The present disclosure generally relates to memory access, and more particularly, to transferring secure information between memory and one or more input/output peripherals.
Many modern devices, such as personal computers, laptop computers, personal digital assistants, media playing and/or recording devices, cell phones, and other suitable devices, store and utilize secure information. Secure information can include, for example, digital rights management content (e.g. video, audio, game content, etc.), financial information (e.g. personal accounts, transactional information, etc.), private information (e.g. schedules, contact lists, etc.) and other suitable information. In addition, secure information can be used to bind a cellular phone to a particular network. As such, protection of the secure information is important to prevent, among other things, content and device theft.
In order to protect such secure information, it is important to control transfer of information between input/output peripherals and memory containing the secure information. In one method, a processor switches into and out of a trusted mode of operation in order to transfer information between the input/output peripherals and the memory containing the secure information. However, switching the processor into and out of the trusted mode of operation for each transfer is time consuming.
As such, it is desirable, among other things, to provide a system for transferring secure information between an input/output peripheral and memory that does not require a processor to switch into and out of a trusted mode of operation.
The disclosure will be more readily understood in view of the following description when accompanied by the below figures, wherein like reference numerals represent like elements:
In one example, a secure memory access system includes a memory control module, at least one direct memory access module, and a plurality of input/output interface modules. The direct memory access module transfers information between all of the input/output interface modules and the memory control module in response to transfer configuration information. The transfer configuration information can include, among other things, source address information, destination address information, packet size information, and other suitable information.
Among other advantages, the secure memory access system provides a layer of security between all of the I/O peripherals and memory. Furthermore, access to secure memory space is transparent to both the direct memory access module and all of the I/O peripherals. As such, the I/O peripherals do not need to be transitioned into and out of a trusted mode of operation as required by prior art security schemes. Other advantages will be recognized by those of ordinary skill in the art.
In one example, the secure memory access system includes memory, operatively coupled to the memory control module, that includes secure storage space. The direct memory access module transfers information between all of the input/output interface modules and the secure storage space in response to the transfer configuration information.
In one example, the secure memory access system includes at least one processing module. The processing module selectively provides the transfer configuration information based on trusted interface information. The trusted interface information includes address information for at least a portion of the input/output interface modules. As such, the processing module provides the transfer configuration information for the portion of input/output interface modules in response to an information transfer request. In one example, a register stores the trusted interface information.
As used herein, the term “module” can include an electronic circuit, one or more processors (e.g., shared, dedicated, or group of processors such as but not limited to microprocessors, DSPs, or central processing units) and memory that execute one or more software or firmware programs, combinational logic circuits, an ASIC, and/or other suitable components that provide the described functionality. Additionally, as will be appreciated by those of ordinary skill in the art, the operation, design, and organization of a “module” can be described in a hardware description language such as Verilog™, VHDL, or other suitable hardware description languages.
Referring now to
During operation, the secure memory access system 104 transfers information between the memory 102 and the I/O peripherals 106. In addition, the secure memory access system 104 selectively transfers secure information between the I/O peripherals 106 and the secure space 108 based on trusted interface information, which can be stored within the secure memory access system 104. Because the secure memory access system 104 selectively transfers secure information between the I/O peripherals 106 and the secure space 108, access to the secure space 108 is transparent to the I/O peripherals 106. In addition, the secure memory access system 104 becomes a single point of access to memory 102, which makes it easier to control access to the secure space 108.
Referring now to
The memory access module 202 can include one or more direct memory access modules 206. In addition, in some embodiments, one or more of the I/O interface modules 204 can include one or more of the direct memory access modules 206. Each of the direct memory access modules 206 includes one or more direct memory access registers 207 that receive and store transfer configuration information used to transfer information between the memory control module 200 and the I/O interface modules 204.
The memory access module 202 is operatively coupled to the control module 200 and all of the I/O interface modules 204. As such, the direct memory access modules 206 are operatively coupled to the I/O interface modules 204. Each of the I/O interface modules 204 is operatively coupled to a respective one of the I/O peripherals 106. The memory control module 200 is operatively coupled to the memory 102.
The secure memory access system 104 also includes a processing module 208 and a trusted I/O peripheral register 210. The processing module 208 is operatively coupled to the memory control module 200, the trusted I/O peripheral register 210, and the direct memory access modules 206 of the memory access module 202.
The trusted I/O peripheral register 210 includes trusted interface information 212. The trusted interface information 212 can include, among other things, addresses defining the secure space 108, a list of I/O peripherals 106 (or I/O interface modules 204) deemed trusted (and/or non-trusted in some embodiments), and permissions (e.g. read, write, read-write) associated with the listed I/O peripherals 106 (or I/O interface modules 204). In one embodiment, the processing module 208 can access the trusted interface information 212 when it is operating in a trusted mode of operation.
The processing module 208 uses the trusted interface information 212 to determine whether a particular I/O peripheral 106 (or in some embodiments a particular I/O interface module 204) is trusted and therefore can exchange secure information with the secure space 108. The processing module 208 can also use the trusted interface information 212 to control the type of exchange (e.g. read, write, read-write) based on the permissions associated with the particular I/O peripheral 106 (or I/O interface modules 204).
During operation, the processing module 208 selectively provides transfer configuration information 214 (e.g. source address information, destination address information, packet size, etc.) to the direct memory access modules 206 in response to an information transfer request from one or more of the I/O peripherals 106 (e.g. via a respective one of the I/O interface modules 204). In one embodiment, the processing module 208 provides the transfer configuration information 214 when it is in a trusted mode of operation.
The processing module 208 provides transfer configuration information 214 based on the trusted interface information 212. For example, if one of the I/O peripherals 106 (or I/O interface modules 204) requests access to the secure space 108 and that particular I/O peripheral 106 (or I/O interface module 204) is defined in the trusted interface information 212, the processing module 208 provides the transfer configuration information 214. However, if in this example, that particular I/O peripheral 106 (or I/O interface module 204) is not defined in the trusted interface information 212, the processing module 208 does not provide the transfer configuration information 214, and no transfer to or from the secure space 108 is programmed into the direct memory access registers 207. Those of ordinary skill in the art will appreciate that rather than defining particular I/O peripherals 106 (or I/O interface modules 204) deemed to be trusted within the trusted interface information 212, particular I/O peripherals 106 (or I/O interface modules 204) that are deemed to be non-trusted can be defined if desired.
In addition, if, for example, one of the I/O peripherals 106 (or I/O interface modules 204) requests access to other areas of the memory 102 (e.g. non-secure space), the processing module 208 provides the transfer configuration information 214 to the memory access module 202 in response to the information transfer request without regard to the trusted interface information 212.
The memory access module 202 transfers information between all of the I/O peripherals 106 and the memory control module 200 in response to the transfer configuration information 214. More specifically, a respective one of the direct memory access modules 206 transfers information between the respective I/O interface modules 204 and the memory control module 200 in response to the transfer configuration information 214. In addition, as previously noted, the processing module 208 provides the transfer configuration information 214 to the memory access module 202 for secure-space requests only when the requesting I/O peripheral 106 (or I/O interface module 204) is included in the trusted interface information 212. As such, the memory access module 202 (e.g. a respective one or more of the direct memory access modules 206) transfers information between the I/O peripherals 106 (or the I/O interface modules 204) and the secure space 108 only in response to transfer configuration information 214 that the processing module 208 has provided.
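The decision that the processing module 208 makes against the trusted I/O peripheral register 210, as described in the preceding paragraphs and in the earlier summary of the trusted interface information, is illustrated by the following added example in C. It is not code from the disclosure. The register layout, the permission bit encoding, the interface identifiers and the secure-space address range are assumptions made here for illustration; the disclosure specifies none of them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Permission bits for an entry in the trusted I/O peripheral register
 * (assumed encoding; the disclosure names read, write and read-write). */
#define PERM_READ  0x1u  /* interface may receive data from the secure space */
#define PERM_WRITE 0x2u  /* interface may deposit data into the secure space */

/* Direction of a requested transfer, seen from memory. */
enum xfer_dir { XFER_MEM_TO_PERIPH, XFER_PERIPH_TO_MEM };

/* One entry of the trusted interface information: a trusted interface and its permissions. */
struct trusted_entry { unsigned iface_id; unsigned perms; };

/* Trusted I/O peripheral register (assumed layout): the secure space bounds
 * plus the list of trusted interfaces. secure_limit is one past the end. */
struct trusted_io_reg {
    uint32_t secure_base, secure_limit;
    const struct trusted_entry *entries;
    size_t n_entries;
};

/* Transfer configuration information as it would be written to the DMA registers. */
struct dma_cfg { uint32_t src, dst, len; };

/* An information transfer request arriving from an I/O interface module. */
struct xfer_request {
    unsigned iface_id;
    enum xfer_dir dir;
    uint32_t mem_addr, periph_addr;  /* memory-side and interface-side addresses */
    uint32_t len;
};

/* True if [addr, addr+len) overlaps the secure space. The caller has already
 * rejected zero-length and wrapping ranges, so addr+len cannot overflow. */
static bool touches_secure_space(const struct trusted_io_reg *reg, uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;  /* exclusive */
    return addr < reg->secure_limit && end > reg->secure_base;
}

static const struct trusted_entry *lookup_trusted(const struct trusted_io_reg *reg, unsigned iface_id)
{
    for (size_t i = 0; i < reg->n_entries; i++)
        if (reg->entries[i].iface_id == iface_id)
            return &reg->entries[i];
    return NULL;
}

/* Processing-module decision: provide transfer configuration information for
 * the request, or refuse it. Returns true and fills *cfg only when granted. */
bool provide_transfer_config(const struct trusted_io_reg *reg,
                             const struct xfer_request *req, struct dma_cfg *cfg)
{
    /* Malformed ranges are refused before any policy check: a length that wraps
     * the address space would otherwise slip past the overlap test below. */
    if (req->len == 0 || req->mem_addr > UINT32_MAX - req->len)
        return false;

    if (touches_secure_space(reg, req->mem_addr, req->len)) {
        const struct trusted_entry *e = lookup_trusted(reg, req->iface_id);
        unsigned need = (req->dir == XFER_MEM_TO_PERIPH) ? PERM_READ : PERM_WRITE;
        if (e == NULL || (e->perms & need) == 0)
            return false;  /* not listed, or lacks the permission for this direction */
    }
    /* Requests confined to non-secure space are granted without consulting the register. */
    if (req->dir == XFER_MEM_TO_PERIPH) {
        cfg->src = req->mem_addr;
        cfg->dst = req->periph_addr;
    } else {
        cfg->src = req->periph_addr;
        cfg->dst = req->mem_addr;
    }
    cfg->len = req->len;
    return true;
}

/* Constructed example register: secure space is [0x20000000, 0x20010000);
 * interface 1 may read it, interface 2 may read and write it, and interface 3
 * is not listed and therefore not trusted. */
static const struct trusted_entry demo_entries[] = { { 1, PERM_READ }, { 2, PERM_READ | PERM_WRITE } };
static const struct trusted_io_reg demo_reg = { 0x20000000u, 0x20010000u, demo_entries, 2 };

/* Wrapper over the constructed register: 1 = configuration provided, 0 = refused. */
int check_request(unsigned iface_id, enum xfer_dir dir, uint32_t mem_addr, uint32_t len)
{
    struct xfer_request req = { iface_id, dir, mem_addr, 0x40000000u, len };
    struct dma_cfg cfg;
    return provide_transfer_config(&demo_reg, &req, &cfg) ? 1 : 0;
}

int main(void)
{
    printf("iface 1 reads secure space:      %d\n", check_request(1, XFER_MEM_TO_PERIPH, 0x20000100u, 512));
    printf("iface 1 writes secure space:     %d\n", check_request(1, XFER_PERIPH_TO_MEM, 0x20000100u, 512));
    printf("iface 3 straddles into secure:   %d\n", check_request(3, XFER_MEM_TO_PERIPH, 0x1FFFFF00u, 0x200));
    return 0;
}
```

Two points in this example matter in practice. First, the overlap test covers the whole range of the transfer, not only its starting address: a request that begins in non-secure space but whose length carries it across the boundary into the secure space 108 is a secure-space request and is subjected to the trusted interface information, and the wraparound check precedes the overlap test so that an oversized length cannot defeat it. Second, the direction of the transfer is mapped onto the read or write permission held by the requesting interface, so a peripheral trusted only to read the secure space is refused a transfer that would write into it.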
In this manner, the secure memory access system 104 efficiently manages I/O peripheral 106 access to the secure space 108 within the memory 102. Because the secure memory access system 104 manages access to the secure space 108, none of the I/O peripherals 106 have direct access to the secure space 108. As such, a layer of security between all of the I/O peripherals 106 and the secure space 108 is provided. Furthermore, access to the secure space 108 is transparent to the I/O peripherals 106 due to the processing module 208 selectively providing the transfer configuration information 214 based on the trusted interface information 212. Because access to the secure space 108 is transparent to the I/O peripherals 106, they do not need to transition into and out of a secure mode of operation as required by prior art security schemes.
Referring now to
The bridge circuit 304 is operatively coupled to the main processing module 302, the memory 102, the secure memory access system 104, and the graphics module 306. The bridge circuit 304 transfers information (e.g. data and control) between the respective components to which it is operatively coupled. As known in the art, the graphics module 306 receives graphics information 310 and provides display information 312 based thereon. The display 308, which can be any suitable display such as an LCD, LED, CRT, plasma, or other suitable display, provides an image 314 that can be viewed by a user in response to the display information 312.
The device 300, when connected to one or more I/O peripherals 106, can transfer information between the memory 102 and all of the I/O peripherals 106 via the secure memory access system 104. In this manner, the secure memory access system 104 can selectively transfer information between the secure space 108 and one or more of the I/O peripherals 106 based on the trusted interface information 212.
As noted above, among other advantages, the secure memory access system 104 provides a layer of security between all of the I/O peripherals 106 and the secure space 108. Furthermore, access to the secure space 108 is transparent to the I/O peripherals 106 due to the processing module 208 selectively providing the transfer configuration information 214 based on the trusted interface information 212. As such, access to the secure space 108 is transparent to the I/O peripherals 106 and they do not need to transition into and out of a secure mode of operation as required by prior art security schemes. Other advantages will be recognized by those of ordinary skill in the art.
Also, integrated circuit design systems (e.g., work stations) are known that create integrated circuits based on executable information stored on a computer readable memory such as but not limited to CDROM, RAM, other forms of ROM, hard drives, distributed memory etc. The information may include data representing (e.g., compiled or otherwise represented) any suitable language such as, but not limited to, a hardware description language or other suitable language. As such, the “module” described herein may also be produced as integrated circuits by such systems. For example, an integrated circuit may be created for use in a device such as the device 300 using information stored on a computer readable medium that, when executed, causes the integrated circuit design system to create a secure memory access system that includes a memory control module, at least one direct memory access module, and a plurality of input/output interface modules. The direct memory access module transfers information between all of the input/output interface modules and the memory control module in response to transfer configuration information. Integrated circuits having a “module” that performs other operations described herein may also be suitably produced.
While this disclosure includes particular examples, it is to be understood that the disclosure is not so limited. Numerous modifications, changes, variations, substitutions, and equivalents will occur to those skilled in the art without departing from the spirit and scope of the present disclosure upon a study of the drawings, the specification, and the following claims.