Abstract: A programmable integrated circuit device includes a programmable core, a boot device configured to boot up the programmable core, and a one-time programmable memory module controlling life cycle states of the programmable integrated circuit device, including (i) an operational state during which programming resources of the programmable device are locked, and (ii) an inspection state in which the programming resources of the programmable device are accessible. The one-time programmable memory module is configured to allow unidirectional advance from the operational state to the inspection state, when authorized by a lock control circuit responsive to control signals from the boot device to authorize the unidirectional advance from the operational state to the inspection state. Authorization of the unidirectional advance may be limited to a time interval during a boot cycle of the programmable device. The unidirectional advance may be based on receipt of an authenticated request from a requester.

Abstract: A programmable integrated circuit device includes a programmable core, a boot device configured to boot up the programmable core, and a one-time programmable memory module controlling life cycle states of the programmable integrated circuit device, including (i) an operational state during which programming resources of the programmable device are locked, and (ii) an inspection state in which the programming resources of the programmable device are accessible. The one-time programmable memory module is configured to allow unidirectional advance from the operational state to the inspection state, when authorized by a lock control circuit responsive to control signals from the boot device to authorize the unidirectional advance from the operational state to the inspection state. Authorization of the unidirectional advance may be limited to a time interval during a boot cycle of the programmable device. The unidirectional advance may be based on receipt of an authenticated request from a requester.

Abstract: The present disclosure describes apparatuses and techniques for secure root key provisioning. In some aspects, a stream of entropy bits is generated based on analog noise. From the stream of entropy bits, entropy symbols are constructed and used to modulate bits of a unique chip identifier to provide a block of modulated symbols. A hash digest of the block of modulated symbols is then calculated to generate a device-level root key. This device-level root key written to a write-only register of a one-time programmable (OTP) memory controller for subsequent writing into an OTP memory. By so doing, unauthorized entities can be prevented from accessing the device-level root key during the secure key provisioning process.

Abstract: The present disclosure describes apparatuses and techniques for dynamic boot image streaming. In some aspects a memory controller that is streaming multiple boot images from a first memory to a second memory is stalled, a descriptor for streaming one of the multiple boot images from the first memory to a non-contiguous memory location is generated while the memory controller is stalled, and the memory controller is resumed effective to cause the memory controller to stream, based on the descriptor generated while the memory controller is stalled, the second boot image to the non-contiguous memory location.

Abstract: Embodiments include a method comprising: receiving, by a system-on-a-chip (SOC) from a host, a public key of a public/private key pair; generating a first hash value of the public key; authenticating the first hash value; in response to authenticating the first hash value, transmitting, by the SOC, a first nonce to the host; receiving a signed nonce from the host, the signed nonce being signed using a private key of the public/private key pair; decrypting, using the received public key, the signed nonce to generate a second nonce; based on the first nonce and the second nonce, authenticating the host; in response to authenticating the host, receiving, from the host, a command to configure one or more parameters of the SOC; and configuring the one or more parameters of the SOC.

Abstract: The present disclosure describes apparatuses and techniques for patching boot code of read-only memory (ROM). In some aspects, execution of boot code from a ROM is initiated to start a boot process of a device. Execution of the boot code from the ROM is then interrupted to enable execution of other boot code, such as corrected boot code or additional boot code, from another memory. Once the other boot code is executed, execution of the boot code from the ROM is resumed to continue booting the computing device. By so doing, the corrected boot code or additional boot code can be executed during the boot process effective to patch the boot code stored in the ROM.

Abstract: The present disclosure describes apparatuses and techniques for parallelizing boot operations. In some aspects, an operation transferring a boot image from a non-volatile memory to a volatile memory is initiated prior to completion an operation validating another boot image previously-transferred into the volatile memory. This can be effective to enable transfer operations and validation operations of boot images to be performed in parallel. By so doing, delays between the transfer and validation operations can be minimized thereby reducing device boot times.

Abstract: Systems, methods, and other embodiments associated with implementing security functions are described. According to one embodiment, a device includes a memory storing (i) a plurality of functions and (ii) a mapping of locations of the plurality of functions in the memory. The device includes a processing unit configured to, in response to a request by a process being executed by the processing unit, determine a location in the memory of a security function of the plurality of functions using the mapping. The processing unit is configured to execute the security function for the process from the memory according to the mapping.

Abstract: The present disclosure describes apparatuses and techniques for dynamic boot image streaming. In some aspects a memory controller that is streaming multiple boot images from a first memory to a second memory is stalled, a descriptor for streaming one of the multiple boot images from the first memory to a non-contiguous memory location is generated while the memory controller is stalled, and the memory controller is resumed effective to cause the memory controller to stream, based on the descriptor generated while the memory controller is stalled, the second boot image to the non-contiguous memory location.

Abstract: The present disclosure describes apparatuses and techniques for dynamic boot image streaming. In some aspects a memory controller that is streaming multiple boot images from a first memory to a second memory is stalled, a descriptor for streaming one of the multiple boot images from the first memory to a non-contiguous memory location is generated while the memory controller is stalled, and the memory controller is resumed effective to cause the memory controller to stream, based on the descriptor generated while the memory controller is stalled, the second boot image to the non-contiguous memory location.

Abstract: Systems, methods, and other embodiments associated with implementing security functions are described. According to one embodiment, a device includes a memory storing (i) a plurality of functions and (ii) a mapping of locations of the plurality of functions in the memory. The device includes a processing unit configured to, in response to a request by a process being executed by the processing unit, determine a location in the memory of a security function of the plurality of functions using the mapping. The processing unit is configured to execute the security function for the process from the memory according to the mapping.

Abstract: Systems, methods, and other embodiments associated with implementing security functions in a read-only memory (ROM) are described. According to one embodiment, an device includes a read-only memory (ROM) that stores (i) a plurality of security functions and (ii) a mapping of locations of the plurality of security functions in the ROM. The device also includes a processing unit configured to, in response to a request by a process being executed by the processing unit, determine a location in the ROM of a security function using the mapping, and execute the security function for the process from the ROM.

Abstract: Systems, methods, and other embodiments associated with a secure software resume from low power mode are described. According to one embodiment, a method includes receiving a request to enter a low power mode. In response to the request, the method includes storing a data section in LPDRM, performing a validation function on the data section to compute a validation value, and constructing a resume package that includes the validation value and a location of the data section in the LPDRM. The resume package is stored in the LPDRM for use in resuming operation after exiting low power mode.

Abstract: The present disclosure describes apparatuses and techniques for parallelizing boot operations. In some aspects, an operation transferring a boot image from a non-volatile memory to a volatile memory is initiated prior to completion an operation validating another boot image previously-transferred into the volatile memory. This can be effective to enable transfer operations and validation operations of boot images to be performed in parallel. By so doing, delays between the transfer and validation operations can be minimized thereby reducing device boot times.

Abstract: The present disclosure describes apparatuses and techniques for patching boot code of read-only memory (ROM). In some aspects, execution of boot code from a ROM is initiated to start a boot process of a device. Execution of the boot code from the ROM is then interrupted to enable execution of other boot code, such as corrected boot code or additional boot code, from another memory. Once the other boot code is executed, execution of the boot code from the ROM is resumed to continue booting the computing device. By so doing, the corrected boot code or additional boot code can be executed during the boot process effective to patch the boot code stored in the ROM.

Abstract: Systems, methods, and other embodiments associated with implementing security functions in a read-only memory (ROM) are described. According to one embodiment, an device includes a read-only memory (ROM) that stores (i) a plurality of security functions and (ii) a mapping of locations of the plurality of security functions in the ROM. The device also includes a processing unit configured to, in response to a request by a process being executed by the processing unit, determine a location in the ROM of a security function using the mapping, and execute the security function for the process from the ROM.