SECURE TESTING OF SEMICONDUCTOR DEVICE
A method includes testing, by a processor, a secure portion of a semiconductor device through a first interface between the processor and the semiconductor device; and sending, by the processor, a pass or fail indication of a result of the testing of the secure portion of the semiconductor device to the tester through a second interface between the processor and the tester.
The technical field of the present disclosure relates to information security and, in particular to secure testing of semiconductor devices.
BACKGROUND
Maintaining security in processors can be critical for various reasons. Such security may be desirable to maintain secrecy of certain aspects of proprietary code, prevent malicious code from interfering with processing and avoid unintended interaction with other processing code.
For a more complete understanding of various examples, reference is now made to the following descriptions taken in connection with the accompanying drawings in which:
In various embodiments, a semiconductor device, such as a chip or chipset, that may be used in various communication devices is provided. Semiconductor devices may include various components, such as circuitry, memory, etc. Some semiconductor devices may include an embedded flash memory which may be used to store various processing code, for example.
In various embodiments described herein, a semiconductor device, such as a chip or a chipset, may be manufactured without an embedded flash memory. Instead, an external flash memory may be coupled to the semiconductor device subsequent to fabrication and testing of the semiconductor device. In other examples, the embedded flash memory may be included in the semiconductor device prior to testing.
Referring now to
Referring again to the secure zone 110, a secure processing code, also known as an image, may be generated and encrypted to produce encrypted processing code, or an encrypted image 130. The encrypted image 130 may include, for example, operating system patches for customization of the destination semiconductor device. In various embodiments, the encrypted image 130 may also include, without limitation, customized or pre-personalized applets or confidential customer data.
In encrypting the image, various encryption strategies may be used. For example, in one embodiment, the code is encrypted using the Triple Data Encryption Standard (3DES) algorithm. In one embodiment, in order to facilitate customization or pre-personalization of a destination device, an identifier associated with a device or a set of devices may be used in the encryption process. For example, a serial number or a set of serial numbers may be used as the identifier.
Referring now to the testing facility 150, as noted above, the fabricated semiconductor devices are delivered to testing facility 150 from the fabrication facility 140 for testing. Additionally, a hardware security module (HSM) 120 containing certain encryption keys may be delivered to the testing facility. In this regard, the HSM 120 may be a hardware component which includes encryption keys associated with the encrypted image 130. As described below, the encryption keys may be used for testing of a secure portion of a semiconductor device using the HSM.
The semiconductor devices are tested by operators at the testing facility 150 through one or more tests 152. Upon successful completion of the testing, the HSM places (e.g., writes, stores or injects) the encryption keys into the semiconductor device 154. As described below, the keys may be injected into a secure portion of the semiconductor device. The semiconductor devices, such as the semiconductor device 190, may then be delivered to an original equipment manufacturer (OEM) 160 for implementing, for example, into a communication device.
The encrypted image 130 is typically stored on a flash memory. As noted above, in various embodiments, the semiconductor device design may not include an embedded flash memory. Accordingly, in accordance with the illustrated example of
The semiconductor device 190, fabricated using the manufacturing flow 100 and delivered to the OEM 160, includes a non-secure portion 192, also referred to herein as a peripheral processing system (PPS), and a secure portion 194, also referred to herein as a secure processing system (SPS). The secure portion 194 may include functionality associated with secure processing by the semiconductor device 190. For example, as illustrated in
As illustrated in
Thus, the semiconductor device 190 may be securely customized, or pre-personalized, in the secure zone. For example, the encrypted image 130 may be associated with a specific semiconductor device, and the encryption keys used to decrypt the encrypted image at the secure portion 194 of the semiconductor device 190 may also be accordingly associated with the specific semiconductor device. In one example, the encryption keys may be associated with, for example, a serial number of the target semiconductor device. Thus, the verification may ensure that the pre-personalization of the encrypted image 130 corresponds to the proper semiconductor device 190. The secure portion 194 may then re-encrypt the image for writing to the flash memory 170 (arrow 186). In this regard, the re-encryption by the secure portion 194 may be accomplished using encryption keys that may be generated by the secure portion 194 and that may be unique to each semiconductor device.
Since the encryption keys are generated by the secure portion 194 and may be unique to each semiconductor device, they may be unknown to any other entity and may thus be unbreakable. Therefore, the encrypted image 130 may be securely delivered to an external flash memory 170.
In other embodiments, as illustrated in
Referring now to
In another embodiment, the encrypted image is written to a flash memory (block 16) during, for example, manufacturing of the flash memory. The flash memory with the encrypted image may then be delivered to the OEM for coupling to a semiconductor device (block 18).
At the OEM, the encrypted image may be decrypted in a secure portion of the semiconductor device (block 20) by, for example, code provided in the secure portion to perform decryption using the encryption key. As noted above with reference to
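The pre-personalization flow described above (image bound to a device identifier, verified and decrypted in the secure portion, then re-encrypted under a key the secure portion generates itself) as an added Python model; this is illustrative code written for this page, not the applicants' implementation. The master key, serial numbers and image bytes are constructed sample values, the key derivation is an assumed HMAC construction, and an HMAC-SHA256 keystream stands in for the 3DES cipher the text names.

```python
import hmac, hashlib, os

# Constructed sample values for the model; none are from the disclosure.
SECURE_ZONE_MASTER_KEY = b"constructed-master-key-not-real"
IMAGE = b"OS patch + pre-personalized applet (constructed sample image)"

def device_key(master_key: bytes, serial: str) -> bytes:
    """Assumed derivation: per-device image key from the device identifier."""
    return hmac.new(master_key, b"image-key:" + serial.encode(), hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_image(key: bytes, serial: str, plaintext: bytes) -> bytes:
    """Stand-in for the 3DES step: keystream XOR plus a tag that also binds the serial."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, serial.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_image(key: bytes, serial: str, blob: bytes):
    """Verify the image is bound to this serial before decrypting; None on failure."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, serial.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class SecurePortion:
    """Models the SPS: the injected key, its own serial, and a device-unique
    flash key it generates itself and never exports."""
    def __init__(self, serial: str, injected_key: bytes):
        self.serial, self.injected_key = serial, injected_key
        self.flash_key = os.urandom(32)

    def pre_personalize(self, blob: bytes):
        image = decrypt_image(self.injected_key, self.serial, blob)
        if image is None:
            return None  # image was not produced for this device
        # re-encrypt under the device-unique key for the external flash (arrow 186)
        return encrypt_image(self.flash_key, self.serial, image)

    def load_from_flash(self, flash_blob: bytes):
        return decrypt_image(self.flash_key, self.serial, flash_blob)

def run_flow(target_serial: str, actual_serial: str):
    """Secure zone encrypts for target_serial; the device with actual_serial
    (whose key the HSM injected at test time) tries to pre-personalize it."""
    blob = encrypt_image(device_key(SECURE_ZONE_MASTER_KEY, target_serial), target_serial, IMAGE)
    sps = SecurePortion(actual_serial, device_key(SECURE_ZONE_MASTER_KEY, actual_serial))
    flash_blob = sps.pre_personalize(blob)
    return None if flash_blob is None else sps.load_from_flash(flash_blob)
```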
Referring now to
In various examples, sensitive information, such as test keys or encryption keys to be injected into a secure portion, may be provided in the HSM 120. In this regard, test keys may include encryption keys that are used specifically for testing of the DUT and may not be injected into the DUT for any later use. Additionally, other encryption keys that are injected into the secure portion may be used to decrypt and verify an encrypted image, as described above. In various examples, when a load board having one or more DUTs and one or more HSMs 120 is removed from the tester 210, all sensitive information is securely removed from the tester 210.
Referring again to
In various examples, the testing of the non-secure portion 192 may be performed by the tester 210, while testing of the secure portion 194 may be performed by the HSM 120 without providing access to the secure portion to the tester 210. Thus, as illustrated in the example of
For testing of the secure portion 194, the secure portion 194 may be isolated from the tester 210. As illustrated in the example of
In one example, as illustrated in
Thus, in accordance with the examples of
Upon completion of the testing, the load board is removed from the tester. Along with the load board, all secure information (e.g., the secure portion 194 of the semiconductor device 190 and the test keys for testing of the secure portion) is also removed. Thus, the tester 210 is never provided with access to any secure information. For example, the test keys and encryption keys provided in the HSM 120 are kept isolated from the tester 210.
Referring now to
Referring again to
The secure portion of the semiconductor device may then be tested by the HSM using a test key which may have been provided with the HSM (block 614). For example, as noted above, in various examples, test keys and/or other secure information may be provided in the HSM 120. Thus, during the testing, all secure information is kept isolated from the tester. Further, as noted above, a simple “pass” or “fail” indication of the results of the testing of the secure portion may be communicated by the HSM 120 to the tester 210 through the second interface 126.
In various examples, the HSM may inject encryption keys into the secure portion (block 616). As noted above, the HSM may include secure information, such as encryption keys, that are injected into the secure portion. Again, this allows isolation of all secure information from the tester during testing. The encryption keys may be used to decrypt processing code, such as the encrypted image 130, as illustrated by the arrow 184 in
The HSM may position a relay switch, such as relay switch 230 of
The various diagrams may depict an example architectural or other configuration for the various embodiments, which is done to aid in understanding the features and functionality that can be included in embodiments. The present disclosure is not restricted to the illustrated example architectures or configurations, and the desired features can be implemented using a variety of alternative architectures and configurations. Indeed, it will be apparent to one of skill in the art how alternative functional, logical or physical partitioning and configurations can be implemented to implement various embodiments. Also, a multitude of different constituent module names other than those depicted herein can be applied to the various partitions. Additionally, with regard to flow diagrams, operational descriptions and method claims, the order in which the steps are presented herein shall not mandate that various embodiments be implemented to perform the recited functionality in the same order unless the context dictates otherwise.
It should be understood that the various features, aspects and/or functionality described in one or more of the individual embodiments are not limited in their applicability to the particular embodiment with which they are described, but instead can be applied, alone or in various combinations, to one or more of the other embodiments, whether or not such embodiments are described and whether or not such features, aspects and/or functionality are presented as being a part of a described embodiment. Thus, the breadth and scope of the present disclosure should not be limited by any of the above-described exemplary embodiments.
Terms and phrases used in this document, and variations thereof, unless otherwise expressly stated, should be construed as open ended as opposed to limiting. As examples of the foregoing: the term “including” should be read as meaning “including, without limitation” or the like; the term “example” is used to provide exemplary instances of the item in discussion, not an exhaustive or limiting list thereof; the terms “a” or “an” should be read as meaning “at least one,” “one or more” or the like; and adjectives such as “conventional,” “traditional,” “normal,” “standard,” “known” and terms of similar meaning should not be construed as limiting the item described to a given time period or to an item available as of a given time, but instead should be read to encompass conventional, traditional, normal, or standard technologies that may be available or known now or at any time in the future. Likewise, where this document refers to technologies that would be apparent or known to one of ordinary skill in the art, such technologies encompass those apparent or known to the skilled artisan now or at any time in the future.
Additionally, the various embodiments set forth herein are described in terms of exemplary block diagrams, flow charts and other illustrations. As will become apparent to one of ordinary skill in the art after reading this document, the illustrated embodiments and their various alternatives can be implemented without confinement to the illustrated examples. For example, block diagrams and their accompanying description should not be construed as mandating a particular architecture or configuration.
Moreover, various embodiments described herein are described in the general context of method steps or processes, which may be implemented in one embodiment by a computer program product, embodied in, e.g., a non-transitory computer-readable memory, including computer-executable instructions, such as program code, executed by computers in networked environments. A computer-readable memory may include removable and non-removable storage devices including, but not limited to, Read Only Memory (ROM), Random Access Memory (RAM), compact discs (CDs), digital versatile discs (DVD), etc. Generally, program modules may include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Computer-executable instructions, associated data structures, and program modules represent examples of program code for executing steps of the methods disclosed herein. The particular sequence of such executable instructions or associated data structures represents examples of corresponding acts for implementing the functions described in such steps or processes.
As used herein, the term module can describe a given unit of functionality that can be performed in accordance with one or more embodiments. As used herein, a module might be implemented utilizing any form of hardware, software, or a combination thereof. For example, one or more processors, controllers, application-specific integrated circuits (ASICs), programmable logic arrays (PLAs), programmable array logic (PALs), complex programmable logic devices (CPLDs), field-programmable gate arrays (FPGAs), logical components, software routines or other mechanisms might be implemented to make up a module. In implementation, the various modules described herein might be implemented as discrete modules or the functions and features described can be shared in part or in total among one or more modules. In other words, as would be apparent to one of ordinary skill in the art after reading this description, the various features and functionality described herein may be implemented in any given application and can be implemented in one or more separate or shared modules in various combinations and permutations. Even though various features or elements of functionality may be individually described or claimed as separate modules, one of ordinary skill in the art will understand that these features and functionality can be shared among one or more common software and hardware elements, and such description shall not require or imply that separate hardware or software components are used to implement such features or functionality. Where components or modules of the invention are implemented in whole or in part using software, in one embodiment, these software elements can be implemented to operate with a computing or processing module capable of carrying out the functionality described with respect thereto. 
The presence of broadening words and phrases such as “one or more,” “at least,” “but not limited to” or other like phrases in some instances shall not be read to mean that the narrower case is intended or required in instances where such broadening phrases may be absent.
Claims
1. An apparatus, comprising:
- a first interface configured to communicate with a semiconductor device;
- a second interface configured to communicate with a tester; and
- a processor configured to test a secure portion of the semiconductor device,
- wherein the processor is configured to send a result of testing of the secure portion of the semiconductor device to the tester through the second interface.
2. The apparatus of claim 1, wherein the processor is configured to provide an encryption key into the secure portion, the encryption key being associated with a processing code.
3. The apparatus of claim 1, wherein the processor is configured to isolate the tester from the secure portion of the semiconductor device.
4. The apparatus of claim 1, wherein the processor includes a test key configured to facilitate testing of the secure portion.
5. The apparatus of claim 1, further comprising:
- a relay switch configured to selectively allow communication between the tester and a non-secure portion of the semiconductor device.
6. The apparatus of claim 5, wherein the relay switch is configured to selectively allow the tester to test the non-secure portion of the semiconductor device.
7. The apparatus of claim 5, wherein the processor is configured to receive instructions from the tester to operate the relay switch.
8. The apparatus of claim 5, wherein the relay switch is configured to isolate the tester from the secure portion of the semiconductor device.
9. The apparatus of claim 5, wherein the communication between the tester and the non-secure portion of the semiconductor device passes through the first interface and the second interface.
10. A method, comprising:
- testing, by a processor, a secure portion of a semiconductor device through a first interface between the processor and the semiconductor device; and
- sending, by the processor, a pass or fail indication of a result of the testing of the secure portion of the semiconductor device to the tester through a second interface between the processor and the tester.
11. The method of claim 10, further comprising:
- providing, by the processor, an encryption key into the secure portion, the encryption key being associated with a processing code.
12. The method of claim 10, further comprising isolating the tester from the secure portion of the semiconductor device.
13. The method of claim 10, wherein the testing the secure portion comprises using a test key by the processor to facilitate testing the secure portion.
14. The method of claim 10, further comprising:
- operating a relay switch to allow communication between the tester and a non-secure portion of the semiconductor device.
15. The method of claim 14, wherein operating the relay switch is responsive to receiving, by the processor, instructions from the tester to operate the relay switch.
16. A computer program product, embodied on a non-transitory computer-readable medium, comprising:
- computer code for testing a secure portion of a device by a processor; and
- computer code for sending results of the testing from the processor to a tester, wherein the results include an indication of pass or fail, and wherein the tester is isolated from the secure portion of the device.
17. The computer program product of claim 16, further comprising:
- computer code for allowing communication between the tester and a non-secure portion of the device.
18. The computer program product of claim 17, wherein the computer code for allowing communication between the tester and the non-secure portion of the device comprises:
- computer code for operating a relay switch.
19. The computer program product of claim 18, further comprising:
- computer code for receiving instructions from the tester to operate the relay switch.
20. The computer program product of claim 16, wherein the computer code for testing the secure portion comprises:
- computer code for using a test key to facilitate testing the secure portion.
Type: Application
Filed: Mar 18, 2013
Publication Date: Jun 5, 2014
Inventors: Mark Leonard Buer (Payson, AZ), Norayr Norik Dzhendzhapanyan (Diamond Bar, CA)
Application Number: 13/846,718
International Classification: G06F 21/60 (20060101);