Software considerations for e.MMC* devices conforming to the 4.3 and 4.4 specifications

By Kurt Sowa
Numonyx Software Product Manager

This article highlights the key new features found in e.MMC* devices conforming to versions 4.3 or 4.4 of the e.MMC specification. Numonyx participates in the Joint Electronic Device Engineering Council (JEDEC) working groups developing these specifications, and Numonyx devices are JEDEC compliant. This article also discusses the implications of each of the following features on software:

  • Reliable Write: Ensures that interrupted writes do not result in incomplete data.
  • Password Usage: Provides a mechanism to control access to the e.MMC device.
  • Secure Erase, Secure Trim: Ensures that an erase or trim operation completes before the e.MMC operation returns. This helps protect sensitive data by ensuring that the application can confirm that the erase or trim is complete.
  • Secure Bad Block Management: Requires a secure purge be completed to help protect sensitive data.
  • Trusted Access: Access authentication using a key and Hash Message Authentication Code (HMAC).

Reliable writes

At first glance, reliable write sounds like it can solve one of the most vexing problems facing users of flash memory: reliability when power loss occurs. While reliable writes do simplify Power Loss Recovery (PLR) issues, they are not a complete solution.

A reliable write does not guarantee that a write will be completed. However, it does ensure that even with a power loss, the data from that write will never be undefined. Either the original data or the new data will be associated with the logical address of the write. The original data pointed to by a logical address must remain unchanged while the new data written to the same logical address is programmed. This ensures that the target address never contains undefined data. Reliable writes can occur in a single 512B sector or in sector count multiples.

Reliable writes can be used to ensure that sectors are correctly written or discarded if incompletely written. While this can prevent corruption, which at its worst can bring down an entire system, it does not ensure that a sequence of operations is completed correctly. This means that the calling application still has the responsibility to manage the state of any operations where multiple operations are required to ensure validity.
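The following added example (not from the article or from Numonyx) models the point above: a device that honours reliable-write semantics per sector, a two-sector record interrupted between its two write commands, and the application-level generation tag and CRC the caller needs to detect the torn record and fall back to the previous consistent copy. The sector size, header layout and two-slot scheme are assumptions for the illustration.

```python
import struct
import zlib

SECTOR, HEADER = 512, 8
CHUNK = SECTOR - HEADER   # payload bytes per sector after the (gen, crc) header

class ReliableDevice:
    """Reliable-write model: a sector is all-old or all-new after power loss."""
    def __init__(self, sectors=4):
        self.sectors = [bytes(SECTOR)] * sectors
        self.fail_after = None   # write commands accepted before simulated power loss

    def reliable_write(self, lba, data):
        if self.fail_after == 0:
            raise RuntimeError("power loss")   # command never reaches the flash
        self.fail_after = None if self.fail_after is None else self.fail_after - 1
        self.sectors[lba] = data   # whole sector lands; never a partial one

def encode(gen, chunk):
    return struct.pack(">II", gen, zlib.crc32(chunk)) + chunk

def decode(sector):
    gen, crc = struct.unpack(">II", sector[:HEADER])
    chunk = sector[HEADER:]
    return gen, (chunk if zlib.crc32(chunk) == crc else None)

def write_record(dev, gen, payload):
    """Two-sector record written to slot gen % 2; both halves carry gen."""
    base = 2 * (gen % 2)
    for i in range(2):
        dev.reliable_write(base + i, encode(gen, payload[i * CHUNK:(i + 1) * CHUNK]))

def read_record(dev):
    """Accept a slot only if both halves pass CRC and agree on gen; newest wins."""
    best = (-1, None)
    for base in (0, 2):
        (g0, c0), (g1, c1) = decode(dev.sectors[base]), decode(dev.sectors[base + 1])
        if c0 is not None and c1 is not None and g0 == g1 and g0 > best[0]:
            best = (g0, c0 + c1)
    return best

def demo():
    dev = ReliableDevice()
    write_record(dev, 1, b"A" * (2 * CHUNK))   # generation 1 lands in slot 1
    dev.fail_after = 1                         # power fails between gen 2's two writes
    try:
        write_record(dev, 2, b"B" * (2 * CHUNK))
    except RuntimeError:
        pass
    halves = (dev.sectors[0][HEADER:], dev.sectors[1][HEADER:])   # slot 0 read blindly
    return halves[0] != halves[1], read_record(dev)   # torn record vs. validated fallback
```

Each sector individually is intact after the interruption, yet a blind read of the slot returns one new half and one stale half; only the generation check restores a consistent record.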

Password usage

The e.MMC 4.3 and later specifications allow the use of a password to protect the data on the card. The card powers up in a locked state once a password has been set. This prevents data from being accessed. The password is set or changed using the LOCK_UNLOCK command. This command is also used to lock and unlock the card.

Secure erase and secure trim

Erase and trim are related operations used to manage obsolete data and recover space. An erase operation can be implicitly executed by the device as part of a write operation. An erase command is used to explicitly erase data from one or more erase groups. An erase group is a series of write blocks. A write block is the basic writable unit of the card. The sizes of erase groups and write blocks are card specific.

While a file system delete operation will mark a sector as free in the FAT, no data is actually erased. The trim operation tells the e.MMC device that one or more write blocks (instead of the erase groups used by the erase command) no longer hold valid data. This allows the e.MMC device to clean up (and reuse) the space occupied by those write blocks. A trim operation implies that write blocks in an erase group that are not marked for erase must be copied to another location before the erase is applied.

The secure version of these commands does not return until the command has completed, so the calling application knows that the operation is finished. Like the erase operation, the secure erase command purges erase groups. Secure trim purges write blocks within erase groups; however, blocks not marked for erase must be copied to another location first.

Secure erase/trim does not imply that password access or any authentication is used to confirm erase authorization. Instead, it is a foreground operation. A secure erase/trim is executed immediately, and the device waits until the erase is completed before it returns. This allows applications to more securely manage sensitive data.

Secure bad block management

Similar to the secure erase/trim commands, secure bad block management does not imply that authentication is used. If SECURE_BAD_BLK_MGMNT is set, a secure purge must be applied to the block before it is retired. Again, this allows for improved management of sensitive data.

Trusted access

The e.MMC 4.4 specification provides for a Replay Protected Memory Block (RPMB) partition. The size and attributes of this partition are defined by the memory manufacturer. An authentication key can be programmed, allowing only accesses signed with a message authentication code to read from or write to this area. Random number generation and access counting prevent command sequences from being captured and replayed to gain access. Trusted access helps protect sensitive data from being read or modified.

A common example of RPMB usage is to prevent unauthorized system changes by storing code and checksums to verify the integrity of system code prior to execution.
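The added example below (not from the article, from Numonyx, or from the JEDEC specification) models the three protections described above in a simplified form: an HMAC over each request, a device-held write counter that rejects a replayed write frame, and a host nonce that a read response must be bound to. The frame fields, HMAC-SHA256 with a 32-byte key, the 16-byte block size and the sample key are assumptions for the illustration, not the real RPMB frame format.

```python
import hashlib
import hmac
import os
import struct

# Assumed (not the JEDEC frame format): HMAC-SHA256 with a 32-byte key over
# (type, address, counter, nonce, data); a monotonic write counter kept by
# the device; a host-chosen nonce echoed in signed read responses.
WRITE, READ = 1, 2

def frame_mac(key, kind, addr, counter, nonce, data):
    msg = struct.pack(">BHI", kind, addr, counter) + nonce + data
    return hmac.new(key, msg, hashlib.sha256).digest()

class RpmbDevice:
    """Device side: holds the key, the write counter and the protected blocks."""
    def __init__(self, key, blocks=4):
        self.key, self.counter = key, 0
        self.blocks = [bytes(16)] * blocks

    def write(self, addr, counter, data, tag):
        """Accept a write only if the MAC verifies and the counter is current."""
        if not hmac.compare_digest(frame_mac(self.key, WRITE, addr, counter, b"", data), tag):
            return "AUTH_FAIL"
        if counter != self.counter:
            return "COUNTER_FAIL"   # stale or replayed frame
        self.blocks[addr] = data
        self.counter += 1           # advances on every accepted write
        return "OK"

    def read(self, addr, nonce):
        """Return the block with a MAC that binds it to the caller's fresh nonce."""
        data = self.blocks[addr]
        return data, frame_mac(self.key, READ, addr, 0, nonce, data)

def host_write(dev, key, addr, data):
    """Host signs the frame with the device's current counter (read directly here for brevity)."""
    frame = (addr, dev.counter, data, frame_mac(key, WRITE, addr, dev.counter, b"", data))
    return frame, dev.write(*frame)

def host_read(dev, key, addr):
    """Host trusts the data only if the MAC covers the nonce it just generated."""
    nonce = os.urandom(16)
    data, tag = dev.read(addr, nonce)
    return data if hmac.compare_digest(frame_mac(key, READ, addr, 0, nonce, data), tag) else None

def demo():
    key = bytes(range(32))      # constructed sample key; a real key is provisioned once
    dev = RpmbDevice(key)
    record = b"boot-hash-v1".ljust(16, b"\0")
    frame, first = host_write(dev, key, 0, record)
    replayed = dev.write(*frame)                          # counter has moved on
    unsigned = dev.write(1, dev.counter, b"x" * 16, bytes(32))   # no valid MAC
    return first, replayed, unsigned, host_read(dev, key, 0) == record
```

The first write is accepted, the identical frame presented a second time fails on the counter even though its MAC is valid, and a frame without a valid MAC is refused before the counter is consulted.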

Conclusion

The functionality of e.MMC continues to increase. Reliable writes are used to improve system stability by preventing partial writes. Data security can be enhanced with secure operations to ensure that partial operations do not leave sensitive data behind. In addition, trusted access provides a secure method to protect a region of flash from being read or modified. This can protect devices from unauthorized access or modification.

Numonyx offers devices compliant with JEDEC specifications for e.MMC. Contact your Numonyx sales representative for more information.