公开(公告)号：US10747682B2

公开(公告)日：2020-08-18

申请号：US15912363

申请日：2018-03-05

Applicant: Intel Corporation

Inventor： Steven M. Bennett ,  Andrew V. Anderson ,  Gilbert Neiger ,  Richard Uhlig ,  Scott Dion Rodgers ,  Rajesh M. Sankaran ,  Camron Rust ,  Sebastian Schoenberg

IPC: G06F12/00 ,  G06F12/1027 ,  G06F12/1009 ,  G06F12/1036 ,  G06F9/30 ,  G06F12/02 ,  G06F9/455 ,  G06F12/0875 ,  G06F12/1045

Abstract: A processor including logic to execute an instruction to synchronize a mapping from a physical address of a guest of a virtualization based system (guest physical address) to a physical address of the host of the virtualization based system (host physical address), and stored in a translation lookaside buffer (TLB), with a corresponding mapping stored in an extended paging table (EPT) of the virtualization based system.

公开(公告)号：US20200257828A1

公开(公告)日：2020-08-13

申请号：US16792941

申请日：2020-02-18

Applicant: Intel Corporation

Inventor： David M. Durham ,  Gilbert Neiger ,  Barry E. Huntley ,  Ravi L. Sahita ,  Baiju V. Patel

IPC: G06F21/71 ,  H04L9/08 ,  G06F8/61 ,  G06F21/78 ,  G06F21/57 ,  G06F21/53 ,  G06F9/455

Abstract: According to one embodiment, a method comprises executing an untrusted host virtual machine monitor (VMM) to manage execution of at least one guest virtual machine (VM). The VMM receives an encrypted key domain key, an encrypted guest code image, and an encrypted guest control structure. The VM also issues a create command. In response, a processor creates a first key domain comprising a region of memory to be encrypted by a key domain key. The encrypted key domain key is decrypted to produce the key domain key, which is inaccessible to the VMM. The VMM issues a launch command. In response, a first guest VM is launched within the first key domain. In response to a second launch command, a second guest VM is launched within the first key domain. The second guest VM provides an agent to act on behalf of the VMM. Other embodiments are described and claimed.

公开(公告)号：US20200257609A1

公开(公告)日：2020-08-13

申请号：US16787333

申请日：2020-02-11

Applicant: Intel Corporation

Inventor： Gilbert Neiger ,  Andrew V. Anderson ,  Richard A. Uhlig ,  David M. Durham ,  Ronak Singhal ,  Xiangbin Wu ,  Sailesh Kottapalli

IPC: G06F11/34 ,  G06F9/455 ,  G06F13/24 ,  G06F11/30

Abstract: Embodiments of an invention for monitoring the operation of a processor are disclosed. In one embodiment, a system includes a processor and a hardware agent external to the processor. The processor includes virtualization logic to provide for the processor to operate in a root mode and in a non-root mode. The hardware agent is to verify operation of the processor in the non-root mode based on tracing information to be collected by a software agent to be executed by the processor in the root mode.

公开(公告)号：US10740249B2

公开(公告)日：2020-08-11

申请号：US16401889

申请日：2019-05-02

Applicant: Intel Corporation

Inventor： Jason W. Brandt ,  Sanjoy K. Mondal ,  Richard A. Uhlig ,  Gilbert Neiger ,  Robert T. George

IPC: G06F13/00 ,  G06F12/1036 ,  G06F9/48 ,  G06F12/1027 ,  G06F9/455 ,  G06F12/02 ,  G06F12/1045 ,  G06F12/12 ,  G06F12/0804 ,  G06F12/0891 ,  G06F12/109 ,  G06F12/123

Abstract: In one embodiment of the present invention, a method includes switching between a first address space and a second address space, determining if the second address space exists in a list of address spaces; and maintaining entries of the first address space in a translation buffer after the switching. In such manner, overhead associated with such a context switch may be reduced.

公开(公告)号：US20200226074A1

公开(公告)日：2020-07-16

申请号：US16831976

申请日：2020-03-27

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Amy L. Santoni ,  Gilbert Neiger ,  Barry E. Huntley ,  Hormuzd M. Khosravi ,  Baiju V. Patel ,  Ravi L. Sahita ,  Gideon Gerzon ,  Ido Ouziel ,  Ioannis T. Schoinas ,  Rajesh M. Sankaran

IPC: G06F12/14 ,  G06F21/53 ,  G06F21/78 ,  G06F3/06 ,  G06F21/60 ,  G06F21/82

Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.

公开(公告)号：US20200159676A1

公开(公告)日：2020-05-21

申请号：US16722707

申请日：2019-12-20

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael LeMay ,  Ramya Jayaram Masti ,  Gilbert Neiger ,  Jason W. Brandt

IPC: G06F12/14 ,  G06F21/62

Abstract: Technologies disclosed herein provide cryptographic computing with cryptographically encoded pointers in multi-tenant environments. An example method comprises executing, by a trusted runtime, first instructions to generate a first address key for a private memory region in the memory and generate a first cryptographically encoded pointer to the private memory region in the memory. Generating the first cryptographically encoded pointer includes storing first context information associated with the private memory region in first bits of the first cryptographically encoded pointer and performing a cryptographic algorithm on a slice of a first linear address of the private memory region based, at least in part, on the first address key and a first tweak, the first tweak including the first context information. The method further includes permitting a first tenant in the multi-tenant environment to access the first address key and the first cryptographically encoded pointer to the private memory region.

公开(公告)号：US10592421B2

公开(公告)日：2020-03-17

申请号：US15250787

申请日：2016-08-29

Applicant: Intel Corporation

Inventor： Carlos V. Rozas ,  Ilya Alexandrovich ,  Ittai Anati ,  Alex Berenzon ,  Michael A. Goldsmith ,  Barry E. Huntley ,  Anton Ivanov ,  Simon P. Johnson ,  Rebekah M. Leslie-Hurd ,  Francis X. McKeen ,  Gilbert Neiger ,  Rinat Rappoport ,  Scott D. Rodgers ,  Uday R. Savagaonkar ,  Vincent R. Scarlata ,  Vedvyas Shanbhogue ,  Wesley H. Smith ,  William C. Wood

IPC: G06F12/00 ,  G06F12/08 ,  G06F13/00 ,  G06F12/0875 ,  G06F12/0808 ,  G06F12/1027

Abstract: Instructions and logic provide advanced paging capabilities for secure enclave page caches. Embodiments include multiple hardware threads or processing cores, a cache to store secure data for a shared page address allocated to a secure enclave accessible by the hardware threads. A decode stage decodes a first instruction specifying said shared page address as an operand, and execution units mark an entry corresponding to an enclave page cache mapping for the shared page address to block creation of a new translation for either of said first or second hardware threads to access the shared page. A second instruction is decoded for execution, the second instruction specifying said secure enclave as an operand, and execution units record hardware threads currently accessing secure data in the enclave page cache corresponding to the secure enclave, and decrement the recorded number of hardware threads when any of the hardware threads exits the secure enclave.

公开(公告)号：US10409597B2

公开(公告)日：2019-09-10

申请号：US15972573

申请日：2018-05-07

Applicant: Intel Corporation

Inventor： Rebekah Leslie-Hurd ,  Carlos V. Rozas ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Uday R. Savagaonkar ,  Barry E. Huntley ,  Vedvyas Shanbhogue ,  Ittai Anati ,  Francis X. Mckeen ,  Michael A. Goldsmith ,  Ilya Alexandrovich ,  Alex Berenzon ,  Wesley H. Smith ,  Gilbert Neiger

IPC: G06F12/00 ,  G06F9/30 ,  G06F12/0875 ,  G06F9/44 ,  G06F12/084 ,  G06F12/14

Abstract: Embodiments of an invention for memory management in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction and a second instruction. The execution unit is to execute the first instruction, wherein execution of the first instruction includes allocating a page in an enclave page cache to a secure enclave. The execution unit is also to execute the second instruction, wherein execution of the second instruction includes confirming the allocation of the page.

公开(公告)号：US10402218B2

公开(公告)日：2019-09-03

申请号：US15251425

申请日：2016-08-30

Applicant: INTEL CORPORATION

Inventor： Vedvyas Shanbhogue ,  Gilbert Neiger ,  Arumugam Thiyagarajah

IPC: G06F11/30 ,  G06F9/455 ,  G06F11/22 ,  G06F12/14 ,  G06F12/1045

Abstract: A processor may include a register to store a bus-lock-disable bit and an execution unit to execute instructions. The execution unit may receive an instruction that includes a memory access request. The execution may further determine that the memory access request requires acquiring a bus lock, and, responsive to detecting that the bus-lock-disable bit indicates that bus locks are disabled, signal a fault to an operating system.

公开(公告)号：US10235301B2

公开(公告)日：2019-03-19

申请号：US15652028

申请日：2017-07-17

Applicant: INTEL CORPORATION

Inventor： Michael Lemay ,  David M. Durham ,  Andrew V. Anderson ,  Gilbert Neiger ,  Ravi L. Sahita

IPC: G06F9/455 ,  G06F12/1009 ,  G06F12/1027 ,  G06F12/14 ,  G06F21/00 ,  G06F21/53

Abstract: Generally, this disclosure provides systems, methods and computer readable media for a page table edit controller configured to control access to guest page tables by virtual machine (VM) guest software through the manipulation of extended page tables. The system may include a translation look-aside buffer (TLB) to maintain a policy to lock one or more guest linear addresses (GLAs) to one or more allowable guest physical addresses (GPAs); a page walk processor to update the TLB based on the guest page tables; and a page table edit control (PTEC) module to: identify entries of the guest page tables that map GLAs associated with the policy to a first GPA; verify that the mapping conforms to the policy; and place the guest page table into one of a plurality of restricted accessibility states based on the verification, the restricted accessibility applied to the VM guests and to the page walk processor.