Patents by Inventor George Thomas Letey

George Thomas Letey has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11444918
    Abstract: The disclosed technology is generally directed to firewalls. In one example of the technology, a first firewall is used such that communication is blocked from a first subsystem of a device upon boot of the device. The first firewall is enabled to be configured by secure code subsequent to boot such that code that is not secure code is prevented from configuring the first firewall. After configuration of the first firewall, based on the configuration, the first firewall is used to selectively allow the first subsystem access to the first memory based on ranges of addresses of the first memory configured as accessible to the first subsystem.
    Type: Grant
    Filed: December 16, 2019
    Date of Patent: September 13, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: George Thomas Letey, Douglas L. Stiles, Edmund B. Nightingale
  • Patent number: 11036654
    Abstract: The disclosed technology is generally directed to protection against unauthorized code. In one example of the technology, a read request to a restricted region of memory is detected. The read request is associated with a first processor. In response to detecting the read request to the restricted region of memory, a data value that causes an exception in response to execution by the first processor is provided.
    Type: Grant
    Filed: June 21, 2018
    Date of Patent: June 15, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: George Thomas Letey, Felix Stefan Domke, Edmund B. Nightingale
  • Patent number: 10942798
    Abstract: In one example of the technology, via a first independent execution environment of a set of independent execution environments in an integrated circuit, a first watchdog timer is caused to reset on a periodic basis. The set of independent execution environments is configured to have a defense-in-depth hierarchy. The set of independent execution environments includes a first independent execution environment and a second independent execution environment. The first independent execution environment is a most trusted execution environment on the integrated circuit. Via the second independent execution environment: a second watchdog timer is periodically caused to reset on a periodic basis. In response to the second watchdog timer timing out, an interrupt is communicated from the second watchdog timer to the first independent execution environment. In response to the first watchdog timer timing out, at least a portion of the integrated circuit is reset.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: March 9, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: George Thomas Letey, Douglas L. Stiles, Edmund B. Nightingale, Stephen E. Hodges, Philip John Joseph Wright
  • Patent number: 10783075
    Abstract: The disclosed technology is generally directed to data security. In one example of the technology, data is stored in a memory. The memory includes a plurality of memory banks including a first memory bank and a second memory bank. At least a portion of the data is interleaved amongst at least two of the plurality of memory banks. Access is caused to be prevented to at least one of the plurality of memory banks while a debug mode or recovery mode is occurring. Also, access is caused to be prevented to the at least one of the plurality of memory banks starting with initial boot until a verification by a security complex is successful. The verification by the security complex includes the security complex verifying a signature.
    Type: Grant
    Filed: April 7, 2019
    Date of Patent: September 22, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: George Thomas Letey, Douglas L. Stiles, Edmund B. Nightingale
  • Patent number: 10715526
    Abstract: The disclosed technology is generally directed to integrated circuit technology with defense-in-depth. In one example of the technology, an integrated circuit includes a set of independent execution environments including at least two independent execution environments. At least two of the independent execution environments are general purpose cores with differing capabilities. The independent execution environments in the set of independent execution environments are configured to have a defense-in-depth hierarchy.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: July 14, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Edmund B. Nightingale, Reuben R. Olinsky, Galen C. Hunt, Douglas Stiles, George Thomas Letey
  • Publication number: 20200120067
    Abstract: The disclosed technology is generally directed to firewalls. In one example of the technology, a first firewall is used such that communication is blocked from a first subsystem of a device upon boot of the device. The first firewall is enabled to be configured by secure code subsequent to boot such that code that is not secure code is prevented from configuring the first firewall. After configuration of the first firewall, based on the configuration, the first firewall is used to selectively allow the first subsystem access to the first memory based on ranges of addresses of the first memory configured as accessible to the first subsystem.
    Type: Application
    Filed: December 16, 2019
    Publication date: April 16, 2020
    Inventors: George Thomas LETEY, Douglas L. STILES, Edmund B. NIGHTINGALE
  • Patent number: 10587575
    Abstract: The disclosed technology is generally directed to firewalls. In one example of the technology, a first firewall is used such that communication is blocked from a first subsystem of a device upon boot of the device. The first firewall is enabled to be configured by secure code subsequent to boot such that code that is not secure code is prevented from configuring the first firewall. After configuration of the first firewall, based on the configuration, the first firewall is used to selectively allow the first subsystem access to the first memory based on ranges of addresses of the first memory configured as accessible to the first subsystem.
    Type: Grant
    Filed: May 26, 2017
    Date of Patent: March 10, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: George Thomas Letey, Douglas L. Stiles, Edmund B. Nightingale
  • Publication number: 20200004721
    Abstract: The disclosed technology is generally directed to peripheral access. In one example of the technology, stored configuration information is read. The stored configuration information is associated with mapping a plurality of independent execution environments to a plurality of peripherals such that the peripherals of the plurality of peripherals have corresponding independent execution environments of the plurality of independent execution environments. A configurable interrupt routing table is programmed based on the configuration information. An interrupt is received from a peripheral. The interrupt is routed to the corresponding independent execution environment based on the configurable interrupt routing table.
    Type: Application
    Filed: July 8, 2019
    Publication date: January 2, 2020
    Inventors: George Thomas LETEY, Douglas L. STILES, Edmund B. NIGHTINGALE
  • Publication number: 20190370103
    Abstract: In one example of the technology, via a first independent execution environment of a set of independent execution environments in an integrated circuit, a first watchdog timer is caused to reset on a periodic basis. The set of independent execution environments is configured to have a defense-in-depth hierarchy. The set of independent execution environments includes a first independent execution environment and a second independent execution environment. The first independent execution environment is a most trusted execution environment on the integrated circuit. Via the second independent execution environment: a second watchdog timer is periodically caused to reset on a periodic basis. In response to the second watchdog timer timing out, an interrupt is communicated from the second watchdog timer to the first independent execution environment. In response to the first watchdog timer timing out, at least a portion of the integrated circuit is reset.
    Type: Application
    Filed: May 31, 2018
    Publication date: December 5, 2019
    Inventors: George Thomas LETEY, Douglas L. STILES, Edmund B. NIGHTINGALE, Stephen E. HODGES, Philip John Joseph WRIGHT
  • Publication number: 20190317904
    Abstract: The disclosed technology is generally directed to protection against unauthorized code. In one example of the technology, a read request to a restricted region of memory is detected. The read request is associated with a first processor. In response to detecting the read request to the restricted region of memory, a data value that causes an exception in response to execution by the first processor is provided.
    Type: Application
    Filed: June 21, 2018
    Publication date: October 17, 2019
    Inventors: George Thomas LETEY, Felix Stefan DOMKE, Edmund B. NIGHTINGALE
  • Publication number: 20190236007
    Abstract: The disclosed technology is generally directed to data security. In one example of the technology, data is stored in a memory. The memory includes a plurality of memory banks including a first memory bank and a second memory bank. At least a portion of the data is interleaved amongst at least two of the plurality of memory banks. Access is caused to be prevented to at least one of the plurality of memory banks while a debug mode or recovery mode is occurring. Also, access is caused to be prevented to the at least one of the plurality of memory banks starting with initial boot until a verification by a security complex is successful. The verification by the security complex includes the security complex verifying a signature.
    Type: Application
    Filed: April 7, 2019
    Publication date: August 1, 2019
    Inventors: George Thomas LETEY, Douglas L. STILES, Edmund B. NIGHTINGALE
  • Patent number: 10353815
    Abstract: The disclosed technology is generally directed to data security. In one example of the technology, data is stored in a memory. The memory includes a plurality of memory banks including a first memory bank and a second memory bank. At least a portion of the data is interleaved amongst at least two of the plurality of memory banks. Access is caused to be prevented to at least one of the plurality of memory banks while a debug mode or recovery mode is occurring. Also, access is caused to be prevented to the at least one of the plurality of memory banks starting with initial boot until a verification by a security complex is successful. The verification by the security complex includes the security complex verifying a signature.
    Type: Grant
    Filed: May 26, 2017
    Date of Patent: July 16, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: George Thomas Letey, Douglas L. Stiles, Edmund B. Nightingale
  • Patent number: 10346345
    Abstract: The disclosed technology is generally directed to peripheral access. In one example of the technology, stored configuration information is read. The stored configuration information is associated with mapping a plurality of independent execution environments to a plurality of peripherals such that the peripherals of the plurality of peripherals have corresponding independent execution environments of the plurality of independent execution environments. A configurable interrupt routing table is programmed based on the configuration information. An interrupt is received from a peripheral. The interrupt is routed to the corresponding independent execution environment based on the configurable interrupt routing table.
    Type: Grant
    Filed: May 26, 2017
    Date of Patent: July 9, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: George Thomas Letey, Douglas L. Stiles, Edmund B. Nightingale
  • Publication number: 20180343234
    Abstract: The disclosed technology is generally directed to firewalls. In one example of the technology, a first firewall is used such that communication is blocked from a first subsystem of a device upon boot of the device. The first firewall is enabled to be configured by secure code subsequent to boot such that code that is not secure code is prevented from configuring the first firewall. After configuration of the first firewall, based on the configuration, the first firewall is used to selectively allow the first subsystem access to the first memory based on ranges of addresses of the first memory configured as accessible to the first subsystem.
    Type: Application
    Filed: May 26, 2017
    Publication date: November 29, 2018
    Inventors: George Thomas LETEY, Douglas L. STILES, Edmund B. NIGHTINGALE
  • Publication number: 20180341584
    Abstract: The disclosed technology is generally directed to data security. In one example of the technology, data is stored in a memory. The memory includes a plurality of memory banks including a first memory bank and a second memory bank. At least a portion of the data is interleaved amongst at least two of the plurality of memory banks. Access is caused to be prevented to at least one of the plurality of memory banks while a debug mode or recovery mode is occurring. Also, access is caused to be prevented to the at least one of the plurality of memory banks starting with initial boot until a verification by a security complex is successful. The verification by the security complex includes the security complex verifying a signature.
    Type: Application
    Filed: May 26, 2017
    Publication date: November 29, 2018
    Inventors: George Thomas LETEY, Douglas L. STILES, Edmund B. NIGHTINGALE
  • Publication number: 20180341620
    Abstract: The disclosed technology is generally directed to peripheral access. In one example of the technology, stored configuration information is read. The stored configuration information is associated with mapping a plurality of independent execution environments to a plurality of peripherals such that the peripherals of the plurality of peripherals have corresponding independent execution environments of the plurality of independent execution environments. A configurable interrupt routing table is programmed based on the configuration information. An interrupt is received from a peripheral. The interrupt is routed to the corresponding independent execution environment based on the configurable interrupt routing table.
    Type: Application
    Filed: May 26, 2017
    Publication date: November 29, 2018
    Inventors: George Thomas LETEY, Douglas L. STILES, Edmund B. NIGHTINGALE
  • Publication number: 20180165448
    Abstract: The disclosed technology is generally directed to integrated circuit technology with defense-in-depth. In one example of the technology, an integrated circuit includes a set of independent execution environments including at least two independent execution environments. At least two of the independent execution environments are general purpose cores with differing capabilities. The independent execution environments in the set of independent execution environments are configured to have a defense-in-depth hierarchy.
    Type: Application
    Filed: February 27, 2017
    Publication date: June 14, 2018
    Inventors: Edmund B. Nightingale, Reuben R. Olinsky, Galen C. Hunt, Douglas Stiles, George Thomas Letey
  • Patent number: 7171534
    Abstract: A memory controller system for processing memory access requests comprising a first memory controller operable to address a first plurality of memory modules, a second memory controller operable to address a second plurality of memory modules, the first and second memory controllers configurable to process a memory transaction in an operational mode of the memory controller system selected from the group consisting of an independent cell mode, a multiplexer-mode (mux-mode), and a lockstep mode, and a bus interface block operable to convey the memory transaction to both of the first and second memory controllers is provided.
    Type: Grant
    Filed: December 17, 2004
    Date of Patent: January 30, 2007
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Jeff G. Hargis, George Thomas Letey, Michael Kennard Tayler
  • Patent number: 6901486
    Abstract: A method of determining whether to issue a pre-fetch transaction in a memory control system comprising generating a pre-fetch threshold dependent on a demand load of a memory controller, calculating a probability measure of pre-fetch accuracy, comparing the threshold with the calculated probability measure, and determining whether to issue a pre-fetch transaction based upon the comparison of the threshold with the calculated probability measure is provided. A pre-fetch apparatus implemented in a memory control system comprising a pre-fetch threshold generator operable to output a pre-fetch threshold in response to a signal indicative of a memory controller demand load, and a comparator circuit operable to compare the pre-fetch threshold and a probability measure of pre-fetch accuracy, wherein the pre-fetch apparatus issues a pre-fetch transaction on the basis of the comparison by the comparator is provided.
    Type: Grant
    Filed: July 5, 2002
    Date of Patent: May 31, 2005
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Erin Antony Handgen, George Thomas Letey
  • Patent number: 6854043
    Abstract: A memory controller system for processing memory access requests comprising a first memory controller operable to address a first plurality of memory modules, a second memory controller operable to address a second plurality of memory modules, the first and second memory controllers configurable to process a memory transaction in an operational mode of the memory controller system selected from the group consisting of an independent cell mode, a multiplexer-mode (mux-mode), and a lockstep mode, and a bus interface block operable to convey the memory transaction to both of the first and second memory controllers is provided.
    Type: Grant
    Filed: July 5, 2002
    Date of Patent: February 8, 2005
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Jeff G. Hargis, George Thomas Letey, Michael Kennard Tayler