In one embodiment, a processor includes a memory hierarchy and a core coupled to the memory hierarchy. The memory hierarchy stores encrypted data, and the core includes circuitry to access the encrypted data stored in the memory hierarchy, decrypt the encrypted data to yield decrypted data, perform an entropy test on the decrypted data, and update a processor state based on a result of the entropy test. The entropy test may include determining a number of data entities in the decrypted data whose values are equal to one another, determining a number of adjacent data entities in the decrypted data whose values are equal to one another, determining a number of data entities in the decrypted data whose values are equal to at least one special value from a set of special values, or determining a sum of n highest data entity value frequencies.

A processor includes a register to store an encoded pointer to a variable in stack memory. The encoded pointer includes an encrypted portion and a fixed plaintext portion of a memory address corresponding to the variable. The processor further includes circuitry to, in response to a memory access request for associated with the variable, decrypt the encrypted portion of the encoded pointer to obtain first upper address bits of the memory address and a memory allocation size for a variable, decode the encoded pointer to obtain the memory address, verify the memory address is valid based, at least in part on the memory allocation size, and in response to determining that the memory address is valid, allow the memory access request.

The invention relates to an electric arrangement, comprising: (a) functional modules, which can serve both as transaction initiators or transaction targets, whereby a transaction initiating functional module may need a transaction target functional module to execute a function for and on its behalf; (b) a first interconnect fabric connecting the functional modules and providing communication between those functional modules; wherein the (electric) arrangement being arranged in that a selected transaction initiation functional module has temporally exclusive access to transaction target functional module(s), executing a function for and on its behalf, to ensure that transaction initiating functional modules other than the selected transaction initiation functional module, have no uncontrolled access thereto, wherein said selected transaction initiation functional module being a hardware secure module.

The invention relates to an electric arrangement, comprising: (a) functional modules, which can serve both as transaction initiators or transaction targets, whereby a transaction initiating functional module may need a transaction target functional module to execute a function for and on its behalf; (b) a first interconnect fabric connecting the functional modules and providing communication between those functional modules; wherein the (electric) arrangement being arranged in that a selected transaction initiation functional module has temporally exclusive access to transaction target functional module(s), executing a function for and on its behalf, to ensure that transaction initiating functional modules other than the selected transaction initiation functional module, have no uncontrolled access thereto, wherein said selected transaction initiation functional module being a hardware secure module.

A computer-implemented method for providing a system-specific secret to a computing system having a plurality of computing components is disclosed. The method includes storing permanently a component-specific import key as part of a computing component and storing the component-specific import key in a manufacturing-side storage system. Upon a request for the system-specific secret for a computing system, the method includes identifying the computing component comprised in the computing system, retrieving a record relating to the identified computing component, determining the system-specific secret protected by a hardware security module and determining a system-specific auxiliary key. Furthermore, the method includes encrypting the system-specific auxiliary key with the retrieved component-specific import key, thereby creating a auxiliary key bundle, encrypting the system-specific secret and storing the auxiliary key bundle and a system record in a storage medium of the computing system.

A computer-implemented method for providing a system-specific secret to a computing system having a plurality of computing components is disclosed. The method includes storing permanently a component-specific import key as part of a computing component and storing the component-specific import key in a manufacturing-side storage system. Upon a request for the system-specific secret for a computing system, the method includes identifying the computing component comprised in the computing system, retrieving a record relating to the identified computing component, determining the system-specific secret protected by a hardware security module and determining a system-specific auxiliary key. Furthermore, the method includes encrypting the system-specific auxiliary key with the retrieved component-specific import key, thereby creating a auxiliary key bundle, encrypting the system-specific secret and storing the auxiliary key bundle and a system record in a storage medium of the computing system.

Disclosed herein is a data storage device comprising a data path and an access controller. The data path comprises a data port configured to transmit data between a host computer and the data storage device. The data storage device is configured to register with the host computer as a block data storage device. A non-volatile storage medium stores encrypted user content data and a cryptography engine is connected between the data port and the storage medium and uses a cryptographic key to decrypt the encrypted user content data. The access controller generates a challenge for an authorized device; sends the challenge to the authorized device; receives a response to the challenge from the authorized device over the communication channel; calculates the cryptographic key based on the response; and provides the cryptographic key to the cryptography engine to decrypt the encrypted user content data stored on the storage medium.

Disclosed herein is a data storage device comprising a data path and an access controller. The data path comprises a data port configured to transmit data between a host computer and the data storage device. The data storage device is configured to register with the host computer as a block data storage device. A non-volatile storage medium stores encrypted user content data and a cryptography engine is connected between the data port and the storage medium and uses a cryptographic key to decrypt the encrypted user content data. The access controller generates a challenge for an authorized device; sends the challenge to the authorized device; receives a response to the challenge from the authorized device over the communication channel; calculates the cryptographic key based on the response; and provides the cryptographic key to the cryptography engine to decrypt the encrypted user content data stored on the storage medium.

A secure programming system and method for provisioning and programming a target payload into a programmable device mounted in a programmer. The programmable devices are provisioned with a job package created by a user on a host system and deployed on a device programmer. The secure programming system supports a hardware security module on the host system that can be accessed remotely from the device programmer using coordinated sets of template and mechanism dictionaries linked to a security API coupled to the hardware security module.

A secure programming system and method for provisioning and programming a target payload into a programmable device mounted in a programmer. The programmable devices are provisioned with a job package created by a user on a host system and deployed on a device programmer. The secure programming system supports a hardware security module on the host system that can be accessed remotely from the device programmer using coordinated sets of template and mechanism dictionaries linked to a security API coupled to the hardware security module.