Implementations of the claimed invention generally may relate to security verification and, more particularly, to preventing software modification via secure booting.
In certain applications, it may be desirable to prevent unauthorized modification of software, for example to protect high-value content and/or service provider revenue. One scheme that has been proposed to prevent such unauthorized modification is to “securely boot” from a trusted (e.g., assumed uncorrupted) source to ensure that software is not or has not been modified. Such secure booting may ensure data security itself, or it may trigger subsequent verification in a so-called “chain of trust.”
One way to design a secure boot scheme may be for a processor to read trusted boot code from an external memory device, such as non-volatile, flash-type memory. Such boot code may reside, for example, in a one-time programmable (OTP) area of the external memory device. Such one-time programmability may prevent overwriting of the trusted boot code.
Such an external memory device, however, may be vulnerable to a replacement attack, where the external memory may be removed and replaced with a different memory device containing modified boot code.
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate one or more implementations consistent with the principles of the invention and, together with the description, explain such implementations. The drawings are not necessarily to scale, the emphasis instead being placed upon illustrating the principles of the invention. In the drawings,
The following detailed description refers to the accompanying drawings. The same reference numbers may be used in different drawings to identify the same or similar elements. In the following description, for purposes of explanation and not limitation, specific details are set forth such as particular structures, architectures, interfaces, techniques, etc. in order to provide a thorough understanding of the various aspects of the claimed invention. However, it will be apparent to those skilled in the art having the benefit of the present disclosure that the various aspects of the invention claimed may be practiced in other examples that depart from these specific details. In certain instances, descriptions of well known devices, circuits, and methods are omitted so as not to obscure the description of the present invention with unnecessary detail.
Processor package 110 may include a processor 120, a boot storage 130, and an identifier (ID) storage 140. In some implementations, processor 120, boot storage 130, and ID storage 140 may be located on the same die and/or semiconductor substrate. In some implementations, processor 120, boot storage 130, and ID storage 140 may be located on different dies and/or chips that are packaged together. In some implementations, processor 120 and boot storage 130 may be located on the same die and/or semiconductor substrate, and ID storage 140 may be located on a different die and/or chip that is packaged with that of processor 120. Other variations are both possible and contemplated.
Processor 120 may include a general-purpose or special-purpose processor configured to execute instructions or series of instructions to operate on data. In some implementations, processor 120 may be a general-purpose processing element that may execute instructions stored in boot storage 120 and/or in memory 160.
Boot storage 130 may include a non-volatile memory, such as a read-only memory (ROM). In some implementations, boot storage 130 may store some portion of the boot code for initializing and establishing operational parameters of processor 120. In some implementations, boot storage 130 may include security verification code for verifying one or more properties of memory 160 before further booting may occur. In some implementations, boot storage may be about 200 Bytes to about 10 kilobytes in size, although smaller or larger sizes are possible.
ID storage 140 may include a non-volatile memory, such as a one-time programmable (OTP) flash memory. In some implementations, ID storage 140 may include an electrically erasable programmable read-only memory (EEPROM), such as a serial EEPROM. In some implementations, ID storage 140 may include a bank of fuses that may be blown during manufacturing to store information.
ID storage 140 may be arranged to store identification information about memory 160. In some implementations, where a relatively small amount of information (e.g., a single identifier) is to be stored in ID storage 140, it may be around 32 bits in size. Slightly larger sizes for ID storage 140 are also possible, such as 128 bits or 256 bits. In some implementations, where a larger amount of information (e.g., an identifier and other information, such as a cryptographic signature) is to be stored, ID storage may be larger (e.g., around 160 bits to several kilobytes in size).
Communication link 150 may connect processor package 110 and memory 160. Although illustrated as a single bidirectional arrow, communication link may include one or more busses and/or point-to-point connections between processor package 110 and memory 160. In some implementations, communication link 150 may be implemented via conductive traces and/or wires. In some implementations, link 150 may be implemented in a non-conductive manner (e.g., optically and/or wirelessly).
Memory 160 may include a unique identifier (ID) 170, a boot code portion 180, and a portion for storing kernel and/or application code 190. In some implementations, unique ID 170 and/or boot code 180 may be stored in OTP portions of memory 160. Memory 160 may include flash-type or other nonvolatile memory including OTP and/or many-times programmable portions.
Unique ID 170 may be programmed into memory 160 when memory 160 is manufactured. In some implementations, unique ID 170, once programmed into memory 160, may not be rewritten or overwritten. In some implementations, unique ID 170 may be less than, for example, about 128 bits. Unique ID 170 may be sufficiently long, however, to make accidental duplication of the ID unlikely.
Boot code 180 also may be programmed into memory 160 when memory 160 is manufactured. In some implementations, boot code 180, once programmed into memory 160, may not be rewritten or overwritten. Boot code 180 may include a remainder of code needed to boot processor 120, in addition to a security verification portion of the initializing code that may be stored in boot storage 130. In some implementations, boot code 180 may also include verification code to verify the integrity of, for example, kernel and/or applications 190.
Kernel and/or applications 190 may include code and/or instructions to be executed by processor 120 after boot code 180. Kernel and/or applications 190 may include instructions that define a “steady state” functionality of system 100. For example, if system 100 is included in a set-top box, kernel and/or applications 190 may include an operating system and/or tuner software and/or a program guide to control playback of media information.
Processing may begin with processor 120 executing verification code stored in boot storage 130 [act 205]. In some implementations, act 205 may occur on a system reset and/or restart or startup. The verification code may direct processor 120 to perform some or all of acts 210-255 in
Processing may continue with processor 120 retrieving at least unique ID 170 from memory 160 via communication link 150 [act 210]. In some implementations, processor 120 may send a particular command sequence to memory 160 to read unique identifier 170. For example, the design of memory 160 may necessitate a specific sequence of commands to be sent before unique ID 170 may be obtained. Such a sequence may be similar to those used to get status or write to typical flash memory devices. In some implementations, processor 120 may also retrieve a portion (e.g., some or all) of boot code 180 from memory 160 in act 210. In some implementations, processor 120 may optionally retrieve a portion of kernel and/or applications 190 in addition to boot code 180. Such optional retrieval of boot code 180 (and, optionally, kernel and/or applications 190) may facilitate optional acts 225, 245, and/or 250 (illustrated by dashed lines) described below. Although such acts may be described with regard to boot code 180 for ease of presentation, it should be understood that optional acts 225, 245, and/or 250 may also involve kernel and/or applications 190.
If it is the first time processor 120 has executed the verification code from boot storage 130 [act 215], processor may store unique ID 170 locally in ID storage 140 [act 220]. As previously mentioned with regard to
Optionally, if processor 120 has retrieved a portion of boot code 180 in act 210, processor 120 may compute a cryptographic hash or digital signature (or otherwise generate a unique identifier) on boot code 180 and also locally store the resultant hash or signature, herein referred to as ‘signature’ in ID storage 140 [act 225]. Any now-known or later-developed hashing (such as MD-5, SHA-1) or similar algorithm such as a Message Authentication Code (hashing algorithm which uses a secret key, such as HMAC-MD5, HMAC-SHA-1) or a Digital Signature algorithm (such as RSA, DSA, El-Gamal etc) may be stored in boot storage 130 and used in act 225. Message Authentication Codes (MACs), which may be referred to as keyed hashes, may provide greater security in some implementations than non-keyed hashes, because knowledge of the key is implied. Acts 220, and optionally 225, may “bind” external memory 160 to processor package 110 during manufacturing and/or before the opportunity for a memory replacement attack on system 100.
On subsequent executions of verification code [act 215], processor 120 may compare unique ID 170 from external memory 160 with a corresponding identifier in ID storage 140 [act 230]. If the identifiers do not match [act 235], the verification code executed by processor 120 may prevent further booting [act 240]. In such a case, processor 120 may not execute boot code 180, because the identity or trustworthiness of memory 160 is suspect. In some implementations, processor 120 may issue an error code or other notification to the remainder of system 100 that booting has stopped in act 240.
If the identifiers match [act 235] and if a signature of boot code 180 is also present in ID storage 140, the verification code executed by processor 120 may compute a signature of the boot code 180 (and/or other code) read from memory 160 in act 210 [act 245]. The signature algorithm performed on boot code 180 from memory 160 may be the same as the algorithm used in act 225. If the computed signature from act 245 does not equal the corresponding signature value from ID storage 140 [act 250], the verification code executed by processor 120 may prevent system 100 from booting further [act 240], as previously described.
If the computed signature from act 245 matches the corresponding signature value from ID storage 140 [act 250], processor 120 the verification code executed by processor 120 may permit further booting from boot code 180 in external memory 160 [act 255]. In some implementations, boot code 180 may include the remainder of all boot code beyond the verification portion that is stored in boot storage 130. In some implementations, boot code 180, having been verified in act 250, may proceed to verify other code in memory 160, such as kernel and/or applications 190. In some implementations, boot code 180 may load kernel and/or applications 190 for further execution by processor 120.
It should be noted that in implementations that do not include a signature of boot code 180, when identifiers match in act 235, processor may permit booting from boot code 180 in act 255. In other words, when acts 245 and 250 are not present and/or performed, act 255 may follow act 235 when appropriate.
Further, some systems 300 may not include certain ones of elements 310-350. In some implementations, system 300, for example, may lack storage 340. Other systems 300, such as server-type systems, may lack one or more of tuner 320, display 330, and/or user interface 350.
Network interface 310 may be arranged to transmit and receive data via one or more communication links. In some systems 300, network interface 310 may function as a switch or router, but in other systems 300, network interface 310 may function as an access point. Network interface 310 may be arranged to facilitate communication via any associated communication link(s). For example, if the associated communication links include a wireless link, network interface 310 may include circuitry and optionally an antenna arranged to send and receive wireless signals. Conversely, if the communication link include a wired link (including wires or other physical conduits such as optical fibers), network interface 310 may include circuitry and a connector arranged to send and receive signals via a wire, cable, fiber, or the like.
Tuner 320 may include one or more devices that are arranged to separate one or more streams of information (e.g., television channel(s)) from an input media stream. Tuner 320 may also include a physical interface to receive a transport medium (e.g., a coaxial cable, Ethernet cable, wireless connection, etc.) that carries the media stream. Tuner 320 may lock onto and output a first stream of information, such as a television channel or other information, present at a first frequency range in the media stream. The particular choice of which first stream or channel to be output by tuner 320 may be made by a user via user interface 350 or by processing system 100.
Display 330 may include a television, monitor, projector, or other device suitable for displaying media information, such as video and/or audio. Display 330 may utilize a number of technologies for such displaying, including cathode ray tube (CRT), liquid crystal display (LCD), plasma, and/or projection-type technologies. In some situations, display 330 may receive media information to output from tuner 320. In other situations, display 330 may receive media information to output from network interface 310 and/or storage 340.
Processing system 100, after a successful booting process 200, may interact with storage 340 (if present) and/or tuner 320 and/or network interface 310 to store and/or play media information in accordance with, for example, kernel and/or applications 190. Processing system 100 may, for example, play or store media information to/from “local” storage 340 and/or tuner 320. In some cases, however, processing system 100 may play media information from, or store media information to, remote media systems via network interface 310, as will be described in further detail below.
In addition, processing system 100 may also perform other associated tasks in accordance with kernel and/or applications 190, such as encoding or decoding of media information before and/or after storage in storage 340 or transfer via network interface 310. For example, processing system 100 may convert media information to or from various formats, such as MPEG-1, MPEG-2, MPEG-4 (from the Moving Picture Experts Group), or any other known or later-developed media format. Processing system 100 may also control which channels of information in the media stream are selected by tuner 320.
Storage 340 may include a solid-state, magnetic or optical storage medium, examples of which may include semiconductor-based memory, magnetic hard disks, optical disks, etc. Storage 340 may be arranged to store instructions and/or programs for execution by processing system 100, as well as data products of the instructions and/or programs. Storage 340 may include random access memory (RAM), read only memory (ROM), flash memory, and may include other types of storage media, such as magnetic hard drives and (read-only or writable) optical media (e.g., compact discs (CDs), digital versatile discs (DVDs), etc.) and their associated optical drives.
User interface 350 may be arranged to supply input to a program on processing system 100 from a user. User interface 350 may include, for example, a keyboard, mouse, remote control, multi-purpose controller or similar device. Although shown directly connected to processing system 100 in
The foregoing description of one or more implementations provides illustration and description, but is not intended to be exhaustive or to limit the scope of the invention to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of various implementations of the invention.
For example, although processor 120, boot storage 130, and ID storage 140 have been described as being in a single package 110, one or more of these elements may be implemented in separate physical packages in desired. Similarly, although boot storage 130 and/or ID storage 140 have been described as read-only and/or OTP, in some implementations, one or more of storages 130 and 140 may be writable and/or programmable more than once. Also, in some implementations, boot storage 130 and/or ID storage 140 may be logical portions of the same physical storage device or structure. Moreover, in some implementations, some or all of boot code 180 may reside in boot storage 130, instead of in memory 160.
Further, although the loading of unique ID 170 into ID storage 140 has been described as happening on the first boot of processor 120 during manufacturing, this need not necessarily be the case. For example, in some implementations such loading of unique ID 170 may happen during second or subsequent boots of processor 120, perhaps in a deliberate operation, rather than automatically on first boot. Also, such loading of unique ID 170 need not necessarily be performed by the manufacturer of processor system 100, but rather may be performed by another entity, such as an integrator of system 100 (e.g., into system 300), and/or by a service provider at a later time.
In addition, as used herein “one time programmable” may refer to a certain element within a storage device, and not necessarily to the number of storage operations that may be performed to that device. For example, some percentage of the “one time programmable” elements in a device may be programmed at a certain time, and a remaining percentage of the “one time programmable” elements in the device may be programmed at a later time.
Moreover, the acts in
No element, act, or instruction used in the description of the present application should be construed as critical or essential to the invention unless explicitly described as such. Also, as used herein, the article “a” is intended to include one or more items. Variations and modifications may be made to the above-described implementation(s) of the claimed invention without departing substantially from the spirit and principles of the invention. All such modifications and variations are intended to be included herein within the scope of this disclosure and protected by the following claims.