking ECU still needs to perform CMAC verify operations, then this engine and its respective keys would still be available until the vehicle could be transitioned into a safe state, whereas other security assets would be taken offline via clock or power gating.
The SoC 460 may include some cores running safety functions whereas others run “additional services” such as infotainment, OTA updates, cloud connectivity, etc. The latter cores could be safely powered down when a security attack is detected whereas the former safety critical core would keep running. Given that the latter functions typically have the largest attack surface this is very desirable.
The vehicle control system 400 may react differently to a runtime security event depending on the current safety state of the vehicle. For example if the vehicle is parked then SoC 460 can be held in reset, if in motion then a controlled availability strategy may be used to lock down secure assets whilst still allowing the vehicle to operate safety critical features. Alternatively or in addition, the vehicle control system 400 may implement one or more of the methods 200, 300, 350.
Embodiments may provide a reaction to a security event to power down or clock gate security specific assets whilst still allowing safety critical logic to remain active. This may be critical for example in an automotive and industrial environment.
Embodiments implement a state machine that evaluates the different security and safety states of the device under attack to provide several controlled options to gracefully handle the security attack, avoiding any life-threatening consequences.
Embodiments described herein may prevent an attack where the PMIC is used for authentication but then an alternative source supplies voltages out of specification. The PMIC may monitor supplies at the SoC and continually check that the voltage matches the voltage value output by the PMIC. Embodiments with periodic (re-)authentication requests may further prevent an attack which allows the PMIC to authenticate at boot and then removes the PMIC. If a potential threat is detected by the PMIC, some embodiments may power down only security-critical logic or non-safety-critical logic within a predetermined Fault Tolerant Time Interval (FTTI). This may ensure that a safety-critical subsystem still operates. Embodiments described may prevent an attack using an alternative power supply, which fails at boot time (prior to any safety applications commencing) as the authentication fails. Embodiments described may prevent an attack which compromises high-level software and requests the PMIC to change the voltage and/or clock to operate outside the specified value. Such an attack will fail as only the security subsystem has the pre-shared encryption key required to communicate with the PMIC, and the PMIC will only allow secure registers to be altered by the authentic SoC.
A power management integrated circuit (PMIC) and method of operating a PMIC is described. The PMIC is configured to be coupled to a system on chip (SoC) including a number of power and clock domains. Each of the PMIC and the SoC have a shared key. The PMIC is configured to generate a challenge, output the challenge to the SoC and generate an expected-challenge-response determined from the challenge and the shared key. The PMIC is further configured to receive a challenge-response from the SoC and compare the challenge response with the expected-challenge-response. If the challenge response is different to the expected response, the PMIC may (i) apply a reset to the SoC, (ii) supply power to a subset of the SoC power domains and/or (iii) enable clocks of a subset of SoC clock domains.
In some example embodiments the set of instructions/method steps described above are implemented as functional and software instructions embodied as a set of executable instructions which are effected on a computer or machine which is programmed with and controlled by said executable instructions. Such instructions are loaded for execution on a processor (such as one or more CPUs). The term processor includes microprocessors, microcontrollers, processor modules or subsystems (including one or more microprocessors or microcontrollers), or other control or computing devices. A processor can refer to a single component or to plural components.
In other examples, the set of instructions/methods illustrated herein and data and instructions associated therewith are stored in respective storage devices, which are implemented as one or more non-transient machine or computer-readable or computer-usable storage media or mediums. Such computer-readable or computer usable storage medium or media is (are) considered to be part of an article (or article of manufacture). An article or article of manufacture can refer to any manufactured single component or multiple components. The non-transient machine or computer usable media or mediums as defined herein excludes signals, but such media or mediums may be capable of receiving and processing information from signals and/or other transient mediums.
Example embodiments of the material discussed in this specification can be implemented in whole or in part through network, computer, or data based devices and/or services. These may include cloud, internet, intranet, mobile, desktop, processor, look-up table, microcontroller, consumer equipment, infrastructure, or other enabling devices and services. As may be used herein and in the claims, the following non-exclusive definitions are provided.
Features which are described in the context of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable sub combination.
The applicant hereby gives notice that new claims may be formulated to such features and/or combinations of such features during the prosecution of the present application or of any further application derived therefrom.
For the sake of completeness it is also stated that the term “comprising” does not exclude other elements or steps, the term “a” or “an” does not exclude a plurality, a single processor or other unit may fulfil the functions of several means recited in the claims and reference signs in the claims shall not be construed as limiting the scope of the claims.
Number | Date | Country | Kind |
---|---|---|---|
23307004.4 | Nov 2023 | EP | regional |