G06F21/79

Secrecy System And Decryption Method Of On-Chip Data Stream Of Nonvolatile FPGA

A secrecy system and a decryption method for the on-chip data stream of a nonvolatile FPGA are provided in the present invention. The nonvolatile memory module of the system is configured to allow only the full erase operation. After the full erase operation finishes, the nonvolatile memory module enters the initial state. Only operations on the nonvolatile memory module in the initial state are effective, and an encryption region unit is therefore arranged in the nonvolatile memory module. Only decryption data written into the encryption region unit in the initial state can make the nonvolatile memory module readable, which completes the decryption of the system and greatly improves the secrecy precision.

TAG CHECKING APPARATUS AND METHOD

An apparatus has tag checking circuitry responsive to a target address to: identify a guard tag stored in a memory system in association with a block of one or more memory locations, the block containing a target memory location identified by the target address, perform a tag check based on the guard tag and an address tag associated with the target address, and in response to detecting a mismatch in the tag check, perform an error response action. The apparatus also has tag mapping storage circuitry to store mapping information indicative of a mapping between guard tag values and corresponding address tag values. The tag checking circuitry remaps at least one of the guard tag and the address tag based on the mapping information stored by the tag mapping storage circuitry to generate a remapped tag for use in the tag check.

METHOD FOR CONFIGURING AN EMBEDDED DEVICE
20230004399 · 2023-01-05

Configuring an embedded device of a first type by means of a host device. The embedded device comprises a computing unit to provide configurable functionality according to input configuration items. The host device comprises an operating system to provide a means for communication with a number of predetermined types of embedded devices. The method includes coupling, via a coupling unit, the embedded device with the host device, including identifying the embedded device to the host device as a second type of device different from the first type or that operates in a different manner from the first type and is comprised of the predetermined types of embedded devices. The method includes presenting or offering a means for entering, retrieving, and supplying configuration items to the embedded device and receiving the configuration items by the computing unit, and performing configuration of the embedded device according to the received configuration items.

COMPUTE SYSTEMS INCLUDING A SECURITY PROCESSOR

A compute system includes a security processor, a component, a component memory, a first communication link, and a second communication link. The component memory stores machine readable instructions executable by the component. The first communication link communicatively couples the component memory to the security processor. The second communication link communicatively couples the component memory to the component. The security processor is to cryptographically authenticate the machine readable instructions stored in the component memory in a boot process.

FUSE BASED REPLAY PROTECTION WITH CONSERVATIVE FUSE USAGE

A TPM is implemented in an SOC for thwarting PIN state replay attacks. Programmable fuses are used as a counter and an on-die RAM stores a blown-fuse count and a TPM state that includes a PIN-failure count and a fuse count. TPM initialization includes incrementing the TPM state PIN-failure count if the blown-fuse count is greater than the TPM state fuse count. Once a PIN is received, if the TPM state PIN-failure count satisfies a PIN failure policy and the PIN is correct, the TPM state PIN-failure count is cleared, and if the PIN is incorrect, a fuse is blown and the blown-fuse count is incremented. If the fuse blow fails, TPM activity is halted. If the fuse blow succeeds, the TPM state PIN-failure count is incremented and the TPM state fuse count is set equal to the blown-fuse count. The TPM state is saved to off-die non-volatile memory.

SECURE PUF-BASED DEVICE AUTHENTICATION USING ADVERSARIAL CHALLENGE SELECTION
20230004681 · 2023-01-05

A method comprises generating, during an enrollment process conducted in a controlled environment, a dark bit mask comprising a plurality of state information values derived from a plurality of entropy sources at a plurality of operating conditions for an electronic device, and using at least a portion of the plurality of state information values to generate a set of challenge-response pairs for use in an authentication process for the electronic device.

Memory system
11568074 · 2023-01-31

According to one embodiment, a memory system is connectable to a host including a first volatile memory and includes a non-volatile memory and a controller. The controller may use a first area of the first volatile memory as a temporary storage memory of data stored in the non-volatile memory and controls the non-volatile memory. The controller generates a first parity by using first data stored in the non-volatile memory and a key value to store the first data and the generated first parity in the first area. In the case of reading the first data stored in the first area, the controller reads the first data and the first parity to verify the read first data using the read first parity and the key value.