The present disclosure generally relates to the field of electronics. More particularly, aspects generally relate to apparatus and methods to manage high capacity memory.
Electronic devices such as computers, tablets, mobile phones, electronic readers, and the like comprise components from various manufacturers. It may be useful to permit component providers to define secure partitions in memory to allow for storage of component-specific information such as information manuals, configuration menus, system logs, and the like. Accordingly, techniques to provide secure data partitions in nonvolatile memory systems may find utility, e.g., in memory systems for electronic devices.
The detailed description is provided with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of various examples. However, various examples may be practiced without the specific details. In other instances, well-known methods, procedures, components, and circuits have not been described in detail so as not to obscure the particular examples. Further, various aspects of examples may be performed using various means, such as integrated semiconductor circuits (“hardware”), computer-readable instructions organized into one or more programs (“software”), or some combination of hardware and software. For the purposes of this disclosure reference to “logic” shall mean either hardware, software, or some combination thereof.
In some examples described herein a controller coupled to memory implements logic which allows authorized users to create a secure memory partition in a non-volatile memory device on an electronic device. The controller implements a system management mode (SMM) mailbox which provides an interface between the controller and configuration utilities available when the host processor device is placed in system management mode. An authorized user, e.g., a component manufacturer, can generate a request to the SMM mailbox through BIOS SMM code to create a partition in the non-volatile memory device. Thereafter, the user can implement read and write operations to memory in the partition via the SMM mailbox. The user can also request to delete the partition through the SMM mailbox. The controller further includes partition logic which, in response to requests from the user, implements operations to create the partition, manage read and write operations, and delete the partition. Specific examples will be described below with reference to
Memory interface 124 is coupled to one or more remote memory device(s) 140 by a communication bus 160. In some examples, the communication bus 160 may be implemented as traces on a printed circuit board, a cable with copper wires, a fibre optic cable, a connecting socket, or a combination of the above. Memory device(s) 140 may comprise a controller 142 and memory 150. In various embodiments, at least some of the memory 150 may be implemented using volatile memory, e.g., static random access memory (SRAM), a dynamic random access memory (DRAM), alone or in combination with nonvolatile memory, e.g., phase change memory, NAND (flash) memory, ferroelectric random-access memory (FeRAM), nanowire-based non-volatile memory, memory that incorporates memristor technology, three dimensional (3D) cross point memory such as phase change memory (PCM), spin-transfer torque memory (STT-RAM) or Magnetoresistive Random Access Memory (MRAM). The specific configuration of the memory device(s) 150 in the memory 140 is not critical.
As described briefly above, in some examples described herein, the controller 142 comprises a system management mode (SMM) mailbox 146 which provides an interface between the controller 142 and configuration utilities available when the device is placed in system management mode. As illustrated in
Operations implemented by controller 142 will be described with reference to
At operation 315 the partition logic 148 in controller 142 verifies a source and destination of the partition creation request. For example, at operation 315 the partition logic 148 may confirm that the partition creation request originated from an approved source and was directed to the correct SMM mailbox 146. If, at operation 320 the partition creation request is not verified then control passes to operation 330 and an error code is generated. The error code may be logged in memory and may be returned to the sender.
By contrast, if at operation 320 the partition creation request is verified then control passes to operation 325, at which the partition logic 148 determines whether there is sufficient space available to satisfy the partition creation request. By way of example, the partition logic 148 may enforce a threshold (based on an OEM policy) on the amount of memory which may be dedicated to a specific partition or to multiple partitions. The threshold may be static or dynamic and may be established by a manufacturer or other vendor. If, at operation 325, there is insufficient memory available to satisfy the partition creation request then control passes to operation 330 and an error code is generated. The error code may be logged in memory and may be returned to the sender.
By contrast, if at operation 325 there is sufficient memory available to accommodate the partition creation request then control passes to operation 335 and the partition logic 148 creates a partition in memory 150. At operation 340 the partition logic 148 generates a success code. The success code may be logged in memory and may be returned to the sender.
A partition deletion operation will be explained with reference to
At operation 355 the partition logic 148 in controller 142 verifies a source and destination of the partition deletion request. For example, at operation 355 the partition logic 148 may confirm that the partition deletion request originated from an approved source and was directed to the correct SMM mailbox 146. If, at operation 360 the partition deletion request is not verified then control passes to operation 365 and an error code is generated. The error code may be logged in memory and may be returned to the sender.
By contrast, if at operation 360 the partition deletion request is verified then control passes to operation 370 and the partition logic 148 deletes the partition in memory 150. At operation 375 the partition logic 148 generates a success code. The success code may be logged in memory and may be returned to the sender.
A partition write operation will be explained with reference to
At operation 415 the partition logic 148 in controller 142 verifies a source and destination of the partition write operation. For example, at operation 415 the partition logic 148 may confirm that the partition write request originated from an approved source and was directed to the correct SMM mailbox 146. If, at operation 420 the partition write operation is not verified then control passes to operation 425 and an error code is generated. The error code may be logged in memory and may be returned to the sender. In some examples a nonce sent from authorized user in SMM code can prove to partition memory controller the origin of the request to be used for authentication of the request. Alternatively, hardware signals from memory interface unit 124 to controller 142 travelling through system fabric 160 may be used to prove authenticity of the user request to controller 142 from processor system 110.
By contrast, if at operation 420 the partition write operation is verified then control passes to operation 430 and the partition logic 148 executes a write operation to the partition in memory 150. At operation 435 the partition creation logic generates a success code. The success code may be logged in memory and may be returned to the sender.
A partition read operation will be explained with reference to
At operation 455 the partition logic 148 in controller 142 verifies a source and destination of the partition read operation. For example, at operation 415 the partition logic 148 may confirm that the partition read request originated from an approved source and was directed to the correct SMM mailbox 146. If, at operation 460 the partition read operation is not verified then control passes to operation 465 and an error code is generated. The error code may be logged in memory and may be returned to the sender.
By contrast, if at operation 460 the partition read operation is verified then control passes to operation 470 and the partition logic 148 executes a read operation to the partition in memory 150. At operation 475 the partition creation logic 148 returns the data from the read operation to the sender.
Thus, the structure and operations described herein enable a controller 142 to implement secure data partition operations on a memory device. More particularly, the structure and operations described herein enable controller 142 to create a partition in a memory device, securely execute read and write operations to the partition, and to delete the partition. In some examples, the system management code in processor 100 may implement additional data encryption mechanisms for increased security of the partition data.
As described above, in some examples the electronic device may be embodied as a computer system.
A chipset 606 may also communicate with the interconnection network 604. The chipset 606 may include a memory control hub (MCH) 608. The MCH 608 may include a memory controller 610 that communicates with a memory 612 (which may be the same or similar to the memory 130 of
The MCH 608 may also include a graphics interface 614 that communicates with a display device 616. In one example, the graphics interface 614 may communicate with the display device 616 via an accelerated graphics port (AGP). In an example, the display 616 (such as a flat panel display) may communicate with the graphics interface 614 through, for example, a signal converter that translates a digital representation of an image stored in a storage device such as video memory or system memory into display signals that are interpreted and displayed by the display 616. The display signals produced by the display device may pass through various control devices before being interpreted by and subsequently displayed on the display 616.
A hub interface 618 may allow the MCH 608 and an input/output control hub (ICH) 620 to communicate. The ICH 620 may provide an interface to I/O device(s) that communicate with the computing system 600. The ICH 620 may communicate with a bus 622 through a peripheral bridge (or controller) 624, such as a peripheral component interconnect (PCI) bridge, a universal serial bus (USB) controller, or other types of peripheral bridges or controllers. The bridge 624 may provide a data path between the CPU 602 and peripheral devices. Other types of topologies may be utilized. Also, multiple buses may communicate with the ICH 620, e.g., through multiple bridges or controllers. Moreover, other peripherals in communication with the ICH 620 may include, in various examples, integrated drive electronics (IDE) or small computer system interface (SCSI) hard drive(s), USB port(s), a keyboard, a mouse, parallel port(s), serial port(s), floppy disk drive(s), digital output support (e.g., digital video interface (DVI)), or other devices.
The bus 622 may communicate with an audio device 626, one or more disk drive(s) 628, and a network interface device 630 (which is in communication with the computer network 603). Other devices may communicate via the bus 622. Also, various components (such as the network interface device 630) may communicate with the MCH 608 in some examples. In addition, the processor 602 and one or more other components discussed herein may be combined to form a single chip (e.g., to provide a System on Chip (SOC)). Furthermore, the graphics accelerator 616 may be included within the MCH 608 in other examples.
Furthermore, the computing system 600 may include volatile and/or nonvolatile memory (or storage). For example, nonvolatile memory may include one or more of the following: read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically EPROM (EEPROM), a disk drive (e.g., 628), a floppy disk, a compact disk ROM (CD-ROM), a digital versatile disk (DVD), flash memory, a magneto-optical disk, or other types of nonvolatile machine-readable media that are capable of storing electronic data (e.g., including instructions).
In an example, the processor 702-1 may include one or more processor cores 706-1 through 706-M (referred to herein as “cores 706” or more generally as “core 706”), a shared cache 708, a router 710, and/or a processor control logic or unit 720. The processor cores 706 may be implemented on a single integrated circuit (IC) chip. Moreover, the chip may include one or more shared and/or private caches (such as cache 708), buses or interconnections (such as a bus or interconnection network 712), memory controllers, or other components.
In one example, the router 710 may be used to communicate between various components of the processor 702-1 and/or system 700. Moreover, the processor 702-1 may include more than one router 710. Furthermore, the multitude of routers 710 may be in communication to enable data routing between various components inside or outside of the processor 702-1.
The shared cache 708 may store data (e.g., including instructions) that are utilized by one or more components of the processor 702-1, such as the cores 706. For example, the shared cache 708 may locally cache data stored in a memory 714 for faster access by components of the processor 702. In an example, the cache 708 may include a mid-level cache (such as a level 2 (L2), a level 3 (L3), a level 4 (L4), or other levels of cache), a last level cache (LLC), and/or combinations thereof. Moreover, various components of the processor 702-1 may communicate with the shared cache 708 directly, through a bus (e.g., the bus 712), and/or a memory controller or hub. As shown in
As illustrated in
Additionally, the core 706 may include a schedule unit 806. The schedule unit 806 may perform various operations associated with storing decoded instructions (e.g., received from the decode unit 804) until the instructions are ready for dispatch, e.g., until all source values of a decoded instruction become available. In one example, the schedule unit 806 may schedule and/or issue (or dispatch) decoded instructions to an execution unit 808 for execution. The execution unit 808 may execute the dispatched instructions after they are decoded (e.g., by the decode unit 804) and dispatched (e.g., by the schedule unit 806). In an example, the execution unit 808 may include more than one execution unit. The execution unit 808 may also perform various arithmetic operations such as addition, subtraction, multiplication, and/or division, and may include one or more an arithmetic logic units (ALUs). In an example, a co-processor (not shown) may perform various arithmetic operations in conjunction with the execution unit 808.
Further, the execution unit 808 may execute instructions out-of-order. Hence, the processor core 706 may be an out-of-order processor core in one example. The core 706 may also include a retirement unit 810. The retirement unit 810 may retire executed instructions after they are committed. In an example, retirement of the executed instructions may result in processor state being committed from the execution of the instructions, physical registers used by the instructions being de-allocated, etc.
The core 706 may also include a bus unit 714 to enable communication between components of the processor core 706 and other components (such as the components discussed with reference to
Furthermore, even though
In some examples, one or more of the components discussed herein can be embodied as a System On Chip (SOC) device.
As illustrated in
The I/O interface 940 may be coupled to one or more I/O devices 970, e.g., via an interconnect and/or bus such as discussed herein with reference to other figures. I/O device(s) 970 may include one or more of a keyboard, a mouse, a touchpad, a display, an image/video capture device (such as a camera or camcorder/video recorder), a touch screen, a speaker, or the like.
As illustrated in
In an example, the processors 1002 and 1004 may be one of the processors 702 discussed with reference to
As shown in
The chipset 1020 may communicate with a bus 1040 using a point-to-point PtP interface circuit 1041. The bus 1040 may have one or more devices that communicate with it, such as a bus bridge 1042 and I/O devices 1043. Via a bus 1044, the bus bridge 1043 may communicate with other devices such as a keyboard/mouse 1045, communication devices 1046 (such as modems, network interface devices, or other communication devices that may communicate with the computer network 803), audio I/O device, and/or a data storage device 1048. The data storage device 1048 (which may be a hard disk drive or a NAND flash based solid state drive) may store code 1049 that may be executed by the processors 1002 and/or 1004.
The following examples pertain to further examples.
Example 1 is a controller comprising logic to receive, in a system management mode mailbox, a memory partition creation request from a system management mode interface, wherein the memory partition creation request comprises at least one characteristic of a memory partition, authenticate the partition creation request, and create a memory partition in a memory coupled to the controller in accordance with the at least one characteristic.
In Example 2, the subject matter of Example 1 can optionally include logic to verify a source of the partition creation request, and verify a destination of the partition creation request.
In Example 3, the subject matter of any one of Examples 1-2 can optionally include an arrangement in which the logic to authenticate the partition creation request comprises logic to verify a source of the partition creation request, and verify a destination of the partition creation request.
In Example 4, the subject matter of any one of Examples 1-3 can optionally include logic to generate an error code in response to an authentication failure or a determination that the partition size is not available for allocation to a partition.
In Example 5, the subject matter of any one of Examples 1-4 can optionally include logic to generate a success code after the memory partition is created.
In Example 6, the subject matter of any one of Examples 1-5 can optionally include logic to receive, in a system management mode mailbox, a write request to the memory partition from a system management mode interface, authenticate the write request, and write data into the memory partition.
In Example 7, the subject matter of any one of Examples 1-6 can optionally include logic to receive, in a system management mode mailbox, a read request to the memory partition from a system management mode interface, authenticate the read request, and read data from the memory partition.
In Example 8, the subject matter of any one of Examples 1-7 can optionally include logic to receive, in a system management mode mailbox, a delete request to delete the memory partition from a system management mode interface, authenticate the delete request, and delete the memory partition.
Example 9 is an apparatus comprising a non-volatile memory and a controller comprising logic to receive, in a system management mode mailbox, a memory partition creation request from a system management mode interface, wherein the memory partition creation request comprises at least one characteristic of a memory partition, authenticate the partition creation request, and create a memory partition in a memory coupled to the controller in accordance with the at least one characteristic.
In Example 10, the subject matter of Example 9 can optionally include logic to verify a source of the partition creation request, and verify a destination of the partition creation request.
In Example 11, the subject matter of any one of Examples 9-10 can optionally include an arrangement in which the logic to authenticate the partition creation request comprises logic to verify a source of the partition creation request, and verify a destination of the partition creation request.
In Example 12, the subject matter of any one of Examples 9-11 can optionally include logic to generate an error code in response to an authentication failure or a determination that the partition size is not available for allocation to a partition.
In Example 13, the subject matter of any one of Examples 9-12 can optionally include logic to generate a success code after the memory partition is created.
In Example 14, the subject matter of any one of Examples 9-13 can optionally include logic to receive, in a system management mode mailbox, a write request to the memory partition from a system management mode interface, authenticate the write request, and write data into the memory partition.
In Example 15, the subject matter of any one of Examples 9-14 can optionally include logic to receive, in a system management mode mailbox, a read request to the memory partition from a system management mode interface, authenticate the read request, and read data from the memory partition.
In Example 16, the subject matter of any one of Examples 9-15 can optionally include logic to receive, in a system management mode mailbox, a delete request to delete the memory partition from a system management mode interface, authenticate the delete request, and delete the memory partition.
Example 17 is an electronic device comprising logic to receive, in a system management mode mailbox, a memory partition creation request from a system management mode interface, wherein the memory partition creation request comprises at least one characteristic of a memory partition, authenticate the partition creation request, and create a memory partition in a memory coupled to the controller in accordance with the at least one characteristic.
In Example 18, the subject matter of Example 17 can optionally include logic to verify a source of the partition creation request, and verify a destination of the partition creation request.
In Example 19, the subject matter of any one of Examples 17-18 can optionally include an arrangement in which the logic to authenticate the partition creation request comprises logic to verify a source of the partition creation request, and verify a destination of the partition creation request.
In Example 20, the subject matter of any one of Examples 17-19 can optionally include logic to generate an error code in response to an authentication failure or a determination that the partition size is not available for allocation to a partition.
In Example 21, the subject matter of any one of Examples 17-20 can optionally include logic to generate a success code after the memory partition is created.
In Example 22, the subject matter of any one of Examples 17-21 can optionally include logic to receive, in a system management mode mailbox, a write request to the memory partition from a system management mode interface, authenticate the write request, and write data into the memory partition.
In Example 23, the subject matter of any one of Examples 17-22 can optionally include logic to receive, in a system management mode mailbox, a read request to the memory partition from a system management mode interface, authenticate the read request, and read data from the memory partition.
In Example 24, the subject matter of any one of Examples 17-23 can optionally include logic to receive, in a system management mode mailbox, a delete request to delete the memory partition from a system management mode interface, authenticate the delete request, and delete the memory partition.
In various examples, the operations discussed herein, e.g., with reference to
Reference in the specification to “one example” or “an example” means that a particular feature, structure, or characteristic described in connection with the example may be included in at least an implementation. The appearances of the phrase “in one example” in various places in the specification may or may not be all referring to the same example.
Also, in the description and claims, the terms “coupled” and “connected,” along with their derivatives, may be used. In some examples, “connected” may be used to indicate that two or more elements are in direct physical or electrical contact with each other. “Coupled” may mean that two or more elements are in direct physical or electrical contact. However, “coupled” may also mean that two or more elements may not be in direct contact with each other, but may still cooperate or interact with each other.
Thus, although examples have been described in language specific to structural features and/or methodological acts, it is to be understood that claimed subject matter may not be limited to the specific features or acts described. Rather, the specific features and acts are disclosed as sample forms of implementing the claimed subject matter.