CN118093503A - Method for managing isolation of resources of a system-on-chip and corresponding system-on-chip - Google Patents
Method for managing isolation of resources of a system-on-chip and corresponding system-on-chip Download PDFInfo
- Publication number
- CN118093503A CN118093503A CN202311569888.6A CN202311569888A CN118093503A CN 118093503 A CN118093503 A CN 118093503A CN 202311569888 A CN202311569888 A CN 202311569888A CN 118093503 A CN118093503 A CN 118093503A
- Authority
- CN
- China
- Prior art keywords
- resource
- transaction
- auxiliary
- blocking
- notification
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000002955 isolation Methods 0.000 title claims abstract description 52
- 238000000034 method Methods 0.000 title claims description 32
- 230000000903 blocking effect Effects 0.000 claims abstract description 29
- 230000004044 response Effects 0.000 claims description 20
- 230000006870 function Effects 0.000 description 12
- 230000008901 benefit Effects 0.000 description 7
- 238000001514 detection method Methods 0.000 description 7
- 230000004913 activation Effects 0.000 description 4
- 230000009849 deactivation Effects 0.000 description 4
- 230000002093 peripheral effect Effects 0.000 description 4
- 238000012546 transfer Methods 0.000 description 4
- 230000007246 mechanism Effects 0.000 description 3
- 230000008569 process Effects 0.000 description 3
- 230000006399 behavior Effects 0.000 description 2
- 230000002950 deficient Effects 0.000 description 2
- 230000002349 favourable effect Effects 0.000 description 2
- 238000005192 partition Methods 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- LHMQDVIHBXWNII-UHFFFAOYSA-N 3-amino-4-methoxy-n-phenylbenzamide Chemical compound C1=C(N)C(OC)=CC=C1C(=O)NC1=CC=CC=C1 LHMQDVIHBXWNII-UHFFFAOYSA-N 0.000 description 1
- 230000001174 ascending effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000011084 recovery Methods 0.000 description 1
- 238000012552 review Methods 0.000 description 1
- 238000000638 solvent extraction Methods 0.000 description 1
- 238000011144 upstream manufacturing Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F15/00—Digital computers in general; Data processing equipment in general
- G06F15/76—Architectures of general purpose stored program computers
- G06F15/78—Architectures of general purpose stored program computers comprising a single central processing unit
- G06F15/7807—System on chip, i.e. computer system on a single chip; System in package, i.e. computer system on one or more chips in a single package
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F13/00—Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
- G06F13/14—Handling requests for interconnection or transfer
- G06F13/20—Handling requests for interconnection or transfer for access to input/output bus
- G06F13/24—Handling requests for interconnection or transfer for access to input/output bus using interrupt
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/74—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Mathematical Physics (AREA)
- Computing Systems (AREA)
- Microelectronics & Electronic Packaging (AREA)
- Debugging And Monitoring (AREA)
Abstract
A system on a chip comprising: at least one master device; at least one slave resource; an interconnect bus including an error notification channel; and a resource isolation system including, for each resource, a protection circuit configured to block or transmit transactions addressed to the resource according to access rights of the resource and access rights of transactions addressed to the resource via the interconnect bus. The protection circuit is capable of generating a notification signal on an error notification channel of the interconnect bus in case of blocking the transaction.
Description
Cross Reference to Related Applications
The present application claims the benefit of priority from French patent application No. 2212348 entitled "METHOD FOR MANAGING THE RESOURCE ISOLATION IN A SYSTEM-ON-CHIP, AND CORRESPONDING SYSTEM-ON-CHIP," filed ON 25 at 11 of 2022, which is incorporated herein by reference in its entirety.
Technical Field
Implementations and embodiments of the present invention relate to integrated circuits, particularly to systems on chip, such as microcontrollers or microprocessors, and more particularly to techniques for isolating resources belonging to a system on chip.
Background
To ensure the reliability of the system-on-chip, resource isolation techniques allow restricting access to particular secondary (i.e., auxiliary) resources by one or more primary (i.e., primary) devices. When a transaction issued by a master to a slave (i.e., auxiliary) resource does not meet established access restrictions, we refer to as an "illegitimate" access.
For example, publication FR 3103586 A1 (2021, 5, 28) describes a technique for managing these access restrictions that is easy to set up and implement, especially when such management is dynamic, i.e. it depends on the different applications of the system on chip.
In conventional resource isolation techniques, typically only one "trusted domain" (which is typically responsible for managing restrictions and access rights) is informed of illegal access to a resource by the mechanism used to manage the illegal access.
Thus, from the perspective of the device that has issued the transaction at the origin (origin), detection of illegal accesses is typically silent, as illegal write accesses are typically ignored, while illegal rights accesses typically receive a "0" that can be read as read content.
This may lead to difficulties in the debugging process, as it is possible to know which resources have been illegally accessed, but not which context to pass (i.e. by which master or access right).
Furthermore, in some products it may be necessary to stop the defective master immediately, which is conventionally not possible to stop immediately, since the trusted domain should first handle the error before deciding what should be done.
Finally, when a defective master is not informed of the error, it may repeat the same error and may disrupt the stability of the system, for example by accumulating incorrect configuration in registers. In some cases, this behavior may be unacceptable.
Disclosure of Invention
Accordingly, there is a need to overcome the above problems, in particular to provide a solution allowing the following operations: the master associated with the illegitimate access error is immediately notified and the context in which the illegitimate access error has occurred, and possibly the code line, are identified.
Furthermore, it is desirable to be able to set an illegitimate access management solution, for example by a user, in particular in order to configure the accuracy in such a way that the detection of an illegitimate access is notified.
In this regard, embodiments and implementations propose generating notification signals directly transmitted to an associated master on an error notification channel of an interconnect bus of a system-on-chip in the event of an illegitimate access.
Further, embodiments and implementations provide for selecting behavior for each resource in order to decide whether an illegal access should be silent or cause generation of a notification signal.
Thus, according to one aspect, there is provided a system on a chip comprising: at least one master device; at least one slave resource; an interconnect bus including an error notification channel; and a resource isolation system including, for each resource, a protection circuit configured to block or transmit transactions addressed to the resource according to access rights of the resource and access rights of transactions addressed to the resource via the interconnect bus. The protection circuit is capable of generating a notification signal on an error notification channel of the interconnect bus in case of blocking the transaction.
For example, the protection circuit is configured to address the notification signal to a master device at the origin of the blocked transaction.
For example, an interconnection bus is a system coupled between a master and a slave resource that allows transactions, such as write or read transactions, to be routed between the master and slave resources.
For example, a notification signal transmitted on an error notification channel of an interconnect bus may be intended to generate a reaction, advantageously an immediate reaction, of the master at the origin of the blocked transaction.
The reaction of the master may include interrupting the ongoing data transfer or stopping the ongoing process (at the origin of the illegitimate access) by forcing a data abort exception to be generated.
Advantageously, the reaction of the master may allow recovery of addresses that have caused illegal accesses. In particular, the forced generation of a data-abort exception may indeed allow identifying addresses where the data-abort exception has been generated. For example, data abort management procedures may generally be provided for respective access rights levels (e.g., non-secure and secure).
The use (or reuse) of existing error notification channels on the interconnect bus by the protection circuit may also avoid multiplication of the connection lines dedicated to the resource isolation system. In particular, it should be noted that it is the protection circuitry, rather than the resources, that is able to use the above-described error notification channel of the bus. Indeed, it is in fact the case that a transaction is blocked, and therefore for resources that ignore the existence of the transaction entirely, the protection circuit is able to generate a notification signal on the error notification channel of the bus. Thus, in addition to the resource, the error notification channel of the bus is "overloaded" by the protection circuit, for example, because the protection circuit is able to use the channel independent of the resource, which may be generally intended to be used by the resource independent of the protection circuit.
According to one embodiment, the resource isolation system comprises, for each resource, a location in a set of configuration registers for containing the setting data of the notification, the protection circuitry of each resource being configured to generate or not generate the above-mentioned notification signal in case of blocking a transaction addressed to the resource, depending on the setting data of the notification for the resource.
Thus, the additional accuracy of detecting illegitimate accesses obtained by the notification signal on the error notification channel of the bus may be activated or deactivated according to the need in terms of resource isolation, e.g. selected by the user. In fact, for each resource and depending on the use of the product, it may be desirable to benefit from good control and high security, and thus activate the notification signal in case of blocking the transaction; or conversely, to facilitate simplicity or performance and to deactivate the signal so as not to use the error notification channel of the bus or interrupt the master.
According to one embodiment, the system on chip comprises a trusted master and the resource isolation system comprises a central management unit capable of generating an interrupt signal addressed to the trusted master in case any one of the at least one protection circuits blocks a transaction.
In fact, the use of notification signals on the error notification channel of the interconnection bus is compatible in combination with the central management of illegal accesses using interrupts transmitted to the trusted master.
According to one embodiment, the resource isolation system comprises, for each resource, a location in a set of configuration registers intended to contain the setting data of the interrupt, the central management unit being configured to generate or not generate the above-mentioned interrupt signal in case of blocking of a transaction addressed to the resource, depending on the setting data of the interrupt for the resource.
Thus, here, the interrupt signal may be activated or deactivated as required in terms of resource isolation, e.g., selected by a user.
Also, in conjunction with the notified setting data, the system-on-chip may include four levels of accuracy in detecting illegal access, which may be selected by a user, for example, according to the needs of the resource isolation aspect.
According to another aspect, there is provided a method for managing resource isolation of a system on chip, wherein: the system-on-chip comprises at least one master device, at least one slave resource, and an interaction bus comprising an error notification channel; and the method includes, for each resource, an implementation of protection, the implementation of protection including: the method comprises blocking or transmitting transactions addressed to the resource based on access rights of the resource and access rights of transactions addressed to the resource via the interconnect bus, and generating a notification signal on an error notification channel of the interconnect bus if the transaction is blocked.
According to one implementation, the notification signal is addressed to the master device at the origin of the blocked transaction.
According to one implementation, the notified setting data for each resource is contained in a set of configuration registers, and the notification signal is generated or not generated in the event that a transaction addressed to that resource is blocked, depending on the notified setting data for each resource.
According to one implementation, a system on a chip includes a trusted master, and the method includes: in case a transaction addressed to any one of the at least one resource is blocked, an interrupt signal addressed to the trusted master is generated.
According to one implementation, the interrupt's setting data is contained in a set of configuration registers for each resource, and the interrupt signal is generated or not generated in the event that a transaction addressed to that resource is blocked, depending on the interrupt's setting data for each resource.
Drawings
Other advantages and features of the invention will become apparent from a review of the detailed description of non-limiting embodiments and implementations, and from the accompanying drawings, in which:
FIG. 1 is a block diagram of an embodiment of a system on a chip;
FIG. 2 is a flow chart of an embodiment method;
FIG. 3 is an example of a configuration register; and
Fig. 4 is a table showing the possibility of selection of accuracy in an illegitimate access notification.
Detailed Description
Fig. 1 schematically illustrates an embodiment of a system on chip SOC, such as a microcontroller or microprocessor, comprising at least one master (i.e. primary) device MSTR and at least one slave (i.e. secondary) resource RES capable of communicating via an interconnection BUS.
For example, the master devices TDMSTR, MSTR may include: a processor or central processing unit "CPU" (meaning "central processing unit") adapted to implement software functions; or other master device, such as means for direct memory access "DMA" (meaning "direct memory access").
In this example, the system on chip SOC also includes a so-called "trusted" master TDMSTR, which is responsible for, among other things, the configuration and management of access rights defining the isolation rules, which access rights are established by the resource isolation system RIF described in more detail below.
For example, the resources may include I2C type (representing an "internal integrated circuit") or SPI type (representing a "serial peripheral interface"), UART type (representing a "universal asynchronous receiver/transmitter"), real time clock "RTC" type (representing a real time clock) peripheral, or a memory type, such as an internal memory of a system on a chip or an interface for memory external to the system on a chip.
The interconnect BUS is coupled between the master and slave resources and allows routing transactions (e.g., write or read transactions) and more generally information between the master MSTR and slave resources RES on channels that may have dedicated functions.
For example, the interconnect bus may be of the "AXI" type (representing an "advanced extensible interface") or of the "AHB" type (representing an "advanced high-performance bus"), and the bus may be of the "AMBA" type (representing an "advanced microcontroller bus architecture") microcontroller bus type.
In particular, the interconnect BUS includes an error notification channel RREP that is intended to transmit response information from the resource after receiving a read or write transaction, for example. For example, the response information may be encoded on 2 bits to enable the transfer of 4 different states. For example, in the event that a transaction has been successfully received but is not understood from the resource, one of the possible information RREPs may be intended to communicate an error notification by the slave resource.
The system-on-chip SOC comprises a resource isolation system RIF configured to restrict access of one or more master devices to a specific slave resource, in particular according to access rights defined in this respect.
For example, among the access rights that may define the resource isolation rules, a definition of favorable and non-favorable environments, and possibly accumulated secure and non-secure environments, and possibly partition (compartmentalization) identifiers may be provided.
The concept of environment and secure/non-secure and advantageous/non-advantageous access rights is well known to the person skilled in the art and the concept of partitioning identifiers is specifically taught in publication FR 3103586 A1 (2021, 5, 28). When the access rights of the transaction are inconsistent with the access rights of the recipient resource, we refer to as "illegitimate" access.
For example, the resource isolation system RIF of a system-on-chip may be incorporated into the resource isolation technique described in publication FR 3103586 A1 (2021, 5, 28). In particular, the resource isolation system RIF comprises, for each resource RES, a protection circuit RISUP (sometimes referred to as a "firewall") which RISUP is configured to block or transfer transactions addressed to the resource RES via the interconnection BUS according to the above-mentioned access rights of the resource and the above-mentioned access rights of the transaction.
Furthermore, according to a general feature of the present specification, the protection circuit RISUP may generate the notification signal ilac_bus on the error notification path RREP of the interconnect BUS in case of blocking a transaction.
In this regard, reference is made to fig. 2. Fig. 2 illustrates a method 200 implemented by the protection circuit RISUP in a resource isolation management RIF of a system on chip SOC described with reference to fig. 1.
Thus, the implementation of protection 200 for each resource includes: upon receipt of a transaction 210 originating from the interconnect BUS, the access rights of the transaction are verified 220 with respect to the access rights of the resource.
Based on verification 220, transaction 210 may be transferred 230 to a downstream resource RES or blocked 240 by an upstream protection circuit RISUP. And, if the transaction is blocked 240, a notification signal ilac_bus is generated 250 by the protection circuit RISUP on the error notification path RREP of the interconnect BUS.
Referring again to fig. 1. Advantageously, the notification signal ilac_bus is addressed to the master MSTR at the origin of the blocked transaction, by means of a routing mechanism of the BUS.
For example, in this regard, the notification signal may include the information described above that is intended to convey an error notification from the resource on the error notification path RREP, where the transaction has been successfully received.
It should be noted that in this example, the error notification path RREP of the bus is generally intended to be used by the resource RES (as indicated by the arrow in the broken line) rather than by the protection circuit RISUP itself. However, in this case, it is actually the protection circuit RISUP itself that generates the notification signal ilac_bus on the error notification channel of the BUS. Indeed, in the case of blocking 240 a transaction, the resource RES is not informed of the existence of the transaction and therefore cannot generate the notification signal ilac_bus.
Thus, the error notification channel of the bus RREP is referred to as "overloaded" because it is connected and can be used independently by two different circuits, both the protection circuit RISUP and the resource RES. In particular, the use or "reuse" of the error notification path RREP of the interconnect BUS by the protection circuit RISUP allows avoiding the introduction of additional connection lines for the resource isolation system RIF.
Furthermore, the notification signal ilac_bus may be intended to generate a reaction, advantageously an immediate reaction, of the master MSTR at the origin of the blocked transaction.
The reaction of the master MSTR may include interrupting the ongoing data transfer or stopping the ongoing process (at the origin of the illegal access) by forcing a data abort exception. Advantageously, the forced generation of a data abort exception allows identification of the address for which an illegal access has occurred. For example, data abort management procedures may generally be provided for respective access rights levels (e.g., non-secure and secure).
Furthermore, the resource isolation system RIF may be configured to concomitantly generate an interrupt signal ilac_ INTRPT addressed to the trusted master TRMSTR in case any one of the protection circuits RISUP of the protection circuits RISUP of the different peripheral devices (at least one peripheral device) of the system on chip SOC prevents transactions.
For example, interrupt signal ILAC INTRPT may be communicated to trusted master TDMSTR via a routing mechanism of the interconnect BUS.
In this regard, the resource isolation system RIF may comprise a central unit IAC for managing illegal accesses, for example, within the control device RIFSC of the resource isolation system.
In this case, the protection circuit RISUP of the resource RES is configured to generate a detection signal ILAC of an illegal access (or to block a corresponding transaction) and to transmit the detection signal to the central unit IAC for managing the illegal access.
Further, the central unit IAC for managing illegal access is configured to generate an interrupt ilac_ INTRPT addressed to the trusted master TDMSTR in the case of receiving an illegal access detection signal ILAC transmitted by any one of the protection circuits RISUP.
Furthermore, the resource isolation system RIF may advantageously comprise a configuration register CFGREG, for example within the control device RIFSC of the resource isolation system, which CFGREG can contain configuration information CONFIG of the elements of the resource isolation system RIF (in particular the protection circuit RISUP and the central management unit IAC).
In this regard, reference is made to fig. 3.
Fig. 3 shows an example of configuration registers CFGREG _ RESy dedicated to resource "RESy" of the system on chip SOC, respectively.
Configuration register CFGREG _ RESy contains 32 locations "0" to "31" for containing setup data related to isolation of the resource for the corresponding resource RES.
For example and optionally, location "0" may allow defining the secure or non-secure access rights SEC of the resource, while location "1" may allow defining the advantageous or non-advantageous access rights PRIV of the resource.
Further, for example, locations "4" through "6" may allow for inclusion of a partition identifier for a resource.
In an advantageous embodiment of the resource isolation system RIF, the configuration register CFGREG _ RESy contains a location "8", which is intended to contain the notified setting data ilac_bus_cfg.
The notified setup data ilac_bus_cfg allows illegal access to the notification ilac_bus function via the error notification channel RREP of the interconnect BUS to be activated or deactivated (e.g., when it is stored at a value of "1" or "0", respectively).
For example, the user may store the value of the notified setting data ilac_bus_cfg in order to select the accuracy of the illegal access notification that he wishes to benefit from, and optionally for each resource RES of the system on chip SOC.
For example, the value of the notified settings data ilac_bus_cfg may also be stored by an access rights setting procedure, which is typically performed by trusted master TDMSTR at system-on-chip SOC start-up.
Accordingly, the operation of the protection circuit RISUP of each resource RES is configured according to the setting data ilac_bus_cfg contained in the corresponding position "8" of the configuration register.
In this regard, the protection circuit RISUP is configured to: if the notified setting data ilac_bus_cfg is activated (e.g. at "1") for a resource, the notification signal ilac_bus is generated in case a transaction addressed to the resource is blocked, and if the notified setting data ilac_bus_cfg is deactivated (e.g. at "0") for the resource, the notification signal ilac_bus is not generated.
Furthermore, in case the resource isolation system RIF comprises a central unit IAC for managing illegal accesses, as previously described, the configuration register CFGREG _ RESy may advantageously contain a position "9", which is intended to contain the setting data of the interrupt ilac_ INTRPT _cfg.
The setting data of the interrupt ilac_ INTRPT _cfg allows to activate or deactivate (for example when it is stored at a value of "1" or "0", respectively) the function of the central unit IAC for managing illegal accesses, which generates an interrupt ilac_ INTRPT to the trusted master TDMSTR in case of illegal access detection and for each of the resources RES, respectively.
For example, the value of the setting data of the interrupt ILAC INTRPT CFG may be stored by the user, again here in order to select the accuracy of the illegal access notification that he wishes to benefit from, and further optionally for each resource RES of the system on chip SOC.
Therefore, for each resource RES, the operation of the central unit IAC for managing illegal accesses is specifically configured according to the setting data ilac_ INTRPT _cfg contained in the corresponding position "9" of the configuration register.
In this regard, the central unit IAC for managing illegal access is configured for each resource so as to: if the setting data for the interrupt ILAC INTRPT CFG for the resource is activated (e.g., at "1"), then an interrupt signal ILAC INTRPT is generated if the transaction addressed to the resource is blocked; and if the setting data of the interrupt ilac_ INTRPT _cfg for the resource is disabled (e.g., at "0"), not generating the interrupt signal ilac_ INTRPT.
Fig. 4 shows a table illustrating the possibilities of selection of accuracy in the illegal access notification of the embodiments of the system on chip SOC described previously with reference to fig. 1 to 3.
For each resource, different accuracies of the illegitimate access notification are defined by configuring the setting data ilac_bus_cfg and the setting data of the interruption ilac_ INTRPT _cfg of the notification, respectively.
The four accuracies of the illegal access notification are specified by the numbers 1,2,3,4 according to ascending order.
The first accuracy "1" corresponds to silence in the case of an illegitimate access, and is defined by the deactivation "ilac_ INTRPT _cfg=0" of the interrupt function of the trusted master TDMSTR and the deactivation "ilac_bus_cfg=0" of the notification function of the failed master MSTR (i.e., the master that has generated the transaction at the origin of the illegitimate access).
The second accuracy "2" corresponds to a notification issued only to the trusted master TDMSTR, and is defined by the activation of the interrupt function of the trusted master TDMSTR "ilac_ INTRPT _cfg=1" and the deactivation of the notification function of the failed master MSTR "ilac_bus_cfg=0".
The third accuracy "3" corresponds to a notification issued only to the faulty master MSTR, and is defined by the deactivation of the interrupt function of the trusted master TDMSTR "ilac_ INTRPT _cfg=0" and the activation of the notification function of the faulty master MSTR "ilac_bus_cfg=1".
The fourth accuracy "4" corresponds to the notification issued to both trusted master TDMSTR and failed master MSTR, and is defined by activation of the interrupt function of trusted master TDMSTR "ilac_ INTRPT _cfg=1" and activation of the notification function of failed master MSTR "ilac_bus_cfg=1".
In summary, a particularly advantageous accuracy of the detection of illegal accesses obtained by means of the notification signal ilac_bus on the error notification channel of the BUS RREP may be activated or deactivated according to the need in terms of resource isolation, for example selected by the user.
Advantageously, this selection can also be accomplished concomitantly with the configuration of the interrupt signal ILAC INTRPT without generating information redundancy.
The selection of the configuration of the accuracy of the illegal access notification may be done dynamically during use of the system on chip, e.g. with maximum accuracy during a design or debugging phase of a program using the resources of the system on chip SOC, and with lower accuracy during end use of the system on chip SOC.
More generally, depending on the functionality of the resource and dynamically on the system on chip and its use of the resource, may benefit from good control and high security or benefit from simplicity or performance.
Claims (20)
1. A system on a chip SoC comprising:
A main circuit;
Auxiliary resources;
an interconnect bus including an error notification channel, the interconnect bus configured to couple the primary circuit to the secondary resource; and
A resource isolation system comprising protection circuitry for the auxiliary resource, the protection circuitry configured to:
Transmitting or blocking the transaction based on the access rights of the auxiliary resource and the access rights of the transaction addressed to the auxiliary resource via the interconnect bus, and
A notification signal is generated on the error notification channel in response to the protection circuit blocking the transaction.
2. The SoC of claim 1, wherein the transaction that is blocked originates from the host circuit, and wherein the protection circuit is configured to address the notification signal to the host circuit.
3. The SoC of claim 1, wherein the resource isolation system comprises, for the auxiliary resource: a set of configuration resources for containing setting data for a notification, the protection circuitry being configured to generate the notification signal in response to blocking the transaction addressed to the secondary resource in dependence on the setting data for the notification of the secondary resource.
4. The SoC of claim 1, further comprising a trusted master circuit coupled to the interconnect bus, the resource isolation system comprising a central management unit configured to generate an interrupt signal addressed to the trusted master circuit in response to the protection circuit blocking the transaction.
5. The SoC of claim 4, wherein the resource isolation system comprises, for the auxiliary resource: a set of configuration registers for containing setting data for an interrupt, the central management unit being configured to generate the interrupt signal in response to blocking the transaction addressed to the auxiliary resource in dependence on the setting data for an interrupt.
6. The SoC of claim 1, wherein the resource isolation system comprises, for the auxiliary resource: a set of configuration resources for containing setting data for notifications, and a set of configuration registers for containing setting data for interrupts.
7. The SoC of claim 6, further comprising a trusted master circuit coupled to the interconnect bus, the resource isolation system comprising a central management unit configured to generate an interrupt signal addressed to the trusted master circuit in response to the protection circuit blocking the transaction, and wherein the protection circuit is configured to generate the notification signal in response to blocking the transaction addressed to the auxiliary resource in accordance with the setting data for the notification of the auxiliary resource.
8. A method, comprising:
Transmitting or blocking transactions addressed to auxiliary resources of a system on chip SoC by protection circuitry of a resource isolation system in the SoC, the SoC further comprising a main circuit coupled to the auxiliary resources via an interconnect bus of the SoC, the protection circuit being associated with the auxiliary resources, depending on access rights of the auxiliary resources and of transactions addressed to the auxiliary resources via the interconnect bus of the SoC; and
A notification signal is generated on an error notification channel of the interconnect bus in response to the protection circuit blocking the transaction.
9. The method of claim 8, wherein the transaction that is blocked originates from the master circuit, the method further comprising: the notification signal is addressed to the main circuit by the protection circuit.
10. The method of claim 8, wherein for the auxiliary resource, the resource isolation system comprises: a set of configuration resources for containing settings data for a notification, the method further comprising: the notification signal is generated by the protection circuitry in response to blocking the transaction addressed to the auxiliary resource in accordance with the setting data for the notification of the auxiliary resource.
11. The method of claim 8, wherein the SoC further comprises a trusted master circuit coupled to the interconnect bus, the resource isolation system further comprising a central management unit, the method further comprising: an interrupt signal addressed to the trusted master is generated by the central management unit in response to the protection circuit blocking the transaction.
12. The method of claim 11, wherein the resource isolation system comprises, for the auxiliary resource: a set of configuration registers for containing setting data for an interrupt, the method further comprising: the interrupt signal is generated by the central management unit in response to blocking the transaction addressed to the auxiliary resource in accordance with the setting data for the interrupt.
13. The method of claim 8, wherein the resource isolation system comprises, for the auxiliary resource: a set of configuration resources for containing setting data for notifications, and a set of configuration registers for containing setting data for interrupts.
14. The method of claim 13, wherein the SoC further comprises a trusted master circuit coupled to the interconnect bus, the resource isolation system further comprising a central management unit, the method further comprising:
generating, by the central management unit, an interrupt signal addressed to the trusted master circuit in response to the protection circuit blocking the transaction; and
The notification signal is generated by the protection circuitry in response to blocking the transaction addressed to the auxiliary resource in accordance with the setting data for the notification of the auxiliary resource.
15. An apparatus comprising a system-on-chip SoC, the SoC comprising:
Auxiliary resources;
an interconnect bus including an error notification channel, the interconnect bus being coupled to the auxiliary resource; and
A resource isolation system comprising protection circuitry for the auxiliary resource, the protection circuitry configured to:
Transmitting or blocking the transaction based on the access rights of the auxiliary resource and the access rights of the transaction addressed to the auxiliary resource via the interconnect bus, and
A notification signal is generated on the error notification channel in response to the protection circuit blocking the transaction.
16. The device of claim 15, further comprising a primary circuit coupled to the auxiliary resource via the interconnect bus, wherein the transaction that is blocked originates from the primary circuit, and wherein the protection circuit is configured to address the notification signal to the primary circuit.
17. The apparatus of claim 15, wherein the resource isolation system comprises, for the auxiliary resource: a set of configuration resources for containing setting data for a notification, the protection circuitry being configured to generate the notification signal in response to blocking the transaction addressed to the secondary resource in dependence on the setting data for the notification of the secondary resource.
18. The device of claim 15, wherein the SoC further comprises a trusted master circuit coupled to the interconnect bus, the resource isolation system comprising a central management unit configured to generate an interrupt signal addressed to the trusted master circuit in response to the protection circuit blocking the transaction.
19. The apparatus of claim 18, wherein the resource isolation system comprises, for the auxiliary resource: a set of configuration registers for containing setting data for an interrupt, the central management unit being configured to generate the interrupt signal in response to blocking the transaction addressed to the auxiliary resource in dependence on the setting data for an interrupt.
20. The apparatus of claim 15, wherein the SoC further comprises a trusted master circuit coupled to the interconnect bus, the resource isolation system comprising a central management unit,
Wherein the resource isolation system comprises, for the auxiliary resource: a set of configuration resources for containing setup data for notifications, a set of configuration registers for containing setup data for interrupts, and
Wherein the protection circuit is configured to generate the notification signal in response to blocking the transaction addressed to the auxiliary resource in accordance with the setting data for the notification of the auxiliary resource, and
Wherein the central management unit is configured to generate an interrupt signal addressed to the trusted master in response to the protection circuit blocking the transaction.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| FR2212348 | 2022-11-25 | ||
| US18/514,812 | 2023-11-20 | ||
| US18/514,812 US20240176689A1 (en) | 2022-11-25 | 2023-11-20 | Method for managing the isolation of resources of a system-on-chip, and corresponding system-on-chip |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118093503A true CN118093503A (en) | 2024-05-28 |
Family
ID=91142815
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311569888.6A Pending CN118093503A (en) | 2022-11-25 | 2023-11-23 | Method for managing isolation of resources of a system-on-chip and corresponding system-on-chip |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118093503A (en) |
-
2023
- 2023-11-23 CN CN202311569888.6A patent/CN118093503A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8537848B2 (en) | Flexibly integrating endpoint logic into varied platforms | |
| US8069288B2 (en) | Mechanism to flexibly support multiple device numbers on point-to-point interconnect upstream ports | |
| JP5182771B2 (en) | Reset conversion in shared I / O | |
| US20140223052A1 (en) | System and method for slave-based memory protection | |
| CN108132910B (en) | System interconnect and system on chip with system interconnect | |
| US20110320670A1 (en) | Connected input/output hub management | |
| JP2006523347A (en) | Data processing system and method having peripheral device access protection | |
| JP2020035419A (en) | Error checking for primary signal transmitted between first and second clock domains | |
| JP2001222503A (en) | Peripheral equipment control system | |
| KR20200087679A (en) | An interrupt controller and method of operation of an interrupt controller | |
| CN113505016A (en) | Bus transmission fault detection method, bus system and chip | |
| CN112602086A (en) | Secure peripheral interconnect | |
| US7028132B2 (en) | Distributed peer-to-peer communication for interconnect busses of a computer system | |
| CN118093503A (en) | Method for managing isolation of resources of a system-on-chip and corresponding system-on-chip | |
| CN114925386B (en) | Data processing method, computer device, data processing system and storage medium | |
| US20240176689A1 (en) | Method for managing the isolation of resources of a system-on-chip, and corresponding system-on-chip | |
| CN114915499A (en) | Data transmission method, related device, system and computer readable storage medium | |
| KR100801759B1 (en) | Device and system for debugging device using control bus | |
| US20240320359A1 (en) | System-on-chip including resource isolation framework and countermeasure circuit, and corresponding method | |
| CN118689836A (en) | On-chip system including a resource isolation framework and countermeasure circuitry, and corresponding method | |
| US20240176863A1 (en) | System-on-chip including a resource isolation system and method for managing the corresponding resource isolation | |
| US20060117226A1 (en) | Data communication system and data communication method | |
| JP3401729B2 (en) | Split bus control circuit | |
| CA1293328C (en) | Remote services console for digital data processing system | |
| EP4145318A1 (en) | System and method for monitoring delivery of messages passed between processes from different operating systems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |