Title:
METHOD TO PREVENT ANTI-REPLAY ATTACK
Document Type and Number:
WIPO Patent Application WO/2023/174755
Kind Code:
A1
Abstract:
The method is performed by a system (100) including i) a secure processing sub-system (300) having an internal non-volatile memory (303), ii) a non-volatile memory (400) that is external to the secure processing sub-system (300). During each power cycle where data stored in the external non-volatile memory is updated, the secure processing sub-system executes a transaction by writing a first transaction data marking the start of the transaction in the internal non-volatile memory upon a first update of the data within the power cycle, and, at the end of the power cycle, in case the power cycle ends normally, writing a second transaction data marking the end of said transaction to the internal non-volatile memory. At the beginning of any power cycle, the secure processing sub-system (300) checks if a transaction is still pending in the internal non-volatile memory (303) and, if a transaction is still pending, prevents use of the data stored in the external non-volatile memory (400).

Inventors:
VILLEGAS KARINE (CH)
GREMAUD FABIEN (CH)
CONOR RYAN (CH)
Application Number:
PCT/EP2023/055734
Publication Date:
September 21, 2023
Filing Date:
March 07, 2023
Export Citation:
Assignee:
NAGRAVISION SARL (CH)
International Classes:
G06F21/57; G06F21/71; G06F21/81
Foreign References:
EP3667533A12020-06-17
EP3913517A12021-11-24
US20160026783A12016-01-28
US20170329994A12017-11-16
Other References:
ARM: "Arm Platform Security Architecture Trusted Boot and Firmware Update 1.1 Contents", 9 March 2020 (2020-03-09), XP055891415, Retrieved from the Internet [retrieved on 20220214]
Attorney, Agent or Firm:
NOVAGRAAF INTERNATIONAL SA et al. (CH)
Claims:
CLAIMS

1. A method performed by a system (100) including i) a secure processing sub-system (300) having an internal non-volatile memory (303), ii) a non-volatile memory (400) that is external to the secure processing sub-system (300); the method being characterized in that during each power cycle where data stored in the external non-volatile memory is updated, the secure processing sub-system executes a transaction by performing the following steps:

- writing a first transaction data marking the start of the transaction in the internal non-volatile memory upon a first update of the data within the power cycle, and

- at the end of the power cycle, in case the power cycle ends normally, writing a second transaction data marking the end of said transaction to the internal non-volatile memory, and, at the beginning of any further power cycle, the secure processing sub-system (300) performs the steps of

- checking (902) if a transaction is still pending in the internal non-volatile memory (303); and

- if a transaction is still pending, preventing to use the data stored in the external non-volatile memory (400).

2. The method according to claim 1, wherein, at the end of each power cycle where the data stored in the external non-volatile memory is updated, the secure processing sub-system (300) writes into the internal non-volatile memory (303) a version information of the updated data stored in the external non-volatile memory before ending the transaction.

3. The method according to claim 2, wherein, at the beginning of any power cycle, after verifying that there is no pending transaction in the internal non-volatile memory (303), the secure processing sub-system (300) verifies (906) that the version of the data stored in the external non-volatile memory (400) matches the version information in the internal non-volatile memory (303) and, in a negative event, prevents (907) to use the data stored in the external non-volatile memory.

4. The method according to claim 2 or 3, wherein, at the end of the power cycle where the data stored in the external non-volatile memory (400) is updated, the secure processing sub-system (300) increments a version counter in the internal non-volatile memory (303) and writes the version counter value into the external non-volatile memory (400).

5. The method according to claim 2 or 3, wherein, at the end of the power cycle where the data stored in the external non-volatile memory (400) is updated, the secure processing sub-system (300) computes a condensed representation of the updated data stored in the external non-volatile memory and writes said condensed representation into the internal non-volatile memory (303) and into the external non-volatile memory (400).

6. The method according to any of claims 1 to 5, wherein the secure processing sub-system (300) controls to

- copy the data from the external non-volatile memory in a volatile memory (500), at the beginning of a power cycle,

- update the data in the volatile memory (500) during the power cycle, and

- at the end of the power cycle, write the updated data to persist in memory from said volatile memory to the external non-volatile memory before ending the transaction.

7. The method according to any of claims 1 to 5, wherein, in each power cycle where the data stored in the external non-volatile memory (400) is updated, the secure processing sub-system (300) controls to

- update the data in the external non-volatile memory (400) during the power cycle;

- at every update, write a data version information into a volatile memory (500, 307) and in the external non-volatile memory (400), and

- at the end of the power cycle, write the current data version information from the volatile memory (500, 307) to the internal non-volatile memory (303) before ending the transaction.

8. The method according to any of claims 1 to 7, wherein, the external non-volatile memory (400) has a first area and a second area, and, at the beginning of any power cycle, if a transaction is still pending, the secure processing sub-system (300) only prevents to use the data stored in the first area of the external non-volatile memory (400).

9. The method according to any of claims 1 to 8, wherein the secure processing sub-system:

- increments a value of a first counter in the internal non-volatile memory to write the first transaction data;

- increments a value of a second counter in the internal non-volatile memory to write the second transaction data, and, at the beginning of any power cycle:

- compares the respective values of the first and second counters to check if a transaction executed during a previous power cycle is still pending.

10. The method according to any of claims 1 to 8, wherein the secure processing sub-system:

- increments a value of a counter in the internal non-volatile memory to write the first transaction data;

- increments a value of the same counter in the internal non-volatile memory to write the second transaction data; and, at the beginning of any power cycle,

- verifies the even or odd character of said counter value to check if a transaction executed during a previous power cycle is still pending.

11. The method according to any of claims 1 to 8, wherein the secure processing sub-system:

- extracts a transaction start value from a value table, pre-stored in the secure processing sub-system, containing preselected transaction start values associated with pre-selected transaction end values and writes the extracted start value to the internal non-volatile memory to write the first transaction data;

- extracts the transaction end value associated with the extracted transaction start value from the value table and writes the extracted transaction end value to the internal non-volatile memory to write the second transaction data; and, at the beginning of any power cycle:

- verifies that the transaction start value and the associated transaction end value are both written in the internal non-volatile memory to check if a transaction executed during a previous power cycle is still pending.

12. A system (100) including i) a secure processing sub-system (300) having an internal non-volatile memory (303), and ii) a non-volatile memory that is external to the secure processing sub-system (300); wherein the system (100) has means to carry out the steps of the method according to any of claims 1 to 11.

13. A computer program comprising instructions which, when the program is executed by a computer, cause the computer to carry out the steps of the method according to any of claims 1 to 11.

Description:
Method to prevent anti-replay attack

TECHNICAL FIELD

[0001] The present disclosure relates to a method performed by a system comprising a secure processing sub-system having an internal non-volatile memory, and a non-volatile memory that is external to the secure processing sub-system. The external non-volatile memory can be used by the secure processing sub-system to store data. Such a system can be used for example in a smartphone, a communication device, a GPS receiver, an autonomous robot, an IoT device, etc.

BACKGROUND

[0002] The secure processing sub-system, or secure processing element, or secure element, is a secure area that is for example part of an integrated circuit. It may include a separate processor or CPU (central processing unit), one or more memories, hardware means and/or software means to implement cryptographic functions such as encryption and/or decryption algorithm(s), signature and/or verification algorithm(s), an interface with the integrated circuit to send and receive data and/or commands to and from the integrated circuit, buses to connect the external memory via the integrated circuit. A power source and a clock generator provide power and a clock signal to the integrated circuit.

[0003] The secure processing sub-system may be implemented on an integrated circuit such as a system-on-chip (SoC), a chip or other similar device having a processor or CPU and one or more memories.

[0004] The amount of memory available in the secure processing sub-system may be limited. In some cases, the amount of the memory available in the integrated circuit is also limited due to the small size of the integrated circuit. As a result, the secure processing sub-system may use a non-volatile memory (NVM) that is external to the secure processing sub-system, and/or external to the integrated circuit, to store data. The confidentiality and the authenticity of the data stored in the external non-volatile memory may be ensured by the use of encryption, integrity and authentication mechanisms.

[0005] The data stored in the external non-volatile memory may undergo updates while the system is powered on. These updates may be followed up, for example in a volatile memory.

[0006] The power supply to the system may be temporarily interrupted, due to a power loss from the power source. Such a situation may occur when a battery used as the power source is being discharged or is removed.

[0007] An attacker may try to replace the current version of the data stored in the external non-volatile memory by an old copy of the data that is validly encrypted and authenticated, for example signed, by the secure processing sub-system, for example during a power interruption. Such an attack is referenced as a rollback or playback attack. It may allow the attacker to gain access to the secure processing sub-system and/or have the secure processing sub-system to perform an unauthorized action.

[0008] US2017/0329994 discloses a computing device comprising:

- a secure processing subsystem implemented on a SoC and including an internal non-volatile memory, such as an OTP memory;

- an external non-volatile memory that is external to the SoC and used by the secure processing sub-system to store data; and

- a power source, external to secure processing subsystem, to supply the secure processing subsystem.

[0009] The secure processing subsystem has a volatile memory and a nonvolatile memory, such as an OTP (one-time programmable) memory.

[0010] The volatile memory is used by the secure processing subsystem to store and maintain the data while power is supplied to the secure processing subsystem. In the event that power supply is lost or interrupted, the content of the volatile memory is lost. The secure processing sub-system maintains and updates data in the volatile memory but needs to offload the data to the external memory, that may be required later or for persistent storage, in the event of a power loss from the external power source.

[0011] For that purpose, the secure processing subsystem has an internal power source that is used as a secondary power source for providing power in the event that power from the external power source is lost. It can comprise a capacitor, a battery, or other device that can store electrical power and power the secure processing sub-system at least for a short period of time in the event of a power loss from the external power source.

[0012] Furthermore, an anti-replay counter ARC is used to prevent replay attacks on data stored in the external memory by the secure processing subsystem. The ARC value is maintained in the volatile memory of the secure processing sub-system while power is provided from the external power source. But, in an event indicative that power provided from the external power source has been lost or power loss is imminent, the ARC value is written from the volatile memory of the secure processing sub-system to the non-volatile memory of the secure processing sub-system. The internal power source provides the secure processing sub-system with sufficient power to allow it to write the current ARC value stored in the volatile memory into the internal nonvolatile memory.

[0013] In US2017/0329994, the secure processing sub-system of the computing device uses the ARC value to prevent attacks in which an attacker attempts to place expired but otherwise valid data in the external memory in an attempt to gain access to the secure processing sub-system and have the secure processing sub-system perform some unauthorized action. To avoid replay attacks, the SoC relies on the ARC. When the computing device is powered on, the processor of the secure processing sub-system retrieves the ARC value from its internal non-volatile memory and stores the ARC value in its volatile memory. The ARC value is maintained in the volatile memory and updated each time data is written to the external memory, until a triggering event occurs that causes the processor of the secure processing sub-system to update the ARC value in the internal non-volatile memory with the current ARC value stored in the volatile memory. The ARC value in the volatile memory of the secure processing sub-system follows the updates of the data stored in the external memory. The triggering event indicates that the power from the external power source has been lost or may be lost. When the computing device is powered on again, the authenticity of the data stored in the external memory is checked by the secure processing sub-system using the ARC value stored in its internal non-volatile memory.

[0014] The approach disclosed in US2017/0329994 requires a secure detection of the triggering event and an internal power source with high security requirements. The technical implementation needs to be robust, since all power-off events must be detected and the internal power source must be protected against any malicious attack. Furthermore, the addition of an internal power source in a secure processing sub-system is expensive and requires more space on the integrated circuit.

[0015] Therefore, there is a need for improving the situation. More precisely, there is a need to avoid a rollback or playback attack in a system including:

- a secure processing sub-system having an internal non-volatile memory,

- a non-volatile memory that is external to the secure processing sub-system; with a technical solution having a simpler and less expensive implementation, and requiring less space.

SUMMARY

[0016] The present disclosure concerns a method performed by a system including i) a secure processing sub-system having an internal non-volatile memory, ii) a non-volatile memory that is external to the secure processing sub-system; the method being characterized in that during each power cycle where data stored in the external non-volatile memory is updated, the secure processing sub-system executes a transaction by performing the following steps:

- writing a first transaction data marking the start of the transaction in the internal non-volatile memory upon a first update of the data within the power cycle, and

- at the end of the power cycle, writing a second transaction data marking the end of said transaction to the internal non-volatile memory, and, at the beginning of any power cycle, the secure processing sub-system performs the steps of

- checking if a transaction is still pending in the internal non-volatile memory; and

- if a transaction is still pending, preventing use of the data stored in the external non-volatile memory.

[0017] A power cycle corresponds to a period while power is supplied from the power source to the system elements from the time the system is powered on and until the system is powered off.

[0018] In each power cycle where data stored in the external non-volatile memory is updated, a transaction is started in the internal non-volatile memory. When the power cycle is proceeding normally (i.e., without an unexpected power loss such as one caused by an attack), a signal may be transmitted to the secure processing sub-system in the event of an expected imminent power interruption or power loss, indicating that the power supply is going to be interrupted. When the power cycle ends normally, shortly before the expected power interruption, the secure processing sub-system ends or commits the transaction in the internal non-volatile memory by writing the second transaction data.

[0019] In case of an unexpected power loss, which can happen when the system is attacked, it is very likely that no signal indicating that power is going to be interrupted is sent to the secure processing sub-system. In such a situation, the secure processing sub-system does not properly end the current transaction in the internal non-volatile memory. At the time the device is next powered on, the secure processing sub-system checks the transaction status in its internal non-volatile memory and, if a transaction is still pending, the secure processing sub-system cannot trust the data stored in the external non-volatile memory and consequently prevents their use. The present transaction-based mechanism prevents a rollback or replay attack consisting in using an old version of the data stored in the external memory, which may be validly encrypted and/or authenticated.

[0020] In the present disclosure, it is assumed that, in normal circumstances, that is to say in a normal situation when no unexpected power loss that may be caused by an attack happens, the transaction can be properly closed shortly before the power interruption. But when there is an unexpected power loss, which is typically caused by an attack, this can be detected later based on the transaction status that remains pending. For example, during an attack, the battery may suddenly be removed, and the secure processing sub-system does not have time to end the transaction in the internal non-volatile memory. As a result, the transaction remains pending in the internal non-volatile memory. At the time the system is powered on again, it is detected that a transaction is still pending. Consequently, the content of the external non-volatile memory is no longer trusted or used by the secure processing sub-system. The secure processing sub-system may still use internal functions and continue to operate.

[0021] In an embodiment, at the end of each power cycle where the data stored in the external non-volatile memory is updated, the secure processing sub-system writes into the internal non-volatile memory a version information of the updated data stored in the external non-volatile memory before ending the transaction.

[0022] In that case, at the beginning of any power cycle, after verifying that there is no pending transaction in the internal non-volatile memory, the secure processing sub-system verifies that the version of the data stored in the external non-volatile memory matches the version information in the internal non-volatile memory and, in a negative event, prevents use of the data stored in the external non-volatile memory.

[0023] If there is no pending transaction when the system is powered on, the secure processing sub-system performs another security check on the data stored in the external non-volatile memory by verifying whether the version of the data stored in the external non-volatile memory corresponds to the data version information stored in the internal non-volatile memory. This guarantees that the version of the data stored in the external memory is not an old version.

[0024] In an embodiment, at the end of the power cycle where the data stored in the external non-volatile memory is updated, the secure processing sub-system increments a version counter in the internal non-volatile memory and writes the version counter value into the external non-volatile memory. Using a version counter in the internal non-volatile memory to follow the versions of the data stored in the external non-volatile memory minimizes the wear of the internal non-volatile memory.

[0025] In another embodiment, at the end of the power cycle where the data stored in the external non-volatile memory is updated, the secure processing sub-system computes a condensed representation of the updated data stored in the external non-volatile memory and writes said condensed representation into the internal non-volatile memory and into the external non-volatile memory.

[0026] In a first embodiment, the secure processing sub-system controls to

- copy the data from the external non-volatile memory in a volatile memory, at the beginning of a power cycle,

- update the data in the volatile memory during the power cycle, and

- at the end of the power cycle, write the updated data to persist in memory from said volatile memory to the external non-volatile memory before ending the transaction.

The use of a volatile memory to maintain and update the data during the power cycles saves programming time and spares the external non-volatile memory.

[0027] In a second embodiment, in each power cycle where the data stored in the external non-volatile memory is updated, the secure processing sub-system controls to

- update the data in the external non-volatile memory during the power cycle;

- at every update, write a data version information into a volatile memory and in the external non-volatile memory, and

- at the end of the power cycle, write the current data version information from the volatile memory to the internal non-volatile memory before ending the transaction.

The present transaction-based mechanism also applies in case the data is updated in the external non-volatile memory.

[0028] The external non-volatile memory may have a first area and a second area, and, at the beginning of any power cycle, if a transaction is still pending, the secure processing sub-system may prevent use of the data stored in the first area of the external non-volatile memory only.

[0029] The secure processing sub-system can start and end a transaction in its internal non-volatile memory in different ways.

[0030] In a first example of implementation, the secure processing sub-system:

- increments a value of a first counter in the internal non-volatile memory to write the first transaction data;

- increments a value of a second counter in the internal non-volatile memory to write the second transaction data, and, at the beginning of any power cycle:

- compares the respective values of the first and second counters to check if a transaction executed during a previous power cycle is still pending.

[0031] In a second example of implementation, the secure processing sub-system:

- increments a value of a counter in the internal non-volatile memory to write the first transaction data;

- increments a value of the same counter in the internal non-volatile memory to write the second transaction data; and, at the beginning of any power cycle,

- verifies the even or odd character of said counter value to check if a transaction executed during a previous power cycle is still pending.

[0032] In a third example of implementation, the secure processing sub-system:

- extracts a transaction start value from a value table, pre-stored in the secure processing sub-system, containing preselected transaction start values associated with pre-selected transaction end values and writes the extracted start value to the internal non-volatile memory to write the first transaction data;

- extracts the transaction end value associated with the extracted transaction start value from the value table and writes the extracted transaction end value to the internal non-volatile memory to write the second transaction data; and, at the beginning of any power cycle:

- verifies that the transaction start value and the associated transaction end value are both written in the internal non-volatile memory to check if a transaction executed during a previous power cycle is still pending.

[0033] The above examples are non-limitative.
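The following simulation, added here as an illustration and not code from the patent or from the assignee, walks the first embodiment ([0026]) through the three situations the disclosure distinguishes: a normal update and shutdown, a sudden power loss after an update, and an old copy restored after a normal shutdown. It uses the two-counter variant ([0030]) for the transaction marker and, as assumptions of this example, a SHA-256 digest as the condensed representation (claim 5), OTP-style monotonic counters for the internal NVM, and a constructed `balance=...` payload; the step numbers 902/903 and 906/907 are those of claim 1 and claim 3.

```python
import hashlib
from dataclasses import dataclass

def condensed(payload: bytes, version: int) -> bytes:
    """Condensed representation (claim 5): SHA-256 over version || payload, an assumption."""
    return hashlib.sha256(version.to_bytes(4, "big") + payload).digest()

@dataclass
class InternalNVM:
    """Internal NVM of the secure sub-system, modelled as OTP-style monotonic counters."""
    tx_start: int = 0    # first counter: incremented to write the first transaction data
    tx_end: int = 0      # second counter: incremented to write the second transaction data
    version: int = 0     # version counter of the external data (claim 4)
    digest: bytes = b""  # condensed representation of the external data (claim 5)

    def pending(self) -> bool:
        # Two-counter variant ([0030]): a start with no matching end was never committed.
        return self.tx_start != self.tx_end

@dataclass
class ExternalNVM:
    """Storage outside the secure sub-system; an attacker may put back an older copy."""
    payload: bytes = b""
    version: int = 0
    digest: bytes = b""

class SecureSubSystem:
    """First embodiment ([0026]): data is copied to RAM at power-on, updated in
    RAM, and written back to the external NVM at a normal end of power cycle."""
    def __init__(self, internal: InternalNVM, external: ExternalNVM):
        self.internal, self.external = internal, external
        self.ram = None
        self.dirty = False              # True once the first update of this cycle happened
        self.external_trusted = False

    def power_on(self) -> bool:
        """Step 902: pending transaction -> 903 refuse; else step 906: version mismatch -> 907 refuse."""
        ext, nvm = self.external, self.internal
        if nvm.pending():
            ok = False
        else:
            ok = ext.version == nvm.version and condensed(ext.payload, ext.version) == nvm.digest
        self.ram, self.external_trusted = (ext.payload if ok else None), ok
        return ok

    def update(self, new_payload: bytes) -> None:
        if not self.external_trusted:
            raise PermissionError("external data was rejected in this power cycle")
        if not self.dirty:
            self.internal.tx_start += 1   # first transaction data, on the first update only
            self.dirty = True
        self.ram = new_payload

    def power_off_normally(self) -> None:
        """The 'power interruption imminent' signal was received: persist the data
        and its new version, then commit the transaction as the very last write."""
        if self.dirty:
            self.internal.version += 1
            self.external.payload, self.external.version = self.ram, self.internal.version
            self.external.digest = condensed(self.ram, self.internal.version)
            self.internal.digest = self.external.digest
            self.internal.tx_end += 1     # second transaction data
        self.ram, self.dirty = None, False

    def sudden_power_loss(self) -> None:
        self.ram, self.dirty = None, False   # battery pulled: no signal, nothing written

def provisioned_system() -> SecureSubSystem:
    """Constructed starting state: version 0 with matching digests on both sides."""
    d = condensed(b"balance=100", 0)
    return SecureSubSystem(InternalNVM(digest=d), ExternalNVM(b"balance=100", 0, d))

def boot_update_then(s: SecureSubSystem, normal_end: bool) -> bool:
    """One power cycle: boot, one update, then a normal or an abrupt end."""
    accepted = s.power_on()
    if accepted:
        s.update(b"balance=90")
        s.power_off_normally() if normal_end else s.sudden_power_loss()
    return accepted

def scenario_clean() -> bool:
    """Normal update and shutdown: the next boot accepts the external data."""
    s = provisioned_system()
    boot_update_then(s, normal_end=True)
    return s.power_on()

def scenario_power_loss() -> bool:
    """Power loss after an update: the transaction stays pending, so the next boot
    rejects the external data even though nothing stored in it was changed."""
    s = provisioned_system()
    boot_update_then(s, normal_end=False)
    return s.power_on()

def scenario_rollback_after_commit() -> bool:
    """Old, validly formed copy restored after a normal shutdown: nothing is pending,
    but the version check (claims 2 to 5) catches it."""
    s = provisioned_system()
    old = (s.external.payload, s.external.version, s.external.digest)
    boot_update_then(s, normal_end=True)
    s.external.payload, s.external.version, s.external.digest = old
    return s.power_on()
```

Because the counters only increase, a pending transaction cannot be cleared by tampering with the external memory, which is why the power-loss scenario stays rejected even though the external content is byte-for-byte what the sub-system last wrote.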

[0034] The present disclosure also concerns a system including i) a secure processing sub-system having an internal non-volatile memory, and ii) a non-volatile memory that is external to the secure processing sub-system; wherein the system has means to carry out the steps of the method previously defined.

[0035] The present disclosure further concerns a computer program comprising instructions which, when the program is executed by a computer, cause the computer to carry out the steps of the method previously defined.

BRIEF DESCRIPTION OF THE DRAWINGS

[0036] Other features, purposes and advantages of the disclosure will become more explicit by means of reading the detailed statement of the non-restrictive embodiments made with reference to the accompanying drawings.

[0037] Figure 1 shows a functional block diagram of a system with a secure processing sub-system, according to an embodiment.

[0038] Figures 2A-2B are a flow diagram of a process of updating data, according to an embodiment.

[0039] Figure 3 is a flow diagram of a process of starting a power cycle, according to an embodiment.

DETAILED DESCRIPTION

[0040] The present disclosure provides a transaction-based anti-replay or anti-rollback mechanism for a system including i) a secure processing sub-system having an internal non-volatile memory (NVM), and ii) a non-volatile memory (NVM), or persistent memory, that is external to the secure processing sub-system.

[0041] The secure processing sub-system may be implemented on an integrated circuit. It may be a secure area of the integrated circuit. Optionally, the non-volatile memory may be external to the integrated circuit.

[0042] Power supply to the system is provided by a power source. The power source may be external to the assembly, or system, comprising the secure processing sub-system and the external non-volatile memory. This assembly or system is supplied by the power source during power cycles between which power is interrupted. Any power cycle is started when the system (assembly) is powered on and ended when the system (assembly) is powered down or off. Each power cycle corresponds to a period while power is supplied from the power source to the system elements from the time the system is powered on and until the system is powered off.

[0043] The secure processing sub-system, which may be implemented on an integrated circuit, uses the external NVM to store data. The data stored in the external NVM may be updated over time during the power cycles. The anti-replay mechanism can be used to prevent rollback or replay attacks on the data stored in the external NVM. Indeed, in a rollback or replay attack, an attacker may attempt to restore to the external NVM an old version of the data which is validly authenticated (for example validly signed) and/or encrypted by the secure processing sub-system. The present disclosure concerns an additional protection for the data stored in the external NVM. Accordingly, during each power cycle where the data is updated, a transaction processing is started upon a first update of the data within this power cycle, by writing a first transaction data in the internal NVM.

[0044] When the power cycle is regular or normal, that is to say when the power cycle is proceeding normally without an undesired or unexpected power loss (which may happen suddenly, before the normal end of the power cycle), said power cycle ends in a predetermined or expected manner. In an embodiment, when the power cycle is regular or normal and therefore ends normally, the secure processing sub-system receives, at the end of the power cycle and before the power interruption, a signal indicating that a power interruption is imminent.

[0045] When the power cycle ends normally, i.e. in an expected or predetermined manner, for example upon reception of a signal indicating that a power interruption is imminent, and in case updated data must be kept in the external NVM, one or more required writing actions may be performed to update the internal NVM and, if needed, the external NVM in accordance with the current version of the updated data. Furthermore, at the end of the power cycle, in case the power cycle ends normally, the transaction processing is committed, in other words validated or closed or ended, by the secure processing sub-system, by writing a second transaction data in the internal non-volatile memory. The second transaction data is advantageously written in the internal non-volatile memory after the required writing actions to update the internal NVM and, if needed, the external NVM in accordance with the current version of the updated data.

[0046] In case of an undesired or unexpected power loss, for example caused by an attack during the power cycle, the power cycle does not end normally or in an expected manner. The unexpected power loss may happen suddenly, for example because a battery is suddenly removed. In an embodiment, the signal indicating that a power interruption is imminent is not received by the secure processing sub-system. In such a situation, the transaction is not ended. As a result, the second transaction data marking the end of the transaction is not written in the internal non-volatile memory.

[0047] After a power interruption, when the system is next powered on, the secure processing sub-system checks if a transaction processing is still pending, in other words if a transaction has been started but was not ended, or not committed, or not closed, in the internal NVM.

[0048] If no transaction processing is pending in the internal NVM, the version of the data (in other words the freshness of the data) that is stored in the external non-volatile memory can be trusted and used by the secure processing sub-system. In that case, the data stored in the external non-volatile memory can be further verified by checking the integrity, authenticity and/or confidentiality of the data by means of well-known verification algorithms.

[0049] If a transaction processing is still pending in the internal NVM, which means that the last transaction has been started but did not end correctly, the data stored in the external NVM cannot be trusted and used by the secure processing sub-system. In such a case, it is assumed that an attack may have been attempted and, for security reasons, the data stored in the external NVM is not trusted and consequently not used to prevent any rollback or playback attack.

[0050] Figure 1 shows a functional block diagram of a computing system 100, or computing device, including an integrated circuit 200, a secure processing sub-system 300 implemented on the integrated circuit 200, an external non-volatile memory (NVM) 400, and a power source 600.

[0051] The power source 600 powers the system 100, and may be external to the integrated circuit 200. It may comprise a battery or any other equipment for providing electrical power to the components of the integrated circuit 200.

[0052] The secure processing sub-system 300 may provide a secure execution environment, with a high level of security, including hardware and/or software means for implementing functions such as cryptographic functions and/or algorithms for example for encryption, decryption and/or authentication. The secure processing sub-system 300 may comprise a processor or CPU 301 , and one or more cryptographic accelerators 302, or co-processors, designed to perform cryptographic operations.

[0053] Furthermore, the secure processing sub-system 300 may have a software, or program instructions, component or module 306 to control the execution of a transaction processing, during each power cycle where data is updated, and of a process of verifying if a transaction is still pending in the internal NVM 303 and, in a positive event, preventing the use of the data stored in the external NVM 400, as described later in the description of the method. The software 306 may run on the CPU 301 of the secure processing sub-system 300.

[0054] The secure processing sub-system 300 may comprise a non-volatile memory 303, such as an OTP (One Time Programmable) memory. The nonvolatile memory 303 is a persistent memory that maintains the data stored therein even in case of power interruption to the secure processing sub-system 300. The non-volatile memory 303 of the secure processing sub-system 300 is not limited to an OTP memory. It could be any other type of non-volatile memory, such as a MTP (multi-time programmable) memory or a flash memory.

[0055] In addition, optionally, the secure processing sub-system 300 may include a volatile memory 307 that may be used as a working memory.

[0056] The secure processing sub-system 300 can also have an integrated circuit interface 305 to communicate with the integrated circuit 200 in order to send and receive data and/or commands. Buses (not represented) can also be provided in the secure processing sub-system 300.

[0057] The integrated circuit 200 may be a system-on-chip (SOC), also referenced as a chip. As shown in figure 1 , it may include a processor or CPU 201 , hardware and/or software elements to implement one or more functions and/or applications represented by functional blocks 202 in figure 1. The functions and/or applications implemented on the integrated circuit 200 may depend on the functionality of the sub-system 300 or system 100.

[0058] The non-volatile memory (NVM) 400 is external to the secure processing sub-system 300. Optionally, it may be external to the integrated circuit 200. For example, it may be a flash memory. It may be connected to the secure processing sub-system 300 either directly or via the integrated circuit 200. This external NVM 400 is used by the secure processing sub-system 300 to store data in a persistent manner, even in case of power interruption. The data may include any type of data such as information or code. The nature of the data may depend on the functionality of the system 100 and/or the applications, functions and operations executed by the system 100. As examples, the data can include an operating system, JAVA-OS, SIM applications, operator profiles, network authentication keys, IoT applications, etc. These examples are only illustrative and non-limitative. In another embodiment, the non-volatile memory 400 could be implemented on the integrated circuit 200, preferably outside the secure processing sub-system 300.

[0059] Optionally, the system 100 may further comprise a volatile memory 500 used during the power cycles for the data updates, as described in more details later. The volatile memory 500 may be external to the integrated circuit 200. Alternatively, the volatile memory 500 could be implemented on the integrated circuit 200, preferably outside the secure processing sub-system 300.

[0060] Optionally, the system 100 may have an external memory 700 including one part or area of non-volatile memory, corresponding to the NVM 400, and one part or area of volatile memory, corresponding to the volatile memory 500.

[0061] As previously indicated, the external NVM 400 is used by the secure processing sub-system 300 to store data. The data, stored in the external NVM 400, may be updated over time in some power cycles. The updates of the data may be monitored using the volatile memory 500 and/or the volatile memory 307, while the system 100 is powered. However, the content of the volatile memories 500 and 307 is erased or lost when the power supply to the system 100 is interrupted. In case of power interruption, to persist the updated data in memory (in other words for persistent storage of the updated data), one or more writing actions to the internal NVM 303 and, if needed, to the external NVM 400 are performed, before interrupting the power supply and erasing the volatile memories 500 and/or 307, as described later in more detail.

[0062] In a first embodiment, the data that is stored in the external NVM 400 may be copied into the volatile memory 500 at the beginning of each power cycle, and then maintained and updated in the volatile memory 500 during the power cycle. At the end of the power cycle, shortly before the power interruption, the updated data is written from the volatile memory 500 to the external non-volatile memory 400. In some cases, it is not desired to persist in memory, or keep in a persistent memory, all the updated data, but only a part of the updated data. In such cases, only the updated data to persist in memory may be written from the volatile memory to the external non-volatile memory 400.

[0063] In a second embodiment, the data may be maintained and updated in the external NVM 400 during the power cycles. Indeed, it is possible to update the data in the external NVM 400.

[0064] The programming time in a non-volatile memory is higher than in a volatile memory. Furthermore, using the external NVM 400 to store all the updates of the data, including transient updates, leads to a faster wear of the non-volatile memory 400. So, it is more relevant technically to use the volatile memory to update the data during the power cycles, according to the first embodiment, so as to spare the external non-volatile memory and reduce programming time.

[0065] Figure 2A is a flowchart 800 of a data updating process, according to an embodiment, performed during a power cycle Ci.

[0066] Let us consider that, in the present embodiment, at the beginning of the power cycle Ci, the data initially stored in the non-volatile memory 400 is copied into the volatile memory 500. Then, during the power cycle Ci, the data is maintained and updated within the volatile memory 500. In other embodiments, the volatile memory 307 of the secure processing sub-system 300 may be used to store, maintain and update the data from the external non-volatile memory 400, in addition to or instead of the volatile memory 500.

[0067] A first update of the data within the power cycle Ci, in a step 810, triggers the secure processing sub-system 300 to start a transaction processing. The transaction processing is started by writing into the internal NVM 303 a first transaction data, or start transaction data, marking the start of the transaction, in a step 820.

[0068] Then, during the power cycle Ci, the data may undergo one or more further updates, represented by a step 830. It should be noted that at least part of the updates may be transient updates. The data is updated within the volatile memory 500, in the step 830. The updates of the data in the volatile memory 500 may be done by the processor or CPU 201 of the integrated circuit 200. The secure processing sub-system 300 may prepare and secure the updated data in confidentiality, integrity, authenticity and freshness.

[0069] In a step 840, a power interruption is imminent. When the power cycle Ci ends normally, in an expected or predetermined manner, the secure processing sub-system 300 may be informed of this event by the integrated circuit 200. In an embodiment, the secure processing sub-system 300 may receive a signal indicating that a power interruption is imminent, for example from the integrated circuit 200. For example, the integrated circuit 200 may receive a signal from a battery controller indicating that a power loss from the battery 600 is imminent when the battery charge level is below a predefined threshold, and informs the secure processing sub-system 300.

[0070] The step 840 may be a triggering event to perform a step 850 of executing different actions of writing to the internal non-volatile memory 303 and to the external non-volatile memory 400 so as to update them in accordance with the updated data that needs to persist in memory during the power interruption. The step 850 may be performed by the secure processing sub-system 300, and/or by the integrated circuit 200 under control of the secure processing sub-system 300. The writing actions to update the internal and external non-volatile memories 303, 400 are illustrated in figure 2B and explained below:

- the updated data that the secure processing sub-system 300 wants to persist in memory may be written from the volatile memory 500 to the external nonvolatile memory 400, in a step 851 ;

- a version counter 304 may be incremented in the internal non-volatile memory 303, in a step 852;

- the incremented value of the version counter 304 may be added to the updated data within the external NVM 400, in a step 853.

[0071 ] The version counter 304 has the function of counting the power cycles with update of the data in the external non-volatile memory 400. It means that:

- if during a power cycle, there is no update, or change, of the data stored in the external non-volatile memory 400, the version counter 304 is not incremented; and

- if the data is updated several times during one power cycle with update of the data stored in the external non-volatile memory 400, the version counter 304 is only incremented once.

[0072] Thus, in operation, the version counter 304 may be incremented once at the end of each power cycle with update of the data stored in the external NVM 400. The version counter 304 does not need to be incremented each time the data is updated. It is sufficient that the version counter 304 counts the power cycles with update of the data stored in the external NVM 400.

[0073] The updated data that is stored in the external non-volatile memory 400 in the step 851 corresponds to a certain version of the data. The value of the version counter 304 corresponds to a version value for the data version stored in the external NVM 400.

[0074] For security reasons, the data stored in the external NVM 400 may be cryptographically encrypted and authenticated. Furthermore, the data may be stored in the external NVM 400 in association with metadata containing information on the stored data. The metadata may be cryptographically encrypted and/or authenticated. The authentication mechanism used for the data may be a hash-based signature, a block cipher based message authentication code or an asymmetric cryptography based signature. In that case, the message authentication code and/or the signature is included in the metadata. More generally, the metadata may include any type of authentication data (also referenced as an integrity figure), such as a signature, a hash, a hash MAC, a digital fingerprint, etc., allowing to verify the integrity and/or authenticity of the data stored in the external non-volatile memory 400. The counter value, also referenced as the data version value, stored in the internal NVM 303 may be included in the authentication process (i.e. covered by the message authentication code or signature) and may also be added in the metadata.

[0075] Any other type of version information representative of the version of the updated data stored in the external NVM 400 could be used. For example, the version information of the data stored in the external NVM 400 may include a condensed representation of the data stored in the external NVM, such as a hash value, a hash MAC, a digital fingerprint, etc... The condensed representation of data corresponds to an integrity figure representing the data. At the end of the power cycle with update of the data stored in the external NVM 400, the secure processing sub-system 300 may compute the condensed representation of the updated data stored in the external NVM 400, and store, or write, this condensed information into the internal NVM 303 and into the external NVM 400.

[0076] If the power cycle Ci is proceeding normally, i.e. in a regular or expected or predetermined manner, the secure processing sub-system 300 ends the transaction processing at the normal end of the power cycle Ci by writing a second transaction data, or end transaction data, marking the end of the transaction, in the internal NVM 303, in a step 860. In an embodiment, after completion of all the required writing actions 851 , 852, 853 to update the internal and external non-volatile memories 303, 400 in the step 850, the transaction processing is closed, or committed, or ended, by writing the second transaction data, or end transaction data, marking the end of the transaction, in the internal NVM 303, in the step 860.

[0077] Finally, in a step 870, the power supply is interrupted, which marks the end of the regular or normal power cycle Ci.

[0078] The steps 810 to 870 are executed for each power cycle where the data stored in the non-volatile memory 400 is updated.

[0079] In case of an unexpected or undesired power loss, the power supply of the secure processing sub-system 300 is interrupted before the normal end of the power cycle Ci. In such a situation, the power cycle Ci is not ending normally (i.e., not in a predetermined or expected manner). In an embodiment, the secure processing sub-system 300 may not be informed that a power interruption is imminent by means of a received signal. In that case, the secure processing sub-system 300 does not end the transaction processing that has been previously started. As a result, the second transaction data, or end transaction data, is not written in the internal NVM 303.

[0080] There are different ways to write the first transaction data and the second transaction data marking the start and the end of a transaction processing, in the internal NVM 303, in the steps 820 and 860. The description below gives different examples of implementation. However, these examples are only illustrative and non-limitative.

[0081] In a first example of implementation, the secure processing sub-system 300:

- increments a value of a first transaction counter in the internal non-volatile memory 303 to write the first transaction data in the step 820;

- increments a value of a second transaction counter in the internal non-volatile memory 303 to write the second transaction data in the step 860.

[0082] In a second example of implementation, the secure processing sub-system 300:

- increments a value of a transaction counter in the internal non-volatile memory 303 to write the first transaction data in the step 820;

- increments a value of the same transaction counter in the internal non-volatile memory 303 to write the second transaction data in the step 860.

[0083] In a third example of implementation, the secure processing sub-system 300:

- extracts a transaction start value from a value table, pre-stored in the secure processing sub-system, containing preselected transaction start values associated with preselected transaction end values, and writes the extracted start value to the internal non-volatile memory to write the first transaction data, in the step 820;

- extracts the transaction end value associated with the extracted transaction start value from the value table and writes the extracted transaction end value to the internal non-volatile memory to write the second transaction data, in the step 860.

[0084] The transaction processing is executed by the secure processing sub-system 300 during each power cycle where the data stored in the external non-volatile memory 400 is updated. It is started at a first update of the data and ended, or committed, after execution of the required writing actions to update the internal non-volatile memory 303 and, if needed, the external non-volatile memory 400. The required writing actions may include writing updated data from the volatile memory 500 to the external non-volatile memory 400, writing a version information of the updated data held in the volatile memory 500 to the internal non-volatile memory 303, and adding the same version information to the data stored in the external non-volatile memory 400, for example in metadata.

[0085] A process 900 of starting a power cycle according to an embodiment is illustrated in figure 3 and will now be described. This process may be executed each time the system 100 is powered on, after a power interruption.

[0086] In figure 3, in a step 901 , the system 100 is powered on by the power source 600, in a further power cycle, after a power interruption.

[0087] In a next step 902, the secure processing sub-system 300 verifies if a transaction is still pending in the internal non-volatile memory 303. A pending transaction is a transaction that has been started in a previous power cycle, but has not been closed or committed. In such a situation, the internal nonvolatile memory 303 contains the first transaction data for the pending transaction, but fails to contain a second transaction data corresponding to, or consistent with, this first transaction data.

[0088] There are different ways to verify if a transaction is still pending in the internal non-volatile memory 303, depending on how the first transaction data and the second transaction data have been written into the internal NVM 303. Different examples of implementation for starting and ending a transaction processing have been previously described. It is described below how the secure processing sub-system 300 verifies if a transaction is still pending at the beginning of each power cycle, in these different examples of implementation.

[0089] In the first example of implementation with two transaction counters in the internal NVM 303, to verify if a transaction is still pending, the secure processing sub-system 300 compares the value of the first transaction counter and the value of the second transaction counter in the internal non-volatile memory 303 to check if a transaction executed during a previous power cycle is still pending. If the respective values of the two transaction counters are consistent with each other, typically identical, there is no pending transaction. In other words, the previous transaction has been committed. If the respective values of the two transaction counters are different, a transaction is still pending. In that case, the version of the data stored in the external non-volatile memory 400 is not trusted anymore and the data stored in the external nonvolatile memory 400 will not be used. If there is no pending transaction, the secure processing sub-system 300 can use the data stored in the external nonvolatile memory 400.

[0090] In the second example of implementation with one single transaction counter in the internal NVM 303, to verify if a transaction is still pending, the secure processing sub-system 300 verifies the even or odd character of the counter value to check if a transaction executed during a previous power cycle is still pending. Since the counter is incremented once at the start and once at the end of each transaction, starting from an even initial value, an odd counter value means that a transaction has been started but not ended, whereas an even value means that there is no pending transaction.

[0091 ] In the third example of implementation based on a value table, the secure processing sub-system 300 verifies that the transaction start value of the previous power cycle and the associated transaction end value are both written in the internal non-volatile memory 303 to check if a transaction executed during a previous power cycle is still pending.
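As an added illustration, not code from the present application, the three encodings of the first and second transaction data given in [0081] to [0083] and the corresponding pending checks of [0089] to [0091] may be modelled in C as follows. The field layout chosen for the internal NVM 303, the values in the start/end table and the idea of driving all three encodings side by side are assumptions made for the example; a product would use one of them.

```c
/* Added example, not code from the patent application: the three ways of
 * writing the first and second transaction data into the internal NVM 303
 * ([0081]-[0083]) and the matching pending checks at power-on ([0089]-[0091]).
 * The struct layout and the table values are assumptions for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout of the internal NVM 303, one field set per encoding. */
struct internal_nvm {
    uint32_t start_count;   /* 1st example: counter incremented at step 820      */
    uint32_t end_count;     /* 1st example: counter incremented at step 860      */
    uint32_t single_count;  /* 2nd example: one counter, odd while a tx is open  */
    uint32_t start_value;   /* 3rd example: start value taken from the table     */
    uint32_t end_value;     /* 3rd example: associated end value, 0 = blank cell */
};

/* 3rd example: pre-stored table of associated start/end values (constructed). */
struct tx_pair { uint32_t start; uint32_t end; };
static const struct tx_pair tx_table[] = {
    { 0xA5A50001u, 0x5A5A0001u },
    { 0xA5A50002u, 0x5A5A0002u },
    { 0xA5A50003u, 0x5A5A0003u },
};
#define TX_TABLE_LEN (sizeof tx_table / sizeof tx_table[0])

/* Step 820: the first update of the power cycle writes the first transaction data. */
void tx_start(struct internal_nvm *nvm)
{
    nvm->start_count++;
    nvm->single_count++;                                   /* even -> odd */
    nvm->start_value = tx_table[nvm->start_count % TX_TABLE_LEN].start;
    nvm->end_value = 0;                                    /* fresh, unprogrammed end cell */
}

/* Step 860: after the writing actions 851-853, write the second transaction data. */
void tx_end(struct internal_nvm *nvm)
{
    nvm->end_count++;
    nvm->single_count++;                                   /* odd -> even */
    for (size_t i = 0; i < TX_TABLE_LEN; i++)
        if (tx_table[i].start == nvm->start_value)
            nvm->end_value = tx_table[i].end;
}

/* [0089]: the two counters must be consistent (here: identical). */
bool tx_pending_two_counters(const struct internal_nvm *nvm)
{
    return nvm->start_count != nvm->end_count;
}

/* [0090]: single counter, odd means started but not ended. */
bool tx_pending_parity(const struct internal_nvm *nvm)
{
    return (nvm->single_count & 1u) != 0;
}

/* [0091]: a start value is present but its associated end value is missing. */
bool tx_pending_table(const struct internal_nvm *nvm)
{
    if (nvm->start_value == 0)                       /* never started: blank cells */
        return false;
    for (size_t i = 0; i < TX_TABLE_LEN; i++)
        if (tx_table[i].start == nvm->start_value)
            return nvm->end_value != tx_table[i].end;
    return true;                                     /* unknown start value: distrust */
}

/* Step 902: true only when no encoding reports a pending transaction, i.e.
 * when the external NVM 400 may be used at all. */
bool boot_may_use_external_nvm(const struct internal_nvm *nvm)
{
    return !tx_pending_two_counters(nvm) && !tx_pending_parity(nvm) && !tx_pending_table(nvm);
}

/* One power cycle with an update; normal_end == false models a sudden power
 * loss before step 860: the end marker is simply never written. */
void power_cycle_with_update(struct internal_nvm *nvm, bool normal_end)
{
    tx_start(nvm);                 /* 810/820 */
    /* 830 and 851-853 would happen here */
    if (normal_end)
        tx_end(nvm);               /* 860 */
}

int main(void)
{
    struct internal_nvm nvm = { 0 };
    printf("fresh device:       usable=%d\n", boot_may_use_external_nvm(&nvm));
    power_cycle_with_update(&nvm, true);
    printf("after normal cycle: usable=%d\n", boot_may_use_external_nvm(&nvm));
    power_cycle_with_update(&nvm, false);
    printf("after power loss:   usable=%d\n", boot_may_use_external_nvm(&nvm));
    return 0;
}
```

Two practical remarks on the model. In a real OTP memory a word cannot be incremented in place; a counter is realised as a thermometer-coded field in which each increment programs one more bit, so every `++` above stands for burning one further fuse, and the third example maps naturally onto OTP because every transaction consumes a fresh pair of cells. Second, the check has to run before a single byte of the external NVM 400 is consumed, which is why it is the first step of process 900 and depends on the internal NVM 303 alone.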

[0092] If a transaction is still pending, the version of the data stored in the external non-volatile memory 400 is not trusted anymore by the secure processing sub-system 300, and the process goes to a countermeasure step 903 to prevent the use of the data stored in the external non-volatile memory 400. In such a situation, the secure processing sub-system 300 considers that the data stored in the external non-volatile memory may have been replayed, due to a replay attack, or modified, and cannot be trusted by the secure processing sub-system 300.

[0093] If there is no pending transaction in the step 902, the secure processing sub-system 300 can proceed with subsequent security checks related to the data stored in the external NVM 400.

[0094] Optionally, the secure processing sub-system 300 may verify the integrity and/or authenticity of the data stored in the external NVM 400, by verifying the signature or any other authentication and/or integrity element present in the metadata associated with the data, in a well-known manner, in a step 904.

[0095] If the integrity or authenticity check 904 fails, the process goes to a countermeasure step 905.

[0096] The secure processing sub-system 300 may also verify the version of the data stored in the external NVM 400, in a step 906, by checking if the version information stored in the internal non-volatile memory 303 matches the version of the data stored in the external non-volatile memory 400 in a step 908. For that purpose, the secure processing sub-system 300 may compare the version information present in the internal NVM 303 with the version information present in the external NVM 400 in association with the data stored therein, for example in the metadata associated with the stored data. As previously described, in an embodiment, the version information includes the value of a version counter 304 stored in the internal NVM 303. In another embodiment, the version information may include a condensed representation of the data stored in the external NVM 400. In any case, the version information present in the external NVM 400 should correspond to the version information stored in the internal NVM 303.

[0097] If the data version verification fails in the step 906, the process goes to a countermeasure step 907 to prevent to use the data stored in the external non-volatile memory 400. In such a situation, in other words in case the version information in the internal NVM 303 does not match the version of the data stored in the external NVM 400, the secure processing sub-system 300 considers that the data stored in the external non-volatile memory 400 may have been replayed, due to a replay attack.

[0098] If the data version of the data stored in the external NVM is successfully verified in the step 906, the secure processing sub-system 300 starts using the data stored in the external non-volatile memory 400. If the data is encrypted, the secure processing sub-system 300 decrypts the encrypted data. In an embodiment, the data stored in the external NVM 400 may also be copied into the volatile memory 500 to be used and updated by the secure processing subsystem 300 during the power cycle.

[0099] As previously explained, the process 900 of starting the power cycle may result in the execution of a countermeasure step in one of the following situations: a) a transaction is still pending, step 903; b) the integrity and/or authenticity of the data stored in the external NVM cannot be successfully verified, step 905; c) the version of the data stored in the external NVM is wrong, as it does not correspond to the version information stored in the internal NVM, step 907.

[0100] In the countermeasure steps 903, 905, 907, the secure processing subsystem 300 executes a countermeasure to prevent the use of the data stored in the external NVM 400, because the data cannot be trusted. For example, a countermeasure may consist in erasing the untrusted data from the external NVM 400, or in simply prohibiting the use of the external NVM 400. This can lead to a non-functional system.
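As an added illustration, not code from the present application, the following C simulation carries out the writing actions 851 to 853 of step 850 in order, writes the end marker of step 860 last, and then runs the checks 902, 904 and 906 of process 900 against an image that has been rolled back to an older but validly authenticated version, an image that has been tampered with, and a cycle interrupted before step 860. It uses the single-counter encoding of [0082] for the transaction markers. The memory layouts, the key, the sample data and the toy keyed hash standing in for the message authentication code of [0074] are assumptions made for the example.

```c
/* Added example, not code from the patent application: end-of-cycle writing
 * actions 851-853 and end marker 860, then the boot-time checks 902/904/906 of
 * process 900.  Layouts, key, data and the toy keyed hash are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATA_LEN 16

/* Internal NVM 303: version counter 304 plus a single transaction counter
 * (second example of [0082]: odd value = transaction still pending). */
struct internal_nvm { uint32_t version; uint32_t tx; };

/* External NVM 400: data plus metadata (version value and integrity figure). */
struct external_nvm { uint8_t data[DATA_LEN]; uint32_t version; uint32_t mac; };

/* Results are numbered after the countermeasure steps of figure 3. */
enum boot_result { BOOT_OK = 0, BOOT_TX_PENDING = 903, BOOT_AUTH_FAIL = 905,
                   BOOT_VERSION_MISMATCH = 907 };

/* Toy keyed hash (FNV-1a over key||data||version).  NOT a real MAC: a product
 * uses an HMAC, a block-cipher MAC or a signature as listed in [0074]. */
static uint32_t toy_mac(const uint8_t key[16], const uint8_t *data, size_t len,
                        uint32_t version)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < 16; i++)  { h ^= key[i];  h *= 16777619u; }
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 16777619u; }
    for (int i = 0; i < 4; i++)      { h ^= (uint8_t)(version >> (8 * i)); h *= 16777619u; }
    return h;
}

/* Step 820: the first update of the cycle opens the transaction (even -> odd). */
void tx_first_update(struct internal_nvm *in) { in->tx++; }

/* Step 850 then 860: persist the RAM copy (851), bump the version counter
 * once per cycle (852), bind the counter to the data in the metadata (853),
 * and only then write the end marker (860, odd -> even). */
void end_of_cycle_commit(struct internal_nvm *in, struct external_nvm *ext,
                         const uint8_t key[16], const uint8_t ram[DATA_LEN])
{
    memcpy(ext->data, ram, DATA_LEN);                          /* 851 */
    in->version++;                                             /* 852 */
    ext->version = in->version;                                /* 853 */
    ext->mac = toy_mac(key, ext->data, DATA_LEN, ext->version);
    in->tx++;                                                  /* 860 */
}

/* Process 900: step 902 before 904 before 906, as in figure 3. */
enum boot_result boot_check(const struct internal_nvm *in,
                            const struct external_nvm *ext, const uint8_t key[16])
{
    if (in->tx & 1u)                                            /* 902 -> 903 */
        return BOOT_TX_PENDING;
    /* a product compares the MAC in constant time */
    if (toy_mac(key, ext->data, DATA_LEN, ext->version) != ext->mac)
        return BOOT_AUTH_FAIL;                                  /* 904 -> 905 */
    if (ext->version != in->version)                           /* 906 -> 907 */
        return BOOT_VERSION_MISMATCH;
    return BOOT_OK;
}

enum event { EVT_NONE, EVT_ROLLBACK, EVT_TAMPER, EVT_POWER_LOSS };

/* Two committed cycles, then one event, then power-on.  Constructed data. */
enum boot_result scenario(enum event ev)
{
    const uint8_t key[16] = "example-key-01";
    struct internal_nvm in = { 0, 0 };
    struct external_nvm ext = { { 0 }, 0, 0 }, snapshot = { { 0 }, 0, 0 };
    uint8_t ram[DATA_LEN] = "profile-v1";

    tx_first_update(&in); end_of_cycle_commit(&in, &ext, key, ram);  /* version 1 */
    snapshot = ext;                           /* attacker copies the flash contents */
    memcpy(ram, "profile-v2", 11);
    tx_first_update(&in); end_of_cycle_commit(&in, &ext, key, ram);  /* version 2 */

    switch (ev) {
    case EVT_ROLLBACK:   ext = snapshot;       break;  /* old, validly authenticated image */
    case EVT_TAMPER:     ext.data[0] ^= 0x01;  break;  /* bit flip in the external NVM */
    case EVT_POWER_LOSS: tx_first_update(&in); break;  /* cycle 3 opened, power lost before 860 */
    default:                                   break;
    }
    return boot_check(&in, &ext, key);
}

int main(void)
{
    printf("normal:      %d\n", scenario(EVT_NONE));        /* 0   */
    printf("rollback:    %d\n", scenario(EVT_ROLLBACK));    /* 907 */
    printf("tamper:      %d\n", scenario(EVT_TAMPER));      /* 905 */
    printf("power loss:  %d\n", scenario(EVT_POWER_LOSS));  /* 903 */
    return 0;
}
```

The order of the writes is what gives the scheme its strength: the version counter 304 is incremented only after the data is in flash, the counter is bound to the data by the integrity figure, and the end marker is the very last write, so a power loss anywhere between step 820 and step 860 leaves the transaction counter odd and is caught by step 902 before the version comparison is even reached. The rollback case shows why the version check of step 906 is needed in addition to the integrity check of step 904: the replayed image carries a perfectly valid integrity figure, and only the counter held in the internal NVM 303 reveals that it is stale.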

[0101] Alternatively, the external NVM 400 may have a first area and a second area, and only the first area is protected by the transaction-based anti-replay mechanism of the present disclosure. Thus, at the beginning of any power cycle, if it is detected in one of the steps 902, 904, 906 that the data stored in the first area cannot be trusted, the secure processing sub-system only prevents the use of the data stored in the first area of the external non-volatile memory. For example, when the system 100 is powered on after a power interruption and a transaction is still pending, only the first area is invalidated and its content can no longer be used, while the second area remains valid and its content can still be used. The second area may be protected using another anti-replay mechanism. For example, the first area could be designed to store data which is updated very often (e.g., telco counters), and the second area could be designed to store data that is updated less often (e.g., firmware).

[0102] As previously indicated, in an embodiment, the data may be maintained and updated in the external NVM 400 during the power cycles, instead of being copied and updated in the volatile memory 500. In that case, optionally, at every update of the data in the external NVM 400, a data version information may be updated and written into a volatile memory, for example in the volatile memory 500 or in the volatile memory 307 of the secure processing sub-system 300, and stored in the external NVM 400 in association with the data stored therein, for example in the associated metadata, under control of the secure processing sub-system 300. Then, in case of an imminent power off, at the end of the power cycle, the secure processing sub-system 300 writes the current version information from the volatile memory 307 or 500 into the internal NVM 303.

[0103] The method of the present disclosure is a computer-implemented method.

[0104] The present disclosure also concerns

- a computer program comprising instructions which, when the program is executed by a computer, cause the computer to carry out the steps of the method previously described;

- a computer-readable medium having stored thereon the computer program.