JEDEC JESD227-2016 Embedded Multimediacard (eMMC) Security Extension.pdf

1、JEDEC STANDARD Embedded Multimediacard (eMMC) Security Extension JESD227 NOVEMBER 2016 JEDEC SOLID STATE TECHNOLOGY ASSOCIATION NOTICE JEDEC standards and publications contain material that has been prepared, reviewed, and approved through the JEDEC Board of Directors level and subsequently reviewed

2、 and approved by the JEDEC legal counsel. JEDEC standards and publications are designed to serve the public interest through eliminating misunderstandings between manufacturers and purchasers, facilitating interchangeability and improvement of products, and assisting the purchaser in selecting and o

3、btaining with minimum delay the proper product for use by those other than JEDEC members, whether the standard is to be used either domestically or internationally. JEDEC standards and publications are adopted without regard to whether or not their adoption may involve patents or articles, materials

4、, or processes. By such action JEDEC does not assume any liability to any patent owner, nor does it assume any obligation whatever to parties adopting the JEDEC standards or publications. The information included in JEDEC standards and publications represents a sound approach to product specificatio

5、n and application, principally from the solid state device manufacturer viewpoint. Within the JEDEC organization there are procedures whereby a JEDEC standard or publication may be further processed and ultimately become an ANSI standard. No claims to be in conformance with this standard may be made

6、 unless all requirements stated in the standard are met. Inquiries, comments, and suggestions relative to the content of this JEDEC standard or publication should be addressed to JEDEC at the address below, or refer to www.jedec.org under Standards and Documents for alternative contact information.

7、Published by JEDEC Solid State Technology Association 2016 3103 North 10th Street Suite 240 South Arlington, VA 22201-2107 This document may be downloaded free of charge; however JEDEC retains the copyright on this material. By downloading this file the individual agrees not to charge for or resell

8、the resulting material. PRICE: Contact JEDEC Printed in the U.S.A. All rights reserved PLEASE! DONT VIOLATE THE LAW! This document is copyrighted by JEDEC and may not be reproduced without permission. For information, contact: JEDEC Solid State Technology Association 3103 North 10th Street Suite 240

9、 South Arlington, VA 22201-2107 or refer to www.jedec.org under Standards-Documents/Copyright Information. JEDEC Standard No. 225 -i- EMBEDDED MULTIMEDIACARD (eMMC) SECURITY EXTENSION Contents Foreword iii Introduction iii 1 Scope 1 2 Normative reference . 1 3 IEEE 1667 Functional Requirements . 2 3

10、.1 IEEE 1667 Overview . 2 3.2 IEEE 1667s split command structure . 2 3.3 IEEE 1667 structure . 2 3.4 Requirements for IEEE 1667 functionality in the eMMC security extension 3 4 TCG Storage Security Functional Requirements . 3 4.1 TCG Storage Security overview 3 4.2 Requirements for the TCG Storage C

11、ore in the eMMC security specification 4 4.3 Requirements for the TCG Storage Opal SSC in the eMMC security specification 4 4.3.1 Level 0 Discovery 4 4.3.2 Properties Requirements 9 4.4 Requirements for the TCG Storage DataStore Tables feature set in the eMMC security specification . 9 4.5 Requireme

12、nts for the TCG Storage Support Single User Mode feature set in the eMMC security specification . 10 4.6 Requirements for security characteristics for eMMC devices that support the security extension 10 5 eMMC Security Data Transport . 11 5.1 Extended Security Commands . 11 5.2 Discovery of Extended

13、 Security Commands Support 11 5.3 Atomicity of Extended Security Commands . 11 5.4 Data transport requirements specific to this Security Extension Standards . 11 6 Security Interactions with eMMC Operations 12 6.1 Security Support Restrictions on Partitions . 12 6.2 Authentication and Access Control

14、 Management on User Partition . 12 6.3 Dynamic Capacity 12 JEDEC Standard No. emmc -ii- 7 Error Handling . 12 7.1 IEEE 1667 errors . 12 7.1.1 PROTOCOL_RD, PROTOCOL_WR Command Out of Sequence 12 7.1.2 Silo Index mismatch in PROTOCOL_RD, PROTOCOL_WR . 13 7.1.3 PROTOCOL_RD, PROTOCOL_WR Transport Specif

15、ic Error . 13 7.2 eMMC Transport Errors . 13 7.2.1 PROTOCOL_RD, PROTOCOL_WR Transport Specific Error . 13 7.2.2 Unauthorized Access . 13 8 Configuration . 14 8.1 eMMC Partition Configuration 14 JEDEC Standard No. 225 -iii- Foreword This eMMC Security Extension Standard has been prepared by JEDEC as

16、an extension to the eMMC Electrical Standard, JESD84-B51. Introduction The eMMC Electrical Standard, JESD84-B51, defines a managed memory device capable of storing code and data. eMMC devices are intended to offer the performance and features required by mobile devices while maintaining low power co

17、nsumption. The eMMC device contains features that support high throughput for large data transfers and performance for small random data accesses more commonly found in code usage. It also contains many desirable features for mobile applications. This eMMC Security Extension Standard describes the r

18、equirements to implement security functionality described in IEEE1667, TCGCore, TCGOpal, TCGAddDST, TCGAddDST and TCGSIIS in an eMMC device. The document is considered an extension of the eMMC Electrical Standard, JESD84-B51, eMMC used as transport protocol for the security functionalities. There ar

19、e three external sets of requirements on the class of eMMC device that support this security extension: IEEE 1667 layer requirements, TCG layer requirements, and requirements related to eMMC security data transport and interaction with eMMC functionality. JEDEC Standard No. emmc -iv- JEDEC Standard

20、No. 225 Page 1 EMBEDDED MULTIMEDIACARD (eMMC) SECURITY EXTENSION (From JEDEC Board Ballot JCB-12-59, formulated under the cognizance of the JC-64.1 Subcommittee on Electrical Specifications and Command Protocols.) 1 Scope This document provides a comprehensive definition of the eMMC Security require

21、ments for implementation of IEEE 1667 and TCG Opal security functionality. It also provides design guidelines and defines a tool box of macro functions and algorithms intended to reduce design-in overhead. 2 Normative reference The following normative documents contain provisions that, through refer

22、ence in this text, constitute provisions of this standard. For dated references, subsequent amendments to, or revisions of, any of these publications do not apply. However, parties to agreements based on this standard are encouraged to investigate the possibility of applying the most recent editions

23、 of the normative documents indicated. For undated references, the latest edition of the normative document referred to applies. IEEE 1667 IEEE1667, IEEE P1667 2015 Standard for Discovery, Authentication, and Authorization in Host Attachments of Storage Devices Trusted Computing Group TCGCore, TCG S

24、torage Architecture Core Specification, Version 2.01, Revision 1.00 Trusted Computing Group TCGOpal, TCG Storage Security Subsystem Class: Opal Specification, Version 2.01, Revision 1.00 Trusted Computing Group TCGAddDST, TCG Storage Opal SSC Feature Set: Additional DataStore Tables Specification, V

25、ersion 1.00, Revision 1.00 Trusted Computing Group TCGSUM, TCG Storage Opal SSC Feature Set: Single User Mode Specification, Version 1.00, Revision 2.00 Trusted Computing Group TCGSIIS, TCG Storage Interface Interactions Specification (SIIS), Version 1.05, Revision 1.00 JEDEC JESD84-B51 eMMC, Embedd

26、ed Multi-Media Card (eMMC), Electrical Standard (5.0). JEDEC Standard No. 225 Page 2 3 IEEE 1667 Functional Requirements 3.1 IEEE 1667 Overview IEEE 1667 was designed to support native security protocols and tunneling of externally defined security protocols (e.g., TCG and Smart Cards) across multip

27、le transports (e.g., SCSI, USB, ATA). For a full description of IEEE 1667 see http:/ and http:/standards.ieee.org. 3.2 IEEE 1667s split command structure IEEE 1667 uses an output and input transport specific command pair to execute a single IEEE 1667 command. This command pairing only affects the se

28、curity protocols, and not the transports normal user data access commands. The output transport command consists of a transport specific command data block (CDB) and an associated output payload. Together, these include the IEEE 1667 command, any IEEE 1667 output parameters and any tunneled command/

29、data. This is followed by an input transport command with a transport specific CDB and an associated input payload. Together, these carry the same IEEE 1667 command, any IEEE 1667 input parameters, an IEEE 1667 status response, any tunneled input data, and any tunneled status information. In this sp

30、lit command process, the command is not executed in the output phase, but is executed in the input phase (i.e., after receipt of the input transport command) where status can be reported in the command payload. This split command structure was designed to enable two desirable features: the transport

31、 status, the IEEE 1667 command status and the tunneled protocol status are reported such that each can be processed by the appropriate driver layer; and the host OS can support a single security communication protocol that supports multiple transports and does not have to implement multiple security

32、-application-specific protocols in multiple transport drivers. 3.3 IEEE 1667 structure IEEE 1667 functionality is contained by a device in one or more IEEE 1667 Addressable Command Targets (ACT). Each ACT consists of one or more addressable IEEE 1667 command processing blocks called silos. Each IEEE

33、 1667 ACT is required to include one IEEE 1667 Probe silo which provides discovery of additional IEEE 1667 silos. Additional IEEE 1667 silos are optional in IEEE 1667. The IEEE 1667 TCG silo was designed to enable wrapping of the TCG Storage communications protocol within the IEEE 1667 communication

34、s protocol. The IEEE 1667 TCG silo provides an interface for capability discovery and communication with the underlying TCG Storage compliant security subsystem, a Trusted Peripheral (TPer). The IEEE 1667 TCG silo allows a host TCG application to communicate through any transport supported by IEEE 1

35、667 to a TPer without requiring native support of the TCG Storage communication protocols in the transport driver. Note that the while a TPer typically contains cryptographic functionality, the IEEE 1667 TCG silo does not; the 1667 TCG silo is a conduit to TCG functionality. JEDEC Standard No. 225 P

36、age 3 3.4 Requirements for IEEE 1667 functionality in the eMMC security extension An eMMC device which supports the eMMC security extension shall contain exactly one IEEE 1667 ACT which shall contain: exactly one IEEE 1667 Probe silo; exactly one IEEE 1667 TCG silo; and no additional IEEE 1667 silos

37、 The IEEE 1667 Probe silo of an eMMC device which supports the eMMC security extension shall return a status of Default Behavior upon successfully processing an IEEE 1667 Probe command The IEEE 1667 TCG silo of an eMMC device which supports the eMMC security extension shall support all defined TCG S

38、torage Silo commands and not only the Get Silo Capabilities command (see IEEE1667). 4 TCG Storage Security Functional Requirements 4.1 TCG Storage Security overview The TCG Storage Security specifications define an architecture that puts storage devices under the policy control of a trusted platform

39、 host. The TCG Storage Core specification TCGCore provides a general security framework The TCG Storage Security Subclass Opal TCGOpal provides a specific functional security set The TCG Storage Additional DataStore Tables feature set TCGAddDST adds specific functionality to the Opal SSC The TCG Sto

40、rage Single User Mode feature set TCGSUM adds specific functionality to the Opal SSC The TCG Storage Interface Interaction specification TCGSIIS provides a description of the functional interactions between the security subsystem and the external interface (e.g., eMMC) functionality. JEDEC Standard

41、No. 225 Page 4 4.2 Requirements for the TCG Storage Core in the eMMC security extension An eMMC device, compliant with this standard, shall implement TPer functionalities defined in TCGCore required to support: TCGOpal , TCGAddDST and TCGAddDST. In particular, it shall support: the Locking Feature (

42、0x0002); the TCG Stack reset; and the following Session Manager methods: TPer Properties Method; Start Session Method; Close Session Method. The device is not required to support the following features: Asynchronous protocol communication Creation or deletion of tables, and creation or deletion of t

43、able rows post-manufacturing 4.3 Requirements for the TCG Storage Opal SSC in the eMMC security extension An eMMC device which supports the eMMC security extension shall support the TCG Storage Opal SSC specification (see TCGOpal) and in particular: Geometry Reporting Feature in level 0 Discovery ab

44、ility to disable SID authority in the Admin SP; the Locking SP shall be created by the device manufacturer The device is not required to support the following features: Dynamic ComID Management RestrictedCommands (Object Table) 4.3.1 Level 0 Discovery eMMC devices, compliant with this standard, shal

45、l return the following elements in the Level 0 response as defined in TCGOpal: Level 0 Discovery Header TPer Feature Descriptor Locking Feature Descriptor Opal SSC Feature Descriptor Geometry Reporting 4.3.1.1 Level 0 Discovery Header See TCGOpal. JEDEC Standard No. 225 Page 5 4.3.1 Level 0 Discover

46、y (contd) 4.3.1.2 TPer Feature (Feature Code = 0x0001) eMMC devices, compliant with this standard, are not required to support: ComID management, buffer management, ACK/NACK, Asynchronous protocol. Table 0-1 is informative and shows Level 0 Discovery - TPer Feature Descriptor content for a device im

47、plementing the required features only. Table 0-1 Level 0 Discovery - TPer Feature Descriptor Bit Byte 7 6 5 4 3 2 1 0 0 (MSB) Feature Code = 0x0001 1 (LSB) 2 Version (1)Reserved 3 Length = 0x0C 4 Reserved ComID Mgmt Supported = 0 Reserved Streaming Supported = 1 Buffer Mgmt Supported = 0 ACK/NAK Sup

48、ported = 0 Async Supported = 0 Sync Supported = 1 5 - 15 Reserved NOTE 1 Version = 0x1 or any version that supports the defined features in TCGOpal. 4.3.1.3 Locking Feature (Feature Code = 0x0002) See TCGOpal. JEDEC Standard No. 225 Page 6 4.3.1 Level 0 Discovery (contd) 4.3.1.4 Geometry Reporting F

49、eature (Feature Code = 0x0003) This section defines requirements for some parameters of Geometry Reporting Feature Descriptor. Align For eMMC devices, compliant with this standard, the value of the AlignmentRequired column of the LockingInfo table shall be equal to TRUE, therefore the ALIGN bit shall be set to one. LogicalBlockSize LogicalBlockSize indicates the number of bytes in a logical block. LogicalBlo