公开(公告)号：US11520906B2

公开(公告)日：2022-12-06

申请号：US16830379

申请日：2020-03-26

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Ravi L. Sahita ,  Barry E. Huntley ,  Gilbert Neiger ,  Gideon Gerzon ,  Baiju V. Patel

IPC: G06F21/60 ,  G06F3/06 ,  G06F12/1009 ,  G06F21/57 ,  G06F21/53

Abstract: A computer-readable medium comprises instructions that, when executed, cause a processor to execute an untrusted workload manager to manage execution of at least one guest workload. The instructions, when executed, also cause the processor to (i) receive a request from a guest workload managed by the untrusted workload manager to access a memory using a requested guest address; (ii) obtain, from the untrusted workload manager, a translated workload manager-provided hardware physical address to correspond to the requested guest address; (iii) determine whether a stored mapping exists for the translated workload manager-provided hardware physical address; (iv) in response to finding the stored mapping, determine whether a stored expected guest address from the stored mapping matches the requested guest address; and (v) if the stored expected guest address from the stored mapping matches the requested guest address, enable the guest workload to access contents of the translated workload-manager provided hardware physical address.

公开(公告)号：US11436018B2

公开(公告)日：2022-09-06

申请号：US17124813

申请日：2020-12-17

Applicant: Intel Corporation

Inventor： Eliezer Weissmann ,  Mark Charney ,  Michael Mishaeli ,  Robert Valentine ,  Itai Ravid ,  Jason W. Brandt ,  Gilbert Neiger ,  Baruch Chaikin ,  Efraim Rotem

IPC: G06F9/38 ,  G06F9/30

Abstract: Systems, methods, and apparatuses relating to instructions to reset software thread runtime property histories in a hardware processor are described. In one embodiment, a hardware processor includes a hardware guide scheduler comprising a plurality of software thread runtime property histories; a decoder to decode a single instruction into a decoded single instruction, the single instruction having a field that identifies a model-specific register; and an execution circuit to execute the decoded single instruction to check that an enable bit of the model-specific register is set, and when the enable bit is set, to reset the plurality of software thread runtime property histories of the hardware guide scheduler.

公开(公告)号：US20220138133A1

公开(公告)日：2022-05-05

申请号：US17462975

申请日：2021-08-31

Applicant: Intel Corporation

Inventor： Gilbert Neiger ,  Rajesh M. Sankaran

IPC: G06F13/34

Abstract: Systems and methods for delivering interrupts to user-level applications. An example processing system comprises: a memory configured to store a plurality of user-level APIC data structures and a plurality of user-level interrupt handler address data structures corresponding to a plurality of user-level applications being executed by the processing system; and a processing core configured, responsive to receiving a notification of a user-level interrupt, to: set a pending interrupt bit flag having a position defined by an identifier of the user-level interrupt in a user-level APIC data structure associated with a user-level application that is currently being executed by the processing core, and invoke a user-level interrupt handler identified by a user-level interrupt handler address data structure associated with the user-level application, for a pending user-level interrupt having a highest priority among one or more pending user-level interrupts identified by the user-level APIC data structure.

公开(公告)号：US20210406201A1

公开(公告)日：2021-12-30

申请号：US17367349

申请日：2021-07-03

Applicant: Intel Corporation

Inventor： Carlos V. Rozas ,  Mona Vij ,  Rebekah M. Leslie-Hurd ,  Krystof C. Zmudzinski ,  Somnath Chakrabarti ,  Francis X. Mckeen ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Ilya Alexandrovich ,  Gilbert Neiger ,  Vedvyas Shanbhogue ,  Ittai Anati

IPC: G06F12/14 ,  G06F21/60 ,  G06F9/30 ,  G06F21/53 ,  G06F8/41 ,  G06F9/455

Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.

公开(公告)号：US11113217B2

公开(公告)日：2021-09-07

申请号：US16778227

申请日：2020-01-31

Applicant: Intel Corporation

Inventor： Gilbert Neiger ,  Rajesh M. Sankaran

IPC: G06F13/34

Abstract: Systems and methods for delivering interrupts to user-level applications. An example processing system comprises: a memory configured to store a plurality of user-level APIC data structures and a plurality of user-level interrupt handler address data structures corresponding to a plurality of user-level applications being executed by the processing system; and a processing core configured, responsive to receiving a notification of a user-level interrupt, to: set a pending interrupt bit flag having a position defined by an identifier of the user-level interrupt in a user-level APIC data structure associated with a user-level application that is currently being executed by the processing core, and invoke a user-level interrupt handler identified by a user-level interrupt handler address data structure associated with the user-level application, for a pending user-level interrupt having a highest priority among one or more pending user-level interrupts identified by the user-level APIC data structure.

公开(公告)号：US20210224202A1

公开(公告)日：2021-07-22

申请号：US17222722

申请日：2021-04-05

Applicant: Intel Corporation

Inventor： Siddhartha Chhabra ,  Hormuzd M. Khosravi ,  Gideon Gerzon ,  Barry E. Huntley ,  Gilbert Neiger ,  Ido Ouziel ,  Baiju Patel ,  Ravi L. Sahita ,  Amy L. Santoni ,  Ioannis T. Schoinas

IPC: G06F12/14 ,  H04L29/06 ,  H04L9/06 ,  H04L9/08

Abstract: In one embodiment, an apparatus comprises a processor to execute instruction(s), wherein the instructions comprise a memory access operation associated with a memory location of a memory. The apparatus further comprises a memory encryption controller to: identify the memory access operation; determine that the memory location is associated with a protected domain, wherein the protected domain is associated with a protected memory region of the memory, and wherein the protected domain is identified from a plurality of protected domains associated with a plurality of protected memory regions of the memory; identify an encryption key associated with the protected domain; perform a cryptography operation on data associated with the memory access operation, wherein the cryptography operation is performed based on the encryption key associated with the protected domain; and return a result of the cryptography operation, wherein the result is to be used for the memory access operation.

公开(公告)号：US11019061B2

公开(公告)日：2021-05-25

申请号：US16194648

申请日：2018-11-19

Applicant: Intel Corporation

Inventor： Barry E. Huntley ,  Gilbert Neiger ,  H. Peter Anvin ,  Asit K. Mallick ,  Adriaan Van De Ven ,  Scott D. Rodgers

IPC: G06F21/00 ,  H04L29/06 ,  G06F21/74

Abstract: Embodiments of an invention for protecting supervisor mode information are disclosed. In one embodiment, an apparatus includes a storage location, instruction hardware, execution hardware, and control logic. The storage location is to store an indicator to enable supervisor mode information protection. The instruction hardware is to receive an instruction to access supervisor mode information. The execution hardware is to execute the instruction. The control logic is to prevent execution of the instruction if supervisor mode information protection is enabled and a current privilege level is less privileged than a supervisor mode.

公开(公告)号：US10885202B2

公开(公告)日：2021-01-05

申请号：US16123593

申请日：2018-09-06

Applicant: Intel Corporation

Inventor： Francis X. McKeen ,  Carlos V. Rozas ,  Uday R. Savagaonkar ,  Simon P. Johnson ,  Vincent Scarlata ,  Michael A. Goldsmith ,  Ernie Brickell ,  Jiang Tao Li ,  Howard C. Herbert ,  Prashant Dewan ,  Stephen J. Tolopka ,  Gilbert Neiger ,  David Durham ,  Gary Graunke ,  Bernard Lint ,  Don A. Van Dyke ,  Joseph Cihula ,  Stalinselvaraj Jeyasingh ,  Stephen R. Van Doren ,  Dion Rodgers ,  John Garney ,  Asher Altman

IPC: G06F21/60 ,  G06F21/72 ,  G06F21/53

Abstract: A technique to enable secure application and data integrity within a computer system. In one embodiment, one or more secure enclaves are established in which an application and data may be stored and executed.

公开(公告)号：US20200349266A1

公开(公告)日：2020-11-05

申请号：US16934089

申请日：2020-07-21

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Ravi L. Sahita ,  Barry E. Huntley ,  Gilbert Neiger ,  Gideon Gerzon ,  Baiju V. Patel

IPC: G06F21/60 ,  G06F3/06 ,  G06F21/57 ,  G06F21/53 ,  G06F12/1009

Abstract: A processor executes an untrusted VMM that manages execution of a guest workload. The processor also populates an entry in a memory ownership table for the guest workload. The memory ownership table is indexed by an original hardware physical address, the entry comprises an expected guest address that corresponds to the original hardware physical address, and the entry is encrypted with a key domain key. In response to receiving a request from the guest workload to access memory using a requested guest address, the processor (a) obtains, from the untrusted VMM, a hardware physical address that corresponds to the requested guest address; (b) uses that physical address as an index to find an entry in the memory ownership table; and (c) verifies whether the expected guest address from the found entry matches the requested guest address. Other embodiments are described and claimed.

公开(公告)号：US10671737B2

公开(公告)日：2020-06-02

申请号：US15808986

申请日：2017-11-10

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Ravi L. Sahita ,  Barry E. Huntley ,  Gilbert Neiger ,  Gideon Gerzon ,  Baiju V. Patel

IPC: G06F11/30 ,  G06F21/60 ,  G06F3/06 ,  G06F12/1009 ,  G06F21/57 ,  G06F21/53

Abstract: In a public cloud environment, each consumer's/guest's workload is encrypted in a cloud service provider's (CSP's) server memory using a consumer-provided key unknown to the CSP's workload management software. An encrypted consumer/guest workload image is loaded into the CSP's server memory at a memory location specified by the CSP's workload management software. Based upon the CSP-designated memory location, the guest workload determines expected hardware physical addresses into which memory mapping structures and other types of consumer data should be loaded. These expected hardware physical addresses are specified by the guest workload in a memory ownership table (MOT), which is used to check that subsequently CSP-designated memory mappings are as expected. Memory ownership table entries also may be encrypted by the consumer-provided key unknown to the CSP.