TECHNICAL FIELD

The present disclosure relates to semiconductor fabrication, and more particularly, to a system to generate a device- specific authentication data based on fabrication characteristics.

BACKGROUND

Security has been, and continues to be, an area of primary focus for new development in various forms of electronic technology. Transactions including sensitive, confidential, etc. information are more frequently being conducted via electronic communication, and thus, the security of electronic devices is crucial to protect this information. Attackers (e.g., hackers) initially targeted devices at the software level in an attempt to gain control over a device, or at least access to information stored on the device. As software-based defenses were conceived to thwart these attacks, the hackers went deeper into the rings of protection to attack at higher privilege levels. In this manner, malicious code (e.g., malware) may be injected into a system at a higher privilege level than existing software-based protection (e.g., anti- virus protection, software firewalls, etc.), and may be able to overcome the existing software-based protection.

As a result of these more advanced attacks, device developers have started to devise hardware-based protection. This lower- level type protection may initiate before the software in a device such as, for example, the operating system (OS) is loaded, and may provide more substantial security in a device. However, ever-resourceful attackers are now devising new ways to attack the hardware of a device in order to overcome hardware -based defenses. For example, an attacker may attempt to alter (e.g., reprogram), replace, etc. an integrated circuit (IC) device in a system in which the IC device is installed to affect or change the behavior of the system. The resulting behavioral change may grant the attacker control over the system or at least access to information in the system. While existing IC devices may be protected by hardware-based coding, encryption, etc. to prevent these attacks, existing protections are programmed into the devices in manner that may be reverse engineered. In this manner, an attacker may devise a replacement IC device that may impersonate a known-good IC device, but may, in turn, affect systemic changes that render the security of the system compromised. BRIEF DESCRIPTION OF THE DRAWINGS

Features and advantages of various embodiments of the claimed subject matter will become apparent as the following Detailed Description proceeds, and upon reference to the Drawings, wherein like numerals designate like parts, and in which:

FIG. 1 illustrates an example integrated circuit device comprising at least hardware protection based on fabrication characteristics in accordance with at least one embodiment of the present disclosure;

FIG. 2 illustrates example hardware protection circuitry in accordance with at least one embodiment of the present disclosure;

FIG. 3 illustrates an example of fabrication characteristic unit structure and interpreter circuitry operation in accordance with at least one embodiment of the present disclosure;

FIG. 4 illustrates an alternative example of fabrication characteristic unit structure and interpreter circuitry operation in accordance with at least one embodiment of the present disclosure;

FIG. 5 illustrates example hardware protection circuitry including legacy interface circuitry in accordance with at least one embodiment of the present disclosure;

FIG. 6 illustrates example operations for fingerprint determination in accordance with at least one embodiment of the present disclosure;

FIG. 7 illustrates an example system that may employ a device such as illustrated in FIG. 1 in accordance with at least one embodiment of the present disclosure; and

FIG. 8 illustrates example operations for integrated circuit device authentication in accordance with at least one embodiment of the present disclosure.

Although the following Detailed Description will proceed with reference being made to illustrative embodiments, many alternatives, modifications and variations thereof will be apparent to those skilled in the art.

DETAILED DESCRIPTION

This disclosure is directed hardware protection based on fabrication characteristics. In general, an integrated circuit (IC) device may be configured to determine a string of logical values or "fingerprint" based at least on fabrication characteristics of the device. An example device may comprise at least functional circuitry corresponding to the functional purpose of the device and hardware protection circuitry (HPC). Example HPC may include interpreter circuitry and fingerprint circuitry. For example, the interpreter circuitry may measure at least one parameter (e.g., voltage) of at least one electronic component in the fingerprint circuitry, and in at least one embodiment, may compare voltages measured from different components in the fingerprint circuitry and then assign a logical one or zero to the fingerprint string based on the results of each component comparison. Example electronic components may include transistors, resistors, etc. whose performance, may depend on the fabrication characteristics of the device. The resulting fingerprint string may be used by a system including the device to authenticate the device. A failure to authenticate the device may result in the execution of at least one security operation to protect the system from being compromised by the device.

In at least one embodiment, an example IC device may comprise at least a substrate, functional circuitry and HPC. The functional circuitry may be fabricated on the substrate. The HPC may also be fabricated on the substrate and may include, for example, at least fingerprint circuitry and interpreter circuitry to determine a fingerprint for the device based on fabrication characteristics of the fingerprint circuitry.

In at least one embodiment, the interpreter circuitry may be to measure at least one voltage corresponding to at least one fabrication characteristic unit (FCU) in the fingerprint circuitry. The at least one FCU may comprise at least one electronic component dedicated only to fingerprint determination in the device.

In the same or a different embodiment, the interpreter circuitry may be to compare voltages measured from at least two electronic components in the fingerprint circuitry. For example, a fingerprint string in the device may comprise logical values corresponding to each voltage comparison, and the interpreter circuitry may then be to assign a logical one to the fingerprint string if the two voltages satisfy a certain relationship and to assign a logical zero to the fingerprint string if the two voltages do not satisfy the certain relationship. The certain relationship may be, for example, that a first voltage of the two voltages is one of greater than or less than a second voltage of the two voltages. Alternatively, the certain relationship may be that an absolute value of a difference between the two voltages is one of greater than or less than a criteria value.

In the same or a different embodiment, the at least two electronic components may be transistors or resistors. Alternatively, the at least two electronic components may comprise groups of components each including at least a transistor coupled to a resistor. One of the at least two electronic components may be designated as a reference and each subsequent electronic component may be compared to the reference. In one example implementation, the interpreter circuitry may comprise at least comparison circuitry and fingerprint forming circuitry. The interpreter circuitry may also comprise at least one of multiplexer circuitry, decoder circuitry or secure storage circuitry. The interpreter circuitry may also comprise legacy interface circuitry to cause the fingerprint to be written to fuse circuitry within the device. Consistent with the present disclosure, a method for formulating a fingerprint for an IC device may comprise, for example, initializing an IC device, initializing fingerprint determination in the device and determining a fingerprint for the device based on fabrication characteristics of the device.

FIG. 1 illustrates an example integrated circuit device comprising at least hardware protection based on fabrication characteristics in accordance with at least one embodiment of the present disclosure. Initially, reference may be made to various semiconductor assemblies and/or structures such as a transistors, resistors, comparators, multiplexors, decoders, storage structures, etc. These example assemblies and/or structures have been referenced to provide a readily comprehensible perspective from which to understand the various embodiments disclosed herein, and are not intended to limit actual implementations to only these particular assemblies or structures. In addition, the inclusion of an apostrophe after an item number in a drawing figure (e.g., 100') may indicate that an example embodiment of the particular item is being shown. These example embodiments are not intended to limit the present disclosure to only what is illustrated, and have been presented herein merely for the sake of explanation.

Device 100 is illustrated in FIG. 1. Device 100 may be an IC device comprising, for example, one or more layers deposited via a series of semiconductor fabrication operations. Example technologies for depositing layers of semiconductor material may include, but are not limited to, molecular beam epitaxy (MBE), physical vapor deposition (PVD), chemical vapor deposition (CVD), electrochemical deposition (ECD), atomic layer deposition (ALD), etc. Junctions falling between layers may be modified to incorporate various features using photolithography. Device 100 may comprise, for example functional circuitry 102 and HPC 104. Functional circuitry 102 may perform at least one operation associated with the primary functionality of device 100. For example, functional circuitry 102 may include data storage areas for a read-only memory (ROM), data processing circuitry for a microprocessor, etc. The configuration, content, etc. of functional circuitry 102 may vary depending on device type, configuration, packaging, technology, power constraints (e.g., for mobile devices), etc.

Consistent with the present disclosure, HPC 104 may comprise at least interpreter circuitry 106 and fingerprint circuitry 108. Interpreter circuitry may determine at least one fabrication characteristic of fingerprint circuitry 108, which it may then use to formulate a fingerprint for device 100. As referenced herein, a "fabrication characteristic" may include parameters of operation of at least one electronic component in fingerprint circuitry 108 that may vary based on how device 100 is fabricated. For example, random dopant fluctuation (RDF) may differentiate every single transistor during fabrication, and thus, the performance of every single transistor may deviate from each other. The voltage, current, resistance, etc. may vary in each electronic component (e.g., transistor, resistor, etc.) fabricated in device 100 just based on the various nuances of the semiconductor fabrication process. Consistent with the present disclosure, these performance deviations may be utilized to encode a bit string or "fingerprint' unique to each device 100 without the need to explicitly program the bit string. Instead, the electronic components are inherently "programmed" to be different based on the fabrication process in a manner that is both unique to device 100 and cannot be duplicated.

The inability to replicate the fingerprint of device 100 in another device (e.g., so that the other device may impersonate device 100) is an important benefit of HPC 104. This may be accomplished by requiring that the fingerprint bit string for device 100 be generated based on measurements taken directly from electronic components in fingerprint circuitry 108. The measurement and generation of the fingerprint bit string may take place when, for example, device 100 is initialized, when a system in which device 100 is embedded is initialized, in response to a demand received from the system to device 100, etc. The measurements taken directly from fingerprint circuitry 108 may then be used to generate the fingerprint bit string, and thus, may not be replicated since they are based on characteristics that are specific to the manufacture of device 100. While example device 100 comprises fingerprint circuitry 108 dedicated only to fingerprint generation, in another embodiment consistent with the present disclosure fingerprint circuitry 108 may be omitted from device 100 and interpreter circuitry 106 may instead measure characteristics of electronic components within functional circuitry 102. In this manner, functional circuitry 102 may serve a dual purpose: to both perform the primary functionality associated with device 100 and also to provide one or more electronic components that may be measured for determining a fingerprint corresponding to device 100.

FIG. 2 illustrates example HPC in accordance with at least one embodiment of the present disclosure. Initially, circuitry shown with a dotted line in FIG. 2 may be optional in that the inclusion of the optional circuitry may be implementation dependent (e.g., based on device size, technology, packaging, constraints, the size of fingerprint circuitry 108', etc.). HPC 104' may comprise at least interpreter circuitry 106' and fingerprint circuitry 108'. Fingerprint circuitry 108' may include, for example, FCU 200A, FCU 200B, FCU 200C, FCU 200D...FCU 200n (collectively, FCU 200A...n). FCU 200A...n may each include at least one electronic component (e.g., a transistor, resistor or combinations thereof). At least two example component configurations for FCU 200A...n are illustrated in FIG. 3 and 4. In an example of operation, interpreter circuitry 104' may measure a characteristic of at least one component in each of FCU 200 A...n, and may use the measurements to generate a fingerprint bit string. Interpreter circuitry 106' may comprise, for example, multiplexer and/or decoder circuitry 202, comparison circuitry 204, fingerprint forming circuitry 206 and secure storage circuitry 208. Multiplexer and/or decoder circuitry 202 may include circuitry to select one or more FCU 200A...n (e.g., FCU 200A alone, FCU 200A and FCU200B, etc.) for processing by comparison circuitry 204. Comparison circuitry 204 may measure (and/or determine) a characteristic (e.g., voltage, current, resistance, capacitance, inductance, etc.) from each FCU 200 A...n and may perform a comparison between characteristics taken from the same FCU 200A...n, between characteristics taken from different FCUs 200A...n, etc. Consistent with the present disclosure, the results of the comparison may be translated into a logical value (e.g., a one "1" or a zero "0") that may then be provided to fingerprint forming circuitry 206. Fingerprint forming circuitry 206 may concatenate the logical values into a bit string that forms the fingerprint for device 100. In at least one embodiment, the resulting bit string may be stored in secure storage circuitry 208. Secure storage circuitry 208 may be an encrypted storage area or memory within HPC 104' for storing the fingerprint string for later access by, for example, a system into which device 100 is incorporated. For example, secure storage circuitry 208 may be encrypted in a manner that allows the system to decrypt and read the fingerprint string. The system may authenticate device 100 based on the fingerprint. In another embodiment, secure storage circuitry 208 may be omitted, and a system including device 100 may receive the fingerprint string directly from fingerprint forming circuitry 206.

FIG. 3 illustrates an example of fabrication characteristic unit structure and interpreter circuitry operation in accordance with at least one embodiment of the present disclosure. FCU 200A', 200B' ...200n' (collectively, FCU 200A' ...n') may each comprise circuitry to generate voltages that may be compared in comparison circuitry 204' . The circuitry in FCU 200A' ...n' may generally comprise at least one electronic component from which a voltage may be derived such as, for example, transistors, resistors or combinations thereof. A logical value (1 or 0) may be determined based on the results of each voltage comparison. Each of the logical values may be added to a bit string that may form a fingerprint for device 100.

For example, FCU 200A' may comprise at least transistor Ql and transistor Q2. A left-side voltage for FCU 200A' (VLA) and a right side voltage for RCU 200A' (VRA) may be generated based on a supply voltage (Vs) supplied to both transistors. Transistors Ql and Q2 may be switched "on" in that their gates may also be coupled to Vs. Consistent with the present disclosure, transistors Ql and Q2 may be coupled to at least resistor Rl and resistor R2, respectively. For example, the resistance values of resistors Rl and R2 may be selected to be just large enough to stabilize the operational characteristics of transistors Ql and Q2 from being affected by random variation. Similarly, FCU 200B' may generate a left-side voltage (VLB) and a right-side voltage (VRB) based on transistor Q3, transistor Q4, resistor R3 and R4, and FCU 200n' may generate a left-side voltage (VLn) and a right-side voltage (VRn) based on transistor Q5, transistor Q6, resistor R5 and R6. While only three FCUs 200A' ...n' are illustrated, the actual number of FCUs may be implementation dependent.

In an example of operation, circuitry in device 100 (e.g., comparison circuitry 204') may cause multiplexer or decoder circuitry 202' to select each of FCU 200A' ...n' in succession. For example, the selection of FCU 200A' may cause VLA and VLB to be provided to comparison circuitry 204', which may include example logic 300 for comparing the voltages received from FCU 200A'. As shown at 302, comparison circuitry 204' may compare the received left-side voltage (VL) to the received right-side voltage (VR). If, for example, VL is determined to be greater than VR (e.g., VL > VR), then a logical value of "1" may be passed to fingerprint forming circuitry 206' for assignment to the fingerprint bit string. Otherwise a logical value of "0" may be passed to fingerprint forming circuitry 206' . Alternative logic is shown at 304 wherein an absolute value of a difference between VL and VR (e.g., IVL-VRI), may be compared to a predetermined criteria value. If the absolute value is determined to be greater than the predetermined criteria value then a "1" may be passed to fingerprint forming circuitry. . Otherwise a logical value of "0" may be passed to fingerprint forming circuitry 206'. The logic shown at 302 and 304 are merely examples. Other logical relationships are possible consistent with the present disclosure.

Comparison circuitry 204' may then cause multiplexer or decoder circuitry 202' to traverse through FCU 200B' to compare VLB to VRB, and finally through FCU 200n' to compare VLn to VRn. Example results of these comparisons are illustrated in regard to fingerprint forming circuitry 206'. A bit corresponding to FCU 200A' may be a "1" since VLA was determined to be greater than VRA, a bit corresponding to FCU 200B ' may be a "1" since VLB was determined to be greater than VRB, and finally a bit corresponding to FCU 200n' may be a "0" since VLn was determined to be less than VRn. As a result, the fingerprint string may include 11...0 depending on the total number of FCUs 200A' ...n' .

FIG. 4 illustrates an alternative example of fabrication characteristic unit structure and interpreter circuitry operation in accordance with at least one embodiment of the present disclosure. In FIG. 4, each of FCU 200A' ...n' may be configured with circuitry that may only provide one characteristic (e.g., voltage). For example FCU 200A' may provide a voltage VI that correspond to a voltage drop over transistor Q7, FCU 200B' may provide a voltage V2 that correspond to a voltage drop over transistor Q8...FCU 200C may provide a voltage VI that correspond to a voltage drop over transistor Q9. While it may be possible for comparison circuitry 204 to compare FCUs 200A' ...n' to each other (e.g., VI may be compared to V2), another example implementation is presented in FIG. 2. Instead, each FCU 200A' ...n' may each be compared to a reference transistor Qref. Example logic 400 includes two logical relationships involving Vref (e.g., the voltage drop across Qref) and VI ... (e.g., the second value "VI" changes based on the FCU 200A' ...n' selected). Logical relationship 402 simply determines whether Vref > VI. If Vref is determined to be greater than VI, than a "1" may be passed to fingerprint forming circuitry 206' for assignment to a fingerprint bit string corresponding to device 100. Otherwise a "0" may be passed. Similarly, in logical example 404, if I Vref - VII is determined to be greater than a predetermined criteria value, then a "1" may be passed to fingerprint forming circuitry 206'. Otherwise, a "0" may be passed to fingerprint forming circuitry 206'. Fingerprint forming circuitry 206' may then concatenate the bits corresponding the comparisons between transistor Qref and FCUs 200A' ...n' to form a fingerprint bit string corresponding to device 100 (e.g., 10....0).

FIG. 5 illustrates example hardware protection circuitry including legacy interface circuitry in accordance with at least one embodiment of the present disclosure. FIG. 5 is substantially similar to the example configuration for HPC 104' that was disclosed in FIG. 2, but further incorporates at least legacy interface circuitry 500. Programmable fuse circuitry 502 may be used to protect the integrity of existing IC devices. Programmable fuses circuitry 502 may include, for example, programmable bits in an IC device (e.g., a bit array) that may be configured in a manner analogous to setting mechanical switches in a dual inline package (DIP) switch. Existing systems may be able to interact with programmable fuse circuitry 502 in authenticating an IC device, determining whether an IC device has been compromised, etc.

Consistent with the present disclosure, legacy interface circuitry 500 may be capable of programming programmable fuse circuitry 502 utilizing the fingerprint bit string of device 100. In this manner, the fingerprint determination circuitry, structures, methodologies, data, etc. described herein may be interact with legacy systems compatible with programmable fuse circuitry 502. Example legacy interface circuitry 500 may comprise at least an analog- to-digital converter (ADC) to convert analog data generated by the fingerprint determination circuitry into digital data. The resulting digital data may then be provided to, for example, programming circuitry within the programmable fuse circuitry for programming the fuses. FIG. 6 illustrates example operations for fingerprint determination in accordance with at least one embodiment of the present disclosure. Operations shown with dotted lines may be optional based on, for example, a configuration of a device for which a fingerprint is being determined, a configuration of a system that incorporates the device, etc. In operation 600 a device may be initialized, which may include powering on, rebooting, etc. the device itself, a system in which the device is incorporated, etc. Fingerprint determination may be initialized in operation 602. As part of fingerprint determination, a fingerprint bit may be determined for the next FCU in operation 604. Fingerprint bit determination may include, for example, comparing a characteristic for an FCU (e.g., a voltage measured from the FCU) to another characteristic measured from the FCU (e.g., another voltage), to a characteristic measured from another FCU (e.g., a voltage measured from another FCU), to a characteristic measured from a reference (e.g., a voltage measured from the reference), etc. While measuring voltage is utilized as an example herein, other characteristics may be measured consistent with the present disclosure. A logical value (e.g., a "1" or "0") may then be determined based on the comparison, and in operation 606 the logical value may be added to a fingerprint bit string.

A determination may then be made in operation 608 as to whether there are further FCU comparisons to perform to (e.g., to generate additional bits for the fingerprint bit string). A determination in operation 608 that there are additional FCU comparisons to perform may be followed by a return to operation 604 to perform the next comparison. If in operation 608 it is determined that all of the comparisons have been performed, then in operation 610 the fingerprint bit string may be output. Operation 612 pertains to optional operations that may be performed based on the configuration of the device/system. For example, the fingerprint bit string may be stored in device 100 (e.g., in secure memory circuitry), or may be converted into another format for use in programming programmable fuse circuitry also in the device.

FIG. 7 illustrates an example system that may employ a device such as illustrated in

FIG. 1 in accordance with at least one embodiment of the present disclosure. System 700 is an example of a platform in which one or more devices such as device 100 may be installed, and is not intended to limit the present disclosure to any particular manner of implementation. Examples of system 700 may include, but are not limited to, a mobile communication device such as a cellular handset or a smartphone based on the Android® OS from the Google Corporation, iOS® or Mac OS® from the Apple Corporation, Windows® OS from the Microsoft Corporation, Tizen® OS from the Linux Foundation, Firefox® OS from the Mozilla Project, Blackberry® OS from the Blackberry Corporation, Palm® OS from the Hewlett-Packard Corporation, Symbian® OS from the Symbian Foundation, etc., a mobile computing device such as a tablet computer like an iPad® from the Apple Corporation, Surface® from the Microsoft Corporation, Galaxy Tab® from the Samsung Corporation, Kindle® from the Amazon Corporation, etc., an Ultrabook® including a low-power chipset from the Intel Corporation, a netbook, a notebook, a laptop, a palmtop, etc., a typically stationary computing device such as a desktop computer, a server, a smart television, small form factor computing solutions (e.g., for space-limited applications, TV set-top boxes, etc.) like the Next Unit of Computing (NUC) platform from the Intel Corporation, etc.

System circuitry 702 may manage the operation of system 700. System circuitry 702 may include, for example, processing circuitry 704, memory circuitry 706, power circuitry 708, user interface circuitry 710 and communication interface circuitry 712. System 700 may further include communication module 714. While communication module 714 is illustrated as separate from system circuitry 702, the example configuration shown in FIG. 7 is provided merely for the sake of explanation. For example, some or all of the functionality associated with communication module 714 may also be incorporated into system circuitry 702.

In system 700, processing circuitry 704 may comprise one or more processors situated in separate components, or alternatively one or more cores in a single component (e.g., in a System-on-a-Chip (SoC) configuration), along with processor-related support circuitry (e.g., bridging interfaces, etc.). Example processors may include, but are not limited to, various x76-based microprocessors available from the Intel Corporation including those in the Pentium, Xeon, Itanium, Celeron, Atom, Quark, Core i-series, Core M-series product families, Advanced RISC (e.g., Reduced Instruction Set Computing) Machine or "ARM" processors, etc. Examples of support circuitry may include chipsets (e.g., Northbridge, Southbridge, etc. available from the Intel Corporation) configured to provide an interface through which processing circuitry 704 may interact with other system components that may be operating at different speeds, on different buses, etc. in system 700 . Moreover, some or all of the functionality commonly associated with the support circuitry may also be included in the same physical package as the processor (e.g., such as in the Sandy Bridge family of processors available from the Intel Corporation).

Processing circuitry 704 may be configured to execute various instructions in system 700. Instructions may include program code configured to cause processing circuitry 704 to perform activities related to reading data, writing data, processing data, formulating data, converting data, transforming data, etc. Information (e.g., instructions, data, etc.) may be stored in memory circuitry 706. Memory circuitry 706 may comprise random access memory (RAM) and/or read-only memory (ROM) in a fixed or removable format. RAM may include volatile memory configured to hold information during the operation of system 700 such as, for example, static RAM (SRAM) or Dynamic RAM (DRAM). ROM may include nonvolatile (NV) memory modules configured based on BIOS, UEFI, etc. to provide instructions when system 700 is activated, programmable memories such as electronic programmable ROMs (EPROMS), Flash, etc. Other fixed/removable memory may include, but are not limited to, magnetic memories such as, for example, floppy disks, hard drives, etc., electronic memories such as solid state flash memory (e.g., embedded multimedia card (eMMC), etc.), removable memory cards or sticks (e.g., micro storage device (uSD), USB, etc.), optical memories such as compact disc-based ROM (CD-ROM), Digital Video Disks (DVD), Blu- Ray Disks, etc.

Power circuitry 708 may include internal power sources (e.g., a battery, fuel cell, etc.) and/or external power sources (e.g., electromechanical or solar generator, power grid, external fuel cell, etc.), and related circuitry configured to supply system 700 with the power needed to operate. User interface circuitry 710 may include hardware and/or software to allow users to interact with system 700 such as, for example, various input mechanisms (e.g., microphones, switches, buttons, knobs, keyboards, speakers, touch- sensitive surfaces, one or more sensors configured to capture images and/or sense proximity, distance, motion, gestures, orientation, biometric data, etc.) and various output mechanisms (e.g., speakers, displays, lighted/flashing indicators, electromechanical components for vibration, motion, etc.). The hardware in user interface circuitry 710 may be incorporated within system 700 and/or may be coupled to system 700 via a wired or wireless communication medium. User interface circuitry 710 may be optional in certain circumstances such as, for example, a situation wherein system 700 is a server (e.g., rack server, blade server, etc.) that does not include user interface circuitry 710, and instead relies on another device (e.g., a management terminal) for user interface functionality.

Communication interface circuitry 712 may be configured to manage packet routing and other control functions for communication module 714, which may include resources configured to support wired and/or wireless communications. In some instances, system 700 may comprise more than one communication module 714 (e.g., including separate physical interface modules for wired protocols and/or wireless radios) managed by a centralized communication interface circuitry 712. Wired communications may include serial and parallel wired mediums such as, for example, Ethernet, USB, Firewire, Thunderbolt, Digital Video Interface (DVI), High-Definition Multimedia Interface (HDMI), etc. Wireless communications may include, for example, close-proximity wireless mediums (e.g., radio frequency (RF) such as based on the RF Identification (RFID)or Near Field Communications (NFC) standards, infrared (IR), etc.), short-range wireless mediums (e.g., Bluetooth, WLAN, Wi-Fi, etc.), long range wireless mediums (e.g., cellular wide-area radio communication technology, satellite -based communications, etc.), electronic communications via sound waves, etc. In one embodiment, communication interface circuitry 712 may be configured to prevent wireless communications that are active in communication module 714 from interfering with each other. In performing this function, communication interface circuitry 712 may schedule activities for communication module 714 based on, for example, the relative priority of messages awaiting transmission. While the embodiment disclosed in FIG. 7 illustrates communication interface circuitry 712 being separate from communication module 714, it may also be possible for the functionality of communication interface circuitry 712 and communication module 714 to be incorporated into the same module.

FIG. 8 illustrates example operations for integrated circuit device authentication in accordance with at least one embodiment of the present disclosure. In general, the fingerprint bit string may be utilized to authenticate device 100, to determine the integrity of device 100 (e.g., which may indicate if the security of device 100 has been comprised), etc. A "known- good" fingerprint may be recorded and stored for device 100 prior to integration in system 700 such as disclosed in FIG. 7. For example, during device manufacture a fingerprint may be determined for device 100 and stored by the manufacturer. This information may then be made available later via, for example, a cloud-based architecture (e.g., at least one server accessible via a network such as the Internet). System 700 may be able to retrieve stored fingerprint data from the cloud-based architecture during startup, and may use the retrieved fingerprint data to authenticate device 100. Alternatively, the fingerprint may be stored within each device itself (e.g., within secure storage circuitry 208). The fingerprint data may be temporarily accessible when device 100 is first powered up. System 800 may record the fingerprint information from device 100 during the initial power up, and then the fingerprint may be purged from security storage circuitry 208. During subsequent initializations, device 100 may generate a fingerprint based on fabrication characteristics, and the authenticity of device 100 may be determined by comparing the fingerprint generated during startup to the fingerprint data originally retrieved from secure storage circuitry 208. In another example implementation, the fingerprint data may be permanently stored in secure storage circuitry 208, and only systems 100 that comprise a certain configuration (e.g., including certain IC devices, chipsets, programs, etc.) may be able to access the stored fingerprint data. System 700 may use the stored fingerprint data to authenticate device 100 based on a fingerprint bit string generated by device 100 (e.g., such as described above).

In operations 800 to 810 a system may authenticate at least one device. In operation 800 the system may be initialized. The system may then receive a fingerprint from a device in operation 802. For example, the fingerprint received from the device may be generated employing operations such as disclosed in FIG. 6. In operation 804 the system may verify the fingerprint received from the device against a known-good fingerprint for the device. The known-good fingerprint may be obtained by the system in a manner such as described above. A determination may then be made in operation 806 as to whether the fingerprints matched. If in operation 806 it is determined that the fingerprints match, then the system may continue with initialization in operation 808. If in operation 806 it is determined that the fingerprints do not match, then in operation 810 a security exception may occur. An example security exception may interrupt the initialization of the device and/or the system, may trigger security safeguards in the system (e.g., lockouts, data encryption, etc.), may generate a notification to a user of the system, a manufacturer of the device/system, a reseller of the device/system regarding the failure to authenticate the device, etc. In at least one embodiment, operation 810 may be followed by operation 808 so that the system may continue with initialization despite the security exception. This may occur in instances where, for example, the security exception in operation 810 was able to protect the integrity of the system (e.g., to isolate any devices that could not be authenticated) without having to deactivate the entire system.

While FIG. 6 and 8 illustrate operations according to different embodiments, it is to be understood that not all of the operations depicted in FIG. 6 and 8 are necessary for other embodiments. Indeed, it is fully contemplated herein that in other embodiments of the present disclosure, the operations depicted in FIG. 6 and 8, and/or other operations described herein, may be combined in a manner not specifically shown in any of the drawings, but still fully consistent with the present disclosure. Thus, claims directed to features and/or operations that are not exactly shown in one drawing are deemed within the scope and content of the present disclosure.

As used in this application and in the claims, a list of items joined by the term

"and/or" can mean any combination of the listed items. For example, the phrase "A, B and/or C" can mean A; B; C; A and B; A and C; B and C; or A, B and C. As used in this application and in the claims, a list of items joined by the term "at least one of can mean any combination of the listed terms. For example, the phrases "at least one of A, B or C" can mean A; B; C; A and B; A and C; B and C; or A, B and C. As used in any embodiment herein, the terms "system" may refer to, for example, software, firmware and/or circuitry configured to perform any of the aforementioned operations. Software may be embodied as a software package, code, instructions, instruction sets and/or data recorded on non-transitory computer readable storage mediums. Firmware may be embodied as code, instructions or instruction sets and/or data that are hard-coded (e.g., nonvolatile) in memory devices. "Circuitry", as used in any embodiment herein, may comprise, for example, singly or in any combination, hardwired circuitry, programmable circuitry such as computer processors comprising one or more individual instruction processing cores, state machine circuitry, and/or firmware that stores instructions executed by programmable circuitry. The modules may, collectively or individually, be embodied as circuitry that forms part of a larger system, for example, an integrated circuit (IC), system on- chip (SoC), desktop computers, laptop computers, tablet computers, servers, smartphones, etc.

Any of the operations described herein may be implemented in a system that includes one or more storage mediums (e.g., non-transitory storage mediums) having stored thereon, individually or in combination, instructions that when executed by one or more processors perform the methods. Here, the processor may include, for example, a server CPU, a mobile device CPU, and/or other programmable circuitry. Also, it is intended that operations described herein may be distributed across a plurality of physical devices, such as processing structures at more than one different physical location. The storage medium may include any type of tangible medium, for example, any type of disk including hard disks, floppy disks, optical disks, compact disk read-only memories (CD-ROMs), compact disk rewritables (CD- RWs), and magneto-optical disks, semiconductor devices such as read-only memories (ROMs), random access memories (RAMs) such as dynamic and static RAMs, erasable programmable read-only memories (EPROMs), electrically erasable programmable read-only memories (EEPROMs), flash memories, Solid State Disks (SSDs), embedded multimedia cards (eMMCs), secure digital input/output (SDIO) cards, magnetic or optical cards, or any type of media suitable for storing electronic instructions. Other embodiments may be implemented as software modules executed by a programmable control device.

Thus, this disclosure is directed hardware protection based on fabrication

characteristics. In general, an integrated circuit (IC) device may be configured to determine a string of logical values or "fingerprint" based at least on fabrication characteristics of the device. An example device may comprise at least functional circuitry corresponding to the functional purpose of the device and hardware protection circuitry (HPC). Example HPC may include interpreter circuitry and fingerprint circuitry. For example, the interpreter circuitry may measure at least one parameter (e.g., voltage) of at least one electronic component in the fingerprint circuitry, and in at least one embodiment, may compare voltages measured from different components in the fingerprint circuitry and then assign a logical one or zero to the fingerprint string based on the results of each component comparison. Example electronic components may include transistors, resistors, etc. whose performance, may depend on the fabrication characteristics of the device.

The following examples pertain to further embodiments. The following examples of the present disclosure may comprise subject material such as a device, a method, at least one machine -readable medium for storing instructions that when executed cause a machine to perform acts based on the method, means for performing acts based on the method and/or a system for hardware protection based on fabrication characteristics.

According to example 1 there is provided an integrated circuit device. The device may comprise a substrate, functional circuitry fabricated on the substrate and hardware protection circuitry fabricated on the substrate, the hardware protection circuitry including at least fingerprint circuitry and interpreter circuitry to determine a fingerprint for the device based on fabrication characteristics of the fingerprint circuitry.

Example 2 may include the elements of example 1 , wherein the interpreter circuitry is to measure at least one voltage corresponding to at least one fabrication characteristic unit in the fingerprint circuitry.

Example 3 may include the elements of example 2, wherein the at least one fabrication characteristic unit comprises at least one electronic component dedicated only to fingerprint determination in the device.

Example 4 may include the elements of any of examples 1 to 3, wherein the interpreter circuitry is to compare voltages measured from at least two electronic components in the fingerprint circuitry.

Example 5 may include the elements of example 4, wherein a fingerprint string in the device comprises logical values corresponding to each voltage comparison and the interpreter circuitry is to assign a logical one to the fingerprint string if the two voltages satisfy a certain relationship, and to assign a logical zero to the fingerprint string if the two voltages do not satisfy the certain relationship.

Example 6 may include the elements of any of examples 4 to 5, wherein the certain relationship is that a first voltage of the two voltages is one of greater than or less than a second voltage of the two voltages. Example 7 may include the elements of any of examples 4 to 6, wherein the certain relationship is that an absolute value of a difference between the two voltages is one of greater than or less than a criteria value.

Example 8 may include the elements of any of examples 4 to 7, wherein the at least two electronic components are transistors or resistors.

Example 9 may include the elements of any of examples 4 to 8, wherein the at least two electronic components include at least one of transistors or resistors.

Example 10 may include the elements of any of examples 4 to 9, wherein the at least two electronic components comprise groups of components each including at least a transistor coupled to a resistor.

Example 11 may include the elements of any of examples 4 to 10, where one of the at least two electronic components is designated as a reference, and each subsequent electronic component is compared to the reference.

Example 12 may include the elements of any of examples 1 to 11, wherein the interpreter circuitry comprises at least comparison circuitry and fingerprint forming circuitry.

Example 13 may include the elements of any of examples 1 to 12, wherein the interpreter circuitry comprises at least one of multiplexer circuitry, decoder circuitry or secure storage circuitry.

Example 14 may include the elements of any of examples 1 to 13, wherein the interpreter circuitry comprises legacy interface circuitry to cause the fingerprint to be written to fuse circuitry within the device.

Example 15 may include the elements of any of examples 1 to 14, wherein the hardware protection circuitry is to provide the fingerprint to an external tracking system during manufacture of the integrated circuitry device.

Example 16 may include the elements of example 15, wherein a system including the integrated circuit device is to obtain the fingerprint from the external tracking system to authenticate the integrated circuit device.

According to example 17 there is provided a method for formulating a fingerprint for an integrated circuit device. The method may comprise initializing an integrated circuit device, initializing fingerprint determination in the device and determining a fingerprint for the device based on fabrication characteristics of the device.

Example 18 may include the elements of example 17, wherein determining a fingerprint based on fabrication characteristics comprises measuring a voltage for at least one electronic component in fingerprint circuitry in the device. Example 19 may include the elements of example 18, wherein determining a fingerprint based on fabrication characteristics comprises assigning a logical one to a fingerprint string in the device if a first voltage and a second voltage measured from the fingerprint circuitry satisfy a certain relationship, the fingerprint string including logical values corresponding to each voltage comparison and assigning a logical zero to the fingerprint string if the first voltage and the second voltage do not satisfy the certain relationship.

Example 20 may include the elements of example 19, wherein the certain relationship is that the first voltage is one of greater than or less than the second voltage.

Example 21 may include the elements of any of examples 19 to 20, wherein the certain relationship is that an absolute value of a difference between the first voltage and the second voltage is one of greater than or less than a certain criteria value.

Example 22 may include the elements of any of examples 19 to 21, and may further comprise storing the fingerprint string.

Example 23 may include the elements of any of examples 17 to 22, and may further comprise attempting, in a system including at least the device, to authenticate the device based on the fingerprint, performing at least one security operation in the system based on authentication failing and allowing the system to continue within initialization based on authentication succeeding.

Example 24 may include the elements of example 23, and may further comprise performing at least one activity associated with a security exception based on the authentication failing.

Example 25 may include the elements of any of examples 17 to 24, and may further comprise providing the fingerprint to an external system during manufacture of the integrated circuit device.

According to example 26 there is provided a system including at least a device, the system being arranged to perform the method of any of the above examples 17 to 25.

According to example 27 there is provided a chipset arranged to perform the method of any of the above examples 17 to 25.

According to example 28 there is provided at least one machine readable medium comprising a plurality of instructions that, in response to be being executed on a computing device, cause the computing device to carry out the method according to any of the above examples 17 to 25. According to example 29 there is provided at least one device configured for formulating a fingerprint, the at least one device being arranged to perform the method of any of the above examples 17 to 25.

According to example 30 there is provided a system for formulating a fingerprint for an integrated circuit device. The system may comprise means for initializing an integrated circuit device, means for initializing fingerprint determination in the device and means for determining a fingerprint for the device based on fabrication characteristics of the device.

Example 31 may include the elements of example 30, wherein the means for determining a fingerprint based on fabrication characteristics comprise means for measuring a voltage for at least one electronic component in fingerprint circuitry in the device.

Example 32 may include the elements of example 31 , wherein the means for determining a fingerprint based on fabrication characteristics comprise means for assigning a logical one to a fingerprint string in the device if a first voltage and a second voltage measured from the fingerprint circuitry satisfy a certain relationship, the fingerprint string including logical values corresponding to each voltage comparison and means for assigning a logical zero to the fingerprint string if the first voltage and the second voltage do not satisfy the certain relationship.

Example 33 may include the elements of example 32, wherein the certain relationship is that the first voltage is one of greater than or less than the second voltage.

Example 34 may include the elements of any of examples 32 to 33, wherein the certain relationship is that an absolute value of a difference between the first voltage and the second voltage is one of greater than or less than a certain criteria value.

Example 35 may include the elements of any of examples 32 to 34, and may further comprise means for storing the fingerprint string.

Example 36 may include the elements of any of examples 30 to 35, and may further comprise means for attempting, in a system including at least the device, to authenticate the device based on the fingerprint, means for performing at least one security operation in the system based on authentication failing and means for allowing the system to continue within initialization based on authentication succeeding.

Example 37 may include the elements of example 36, and may further comprise means for performing at least one activity associated with a security exception based on the authentication failing. Example 38 may include the elements of any of examples 30 to 36, and may further comprise means for providing the fingerprint to an external system during manufacture of the integrated circuit device.

The terms and expressions which have been employed herein are used as terms of description and not of limitation, and there is no intention, in the use of such terms and expressions, of excluding any equivalents of the features shown and described (or portions thereof), and it is recognized that various modifications are possible within the scope of the claims. Accordingly, the claims are intended to cover all such equivalents.