Patent Application
20250123769
The disclosure of Japanese Patent Application No. 2023-178393 filed on Oct. 16, 2023, including the specification, drawings and abstract is incorporated herein by reference in its entirety.
The present invention relates to a semiconductor device, for example, a semiconductor device equipped with a processor.
There are disclosed techniques listed below.
“Secure Application Programming in the presence of Side Channel Attacks”, [online], [Accessed on Sep. 26, 2023], Internet <URL: https://riscureprodstorage.blob.core.windows.net/production/2017/08/Riscure_Whitepaper_Side_Channel_Patterns.pdf>
Non-Patent Document 1 in “4.6 FAULT.DOUBLECHECK” discloses a method for implementing countermeasures against glitch attacks (FIA: Fault Injection attack) using software. Specifically, it discloses a method for double-checking the identity of data read at a certain point in time with data read after a fixed period of time, using software when utilizing important data.
For example, in a semiconductor device equipped with a processor or the like, or in other words, a semiconductor chip, at the time of chip startup, it is possible to perform various initial settings for the entire chip by transferring predetermined data from non-volatile memory to registers. Such transfer operations are also referred to as reset transfers. Among the initial setting items by reset transfer, there may be included the protection state of security. The processor starts up after completing various initial settings by such reset transfer.
On the other hand, as one of the methods of Fault Injection Attacks (FIA), for example, a method of inverting important data representing the protection state of security, etc., is mentioned. If such a glitch attack is carried out during reset transfer, for example, the protection state of security can be changed, allowing unauthorized control of the semiconductor chip, and leading to possible tampering or leakage of important data. As a countermeasure against glitch attacks, a method of performing a double check using software, as shown in Non-Patent Document 1, is known. However, this method can be applied after the processor has started and is in a state where software can be executed, but it is difficult to apply during reset transfer.
The embodiment described later is made in view of such matters, and other problems and novel features will become apparent from the description of this specification and the accompanying drawings.
A semiconductor device according to one embodiment includes a processor formed on a semiconductor chip, a memory controller including a memory unit, a register unit, and a comparison circuit, a reset data transfer controller that executes data transfer from the memory unit to the register unit at the time of chip startup, and a system controller. The memory unit has a first memory in which data necessary for the initial setting of the semiconductor chip is stored. The register unit has a first register referred to during the initial setting of the semiconductor chip, and a second register for verifying the first register. The reset data transfer controller executes data transfer N times, transferring data stored in the first memory to the first register at the first data transfer, and transferring data stored in the first memory to the second register at the Nth data transfer. The comparison circuit determines the match/mismatch between the data transferred to the first register and the data transferred to the second register, and outputs a determination result signal representing the determination result. The system controller, if the determination result signal indicates a match, starts the processor, and if it indicates a mismatch, causes the reset data transfer controller to execute the N times data transfer again.
According to one embodiment, it is possible to protect the semiconductor device from Fault Injection Attacks (FIA).
In the following embodiments, for convenience, when necessary, the description may be divided into a plurality of sections or embodiments. Except when specifically stated, these are not unrelated to each other; rather, one may be related to the other as a modification, detail, supplementary explanation, etc., of part or all of it. Also, in the following embodiments, when referring to the number of elements, etc. (including the number of elements, numerical values, quantities, ranges, etc.), unless specifically stated or clearly limited to a specific number in principle, it is not limited to that specific number and may be more or less than that specific number.
Furthermore, in the following embodiments, it goes without saying that the constituent elements (including element steps and the like) are not necessarily essential, except in cases where they are specifically stated or considered to be obviously essential in principle. Similarly, in the following embodiments, when referring to the shapes, positional relationships, etc., of components, unless specifically stated or considered not to be the case in principle, it is assumed to include those that are substantially approximate or similar to those shapes, etc. The same applies to the above numerical values and ranges.
Moreover, the circuit elements constituting each functional block of the embodiments are not particularly limited but are formed on a semiconductor substrate such as single-crystal silicon by known integrated circuit technologies, including CMOS (Complementary Metal-Oxide-Semiconductor).
Hereinafter, embodiments are described in detail with reference to the drawings. In all the drawings for explaining the embodiments, members having the same functions are denoted by the same reference numerals, and repetitive descriptions thereof are omitted. Also, in the following embodiments, descriptions of the same or similar parts will not be repeated in principle except when particularly necessary.
The various peripheral circuits PERI include various circuits required by the semiconductor device, such as communication interface circuits with the outside of the chip, analog-to-digital converters, digital-to-analog converters, etc. The system controller SYSC controls the power-on controller POC, processor PRC, memory controller MEMC, reset data transfer controller RDTC, and various peripheral circuits PERI, thereby controlling, for example, the operation sequence of the entire semiconductor chip CHP.
The power-on controller POC releases the reset state of the entire semiconductor chip CHP in response to power being supplied to the semiconductor chip CHP or in response to a reset signal from an external reset terminal. The processor PRC is, for example, a CPU (Central Processing Unit) and may further include a GPU (Graphics Processing Unit) or a DSP (Digital Signal Processor).
The memory controller MEMC includes a memory unit MEMU, a register unit REGU, and a comparison circuit CMP1. The memory controller MEMC primarily controls access to the memory unit MEMU or the register unit REGU. The memory unit MEMU includes, for example, a first memory MEM1a, a volatile memory RAM such as SRAM (Static Random Access Memory), and a non-volatile memory NVM such as MRAM (Magnetoresistive RAM) and flash memory. The register unit REGU includes a main register (first register) REGm and a sub-register (second register) REGs.
In the non-volatile memory NVM, for example, programs are stored. Such programs are copied from the non-volatile memory NVM to the volatile memory RAM. The processor PRC executes the program copied to the volatile memory RAM. The first memory MEM1a is composed of non-volatile memory that allows writing only once, in other words, is not rewritable, such as fuse ROM (Read Only Memory), OTP (One Time Programmable)-ROM, etc. The first memory MEM1a is pre-stored with data necessary for the initial setting of the semiconductor chip CHP, that is, initial setting data.
The initial setting data includes important data representing the security protection status, etc. As specific examples, the initial setting data may include the setting values of protection bits for commands, the setting values of protection bits for boot firmware, that is, values determining whether protection is enabled or disabled. The reset data transfer controller RDTC executes data transfer, that is, reset transfer from the memory unit MEMU to the register unit REGU at the startup of the semiconductor chip CHP.
As will be described in detail later, the reset data transfer controller RDTC transfers the data stored in the first memory MEM1a, that is, the initial setting data, to the main register REGm or the sub-register REGs by data transfer N times, where N is an integer greater than or equal to 2. The reset data transfer controller RDTC includes a random number generation circuit RNG to generate the value of N, the number of these data transfers, by random number.
Herein, the data DTm transferred to the main register REGm is referenced during the initial setting of the semiconductor chip CHP, for example, by a processor PRC or a system controller SYSC, among others. On the other hand, the sub-register REGs is provided for verifying the data DTm of the main register REGm. That is, a comparison circuit CMP1 within the memory controller MEMC determines the match/mismatch between the data DTm transferred to the main register REGm and the data DTs transferred to the sub-register REGs. Then, the comparison circuit CMP1 outputs a determination result signal RS, which represents the result of the determination, to the system controller SYSC.
In the power-on process (step S101), the power-on controller POC releases the reset state of the semiconductor chip CHP. In the reset transfer process (step S102), the reset data transfer controller RDTC performs data transfer from the memory unit MEMU to the register unit REGU, namely, the reset transfer of the initial setting data. In the processor startup determination process (step S103), the system controller SYSC determines whether the reset transfer has been executed correctly. Then, if the reset transfer has been executed correctly, in the processor startup process (step S104), the system controller SYSC starts the processor PRC.
In such a reset sequence, if a glitch attack (FIA) is carried out during the reset transfer, there is a risk that the data DTm in the main register REGm may be destroyed. For example, if the enable signal is attacked, the main register REGm cannot intake the data itself, and as a result, cannot retain the correct data. If the address signal is attacked, the correspondence between the data stored in the first memory MEM1a and the data stored in the main register REGm is mistaken, and as a result, the main register REGm cannot retain the correct data. If the data signal is attacked, the main register REGm intakes incorrect data, and as a result, cannot retain the correct data.
Thus, if the data DTm in the main register REGm is destroyed, and for example, the settings of the aforementioned protection bits are changed, it may result in unauthorized control of the semiconductor chip CHP, leading to potential leakage or tampering of software externally. Moreover, particularly, the reset transfer process (step S102) may become vulnerable to glitch attacks from the perspective of the ease of determining the timing of the attack. That is, an attacker can arbitrarily determine the start timing of step S101, for example, using an external reset terminal, and can also relatively easily grasp the start timing of the reset transfer process (step S102) that is executed immediately thereafter.
Therefore, in the method of the first embodiment, as shown in
In
Subsequently, the reset data transfer controller RDTC executes N times data transfer, that is, N times reset transfer (step S203). Specifically, as shown in
Next, the system controller SYSC executes the FIA error check (step S204). Specifically, as shown in
Then, the comparison circuit CMP1 outputs a determination result signal RS, which represents the result of the determination, to the system controller SYSC. In the event that the determination result signal RS indicates a mismatch (step S204: error present), the system controller SYSC initializes the reset transfer (step S205). Specifically, the system controller SYSC clears the values of each register contained in the memory controller MEMC and the reset data transfer controller RDTC, including the register unit REGU. Thereafter, the system controller SYSC returns to step S203 and causes the reset data transfer controller RDTC to execute the data transfer N times again.
On the other hand, if the determination result signal RS from the comparison circuit CMP1 indicates a match (step S204: no error), the system controller SYSC starts the processor PRC by releasing its reset state, among other actions (step S206). Furthermore, after executing the data transfer N times again via the reset data transfer controller RDTC following step S205, the system controller SYSC also starts the processor PRC if the determination result signal RS indicates a match. The processes of steps S204 and S205 correspond to the processor start determination process (step S103), and the process of step S206 corresponds to the processor start process (step S104).
Thus, the semiconductor chip CHP determines the presence of an FIA error by verifying the validity of the data DTm transferred first using the data DTs transferred for the Nth time during the reset transfer. If no FIA error is detected, the semiconductor chip CHP starts the processor PRC; if an FIA error is detected, it does not start the processor PRC. By not starting the processor PRC, the semiconductor device cannot be controlled illicitly, protecting the semiconductor device from glitch attacks (FIA).
On the other hand, using such a method, the conditions under which an FIA error detection might be missed are: (A) if attacks are carried out both during the first data transfer and the Nth data transfer, and (B) if the data alteration caused by the attacks is identical. The probability of both conditions (A) and (B) being met simultaneously is generally considered low. Especially, by sequentially changing the timing targeted for attacks using the random number N, the probability of meeting both conditions (A) and (B) simultaneously becomes significantly lower. As a result, if the initial setting data is destroyed by a glitch attack (FIA) during the reset transfer, it can be detected with a high probability.
It is also possible to sequentially verify the validity of the data DTm transferred for the first time using each of the data transferred from the second to the Nth time. In this case, it is substantially possible to verify whether a glitch attack has been carried out during the period of reset transfer. However, in such a method, FIA errors may be excessively detected. That is, even if a glitch attack has been carried out, there is no particular problem if the data DTm transferred for the first time is valid data. From this perspective, a method of verifying the validity of the data DTm transferred for the first time using the data DTs transferred for the Nth time, as shown in
Furthermore, here, in the sub-register REGs, the data DT from the first memory MEM1a is sequentially overwritten during the data transfer from the second to the Nth time. As a result, for example, compared to the case where a plurality of sub-registers corresponding to the data transfer from the second to the Nth time are provided, the area of the register can be reduced. In a glitch attack, not only the data in the destination register but also the data stored in the source memory can be attacked. In the configuration example shown in
When the reset data transfer controller RDTC receives the reset transfer start command (step S301: Yes), it generates a random number as the value of N using a random number generation circuit RNG (step S302). The reset data transfer controller RDTC also initializes the transfer count n to zero (step S303).
Subsequently, the reset data transfer controller RDTC sets the source to the first memory MEM1a, specifically, to the address where the initial setting data is stored in the first memory MEM1a (step S304). The reset data transfer controller RDTC also sets the destination to the main register REGm, specifically, for example, to the address assigned to the main register REGm (step S305).
Using such settings, the Reset Data Transfer Controller RDTC executes data transfer and updates the transfer count n (step S306). Specifically, the Reset Data Transfer Controller RDTC performs read access to the first memory MEM1a at the source and writes the read data into the main register REGm at the destination by enabling it.
Subsequently, the Reset Data Transfer Controller RDTC changes the destination to the sub-register REGs, specifically, for example, to the address assigned to the sub-register REGs (step S307). Using the changed settings, the Reset Data Transfer Controller RDTC executes data transfer and updates the transfer count n (step S308). Then, the Reset Data Transfer Controller RDTC repeats the process of step S308 until the transfer count n reaches N (step S309: No).
On the other hand, when the transfer count n reaches N (step S309: Yes), the Reset Data Transfer Controller RDTC outputs a reset transfer completion notification to the System Controller SYSC (step S310). Note that the information on the source and destination in steps S304, S305, S307 is, for example, fixedly determined on the circuit in advance.
As described above, in the method of the first embodiment, the presence or absence of FIA errors in the data stored in the main register REGm is detected using the main register REGm, the sub-register REGs, and the comparison circuit CMP1. If there is no FIA error, the processor PRC is activated. As a result, typically, the semiconductor device can be protected from glitch attacks (FIA).
In the method of the first embodiment described above, to prevent data destruction in the memory at the source, the memory at the source, namely the first memory MEM1a, is composed of an OTP-ROM or the like that cannot be rewritten. On the other hand, if the memory at the source is composed of a rewritable non-volatile memory, the identity of the data transferred to the register is maintained even if the data in the memory itself is destroyed, so an FIA error will not be detected. Therefore, some measures are required in case data destruction occurs in the memory at the source.
As a first point of difference, a memory unit MEMU comprises a first memory MEM1b, a second memory MEM2, and a volatile memory RAM. The first memory MEM1b, unlike in the case of
As shown in
As a second point of difference, a reset data transfer controller RDTC further comprises an ECC (Error Check and Correction) decoder ECC DEC and a comparison circuit (second comparison circuit) CMP2. The reset data transfer controller RDTC executes data transfer from the memory unit MEMU to the register unit REGU via the ECC decoder ECC DEC during reset transfer.
At this time, the ECC decoder ECC DEC determines whether error correction is possible based on the error correction code ECC added to the data DT, namely the initial setting data. If error correction is possible, for example, in the case of a 1-bit error, the ECC decoder ECC DEC transfers the data DT after error correction to the register unit REGU. On the other hand, if error correction is not possible, for example, in the case of a 2-bit error, the ECC decoder ECC DEC outputs an ECC error signal EER to the system controller SYSC.
The comparison circuit CMP2 determines whether the recovery count RR stored in the first memory MEM1b has reached a preset recovery count upper limit value RRlmt. The recovery count upper limit value RRlmt is stored in the second memory MEM2 here. If the recovery count RR reaches the upper limit value RRlmt, the comparison circuit CMP2 outputs a recovery error signal RER to the system controller SYSC. Although details will be described later, the system controller SYSC controls so that at least the processor PRC is not activated when the ECC error signal EER or the recovery error signal RER is input.
As a third point of difference, a data recovery unit DREU is provided outside of the semiconductor chip CHP. In detail, the data recovery unit DREU is, for example, provided in a higher-level device that manages the semiconductor chip CHP within a predetermined system including the semiconductor chip CHP. The data recovery unit DREU retains backup data of data DT. Then, the data recovery unit DREU transmits the backup data to the system controller SYSC in response to a data recovery request from the semiconductor chip CHP, specifically from the system controller SYSC. Thus, the system controller SYSC can correctly restore the data DT even if it becomes impossible to correct errors.
In
performs N times data transfer, that is, N times reset transfer (step S403). Specifically, as shown in
At this time, the ECC decoder ECC DEC determines the presence of errors and, if there are errors, whether error correction is possible based on the error correction code ECC added to the data DT. Then, if there are errors that can be corrected, the ECC decoder ECC DEC transfers the data DT after error correction to the main register REGm. On the other hand, if there are errors that cannot be corrected, the ECC decoder ECC_DEC outputs an ECC error signal EER to the system controller SYSC.
On the other hand, from the second to the Nth data transfer, the reset data transfer controller RDTC transfers the data DT stored in the first memory MEM1b, that is, the same initial setting data as the first time, to the sub-register REGs via the ECC decoder ECC DEC. The processing content of the ECC decoder ECC DEC at this time is the same as that during the first data transfer. Also, the data DT transferred is sequentially overwritten in the sub-register REGs, as in the case of
Subsequently, the system controller SYSC checks whether the recovery count RR has reached the upper limit RRlmt through a recovery count check (step S404). That is, the system controller SYSC determines whether it has received a recovery error signal RER from the comparison circuit (second comparison circuit) CMP2. If the recovery count RR has reached the upper limit RRlmt (step S404: RR=RRlmt), the system controller SYSC initializes the reset transfer in the same manner as in step
S205 of
On the other hand, if the recovery count RR has not reached the upper limit RRlmt (step S404: RR<RRlmt), the system controller SYSC performs an FIA error check based on the judgment result signal RS from the comparison circuit (first comparison circuit) CMP1, in the same manner as in step S204 of
On the other hand, if there is no FIA error (step S406: no error), the system controller SYSC performs an ECC error check (step S407). Specifically, the system controller SYSC determines whether it has received an ECC error signal EER from the ECC decoder ECC DEC during the period of N reset transfers in step S403. Here, if an ECC error signal EER is received (step S407: error present), the system controller SYSC performs data recovery processing, during which the recovery count RR is also updated (step S408).
Specifically, as shown in
On the other hand, in
Using such a method, even if the data DT in the first memory MEM1b is destroyed by a glitch attack (FIA), the processor PRC can be activated under the condition that the destruction is correctable by error correction and no FIA error arises from the comparison circuit CMP1. On the other hand, if uncorrectable destruction occurs in the data DT in the first memory MEM1b due to a glitch attack, or if an FIA error arises from the comparison circuit CMP1, the processor PRC will not be activated. This allows the semiconductor device to be appropriately protected from glitch attacks.
For example, an attacker may perform glitch attacks on the first memory MEM1b multiple times with varying conditions in search of a desired method of destruction. In this case, if uncorrectable destruction occurs in the data DT in the first memory MEM1b, the semiconductor device can be recovered from a failure state by performing data recovery and then restarting the semiconductor device. However, if recovery is allowed indefinitely, the attacker can perform glitch attacks on the first memory MEM1b indefinitely with varying conditions, increasing the likelihood of finding the desired method of destruction.
Therefore, here, a maximum number of recoveries RRlmt is set. When the number of recoveries RR reaches the maximum value RRlmt, activation of the processor PRC is thereafter prohibited. On the other hand, for example, if the maximum value RRlmt itself is rewritten to a large value, the maximum value RRlmt is effectively invalidated. Therefore, it is desirable that the maximum value RRlmt is stored in a second memory MEM2 that cannot be rewritten.
Also, in
As described above, by using the method of the second embodiment, it is possible to protect the semiconductor device from glitch attacks (FIA) in a manner similar to the first embodiment. Furthermore, even in the case where a rewritable non-volatile memory is applied to the memory of the source, protection can be realized. That is, not only limited to the destination register, but also in the case where a glitch attack is carried out on the memory of the source, appropriate protection can be realized.
Although the invention made by the present inventor has been specifically described based on the embodiment, the present invention is not limited to the embodiment described above, and it is needless to say that various modifications can be made without departing from the gist thereof.
| Number | Date | Country | Kind |
|---|---|---|---|
| 2023-178393 | Oct 2023 | JP | national |
