Smart Card Microcontrollers 83 Nevertheless, when clock multiplication or an internal clock generator is used, it must be

remembered that a higher clock rate causes a proportional increase in current consumption. As a rule, the relationship between clock frequency and current consumption is linear, which means that quadrupling the clock frequency (for example) also quadruples the current con- sumption. Particularly with battery-operated terminals, increased current consumption is not desirable.

An elegant solution to this problem is provided by ‘intelligent power management’ in the microcontroller, which involves communicating the maximum allowable current consumption to the control logic of the PLL. This logic then adjusts the PLL to operate in a frequency range that avoids exceeding the prescribed maximum current consumption, without any involvement by the processor. For instance, if the power-hungry NPU is switched into the processing loop, the internal clock frequency will be automatically reduced to prevent the current consumption from rising above the permissible value. Unfortunately, there is a small difficulty with this solution, which is that the specifications for smart cards for GSM and UMTS telecommuni- cations (presently) prohibit the use of free-running oscillators in smart card microcontrollers. This prohibition is based on fear of possible interference with the other circuitry in the mobile telephone. As long as these portions of the specifications continue to exist, it is not possible to use either a continuously adjustable internal clock frequency or an oscillator that is completely independent of the applied clock signal. However, these specifications do allow clock rate multipliers to be used, as long as the internal and external clock rates have a fixed relationship governed by predefined multiplication factors.

Processor speed is not the only bottleneck in smart cards. Data transmission rates, which are specified in the standards, and EEPROM write and erase times do not benefit from increased clock rates. This somewhat limits the advantage of increasing the clock rate. Nevertheless, it can be highly beneficial to use a smart card with an elevated internal clock rate for certain applications, particularly considering that the amount of additional circuitry (and thus area) required on the chip is small. For this reason, nearly all new types of smart card microcontrollers have internal clock multiplication capability.

external clock overfrequency detector overfrequency indication underfrequency indication underfrequency detector PLL oscillator CPU/system clock NPU clock timer clock PLL clock control logic divider 1 divider 2 divider 3

Figure 3.59 Block diagram of a possible internal clock multiplication circuit using a PLL oscillator followed by a divider to supply clock signals to the various microcontroller components. The clock for the NPU is often taken directly from the PLL without any division. If there are several timers in the microcontroller, each one usually has its own individually configurable predivider

DMA (direct memory access)

DMA components have been used for a long time in the PC realm. DMA makes it possible to copy or exchange data between two or more memory regions at high speed, independent of the processor and in part in parallel with the other activities of the processor. It is often also possible to independently fill a certain memory region with a predefined value. The main effect of a DMA unit is to offload the processor and thus allow certain routines to be fashioned more simply. Up to now, high-performance DMA components have been sporadically available in smart card microcontrollers.

Hardware-based memory management, firewalls and memory management units (MMUs)

The latest smart card operating systems allow executable machine code to be downloaded directly to the card.4 _{This code, which can then be run using a special command, can be} used for purposes such as executing a cryptographic function only known to the card issuer. However, it is in principle not possible to prevent such downloaded code from including a function for reading out secret data from the memory. Operating system manufacturers have been very careful to maintain the confidentiality of their system architectures and program code. The same is also true of secret keys and algorithms in various applications in the card. The public availability of such confidential information would have fatal consequences for an application provider. One administrative solution is to have every new program tested by an independent organization. However, even this cannot guarantee complete security, since a program that is not the same as the one that was tested could later be substituted for the certified program, or the program might be so secret that nobody other than the application provider is allowed to know about it.

One acceptable solution to this impasse is to equip the smart card microcontroller with a memory management unit (MMU). Such a unit monitors the memory boundaries of the current application program while it is running. The permitted memory region is defined by an operating system routine before the application is called, and it cannot be altered by the application program while it is running. This ensures that the application is completely encapsulated and cannot access memory areas forbidden to it. The barriers formed in this manner are called ‘firewalls’, in analogy to walls used for fire protection in buildings. If an application attempts to access another memory region from within a region demarcated by firewalls, it will fundamentally be prevented from doing so, and in addition any such attempt usually triggers an interrupt so the violation can be immediately detected.

Presently, very few smart card microcontrollers have MMUs, although they have been used for years in many other areas. Nonetheless, the importance of this supplementary hardware will greatly increase in the future, since it is the only practical way to securely isolate several applications sharing a single smart card.

Another aspect of MMUs is their ability to relocate physically addressable memory regions to any desired location within the logical memory space of the processor. To a certain extent,

3.4 Smart Card Microcontrollers 85