Abstract: It is described an electronic device, comprising a secure element domain that further comprises: i) a physical memory region configured to store a plurality of data sets; and ii) a control device, coupled to the physical memory region, and configured to transfer at least one data set away from the physical memory region, wherein transferring the data set comprises at least one of: a) transferring the data set as a first data blob to a virtual memory region of the secure element domain; b) off-loading the data set as a second data blob to an external domain.

Abstract: In accordance with a first aspect of the present disclosure, a system is provided for applying patches to executable codes, comprising: a plurality of execution environments configured to execute said codes in different execution contexts; a control unit configured to apply the patches to said codes; wherein the control unit is configured to apply a specific patch to a specific code upon or after an execution environment configured to execute said specific code switches to an execution context corresponding to said specific code. In accordance with other aspects of the present disclosure, a corresponding method is conceived for applying patches to executable codes, and a corresponding computer program is provided.

Abstract: There is described a method of managing memory in an electronic device, the method comprising creating a set of equally sized logical regions in a logical address space, each logical region comprising a plurality of consecutive logical addresses, and mapping a subset of consecutive logical addresses within each logical region to a set of physical addresses within a corresponding physical memory region, the subset of consecutive logical addresses comprising the first logical address within the logical region, said first logical address being mapped to a base address within the corresponding physical memory region. Furthermore, there is described a controller for managing memory in an electronic device and a method of determining a physical memory address in a physical memory region using such a controller.

Abstract: A current operating system that is stored in a persistent storage circuit of a secure element is replaced by receiving a set of migration rules that specify changes to a set of data object types. Based upon the set of migration rules, a migration engine identifies data objects stored in a persistent storage circuit and corresponding to the set of data object types. For each of the identified data objects: a subset of the migration rules are selected that correspond to a data object type that corresponds to a particular data object, and based upon the selected subset, the particular data object is transformed. A new operating system can then be enabled.

Abstract: There is described a method of managing memory in an electronic device, the method comprising creating a set of equally sized logical regions in a logical address space, each logical region comprising a plurality of consecutive logical addresses, and mapping a subset of consecutive logical addresses within each logical region to a set of physical addresses within a corresponding physical memory region, the subset of consecutive logical addresses comprising the first logical address within the logical region, said first logical address being mapped to a base address within the corresponding physical memory region. Furthermore, there is described a controller for managing memory in an electronic device and a method of determining a physical memory address in a physical memory region using such a controller.

Abstract: In accordance with a first aspect of the present disclosure, a system is provided for applying patches to executable codes, comprising: a plurality of execution environments configured to execute said codes in different execution contexts; a control unit configured to apply the patches to said codes; wherein the control unit is configured to apply a specific patch to a specific code upon or after an execution environment configured to execute said specific code switches to an execution context corresponding to said specific code. In accordance with other aspects of the present disclosure, a corresponding method is conceived for applying patches to executable codes, and a corresponding computer program is provided.

Abstract: Various embodiments relate to a method and apparatus for embedding an operating system in a smart card product, which is certified and which derives multiple variants from the operating system, the method including the steps of certifying, a target of evaluation, the target of evaluation including an OS core mask and a plurality of components which includes OS components and plugin placeholders, building, by an image builder tool, romized content and runtime content including at least one of the plurality of components and customizing which of the plurality of components to include on the smart card product.

Abstract: Various embodiments relate to a method and apparatus for embedding an operating system in a smart card product, which is certified and which derives multiple variants from the operating system, the method including the steps of certifying, a target of evaluation, the target of evaluation including an OS core mask and a plurality of components which includes OS components and plugin placeholders, building, by an image builder tool, romized content and runtime content including at least one of the plurality of components and customizing which of the plurality of components to include on the smart card product.

Abstract: There is disclosed a method of providing a software update to a secure element comprised in a host device, comprising converting the software update into a sequence of ciphertext blocks using a chained encryption scheme, and transmitting said sequence of ciphertext blocks to the host device. Furthermore, there is disclosed a method of installing a software update on a secure element comprised in a host device, comprising receiving, by the host device, a sequence of ciphertext blocks generated by a method of providing a software update of the kind set forth, converting said sequence of ciphertext blocks into the software update, and installing the software update on the secure element. Furthermore, corresponding computer program products and a corresponding host device are disclosed.

Abstract: A current operating system that is stored in a persistent storage circuit of a secure element is replaced by receiving a set of migration rules that specify changes to a set of data object types. Based upon the set of migration rules, a migration engine identifies data objects stored in a persistent storage circuit and corresponding to the set of data object types. For each of the identified data objects: a subset of the migration rules are selected that correspond to a data object type that corresponds to a particular data object, and based upon the selected subset, the particular data object is transformed. A new operating system can then be enabled.

Abstract: Aspects of various embodiments are directed to the communication of wireless data. In a particular embodiment, an apparatus includes a master/wireless communication circuit and a slave circuit that carries out a secure function. The master generates session initiation commands, and the slave is responsive to these commands by generating and storing a session ID. In response to the receipt and validation of user-input data, the slave accesses and locally stores the session ID. Upon the initiation of and/or during a wireless communication process, the slave again accesses the session ID and compares the accessed session ID with the locally stored session ID, and facilitates communication based on the comparison (e.g., communication is not permitted if the comparison does not indicate a match).

Abstract: A method for managing a secure element which is embedded into a host unit. The described method comprises (a) transmitting a request for a management script from the host unit to a program element of the secure element, (b) at the program element, generating a management script in accordance with the request and encrypting the generated management script, (c) transmitting the encrypted management script from the program element to the host unit, (d) transmitting the encrypted management script from the host unit to a secure domain of the secure element, and (e) at the secure domain, decrypting and executing the management script.

Abstract: Aspects of various embodiments are directed to the communication of wireless data. In a particular embodiment, an apparatus includes a master/wireless communication circuit and a slave circuit that carries out a secure function. The master generates session initiation commands, and the slave is responsive to these commands by generating and storing a session ID. In response to the receipt and validation of user-input data, the slave accesses and locally stores the session ID. Upon the initiation of and/or during a wireless communication process, the slave again accesses the session ID and compares the accessed session ID with the locally stored session ID, and facilitates communication based on the comparison (e.g., communication is not permitted if the comparison does not indicate a match).

Abstract: There is disclosed a method of providing a software update to a secure element comprised in a host device, comprising converting the software update into a sequence of ciphertext blocks using a chained encryption scheme, and transmitting said sequence of ciphertext blocks to the host device. Furthermore, there is disclosed a method of installing a software update on a secure element comprised in a host device, comprising receiving, by the host device, a sequence of ciphertext blocks generated by a method of providing a software update of the kind set forth, converting said sequence of ciphertext blocks into the software update, and installing the software update on the secure element. Furthermore, corresponding computer program products and a corresponding host device are disclosed.

Abstract: Aspects of various embodiments are directed to the communication of wireless data. In a particular embodiment, an apparatus includes a master/wireless communication circuit and a slave circuit that carries out a secure function. The master generates session initiation commands, and the slave is responsive to these commands by generating and storing a session ID. In response to the receipt and validation of user-input data, the slave accesses and locally stores the session ID. Upon the initiation of and/or during a wireless communication process, the slave again accesses the session ID and compares the accessed session ID with the locally stored session ID, and facilitates communication based on the comparison (e.g., communication is not permitted if the comparison does not indicate a match).

Abstract: Aspects of various embodiments are directed to the communication of wireless data. In a particular embodiment, an apparatus includes a master/wireless communication circuit and a slave circuit that carries out a secure function. The master generates session initiation commands, and the slave is responsive to these commands by generating and storing a session ID. In response to the receipt and validation of user-input data, the slave accesses and locally stores the session ID. Upon the initiation of and/or during a wireless communication process, the slave again accesses the session ID and compares the accessed session ID with the locally stored session ID, and facilitates communication based on the comparison (e.g., communication is not permitted if the comparison does not indicate a match).

Abstract: A method for managing a secure element which is embedded into a host unit. The described method comprises (a) transmitting a request for a management script from the host unit to a program element of the secure element, (b) at the program element, generating a management script in accordance with the request and encrypting the generated management script, (c) transmitting the encrypted management script from the program element to the host unit, (d) transmitting the encrypted management script from the host unit to a secure domain of the secure element, and (e) at the secure domain, decrypting and executing the management script.