Patents by Inventor Minda Zhang

Minda Zhang has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11698974
    Abstract: A programmable integrated circuit device includes a programmable core, a boot device configured to boot up the programmable core, and a one-time programmable memory module controlling life cycle states of the programmable integrated circuit device, including (i) an operational state during which programming resources of the programmable device are locked, and (ii) an inspection state in which the programming resources of the programmable device are accessible. The one-time programmable memory module is configured to allow unidirectional advance from the operational state to the inspection state, when authorized by a lock control circuit responsive to control signals from the boot device to authorize the unidirectional advance from the operational state to the inspection state. Authorization of the unidirectional advance may be limited to a time interval during a boot cycle of the programmable device. The unidirectional advance may be based on receipt of an authenticated request from a requester.
    Type: Grant
    Filed: January 12, 2022
    Date of Patent: July 11, 2023
    Assignee: Marvell Asia Pte, Ltd.
    Inventors: Minda Zhang, Tolga Nihat Aytek, Thomas Kniplitsch, Axel Dielmann
  • Publication number: 20230139634
    Abstract: An Integrated Circuit (IC) includes electronic circuitry, an electronic fuse (eFuse) and a protection circuit. The eFuse is configured to be selectably programmed to a logical state. The electronic circuitry is configured to read the eFuse and to operate in accordance with the logical state read from the eFuse. The eFuse has a first range of operational voltages, and the electronic circuitry has a second range of operational voltages that is broader than the first range of operational voltages. The protection circuit is configured to prevent the electronic circuitry from misreading the logical state of the eFuse due to a voltage supply to the IC falling within the second operational voltage range but outside the first operational voltage range.
    Type: Application
    Filed: October 23, 2022
    Publication date: May 4, 2023
    Inventors: Runzi Chang, Chon In Kou, Minda Zhang
  • Patent number: 11368299
    Abstract: A self-encryption drive (SED) opens a communication session between the SED and a key management server. An identifier of the SED is sent to the key management server, where the identifier uniquely identifies a data structure in a database associated with the key management server and the data structure comprises a timestamp and a media encryption key (MEK). The data structure is received from the key management server, the data structure being wrapped with a shared session key associated with the communication session. The data structure is unwrapped with the shared session key and the MEK is stored only in the volatile memory of the SED based on the timestamp. Data is encrypted for storage in the non-volatile storage media of the SED based on the MEK stored only in the volatile memory of the self-encryption drive (SED). The MEK stored only in the volatile memory of the SED is erased to crypto-erase the SED.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: June 21, 2022
    Assignee: Marvell Asia Pte, Ltd.
    Inventors: Minda Zhang, Ke Du
  • Patent number: 11329814
    Abstract: A self encryption drive (SED) receives a media encryption key (MEK) from a key management server. The MEK is stored only in volatile memory of the SED. Data is encrypted for storage in a non-volatile storage media of the SED based on the MEK. Further, the MEK is erased in the volatile memory to crypto-erase the SED by deleting all instances of the MEK stored by the SED.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: May 10, 2022
    Assignee: Marvell Asia Pte, Ltd.
    Inventors: Ke Du, Minda Zhang
  • Patent number: 11250135
    Abstract: A programmable integrated circuit device includes a programmable core, a boot device configured to boot up the programmable core, and a one-time programmable memory module controlling life cycle states of the programmable integrated circuit device, including (i) an operational state during which programming resources of the programmable device are locked, and (ii) an inspection state in which the programming resources of the programmable device are accessible. The one-time programmable memory module is configured to allow unidirectional advance from the operational state to the inspection state, when authorized by a lock control circuit responsive to control signals from the boot device to authorize the unidirectional advance from the operational state to the inspection state. Authorization of the unidirectional advance may be limited to a time interval during a boot cycle of the programmable device. The unidirectional advance may be based on receipt of an authenticated request from a requester.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: February 15, 2022
    Assignee: Marvell Asia Pte, Ltd.
    Inventors: Minda Zhang, Tolga Nihat Aytek, Thomas Kniplitsch, Axel Dielmann
  • Publication number: 20200186340
    Abstract: A self encryption drive (SED) receives a media encryption key (MEK) from a key management server. The MEK is stored only in volatile memory of the SED. Data is encrypted for storage in a non-volatile storage media of the SED based on the MEK. Further, the MEK is erased in the volatile memory to crypto-erase the SED by deleting all instances of the MEK stored by the SED.
    Type: Application
    Filed: December 9, 2019
    Publication date: June 11, 2020
    Applicant: Marvell World Trade Ltd.
    Inventors: Ke Du, Minda Zhang
  • Publication number: 20200186342
    Abstract: A self-encryption drive (SED) opens a communication session between the SED and a key management server. An identifier of the SED is sent to the key management server, where the identifier uniquely identifies a data structure in a database associated with the key management server and the data structure comprises a timestamp and a media encryption key (MEK). The data structure is received from the key management server, the data structure being wrapped with a shared session key associated with the communication session. The data structure is unwrapped with the shared session key and the MEK is stored only in the volatile memory of the SED based on the timestamp. Data is encrypted for storage in the non-volatile storage media of the SED based on the MEK stored only in the volatile memory of the self-encryption drive (SED). The MEK stored only in the volatile memory of the SED is erased to crypto-erase the SED.
    Type: Application
    Filed: December 9, 2019
    Publication date: June 11, 2020
    Applicant: Marvell World Trade Ltd.
    Inventors: Minda Zhang, Ke Du
  • Patent number: 10521618
    Abstract: The present disclosure describes apparatuses and techniques for secure root key provisioning. In some aspects, a stream of entropy bits is generated based on analog noise. From the stream of entropy bits, entropy symbols are constructed and used to modulate bits of a unique chip identifier to provide a block of modulated symbols. A hash digest of the block of modulated symbols is then calculated to generate a device-level root key. This device-level root key is written to a write-only register of a one-time programmable (OTP) memory controller for subsequent writing into an OTP memory. By so doing, unauthorized entities can be prevented from accessing the device-level root key during the secure key provisioning process.
    Type: Grant
    Filed: October 4, 2016
    Date of Patent: December 31, 2019
    Assignee: Marvell International Ltd.
    Inventors: Minda Zhang, Tolga Nihat Aytek, Jun Yu, Nilotpal Sensarkar
  • Patent number: 10254337
    Abstract: Systems, devices, and techniques relating to remote debugging are described. A described device includes a first processor core configured to provide an application execution environment, memory coupled with the first processor core; a second processor core configured to provide a secure execution environment; and a communication interface coupled with the first processor core and the second processor core, the communication interface being configured to communicate with external devices, the communication interface being shared at least between the application execution environment and the secure execution environment.
    Type: Grant
    Filed: October 25, 2016
    Date of Patent: April 9, 2019
    Assignee: Marvell World Trade Ltd.
    Inventors: Minda Zhang, Marlon Moncrieffe, Cesare Ferri
  • Patent number: 10193694
    Abstract: Embodiments include a method comprising: receiving, by a system-on-a-chip (SOC) from a host, a public key of a public/private key pair; generating a first hash value of the public key; authenticating the first hash value; in response to authenticating the first hash value, transmitting, by the SOC, a first nonce to the host; receiving a signed nonce from the host, the signed nonce being signed using a private key of the public/private key pair; decrypting, using the received public key, the signed nonce to generate a second nonce; based on the first nonce and the second nonce, authenticating the host; in response to authenticating the host, receiving, from the host, a command to configure one or more parameters of the SOC; and configuring the one or more parameters of the SOC.
    Type: Grant
    Filed: October 19, 2016
    Date of Patent: January 29, 2019
    Assignee: Marvell International Ltd.
    Inventors: Paul Guditz, Tolga Nihat Aytek, Deniz Karakoyunlu, Minda Zhang
  • Publication number: 20170115350
    Abstract: Systems, devices, and techniques relating to remote debugging are described. A described device includes a first processor core configured to provide an application execution environment, memory coupled with the first processor core; a second processor core configured to provide a secure execution environment; and a communication interface coupled with the first processor core and the second processor core, the communication interface being configured to communicate with external devices, the communication interface being shared at least between the application execution environment and the secure execution environment.
    Type: Application
    Filed: October 25, 2016
    Publication date: April 27, 2017
    Inventors: Minda Zhang, Marlon Moncrieffe, Cesare Ferri
  • Patent number: 9626513
    Abstract: An electronic device includes a boot memory, a hardware memory programmed with a signing key, and a processor configured to implement a fixed trusted module and a dynamic trusted image module. The fixed trusted module contains a digital certificate, which includes a platform key used to verify a first boot module, and a package verification key used to validate authenticity of an image update file. The dynamic trusted image module contains a platform certificate signed by the signing key. The platform certificate includes a platform verification key used to validate at least one of (i) a second boot module, (ii) an operating system loader, (iii) an operating system, or (iv) a file system. The platform certificate also includes image information associated with one or more images stored in the platform certificate, key information associated with one or more public keys, and electronic device-specific data.
    Type: Grant
    Filed: October 14, 2013
    Date of Patent: April 18, 2017
    Assignee: Marvell International Ltd.
    Inventors: Tolga Aytek, Joseph Jolicoeur, Minda Zhang
  • Publication number: 20160321458
    Abstract: Systems and methods described herein provide a method for secured data transfer via inter-chip hopping buses. The method includes configuring a non-volatile storage element located within a first electronic component to be pre-programmed with a first unique identifier associated with a first electronic component. The method further includes configuring a first scramble pattern generator located within the first electronic component for generating a first scramble pattern based on a first counter value at runtime of the first electronic component. The method further includes configuring a first XOR gate located within the first electronic component to receive the first scramble pattern from the first scramble pattern generator and data from a transceiver buffer for generating output data to be transmitted out of the first electronic component.
    Type: Application
    Filed: February 19, 2016
    Publication date: November 3, 2016
    Inventor: Minda Zhang
  • Patent number: 9442758
    Abstract: Dynamic processor core switching is described. In embodiments, a multi-core processor system can include a first processor core that executes computer instructions at a first processing rate, and can include at least a second processor core that executes the computer instructions at a second processing rate, where the second processing rate is different than the first processing rate. A core profiler can generate system profile data that is evaluated to determine when a core-switch manager initiates switching execution of the computer instructions from the first processor core to the second processor core while the computer instructions are being executed.
    Type: Grant
    Filed: January 21, 2009
    Date of Patent: September 13, 2016
    Assignee: Marvell International Ltd.
    Inventors: Premanand Sakarda, Scott B. Peirce, Jia Bao, Marlon Moncrieffe, Priya Vaidya, Michael D Rosenzweig, Minda Zhang, Palanisamy Mohanraj
  • Patent number: 9251380
    Abstract: A storage drive includes a first memory that stores first text. A first processor generates a first instruction to decrypt the first text. A cryptographic module includes a second memory, a cryptographic device, a memory module, and a second processor. The second memory is inaccessible to the first processor and stores a cryptographic key. The cryptographic device accesses the second memory to obtain the cryptographic key and based on the first instruction, decrypts the first text. The memory module stores a status of execution of the first instruction by the cryptographic device. The second processor, prior to the cryptographic device decrypting the first text, forwards the first instruction to the cryptographic device and stores the status of execution of the first instruction in the memory module. The memory module is connected between the first and second processors and isolates the first processor from the second processor.
    Type: Grant
    Filed: September 19, 2013
    Date of Patent: February 2, 2016
    Assignee: Marvell International Ltd.
    Inventors: Siu-Hung Fred Au, Gregory Burd, Wayne C. Datwyler, Leonard J. Galasso, Tze Lei Poo, Minda Zhang
  • Patent number: 9235712
    Abstract: The present disclosure includes apparatus, systems, digital logic circuitry and techniques relating to data encoding. A method performed by a system on a chip (SOC) includes receiving data to be output to a memory unit external to the SOC. Also a key for scrambling the received data is received. A proper subset of the key is identified and used to scramble the received data. The scrambled data is output to the memory unit external to the SOC.
    Type: Grant
    Filed: September 17, 2013
    Date of Patent: January 12, 2016
    Assignee: Marvell International Ltd.
    Inventors: Vasudev J. Bibikar, Minda Zhang, David Hawkins, Paul A. Lambert
  • Patent number: 8885820
    Abstract: Systems, methods, and other embodiments associated with reducing storage space used for cryptographic keys in a memory are described. According to one embodiment, an apparatus includes a non-volatile memory. The apparatus includes key logic configured to expand a seed value to form a key. The seed value is a sequence of random bits. The apparatus includes inspection logic configured to inspect the key to determine whether the key is valid for use as a cryptographic key. The key logic is configured to store the seed value in the non-volatile memory if the key is valid, and if the key is not valid, the key logic is configured to modify the seed value to form a modified seed value, to generate a new key from the modified seed value, and to repeat inspecting the new key and modifying the seed value until a valid key is determined.
    Type: Grant
    Filed: February 5, 2013
    Date of Patent: November 11, 2014
    Assignee: Marvell International Ltd.
    Inventors: Paul A. Lambert, Minda Zhang
  • Patent number: 8560823
    Abstract: An over-the-air firmware update is accomplished in a secure manner using a two-step process. The first step uses an initial boot using a fixed boot program and an authenticated and verified secondary environment to complete starting of only authenticated code. After verifying a pending update, the second step is started with the electronic device being booted into an update mode with an update loader that has exclusive access to a signing key. A dummy update image is loaded into a temporary memory location and a hash is taken. A digital certificate is created corresponding to the update image and signed using the signing key. The update and digital certificate are atomically installed and the signing key is deactivated. Upon reboot, the new image is used for operation and is verified by the hash data and public key in the digital certificate.
    Type: Grant
    Filed: April 24, 2008
    Date of Patent: October 15, 2013
    Assignee: Marvell International Ltd.
    Inventors: Tolga Aytek, Joseph Jolicoeur, Minda Zhang
  • Patent number: 8555082
    Abstract: The present disclosure includes apparatus, systems, digital logic circuitry and techniques relating to data encoding. A method performed by a system on a chip (SOC) includes receiving data to be output to a memory unit external to the SOC. Also a key for scrambling the received data is received. A proper subset of the key is identified and used to scramble the received data. The scrambled data is output to the memory unit external to the SOC.
    Type: Grant
    Filed: March 29, 2010
    Date of Patent: October 8, 2013
    Assignee: Marvell International Ltd.
    Inventors: Vasudev J. Bibikar, Minda Zhang, David Hawkins, Paul A. Lambert
  • Patent number: 8543838
    Abstract: Cryptographic apparatus having corresponding methods and computer-readable media comprise: a mailbox memory module to store cryptographic commands received from a client over a client bus, wherein the client is external to the cryptographic apparatus; and a secure processor to obtain the cryptographic commands from the mailbox memory module over a first secure internal bus, execute the cryptographic commands, and store a status of execution of the cryptographic commands in the mailbox memory module over the first secure internal bus, wherein the client obtains the status of the cryptographic commands from the mailbox memory module over the client bus.
    Type: Grant
    Filed: November 11, 2010
    Date of Patent: September 24, 2013
    Assignee: Marvell International Ltd.
    Inventors: Siu-Hung Fred Au, Gregory Burd, Wayne C. Datwyler, Leonard J. Galasso, Tze Lei Poo, Minda Zhang