Programming on-chip non-volatile memory in a secure processor using a sequence number
Abstract
A method may be executed by a secure processor having secure cryptography hardware implemented thereon. The method may be executed in a security kernel of a secure on-chip non-volatile (NV) memory coupled to the secure processor. The method may include: storing a rewritable state and a device private key based at least in part on a programmed secret seed and the rewritable state, the device private key being part of a cryptographic key pair comprising a public key associated with the device private key, and the rewritable state being a state of a secure application encrypted with the public key; providing one or more instructions to gather the device private key and from the private key datastore; and using the device private key to generate a device certificate, the device certificate providing the device with access to the secure application.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A device comprising:
a secure processor having secure cryptography hardware implemented thereon; a secure on-chip non-volatile (NV) memory coupled to the secure processor, a security kernel operated based on instructions from the secure processor being loaded to the secure on-chip NV memory, the security kernel comprising:
a private key datastore in which a device private key that is based at least in part on a programmed secret seed is stored, the device private key being part of a cryptographic key pair comprising a public key associated with the device private key;
an authenticated security Application Programming Interface (API) coupled to the private key datastore, the authenticated security API configured to receive a request for a device certificate that is originated from an application and provide the device certificate in response to the request;
a certificate construction engine coupled to the authenticated security API, the certificate construction engine configured to generate a device certificate using the device private key stored in the private key datastore, responsive to the request, the device certificate being transmitted out of the device for authorization of the device.
2 . The device of claim 1 , wherein the programmed secret seed is stored on on-chip read-only memory (ROM) coupled to the secure processor.
3 . The device of claim 1 , wherein the programmed secret seed is used to generate a pseudo-random number as the device private key.
4 . The device of claim 1 , wherein the cryptographic key pair comprises an elliptical cryptographic key pair.
5 . The device of claim 1 , wherein the certificate construction engine is further configured to compute the public key using the device private key stored in the private key datastore, and generate the device certificate using the public key computed from the device private key.
6 . The device of claim 1 , wherein a device ID, an issuer ID, and a signature that is generated based on the device private key are stored in the secure on-chip NV memory, and the certificate construction engine is further configured to read the device ID, the issuer ID, and the signature from the secure on-chip NV memory, and generates the device certificate also using the device ID, the issuer ID, and the signature that are read from the secure on-chip NV memory.
7 . The device of claim 1 , wherein a device ID, an issuer ID, and a signature that is generated based on the device private key are stored in the secure on-chip NV memory, and the certificate construction engine is further configured to read the device ID, the issuer ID, the signature from the secure on-chip NV memory, and generates the device certificate also using the device ID, the issuer ID, and the signature that are read from the secure on-chip NV memory, and the signature read from the secure on-chip NV memory is also transmitted out of the device along with the device certificate.
8 . The device of claim 1 , wherein the device private key comprises a variable key.
9 . The device of claim 1 , wherein the secure processor loads at least part of the security kernel into the secure on-chip memory in response to a start-up of the device.
10 . The device of claim 1 , wherein the device comprises a game console or a media player.
11 . A method executed by a device comprising a secure processor having secure cryptography hardware implemented thereon, the method executed in a security kernel loaded to a secure on-chip non-volatile (NV) memory coupled to the secure processor, the method comprising:
storing a device private key that is based at least in part on a programmed secret seed, the device private key being part of a cryptographic key pair comprising a public key associated with the device private key; receiving a request for a device certificate that is originated from an application; generating a device certificate using the device private key stored in the private key datastore, responsive to the request; providing the generated device certificate to the application, the provided device certificate being transmitted for authorization of the device.
12 . The method of claim 11 , wherein the programmed secret seed is stored on on-chip read-only memory (ROM) coupled to the secure processor.
13 . The method of claim 11 , wherein the programmed secret seed is used to generate a pseudo-random number as the device private key.
14 . The method of claim 11 , wherein the cryptographic key pair comprises an elliptical cryptographic key pair.
15 . The method of claim 11 , further comprising computing the public key using the device private key stored in the private key datastore, wherein the device certificate is generated using the public key computed from the device private key.
16 . The method of claim 11 , further comprising:
storing a device ID, an issuer ID, and a signature that is generated based on the device private key in the secure on-chip NV memory; reading the device ID, the issuer ID, and the signature from the secure on-chip NV memory, in response to the request, wherein the device certificate is generated also using the device ID, the issuer ID, and the signature that are read from the secure on-chip NV memory.
17 . The method of claim 11 , further comprising:
storing a device ID, an issuer ID, and a signature that is generated based on the device private key in the secure on-chip NV memory; reading the device ID, the issuer ID, and the signature from the secure on-chip NV memory, in response to the request, wherein the device certificate is generated also using the device ID, the issuer ID, and the signature that are read from the secure on-chip NV memory, and the signature read from the secure on-chip NV memory is also transmitted along with the device certificate.
18 . The method of claim 11 , wherein the device private key comprises a variable key.
19 . The method of claim 11 , further comprising loading at least part of the security kernel into the secure on-chip memory in response to a start-up of the device.
20 . The method of claim 11 , wherein the secure processor and the secure on-chip NV memory are incorporated into a game console or a media player.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.