Securing nonvolatile, nonresettable counters in embedded designs

Bernhard Linke

May 15, 2011


EPROM-emulation mode
A common feature of serial-interface EEPROMs is a page-write buffer, which lets you program an entire memory page in a single stroke. On receiving a write command, the system automatically loads the page-write buffer with data from the addressed memory page. For EPROM-emulation mode, the write buffer is implemented as a shift register (Figure 2 below).

The incoming new data (D-IN) feeds into an AND gate that combines it with buffer data (S-OUT) before it enters the buffer (S-IN). Thus, the AND gate ensures that a memory bit cannot be changed to 1 after it has been programmed to 0.

After a full cycle through all bits of the page, data in the buffer is again aligned with data in the memory page. Now the write cycle can be started, which copies the entire buffer back to the nonvolatile EEPROM.

Figure 2: EPROM Emulation writes the bitwise logical AND of new data and existing data back to the memory.
Counting in EPROM
Because EPROM bits can be changed only in one direction, a conventional counting code does not work. Instead, you must regard the entire memory array as a single entity of n bits. Initially, none of the n bits are programmed (all are 1).

To count an event, you must change one of the unprogrammed bits to 0. You could simply select the next bit to be programmed at random, but the scheme in Figure 3 below is easier to implement.

It starts with the least significant bit and continues in sequence until all the bits of that byte are programmed. It then programs the next byte bit by bit, and so on. In EPROM-emulation mode, a memory chip with 1024 bits is good for counting 1024 events.

Figure 3: Counting in EPROM requires a code for which every bit has the same place value.
Chips supporting EPROM-emulation mode
Although EPROM-emulation mode is easy to implement, it requires memory devices that provide it. These devices range in density from 1Kbit to 20Kbit, come with a unique factory-programmed identification number [1], and make use of a master that can generate a message-authentication code based on a device-specific secret to gain write access.

Going with the flow (chart)
As an example, consider a DS2431 memory chip in which memory page 0 is configured to implement a 256-bit counter in EPROM-emulation mode. The 32-byte page can be updated in blocks of eight bytes each, using a 64-bit scratchpad as intermediate storage. The algorithm in Figure 4 below detects the first block with unprogrammed bits, increments the count value, and writes the block back to EEPROM.

Figure 4: This algorithm increments the counter in a 32-byte memory page.
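
One way to implement the flow the text describes, as an added example in C (not the author's code and not taken from Figure 4): the page is simulated in RAM, and the function names and the `page` array are assumptions standing in for the device's scratchpad and copy operations.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_BYTES  32   /* memory page 0: 256 counter bits */
#define BLOCK_BYTES 8    /* page is updated through a 64-bit scratchpad */

/* Simulated EEPROM page (constructed stand-in for the real device). */
static uint8_t page[PAGE_BYTES];

void page_erase_factory(void) { memset(page, 0xFF, PAGE_BYTES); }

/* EPROM-emulation write: the device stores (new AND existing), so a bit
 * that is already 0 can never return to 1. */
void eprom_write_block(unsigned block, const uint8_t scratch[BLOCK_BYTES])
{
    for (unsigned i = 0; i < BLOCK_BYTES; i++)
        page[block * BLOCK_BYTES + i] &= scratch[i];
}

/* Count value = number of programmed (0) bits in the page. */
unsigned counter_read(void)
{
    unsigned zeros = 0;
    for (unsigned i = 0; i < PAGE_BYTES; i++)
        for (uint8_t b = (uint8_t)~page[i]; b; b &= (uint8_t)(b - 1))
            zeros++;
    return zeros;
}

/* Find the first block with an unprogrammed bit, clear the lowest 1 bit of
 * its first not-yet-full byte in the scratchpad copy, write the block back.
 * Returns 0 on success, -1 when all 256 bits are used up. */
int counter_increment(void)
{
    for (unsigned blk = 0; blk < PAGE_BYTES / BLOCK_BYTES; blk++) {
        uint8_t scratch[BLOCK_BYTES];
        memcpy(scratch, &page[blk * BLOCK_BYTES], BLOCK_BYTES);
        for (unsigned i = 0; i < BLOCK_BYTES; i++) {
            if (scratch[i] == 0x00)
                continue;                            /* byte fully programmed */
            scratch[i] &= (uint8_t)(scratch[i] - 1); /* clear lowest 1 bit */
            eprom_write_block(blk, scratch);
            return 0;
        }
    }
    return -1;                                       /* counter exhausted */
}
```

Because every write passes through the AND in `eprom_write_block`, writing all ones to a block leaves the count unchanged, which is the nonresettable property the counter relies on.
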
EEPROMs that include EPROM-emulation mode are the product of choice for implementing nonvolatile, nonresettable counters. The serial number of the memory chip can be used to detect tampering—that is, replacing the memory chip with one that has a lower count value.

To prevent unauthorized incrementing of the counter, one should use a secure memory chip that requires a message-authentication code for write access.

[1] Maxim data sheets DS2431, DS28EC20, DS28E01, and DS28CN01.

Bernhard Linke has been a principal member of the technical staff at Maxim Integrated Products since 2001, following Maxim’s acquisition of Dallas Semiconductor, which he joined in 1993. Before Dallas Semiconductor, he worked for Astek Elektronik Vertriebs GmbH, a distributor in Kaltenkirchen, Germany, and in various positions at Valvo Röhren- und Halbleiterwerke der Philips GmbH in Hamburg, Germany. In 1979 he received a Diplom-Ingenieur degree in Allgemeine Elektrotechnik from the Rheinisch-Westfälische Technische Hochschule in Aachen, Germany.
