公开(公告)号：US20200293668A1

公开(公告)日：2020-09-17

申请号：US16830379

申请日：2020-03-26

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Ravi L. Sahita ,  Barry E. Huntley ,  Gilbert Neiger ,  Gideon Gerzon ,  Baiju V. Patel

IPC: G06F21/60 ,  G06F3/06 ,  G06F12/1009 ,  G06F21/57 ,  G06F21/53

Abstract: A computer-readable medium comprises instructions that, when executed, cause a processor to execute an untrusted workload manager to manage execution of at least one guest workload. The instructions, when executed, also cause the processor to (i) receive a request from a guest workload managed by the untrusted workload manager to access a memory using a requested guest address; (ii) obtain, from the untrusted workload manager, a translated workload manager-provided hardware physical address to correspond to the requested guest address; (iii) determine whether a stored mapping exists for the translated workload manager-provided hardware physical address; (iv) in response to finding the stored mapping, determine whether a stored expected guest address from the stored mapping matches the requested guest address; and (v) if the stored expected guest address from the stored mapping matches the requested guest address, enable the guest workload to access contents of the translated workload-manager provided hardware physical address.

公开(公告)号：US10768968B2

公开(公告)日：2020-09-08

申请号：US16147169

申请日：2018-09-28

Applicant: Intel Corporation

Inventor： Gilbert Neiger ,  Geoffrey Strongin ,  Ramya Jayaram Masti

IPC: G06F12/10 ,  G06F9/455 ,  G06F12/1009

Abstract: A method includes receiving, by a processor from a virtual machine (VM) executed by the processor, an indication that a proper subset of a plurality of virtual memory pages of the VM are secure memory pages. The method further includes, responsive to determining the VM is attempting to access a first memory page, determining whether the proper subset comprises the first memory page. The method further includes, responsive to determining the proper subset comprises the first memory page: using first attributes specified by the VM for the first memory page; and ignoring second attributes specified by a virtual machine monitor (VMM) for the first memory page. The VMM is executed by the processor to manage the VM.

公开(公告)号：US20200264997A1

公开(公告)日：2020-08-20

申请号：US16778227

申请日：2020-01-31

Applicant: Intel Corporation

Inventor： Gilbert Neiger ,  Rajesh M. Sankaran

IPC: G06F13/34

Abstract: Systems and methods for delivering interrupts to user-level applications. An example processing system comprises: a memory configured to store a plurality of user-level APIC data structures and a plurality of user-level interrupt handler address data structures corresponding to a plurality of user-level applications being executed by the processing system; and a processing core configured, responsive to receiving a notification of a user-level interrupt, to: set a pending interrupt bit flag having a position defined by an identifier of the user-level interrupt in a user-level APIC data structure associated with a user-level application that is currently being executed by the processing core, and invoke a user-level interrupt handler identified by a user-level interrupt handler address data structure associated with the user-level application, for a pending user-level interrupt having a highest priority among one or more pending user-level interrupts identified by the user-level APIC data structure.

公开(公告)号：US10713195B2

公开(公告)日：2020-07-14

申请号：US14997478

申请日：2016-01-15

Applicant: Intel Corporation

Inventor： Jr-Shian Tsai ,  Ravi L Sahita ,  Mesut A Ergin ,  Rajesh M Sankaran ,  Gilbert Neiger ,  Jun Nakajima ,  Edwin Verplanke ,  Barry E Huntley ,  Tsung-Yuan C Tai

IPC: G06F13/24 ,  G06F9/455

Abstract: Embodiments of an invention interrupts between virtual machines are disclosed. In an embodiment, a processor includes an instruction unit and an execution unit, both implemented at least partially in hardware of the processor. The instruction unit is to receive an instruction to send an interrupt to a target virtual machine. The execution unit is to execute the instruction on a sending virtual machine without exiting the sending virtual machine. Execution of the instruction includes using a handle specified by the instruction to find a posted interrupt descriptor.

公开(公告)号：US10657071B2

公开(公告)日：2020-05-19

申请号：US15714217

申请日：2017-09-25

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Amy L. Santoni ,  Gilbert Neiger ,  Barry E. Huntley ,  Hormuzd M. Khosravi ,  Baiju V. Patel ,  Ravi L. Sahita ,  Gideon Gerzon ,  Ido Ouziel ,  Ioannis T. Schoinas ,  Rajesh M. Sankaran

IPC: G06F12/14 ,  G06F21/60 ,  G06F21/82 ,  G06F3/06 ,  G06F21/53 ,  G06F21/78

Abstract: In one embodiment, a cryptographic circuit is adapted to receive a data line including at least an encrypted portion from a memory in response to a read request having a memory address from a first agent, obtain a key identifier for a key of the first agent from the data line, obtain the key using the key identifier, decrypt the at least encrypted portion of the data line using the key and send decrypted data of the at least encrypted portion of the data line to the first agent. Other embodiments are described and claimed.

公开(公告)号：US20200050471A1

公开(公告)日：2020-02-13

申请号：US16554885

申请日：2019-08-29

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Gilbert Neiger ,  Arumugam Thiyagarajah

IPC: G06F9/455 ,  G06F12/14 ,  G06F12/1045 ,  G06F11/30 ,  G06F11/22

Abstract: A processor may include a register to store a bus-lock-disable bit and an execution unit to execute instructions. The execution unit may receive an instruction that includes a memory access request. The execution may further determine that the memory access request requires acquiring a bus lock, and, responsive to detecting that the bus-lock-disable bit indicates that bus locks are disabled, signal a fault to an operating system.

公开(公告)号：US20190324920A1

公开(公告)日：2019-10-24

申请号：US16401889

申请日：2019-05-02

Applicant: Intel Corporation

Inventor： Jason W. Brandt ,  Sanjoy K. Mondal ,  Richard A. Uhlig ,  Gilbert Neiger ,  Robert T. George

IPC: G06F12/1036 ,  G06F12/1027 ,  G06F12/123 ,  G06F9/455 ,  G06F12/02 ,  G06F12/1045 ,  G06F12/12 ,  G06F9/48 ,  G06F12/0891 ,  G06F12/109 ,  G06F12/0804

Abstract: In one embodiment of the present invention, a method includes switching between a first address space and a second address space, determining if the second address space exists in a list of address spaces; and maintaining entries of the first address space in a translation buffer after the switching. In such manner, overhead associated with such a context switch may be reduced.

公开(公告)号：US10394595B2

公开(公告)日：2019-08-27

申请号：US15684002

申请日：2017-08-23

Applicant: Intel Corporation

Inventor： Gilbert Neiger ,  Deepak K. Gupta ,  Ravi L. Sahita ,  Barry E. Huntley ,  Vedvyas Shanbhogue ,  Joseph F. Cihula

IPC: G06F9/455 ,  G06F12/1009 ,  G06F12/1027

Abstract: A processor comprises a register to store a first reference to a context data structure specifying a virtual machine context, the context data structure comprising a second reference to a target array and an execution unit comprising a logic circuit to execute a virtual machine (VM) based on the virtual machine context, wherein the VM comprises a guest operating system (OS) associated with a page table comprising a first memory address mapping between a guest virtual address (GVA) space and a guest physical address (GPA) space, receive a request by the guest OS to switch from the first memory address mapping to a second memory address mapping, the request comprising an index value and a first root value, retrieve an entry, identified by the index value, from the target array, the entry comprising a second root value, and responsive to determining that the first root value matches the second root value, cause a switch from the first memory address mapping to the second memory address mapping.

公开(公告)号：US20190220625A1

公开(公告)日：2019-07-18

申请号：US16362887

申请日：2019-03-25

Applicant: Intel Corporation

Inventor： David M. Durham ,  Gilbert Neiger ,  Barry E. Huntley ,  Ravi L. Sahita ,  Baiju V. Patel

IPC: G06F21/71 ,  H04L9/08 ,  G06F9/455 ,  G06F8/61 ,  G06F21/53 ,  G06F21/78 ,  G06F21/57

CPC classification number: G06F21/71 ,  G06F8/63 ,  G06F9/45533 ,  G06F9/45558 ,  G06F21/53 ,  G06F21/57 ,  G06F21/78 ,  G06F2009/45579 ,  G06F2009/45587 ,  G06F2212/402 ,  G06F2221/2149 ,  H04L9/0822

Abstract: According to one embodiment, a method comprises executing an untrusted host virtual machine monitor (VMM) to manage execution of at least one guest virtual machine (VM). The VMM receives an encrypted key domain key, an encrypted guest code image, and an encrypted guest control structure. The VM also issues a create command. In response, a processor creates a first key domain comprising a region of memory to be encrypted by a key domain key. The encrypted key domain key is decrypted to produce the key domain key, which is inaccessible to the VMM. The VMM issues a launch command. In response, a first guest VM is launched within the first key domain. In response to a second launch command, a second guest VM is launched within the first key domain. The second guest VM provides an agent to act on behalf of the VMM. Other embodiments are described and claimed.

公开(公告)号：US10303899B2

公开(公告)日：2019-05-28

申请号：US15444771

申请日：2017-02-28

Applicant: Intel Corporation

Inventor： David M. Durham ,  Gilbert Neiger ,  Barry E. Huntley ,  Ravi L. Sahita ,  Baiju V. Patel

IPC: G06F21/00 ,  G06F21/71 ,  G06F9/455 ,  G06F21/53 ,  G06F21/57 ,  G06F21/78 ,  H04L9/08 ,  G06F8/61

Abstract: A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, can verify correctness of the control structures of guest VMs.