Abstract: The disclosed technology is generally directed to firewalls. In one example of the technology, a first firewall is used such that communication is blocked from a first subsystem of a device upon boot of the device. The first firewall is enabled to be configured by secure code subsequent to boot such that code that is not secure code is prevented from configuring the first firewall. After configuration of the first firewall, based on the configuration, the first firewall is used to selectively allow the first subsystem access to the first memory based on ranges of addresses of the first memory configured as accessible to the first subsystem.

Abstract: In one example of the technology, via a first independent execution environment of a set of independent execution environments in an integrated circuit, a first watchdog timer is caused to reset on a periodic basis. The set of independent execution environments is configured to have a defense-in-depth hierarchy. The set of independent execution environments includes a first independent execution environment and a second independent execution environment. The first independent execution environment is a most trusted execution environment on the integrated circuit. Via the second independent execution environment: a second watchdog timer is periodically caused to reset on a periodic basis. In response to the second watchdog timer timing out, an interrupt is communicated from the second watchdog timer to the first independent execution environment. In response to the first watchdog timer timing out, at least a portion of the integrated circuit is reset.

Abstract: The disclosed technology is generally directed to data security. In one example of the technology, data is stored in a memory. The memory includes a plurality of memory banks including a first memory bank and a second memory bank. At least a portion of the data is interleaved amongst at least two of the plurality of memory banks. Access is caused to be prevented to at least one of the plurality of memory banks while a debug mode or recovery mode is occurring. Also, access is caused to be prevented to the at least one of the plurality of memory banks starting with initial boot until a verification by a security complex is successful. The verification by the security complex includes the security complex verifying a signature.

Abstract: The disclosed technology is generally directed to firewalls. In one example of the technology, a first firewall is used such that communication is blocked from a first subsystem of a device upon boot of the device. The first firewall is enabled to be configured by secure code subsequent to boot such that code that is not secure code is prevented from configuring the first firewall. After configuration of the first firewall, based on the configuration, the first firewall is used to selectively allow the first subsystem access to the first memory based on ranges of addresses of the first memory configured as accessible to the first subsystem.

Abstract: The disclosed technology is generally directed to firewalls. In one example of the technology, a first firewall is used such that communication is blocked from a first subsystem of a device upon boot of the device. The first firewall is enabled to be configured by secure code subsequent to boot such that code that is not secure code is prevented from configuring the first firewall. After configuration of the first firewall, based on the configuration, the first firewall is used to selectively allow the first subsystem access to the first memory based on ranges of addresses of the first memory configured as accessible to the first subsystem.

Abstract: The disclosed technology is generally directed to peripheral access. In one example of the technology, stored configuration information is read. The stored configuration information is associated with mapping a plurality of independent execution environments to a plurality of peripherals such that the peripherals of the plurality of peripherals have corresponding independent execution environments of the plurality of independent execution environments. A configurable interrupt routing table is programmed based on the configuration information. An interrupt is received from a peripheral. The interrupt is routed to the corresponding independent execution environment based on the configurable interrupt routing table.

Abstract: In one example of the technology, via a first independent execution environment of a set of independent execution environments in an integrated circuit, a first watchdog timer is caused to reset on a periodic basis. The set of independent execution environments is configured to have a defense-in-depth hierarchy. The set of independent execution environments includes a first independent execution environment and a second independent execution environment. The first independent execution environment is a most trusted execution environment on the integrated circuit. Via the second independent execution environment: a second watchdog timer is periodically caused to reset on a periodic basis. In response to the second watchdog timer timing out, an interrupt is communicated from the second watchdog timer to the first independent execution environment. In response to the first watchdog timer timing out, at least a portion of the integrated circuit is reset.

Abstract: The disclosed technology is generally directed to data security. In one example of the technology, data is stored in a memory. The memory includes a plurality of memory banks including a first memory bank and a second memory bank. At least a portion of the data is interleaved amongst at least two of the plurality of memory banks. Access is caused to be prevented to at least one of the plurality of memory banks while a debug mode or recovery mode is occurring. Also, access is caused to be prevented to the at least one of the plurality of memory banks starting with initial boot until a verification by a security complex is successful. The verification by the security complex includes the security complex verifying a signature.

Abstract: The disclosed technology is generally directed to data security. In one example of the technology, data is stored in a memory. The memory includes a plurality of memory banks including a first memory bank and a second memory bank. At least a portion of the data is interleaved amongst at least two of the plurality of memory banks. Access is caused to be prevented to at least one of the plurality of memory banks while a debug mode or recovery mode is occurring. Also, access is caused to be prevented to the at least one of the plurality of memory banks starting with initial boot until a verification by a security complex is successful. The verification by the security complex includes the security complex verifying a signature.

Abstract: The disclosed technology is generally directed to peripheral access. In one example of the technology, stored configuration information is read. The stored configuration information is associated with mapping a plurality of independent execution environments to a plurality of peripherals such that the peripherals of the plurality of peripherals have corresponding independent execution environments of the plurality of independent execution environments. A configurable interrupt routing table is programmed based on the configuration information. An interrupt is received from a peripheral. The interrupt is routed to the corresponding independent execution environment based on the configurable interrupt routing table.

Abstract: The disclosed technology is generally directed to firewalls. In one example of the technology, a first firewall is used such that communication is blocked from a first subsystem of a device upon boot of the device. The first firewall is enabled to be configured by secure code subsequent to boot such that code that is not secure code is prevented from configuring the first firewall. After configuration of the first firewall, based on the configuration, the first firewall is used to selectively allow the first subsystem access to the first memory based on ranges of addresses of the first memory configured as accessible to the first subsystem.

Abstract: The disclosed technology is generally directed to data security. In one example of the technology, data is stored in a memory. The memory includes a plurality of memory banks including a first memory bank and a second memory bank. At least a portion of the data is interleaved amongst at least two of the plurality of memory banks. Access is caused to be prevented to at least one of the plurality of memory banks while a debug mode or recovery mode is occurring. Also, access is caused to be prevented to the at least one of the plurality of memory banks starting with initial boot until a verification by a security complex is successful. The verification by the security complex includes the security complex verifying a signature.

Abstract: The disclosed technology is generally directed to peripheral access. In one example of the technology, stored configuration information is read. The stored configuration information is associated with mapping a plurality of independent execution environments to a plurality of peripherals such that the peripherals of the plurality of peripherals have corresponding independent execution environments of the plurality of independent execution environments. A configurable interrupt routing table is programmed based on the configuration information. An interrupt is received from a peripheral. The interrupt is routed to the corresponding independent execution environment based on the configurable interrupt routing table.

Abstract: Briefly stated, the disclosed technology is generally directed to integrated circuit (IC) technology for an IoT processor. In one example, multiple components may be tightly or otherwise integrated onto a single die, e.g., a single monolithic integrated circuit. In one basic example, the components may include a security processing unit and a radio. The components may also include one or more microprocessors (e.g., a processor capable of executing a high-level operating system), microcontrollers, secure memories, encryption components, peripheral interfaces, and/or the like. The security processing unit and/or the configuration of the components may enable, facilitate, or otherwise provide for security features such as tamper resistance, data security, and/or the like.