-
Publication (announcement) no.: EP2801025B1
Publication (announcement) date: 2018-10-24
Application no.: EP12864336.8
Filing date: 2012-01-04
Applicant: Intel Corporation
CPC classification: G06F12/145 , G06F9/468 , G06F12/1425 , G06F2009/45583 , G06F2009/45587
Abstract: Embodiments of techniques and systems for increasing efficiencies in computing systems using virtual memory are described. In embodiments, instructions which are located in two memory pages in a virtual memory system, such that one of the pages does not permit execution of the instructions located therein, are identified and then executed under temporary permissions that permit execution of the identified instructions. In various embodiments, the temporary permissions may come from modified virtual memory page tables, temporary virtual memory page tables which allow for execution, and/or emulators which have root access. In embodiments, per-core virtual memory page tables may be provided to allow two cores of a computer processor to operate in accordance with different memory access permissions. In embodiments, a physical page permission table may be utilized to provide for maintenance and tracking of per-physical-page memory access permissions. Other embodiments may be described and claimed.
-
Publication (announcement) no.: EP3367287A1
Publication (announcement) date: 2018-08-29
Application no.: EP18152856.3
Filing date: 2018-01-22
Applicant: INTEL Corporation
Abstract: A host Virtual Machine Monitor (VMM) operates "blindly," without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to directly access the control structures that control the execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, can verify the correctness of the control structures of guest VMs.
-
Publication (announcement) no.: EP2691851A1
Publication (announcement) date: 2014-02-05
Application no.: EP11862405.5
Filing date: 2011-12-29
Applicant: Intel Corporation
CPC classification: G06F21/54 , G06F11/3644 , G06F21/566
Abstract: Generally, this disclosure describes systems and methods for transparently instrumenting a computer process. The systems and methods are configured to allow instrumenting executable code while permitting legacy memory scanning tools to monitor the corresponding uninstrumented executable code stored in memory.
-
Publication (announcement) no.: EP4296877A3
Publication (announcement) date: 2024-03-20
Application no.: EP23209375.7
Filing date: 2020-02-07
Applicant: INTEL Corporation
Abstract: A processor comprising decode circuitry to decode a SEAMCALL instruction for a virtual machine monitor (VMM) in legacy VMX root operation mode; and execution circuitry to perform operations corresponding to the SEAMCALL instruction, including to: cause a virtual machine (VM) exit; transition the processor from the legacy VMX root operation mode to a secure arbitration mode (SEAM) VMX root operation mode, wherein a SEAM module is to be hosted in the SEAM VMX root operation mode; store a VMM state of the processor to a virtual machine control structure (VMCS); load a SEAM module state of the processor from the VMCS; inhibit system management interrupts (SMI) and non-maskable interrupts (NMI) in the SEAM VMX root operation mode; and invoke the SEAM module. A system comprising a system memory; and said processor as stated above.
-
Publication (announcement) no.: EP3885958A1
Publication (announcement) date: 2021-09-29
Application no.: EP21175141.7
Filing date: 2018-08-15
Applicant: INTEL Corporation
Inventors: SAHITA, Ravi L. , PATEL, Baiju V. , HUNTLEY, Barry E. , NEIGER, Gilbert , KHOSRAVI, Hormuzd M. , OUZIEL, Ido , DURHAM, David M. , SCHOINAS, Ioannis T. , CHHABRA, Siddhartha , ROZAS, Carlos V. , GERZON, Gideon
Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, an apparatus comprises: a memory to store a data structure including a key identifier corresponding to an encryption key assigned to a first tenant workload, a guest physical address corresponding to a host physical memory page assigned to the first tenant workload, and metadata attributes for the host physical memory page; and a processor. The processor includes: an instruction decoder to decode a plurality of instructions, the plurality of instructions including a first instruction to create a tenant workload control structure and a second instruction to create a tenant workload thread control structure; and one or more execution units to execute one or more of the plurality of instructions to create a first tenant workload control structure for managing metadata of the first tenant workload, and to create a first tenant workload thread control structure for maintaining the execution state of the first tenant workload. The data structure is access-controlled against software access. The first tenant workload thread control structure is access-controlled against software access. The host physical memory page is encrypted with the encryption key. The one or more execution units, when executing the first tenant workload using the guest physical address, are to reference the data structure to obtain the key identifier to allow the apparatus to access and decrypt the host physical memory page.
-
Publication (announcement) no.: EP3825851A1
Publication (announcement) date: 2021-05-26
Application no.: EP20217437.1
Filing date: 2016-05-13
Applicant: INTEL Corporation
Inventors: BANGINWAR, Rajesh P. , NAROPANTH, Sumanth , NOTALAPATI PRABHAKARA, Sunil K. , SINGH, Surendra K. , MOHAN, Arvind , SAHITA, Ravi L. , MALHOTRA, Rahil , BAKSHI, Aman , KAMMA, Vasudevarao , NAYAK, Jyothi , THAKKAR, Vivek , PINTO, Royston A.
Abstract: A data processing system (DPS) uses platform protection technology (PPT) to protect some or all of the code and data belonging to certain software modules. The PPT may include a virtual machine monitor (VMM) to enable an untrusted application and a trusted application to run on top of a single operating system (OS), while preventing the untrusted application from accessing memory used by the trusted application. The VMM may use a first extended page table (EPT) to translate a guest physical address (GPA) into a first host physical address (HPA) for the untrusted application. The VMM may use a second EPT to translate the GPA into a second HPA for the trusted application. The first and second EPTs may map the same GPA to different HPAs. Other embodiments are described and claimed.
-
Publication (announcement) no.: EP3657378A1
Publication (announcement) date: 2020-05-27
Application no.: EP20152004.6
Filing date: 2018-08-15
Applicant: INTEL Corporation
Inventors: SAHITA, Ravi L. , PATEL, Baiju V. , HUNTLEY, Barry E. , NEIGER, Gilbert , KHOSRAVI, Hormuzd M. , OUZIEL, Ido , DURHAM, David M. , SCHOINAS, Ioannis T. , CHHABRA, Siddhartha , ROZAS, Carlos V. , GERZON, Gideon
Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, the processing device includes a processing core to execute a tenant workload and a resource management capability to manage the tenant workload, the resource management capability including a hypervisor and the tenant workload including a virtual machine running on top of the hypervisor, and to reference a micro-architectural structure that is access-controlled against software access to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the tenant workload, the key ID to allow the processing device to decrypt memory pages assigned to the tenant workload responsive to the processing device executing in the context of the tenant workload, the memory pages assigned to the tenant workload being encrypted with the encryption key. The micro-architectural structure is to hold metadata attributes for each physical memory page, and the metadata attributes are directly indexed by the physical page address of the physical memory page.
-
Publication (announcement) no.: EP3457311A1
Publication (announcement) date: 2019-03-20
Application no.: EP18189207.6
Filing date: 2018-08-15
Applicant: INTEL Corporation
Inventors: SAHITA, Ravi L. , PATEL, Baiju V. , HUNTLEY, Barry E. , NEIGER, Gilbert , KHOSRAVI, Hormuzd M. , OUZIEL, Ido , DURHAM, David M. , SCHOINAS, Ioannis T. , CHHABRA, Siddhartha , ROZAS, Carlos V. , GERZON, Gideon
Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD being encrypted with the encryption key.
-
Publication (announcement) no.: EP3210149A1
Publication (announcement) date: 2017-08-30
Application no.: EP15853035.2
Filing date: 2015-08-27
Applicant: Intel Corporation
Abstract: In one embodiment, a processor comprises: a first register to store a first bound value for a stack to be stored in a memory; a second register to store a second bound value for the stack; checker logic to determine, prior to an exit point at the conclusion of a function to be executed on the processor, whether the value of the stack pointer is within the range between the first bound value and the second bound value; and logic to prevent a return to the caller of the function if the stack pointer value is not within the range. Other embodiments are described and claimed.
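The exit-point stack-pointer check described in the abstract above, modelled in software as an added example (illustration code written for this listing, not Intel's design or any implementation of the patent). The two bound registers are modelled as fields of a small machine state, a constructed 16-word array stands in for the legitimate stack, a constructed 8-word "heap" buffer holds an attacker's fake return chain, and the code addresses and the 5-byte CALL size are assumptions. The point the model makes is the one a practitioner cares about: a stack pivot (`xchg rsp, reg`-style gadget) moves the stack pointer outside the bounds, so the RET that would start the chain is refused, while an ordinary call/return passes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_WORDS 16
#define HEAP_WORDS  8

typedef struct {
    uint64_t  stack[STACK_WORDS]; /* constructed legitimate stack; grows downward */
    uint64_t  heap[HEAP_WORDS];   /* constructed attacker-controlled buffer (fake stack) */
    uintptr_t sp;                 /* stack pointer */
    uintptr_t bound_lo;           /* first bound register: lowest valid sp */
    uintptr_t bound_hi;           /* second bound register: one past the highest valid sp */
    uint64_t  pc;                 /* program counter (assumed code addresses) */
} machine;

enum { RET_OK = 0, RET_BLOCKED = 1 };

void machine_reset(machine *m) {
    memset(m, 0, sizeof *m);
    m->bound_lo = (uintptr_t)&m->stack[0];
    m->bound_hi = (uintptr_t)&m->stack[STACK_WORDS];
    m->sp = m->bound_hi;          /* empty stack: sp sits at the top */
    m->pc = 0x401000;             /* assumed caller address */
}

/* Checker logic from the abstract: sp must lie within [bound_lo, bound_hi). */
int sp_within_bounds(const machine *m) {
    return m->sp >= m->bound_lo && m->sp < m->bound_hi;
}

/* Unchecked PUSH, as on real hardware. */
void push(machine *m, uint64_t v) {
    m->sp -= sizeof(uint64_t);
    *(uint64_t *)m->sp = v;
}

/* CALL: push the return address (assumes a 5-byte CALL rel32) and jump. */
void call(machine *m, uint64_t target) {
    push(m, m->pc + 5);
    m->pc = target;
}

/* RET with the exit-point check: the return is refused when sp is out of bounds. */
int ret(machine *m) {
    if (!sp_within_bounds(m))
        return RET_BLOCKED;       /* logic that prevents the return to the caller */
    m->pc = *(uint64_t *)m->sp;
    m->sp += sizeof(uint64_t);
    return RET_OK;
}

/* Models a stack-pivot gadget (e.g. xchg rsp, rax): sp now points at attacker data. */
void pivot(machine *m, uintptr_t new_sp) { m->sp = new_sp; }

/* Models an unchecked `sub rsp, imm` / `add rsp, imm`. */
void adjust_sp(machine *m, long delta_bytes) {
    m->sp = (uintptr_t)((intptr_t)m->sp + delta_bytes);
}

/* Ordinary call and return: the check passes and control reaches the caller. */
int scenario_normal(void) {
    machine m; machine_reset(&m);
    uint64_t caller_next = m.pc + 5;
    call(&m, 0x402000);
    if (m.pc != 0x402000 || !sp_within_bounds(&m)) return 0;
    return ret(&m) == RET_OK && m.pc == caller_next;
}

/* Stack pivot onto a fake return chain in the heap: the RET is blocked, pc unchanged. */
int scenario_pivot(void) {
    machine m; machine_reset(&m);
    call(&m, 0x402000);
    for (int i = 0; i < HEAP_WORDS; i++)
        m.heap[i] = 0xdead0000u + (uint64_t)i;   /* constructed gadget addresses */
    pivot(&m, (uintptr_t)&m.heap[0]);
    return ret(&m) == RET_BLOCKED && m.pc == 0x402000;
}

/* sp driven below the lower bound (an oversized frame): the RET is blocked. */
int scenario_underflow(void) {
    machine m; machine_reset(&m);
    call(&m, 0x402000);
    adjust_sp(&m, -(long)sizeof m.stack);        /* now below bound_lo */
    return ret(&m) == RET_BLOCKED;
}

int main(void) {
    printf("normal return allowed: %d\n", scenario_normal());
    printf("pivoted return blocked: %d\n", scenario_pivot());
    printf("underflowed return blocked: %d\n", scenario_underflow());
    return 0;
}
```

The check only validates where the stack pointer is, not what the return address slot contains; it stops a pivot to attacker-controlled memory but does not by itself stop a chain that overwrites return addresses on the legitimate stack, which is what a shadow stack addresses. In hardware the bound registers would be set per thread (or per stack region) by the OS or runtime; the model leaves that setup to `machine_reset`.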
-