CN-114647852-B - Method for protecting a system such as a microcontroller and corresponding system
Abstract
Embodiments of the present disclosure relate to methods of protecting systems, such as microcontrollers, and corresponding systems. A system comprises a processing unit and a memory configured to store at least a first set of instructions and a second set of instructions for execution by the processing unit, the processing unit being configured to sequentially fetch the first set of instructions and the second set of instructions from the memory for their execution. The system further includes a controller including a first auxiliary memory configured to store protection criteria, a comparator configured to compare a storage address of each fetched instruction with the protection criteria, and control circuitry configured to trigger a protection mechanism in response to the storage address meeting the protection criteria, the protection mechanism including at least one prohibition of the processing unit executing at least a portion of the instructions of the first group again during execution of the instructions of the second group.
Inventors
- F. Ruiler
Assignees
- STMicroelectronics (Grand Ouest) SAS
Dates
- Publication Date: 20260505
- Application Date: 20211216
- Priority Date: 20201217
Claims (20)
- 1. A method for protecting a system, the system comprising a processing unit and a memory storing at least a first set of instructions and a second set of instructions for execution by the processing unit, the method comprising: fetching, by the processing unit, instructions of the first set of instructions and instructions of the second set of instructions in order from the memory for execution; comparing the memory address of each fetched instruction with a protection criterion; and in response to the compared storage address meeting the protection criterion, triggering a protection mechanism including at least one prohibition of the processing unit to execute again at least a portion of the fetched instructions of the first set of instructions during execution of the fetched instructions of the second set of instructions; wherein the protection criterion is an address of a first instruction of the second set of instructions or an address of a last instruction of the first set of instructions and the protected instruction satisfies the protection criterion when the address of the protected instruction is the address of the first instruction of the second set of instructions or the address of the last instruction of the first set of instructions, respectively, or the protection criterion comprises a first address range and the protected instruction satisfies the protection criterion when the address of the protected instruction is outside the first address range.
- 2. The method of claim 1, wherein the system further comprises a communication bus and at least one master device connected on the bus, and the protection mechanism further comprises a prohibition of the at least one master device from accessing the at least a portion of the fetched instructions of the first set of instructions during execution of the fetched instructions of the second set of instructions.
- 3. The method of claim 1, wherein the first address range is an address range of instructions of the first set of instructions fetched.
- 4. The method of claim 1, wherein the protection mechanism comprises at least one prohibition of the processing unit executing again all instructions of the fetched instructions of the first set of instructions during execution of the fetched instructions of the second set of instructions, or includes prohibition of the at least one master device accessing all instructions of the fetched instructions of the first set of instructions during execution of the fetched instructions of the second set of instructions.
- 5. The method of claim 2, wherein the disabling of the re-execution of the portion of protected instructions by the processing unit or the disabling of the access of the portion of protected instructions by the at least one master device comprises: detecting a new request issued by the processing unit or by the at least one master to fetch the protected instruction from the memory, and performing an action that prevents the new request to fetch the protected instruction from being provided.
- 6. The method of claim 5, wherein performing the action comprises resetting the system.
- 7. The method of claim 6, wherein performing the action comprises delivering a reference instruction to the processing unit or to the at least one master device instead of delivering the protected instruction.
- 8. The method of claim 5, wherein the at least a portion of the instructions of the first set of instructions fetched protected by the protection mechanism are stored at storage addresses belonging to at least one second address range, and detecting the new request to fetch the protected instructions comprises comparing the address of the protected instructions with the at least one second address range.
- 9. The method of claim 2, wherein the protection mechanism further comprises prohibiting access to at least one protected data stored in the memory for the processing unit or the at least one master device during execution of the second set of instructions.
- 10. The method of claim 9, wherein the prohibiting access comprises: detecting a new request issued by the processing unit or by the at least one master device to fetch the protected data from the memory, and performing an action that prevents the new request to extract the protected data from being provided.
- 11. The method of claim 10, wherein performing the action comprises resetting the system.
- 12. The method of claim 10, wherein performing the action comprises delivering baseline data to the processing unit or to the at least one master device instead of delivering the protected data.
- 13. The method of claim 10, wherein the at least one protected data protected by the protection mechanism is stored at a storage address belonging to at least one third address range, and detecting the new request to extract the protected data comprises comparing an address of the protected data with the at least one third address range.
- 14. The method of claim 1, wherein the system is a microcontroller, the first set of instructions comprises boot instructions, and the second set of instructions comprises instructions of an application.
- 15. An electronic system, comprising: a processing unit; a memory configured to store at least a first set of instructions and a second set of instructions for execution by the processing unit, wherein the processing unit is configured to fetch instructions of the first set of instructions and instructions of the second set of instructions in order from the memory for execution; and a controller, comprising: a first auxiliary memory configured to store protection criteria; a comparator configured to compare the memory address of each fetched instruction with the protection criterion; and a control circuit configured to trigger a protection mechanism in response to the storage address meeting the protection criterion, the protection mechanism including at least one prohibition of the processing unit to execute at least a portion of the fetched instructions of the first set of instructions again during execution of the fetched instructions of the second set of instructions; wherein the protection criterion is an address of a first instruction of the second set of instructions or an address of a last instruction of the first set of instructions and the protected instruction satisfies the protection criterion when the address of the protected instruction is the address of the first instruction of the second set of instructions or the address of the last instruction of the first set of instructions, respectively, or wherein the protection criterion comprises a first address range and the protected instruction satisfies the protection criterion when the address of the protected instruction is outside the first address range.
- 16. The system of claim 15, further comprising a communication bus and at least one master device coupled to the bus, wherein the protection mechanism further comprises a prohibition of the at least one master device from accessing at least a portion of the fetched instructions of the first set of instructions during execution of the fetched instructions of the second set of instructions.
- 17. The system of claim 15, wherein the first address range is an address range of instructions of the first set of instructions fetched.
- 18. The system of claim 15, wherein the control circuitry is configured to at least prohibit the processing unit from re-executing all of the instructions of the first set of instructions fetched during execution of the instructions of the second set of instructions fetched, or at least prohibit the at least one master from accessing all of the instructions of the first set of instructions fetched during execution of the instructions of the second set of instructions fetched.
- 19. The system of claim 16, wherein to prohibit re-execution of the protected instruction of the portion by the processing unit or prohibit access to the protected instruction of the portion by the at least one master, the control circuitry is configured to: detect a new request issued by the processing unit or by the at least one master to fetch the protected instruction from the memory, and perform an action that prevents the new request to fetch the protected instruction from being provided.
- 20. The system of claim 19, wherein the control circuit is configured to perform the action by resetting the system.
Description
Method for protecting a system such as a microcontroller and corresponding system
Cross Reference to Related Applications
The present application claims the benefit of French patent application number 2013505, filed on December 17, 2020, which is incorporated herein by reference.
Technical Field
Embodiments and examples relate to electronic systems such as microcontrollers, particularly those that include memory, and more particularly to the protection of such systems, particularly the protection of boot instructions or initialization instructions of the system.
Background
With the development of the field of connected objects (e.g., home automation), the security of electronic systems has become more important. In particular, it is important to be able to ensure that the boot instructions contained in the memory and executed during the initialization of the system are indeed the required instructions, and not instructions modified by malicious third parties. In fact, secure boot instructions make it possible to guarantee a chain of trust that is established and maintained throughout the execution of the software instructions on the product. In addition, the secure boot instructions are used as a root of trust that confirms the authenticity and integrity of the user's application by using cryptographic functions prior to executing the application. Thus, there is a need to improve the protection of electronic systems such as microcontrollers, in particular to improve the security of boot instructions, in particular but not exclusively when they are incorporated in a connected object.
Disclosure of Invention
According to one embodiment and example, it is proposed to make the boot instructions of the microcontroller, or at least the part of these instructions corresponding to the most critical services, unusable once the application is booted, in order to prevent as far as possible malware from reusing the services coded in the boot instructions in an unauthorized way aimed at jeopardizing the overall security of the product (e.g., the connected object comprising such a microcontroller).
According to one aspect, a method for protecting a system, such as a microcontroller, is presented. The system includes a processing unit, such as a processor core, and includes a memory storing at least a first set of instructions (e.g., boot instructions) and a second set of instructions (e.g., applications) that are executable by the processing unit. The method includes sequentially fetching, by the processing unit, instructions of the first set and instructions of the second set from memory for their execution. Further, the method includes comparing the memory address of each fetched instruction with protection criteria. Furthermore, if the storage address meets the protection criterion, the method provides for triggering of a protection mechanism comprising at least one prohibition of the processing unit executing at least a part of the instructions of the first group again during execution of the instructions of the second group.
The system may include a communication bus and at least one master device, such as a Direct Memory Access (DMA) circuit, connected on the bus, and the protection mechanism further advantageously includes disabling at least one master device from accessing at least a portion of the instructions of the first group during execution of the instructions of the second group. Thus, the protection criterion is advantageously a criterion aimed at protecting at least a part of the first set of instructions.
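A software model of the controller described above, added here as an illustration and not taken from the patent: a comparator watches each CPU instruction fetch, latches a lock when the protection criterion is met, and afterwards refuses CPU and DMA accesses to the protected boot range, either by resetting or by delivering a reference word. The memory map, the `REF_INSTR` value, all names, and the assumption that a reset clears the lock are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed memory map (assumption, not from the patent). */
#define BOOT_START 0x08000000u  /* first set: boot instructions */
#define BOOT_END   0x08003FFFu
#define APP_ENTRY  0x08004000u  /* first instruction of the second set */
#define REF_INSTR  0xBF00BF00u  /* constructed filler word delivered instead */

typedef enum { CRIT_APP_ENTRY, CRIT_OUTSIDE_RANGE } crit_kind;
typedef enum { ACT_RESET, ACT_REFERENCE } action_kind;
typedef enum { MASTER_CPU, MASTER_DMA } master_id;

typedef struct {
    crit_kind   kind;              /* criterion held in the auxiliary memory */
    uint32_t    prot_lo, prot_hi;  /* range of protected boot instructions */
    action_kind action;            /* what to do on a refused request */
    bool        locked;            /* sticky latch; model assumes reset clears it */
    unsigned    resets;            /* number of resets the guard has forced */
} guard;

static bool in_range(uint32_t a, uint32_t lo, uint32_t hi) {
    return a >= lo && a <= hi;
}

/* Comparator: evaluated on every CPU instruction fetch. */
static void guard_observe_fetch(guard *g, uint32_t addr) {
    bool hit = (g->kind == CRIT_APP_ENTRY)
                   ? (addr == APP_ENTRY)                     /* exact address */
                   : !in_range(addr, BOOT_START, BOOT_END);  /* left boot range */
    if (hit)
        g->locked = true;
}

/* One bus access by the CPU or another master; returns the word delivered. */
uint32_t guard_access(guard *g, master_id m, bool is_fetch,
                      uint32_t addr, uint32_t mem_word) {
    if (g->locked && in_range(addr, g->prot_lo, g->prot_hi)) {
        if (g->action == ACT_RESET) {  /* refuse by restarting the system */
            g->locked = false;
            g->resets++;
            return 0;                  /* nothing is delivered */
        }
        return REF_INSTR;              /* protected word never leaves memory */
    }
    if (m == MASTER_CPU && is_fetch)
        guard_observe_fetch(g, addr);
    return mem_word;
}
```

Only CPU instruction fetches feed the comparator in this model, so a DMA read of the application entry address does not arm the lock, while both masters are refused once it is armed.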
The instructions of the first group (i.e., the boot instructions) may execute normally as long as the protection criterion is not met. But once the instructions fetched from memory meet the protection criteria, access to at least a portion of the boot instructions, optionally the set of boot instructions, and optionally some sensitive data stored in memory, is locked for the application or any other sequence initiated by the master on the bus and during its execution.
Furthermore, the comparison between the address of the fetched instruction and the protection criterion is advantageously automatically implemented. Similarly, such triggering of the protection mechanism is advantageously performed automatically once the protection criterion is met by implementing, for example, hardware circuitry (including, for example, hardwired logic, without having to use specific logic instructions).
For defining the protection criterion, a plurality of solutions are possible, which may trigger the protection mechanism when the criterion is fulfilled. Thus, the protection criterion may be an address of a first instruction of the second set of instructions or an address of a last instruction of the first set of instructions. In this case, if the address of the instruction fetched from the memory is the address of the first instruction of the second group of instructions or the address of the last instru