Abstract: Protection for a secure boot procedure can be provided in addition to cryptographic verification of boot firmware associated with the boot procedure. While the boot firmware is being verified and executed at a secure sub-system, an open sub-system can be put into a halt state, during which the open sub-system is prevented from performing the boot procedure. The open sub-system is still prevented from performing the boot procedure even if the boot firmware is verified and/or executed unless the open sub-system is put into the resume state again.

Abstract: Protection for a secure boot procedure can be provided in addition to cryptographic verification of boot firmware associated with the boot procedure. While the boot firmware is being verified, an open sub-system can be placed into a halt state, during which the open sub-system is prevented from performing the boot procedure. The open sub-system can be subsequently placed into a resume state to further perform the boot procedure when the boot firmware is verified. The open sub-system is still prevented from performing the boot procedure even if the boot firmware is verified unless the open sub-system is placed into the resume state again.

Abstract: Systems, apparatuses, and methods related to data identity recognition for semiconductor devices are described. A system includes a host and a memory device coupled to the host via an interconnect bus. The host includes a host security manager configured to encrypt data of a command, perform a memory integrity check, allow access to memory of a memory device corresponding to an address of a command based on which entity associated with the host sent the command, generate security keys, program security keys into the memory device, program encryption ranges, or any combination thereof. The memory device includes a memory encryption manager and a memory device security manager. The memory device security manager is configured to detect whether a command was sent from a trusted domain of the host or non-trusted domain of the host and identify which entity associated with the host initiated the command.

Abstract: An apparatus can include a number of memory devices and a controller coupled to one or more of the number of memory devices. The controller can be configured to determine whether a quantity of row activations directed to a row of the memory devices exceeds a row hammer criterion. The controller can be configured to select, responsive to determining that the row hammer criterion is met, a row hammer mitigation response from a plurality of row hammer mitigation responses available for initiation. The controller can be configured to initiate the selected row hammer mitigation response.

Abstract: Systems, apparatuses, and methods related to bloom filter implementation into a controller are described. A memory device is coupled to a memory controller. The memory controller is configured to implement a counting bloom filter, increment the counting bloom filter in response to a row activate command of the memory device, determine whether a value of the counting bloom filter exceeds a threshold value, and perform an action in response to the value exceeding the threshold value.

Abstract: A memory system can be provided with error detection capabilities at various levels and authentication and integrity check capabilities in parallel with data security schemes. The error detection capabilities can check for any errors not only on data paths within a memory controller, but also on data stored in memory devices. The authentication capabilities provided in parallel with the data security schemes can ensure/strengthen data integrity of the memory system to be compliant with standardized requirements and/or protocols, such as trusted execution engine security protocol (TSP).

Abstract: In some aspects, the techniques described herein relate to a device including: a datapath facilitating data transfers between a host device and a storage device; a firmware storage device storing a plurality of firmware tasks; and a processor, the processor including a hypervisor configured to: execute a given firmware task in the plurality of firmware tasks in a container, and control access to the datapath based on tags associated with instructions of the given firmware task.

Abstract: In some implementations, a system includes a set of servers configured to establish a set of virtual machines to provide a computing environment; a set of compute express link (CXL) interface components configured to communicate with the set of servers via a set of CXL interconnects; and a controller configured to at least one of: encrypt protocol data against a CXL interposer security threat associated with the set of CXL interconnects or a malicious extension security threat, provide a secure handshake verification of an identity of the set of CXL interface components, enforce a chain of trust rooted in hardware of the set of CXL interface components; restrict access to an area of memory of the set of CXL interface components that stores security data for verified or secured processes; or perform a security check and set up a set of security features of the set of CXL interface components.

Abstract: Implementations described herein relate to a device identifier composition engine (DICE) 3-layer architecture. In some implementations, a device may include a secure computing environment including a hardware root of trust (HRoT) DICE component. The secure computing environment may include a DICE layer 0 component configured to derive a DICE identity key. The secure computing environment may include a DICE layer 1 component configured to derive a DICE alias key based on the DICE identity key. The secure computing environment may include a controller configured to receive an update to firmware of a component. The controller may be configured to update the firmware of the component based on receiving the update. The controller may be configured to update one or more keys of the component or one or more keys of one or more components above the component in a layer stack.

Abstract: Methods, systems, and devices related to field firmware update (FFU). A first memory of a memory module may receive an encrypted segment of a FW package associated with FFU. A decrypted segment of the FW package may be stored by the first memory. A re-encrypted segment of the FW package may be stored by the first memory. The re-encrypted segment of the FW package may be communicated to a second memory of the memory module.

Abstract: Methods, systems, and devices for techniques for managing offline identity upgrades are described. A memory system may receive a command to update a device identifier for a device identifier composition engine (DICE) associated with the memory system. The memory system may generate an updated device identifier, at a first software layer of a set of software layers of the DICE, based on receiving the command. The memory system may decrypt a device specific key (DSK) stored at a read-only memory device of the memory system based on the received command, and sign the updated device identifier using the DSK based on decrypting the DSK. The memory system may execute one or more operations associated with the first software layer of the set of software layers of the DICE based on the signed updated device identifier.

Abstract: The present disclosure relates to apparatuses and methods for memory management. The disclosure further relates to an interface protocol for flash memory devices including at least a memory array and a memory controller coupled to the memory array. A host device is coupled to the memory device through a communication channel and a hardware and/or software full encryption-decryption scheme is adopted in the communication channel for data, addresses and commands exchanged between the host device and the memory array.

Abstract: A controller can be configured to enable a host to control media testing on a memory device. The interface between the host and the memory can be abstract, such that the host does not have direct control over the memory. Instead, the controller can provide translation between a host protocol, such as compute express link (CXL), and a memory protocol, such as a protocol to control a dual data rate (DDR) interface. The controller can enable media test capability discovery, configuration, and/or control for the host. The controller can enable media test result reporting from the memory to the host.

Abstract: An electronic device can be configured to enable a host to indirectly control testing associated with the electronic device. The interface between the host and the electronic device can be abstract, such that the host does not have direct control over the electronic device. Examples of the electronic device include a memory device and a power management integrated circuit. The electronic device can allow the host to discover a quantity of tests supported by the electronic device and corresponding test descriptors. The electronic device can interact with the host to configure tests and/or reporting of test results.

Abstract: Systems and methods for finite time counting period counting of infinite data streams is presented. In particular example systems and methods enable counting row accesses to a memory media device over predetermined time intervals in order to deterministically detect row hammer attacks on the memory media device. Example embodiments use two identical tables that are reset at times offset in relation to each other in a ping-pong manner in order to ensure that there exists no false negative detections. The counting techniques described in this disclosure can be used in various types of row hammer mitigation techniques and can be implemented in content addressable memory or another type of memory. The mitigation may be implemented on a per-bank basis, per-channel basis or per-memory media device basis. The memory media device may be a dynamic random access memory type device.

Abstract: Disclosed in some examples are methods, systems, and devices for authenticating a firmware object on a device and in some examples to safeguard the attestation process from the execution of malicious firmware. In some examples, a firmware update process may, in addition to updating the firmware on the device, write a hash of the authentic firmware code in a secure storage device (e.g., a register). This may be done in some examples in a protected environment (e.g., a trusted execution environment or a protected firmware update process). Upon first boot after the update, a firmware update checker compares the firmware object that is booted with the value of the secure storage device. If the values match, the alias certificate may be regenerated, and the boot continues. If the values do not match, then the alias certificate may not be regenerated, and the system may have an authenticity failure because the key and the certificate do not match.

Abstract: An energy-efficient and area-efficient, mitigation of errors in a memory media device that are caused by row hammer attacks and the like is described. The detection of errors is deterministically performed while maintaining, in an SRAM, a number of row access counters that is smaller than the total number of rows protected in the memory media device. The reduction of the number of required counters is achieved by aliasing a plurality of rows that are being protected to each counter. The mitigation may be implemented on a per-bank basis, per-channel basis or per-memory media device basis. The memory media device may be DRAM.

Abstract: Methods, systems, and devices related to determining whether a target address of a memory array associated with an access request is stored in a CAM. If the target address is stored in the CAM, the CAM may be updated to increment an access count of a target row corresponding to the target address. If the target row exceeds a first threshold value, rows of the memory array directly adjacent to the target row may be refreshed. If the target address is not stored in the CAM, the target address may be written to the CAM. The CAM may be updated to increment an access count of an address of a bank including the target row corresponding to the target address.

Abstract: Systems, apparatuses, and methods related to security management for a ferroelectric memory device are described. An example method can include receiving, at a memory controller and from a host, a command and firmware data. The memory controller can manage a non-volatile memory device, such as a ferroelectric memory device, and the host and the memory controller can communicate using a compute express link (CXL) protocol. The command can be executed to update firmware stored on the non-volatile memory device. The method can further include accessing a first public key from the non-volatile memory device. The method can further include validating the first public key with a second public key within the firmware data. The method can further include validating the firmware data. The method can further include verifying a security version of the firmware data. The method can further include updating the non-volatile memory device with the firmware data.

Abstract: The present disclosure relates to apparatuses and methods for memory management. The disclosure further relates to an interface protocol for flash memory devices including at least a memory array and a memory controller coupled to the memory array. A host device is coupled to the memory device through a communication channel and a hardware and/or software full encryption-decryption scheme is adopted in the communication channel for data, addresses and commands exchanged between the host device and the memory array.