-
公开(公告)号:EP3457311B1
公开(公告)日:2020-02-26
申请号:EP18189207.6
申请日:2018-08-15
申请人: INTEL Corporation
-
公开(公告)号:EP3885958A1
公开(公告)日:2021-09-29
申请号:EP21175141.7
申请日:2018-08-15
申请人: INTEL Corporation
发明人: SAHITA, Ravi L. , PATEL, Baiju V. , HUNTLEY, Barry E. , NEIGER, Gilbert , KHOSRAVI, Hormuzd M. , OUZIEL, Ido , DURHAM, David M. , SCHOINAS, Ioannis T. , CHHABRA, Siddhartha , ROZAS, Carlos V. , GERZON, Gideon
摘要: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, an apparatus comprises: a memory to store a data structure including a key identifier corresponding to an encryption key assigned to a first tenant workload, a guest physical address corresponding to a host physical memory page assigned to the first tenant workload, and metadata attributes for the host physical memory page; and a processor. The processor includes: an instruction decoder to decode a plurality of instructions, the plurality of instructions including a first instruction to create a tenant workload control structure and a second instruction to create a tenant workload thread control structure; and one or more execution units to execute one or more of the plurality of instructions to create a first tenant workload control structure for managing metadata of the first tenant workload, create a first tenant workload thread control structure for maintaining execution state of the first tenant workload. The data structure is access-controlled against software access. The first tenant workload thread control structure is access-controlled against software access. The host physical memory page is encrypted with the encryption key. The one or more execution units, when executing the first tenant workload using the guest physical address, are to reference the data structure to obtain the key identifier to allow the apparatus to access and decrypt the host physical memory page.
-
公开(公告)号:EP3657378A1
公开(公告)日:2020-05-27
申请号:EP20152004.6
申请日:2018-08-15
申请人: INTEL Corporation
发明人: SAHITA, Ravi L. , PATEL, Baiju V. , HUNTLEY, Barry E. , NEIGER, Gilbert , KHOSRAVI, Hormuzd M. , OUZIEL, Ido , DURHAM, David M. , SCHOINAS, Ioannis T. , CHHABRA, Siddhartha , ROZAS, Carlos V. , GERZON, Gideon
摘要: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, the processing device includes a processing core to execute a tenant workload and a resource management capability to manage the tenant workload, the resource management capability including a hypervisor and the tenant workload including a virtual machine running on top of the hypervisor, and reference a micro-architectural structure a micro-architectural structure that is access-controlled against software access to obtain at least one key identifier, ID, corresponding to an encryption key assigned to the tenant workload, the key ID to allow the processing device to decrypt memory pages assigned to the tenant workload responsive to the processing device executing in the context of the tenant workload, the memory pages assigned to the tenant workload encrypted with the encryption key. The micro-architectural structure is to hold meta-data attributes for each physical memory page and the meta-data attributes are direct indexed by the physical page address of the physical memory page.
-
公开(公告)号:EP3457311A1
公开(公告)日:2019-03-20
申请号:EP18189207.6
申请日:2018-08-15
申请人: INTEL Corporation
发明人: SAHITA, Ravi L. , PATEL, Baiju V. , HUNTLEY, Barry E. , NEIGER, Gilbert , KHOSRAVI, Hormuzd M. , OUZIEL, Ido , DURHAM, David M. , SCHOINAS, Ioannis T. , CHHABRA, Siddhartha , ROZAS, Carlos V. , GERZON, Gideon
摘要: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.
-
-
-
搜索结果
4 条记录 (耗时 0.011 秒)
