公开(公告)号：EP4379592A3

公开(公告)日：2024-08-28

申请号：EP24170687.8

申请日：2018-08-15

申请人： INTEL Corporation

发明人： Sahita, Ravi L. ,  Patel, Baiju V. ,  Huntley, Barry E. ,  Neiger, Gilbert ,  Khosravi, Hormuzd M. ,  Ouziel, Ido ,  Durham, David M. ,  Schoinas, Ioannis T. ,  Chhabra, Siddhartha ,  Rozas, Carlos V. ,  Gerzon, Gideon

IPC分类号： G06F21/71 ,  G06F21/79

CPC分类号： G06F21/71 ,  G06F21/79

摘要： Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, an apparatus comprises: a memory encryption engine to protect memory using encryption; and a processor to execute one or more instructions to allow a virtual machine manager (VMM) to manage a trust domain (TD). The processor is to support at least one of a first instruction to add a memory page to the TD, wherein execution of the first instruction is to use an address of TD control structure, an address of a source page, and an address of destination page to: copy the source memory page to the destination page using an encryption key identified in the TD control structure, a second instruction, wherein execution of the second instruction is to initialize the TD control structure for a TD and generate the encryption key, or a third instruction, wherein execution of the third instruction is to enter the TD and load a saved state of the TD from a data structure.

公开(公告)号：EP1939752B1

公开(公告)日：2010-07-07

申请号：EP07254933.0

申请日：2007-12-18

申请人： Intel Corporation

发明人： Buxton, Mark J. ,  Brickell, Ernest F. ,  Jacobson, Quinn A. ,  Wang, Hong ,  Patel, Baiju V.

IPC分类号： G06F12/08 ,  G06F12/14 ,  G06F9/38

CPC分类号： G06F12/0842 ,  G06F9/30047 ,  G06F12/1458 ,  G06F21/52 ,  G06F21/78

公开(公告)号：EP4325352A3

公开(公告)日：2024-06-19

申请号：EP24150660.9

申请日：2016-05-26

申请人： Intel Corporation

发明人： Shanbhogue, Vedvyas ,  Brandt, Jason W. ,  Sahita, Ravi L. ,  Huntley, Barry E. ,  Patel, Baiju V.

IPC分类号： G06F9/30 ,  G06F21/52 ,  G06F12/14 ,  G06F9/38

CPC分类号： G06F21/52 ,  G06F9/3861 ,  G06F9/30054 ,  G06F9/30101 ,  G06F9/30134 ,  G06F9/3806 ,  G06F12/1009 ,  G06F12/1027 ,  G06F12/1036 ,  G06F12/1063 ,  G06F12/1081 ,  G06F12/109 ,  G06F12/1491 ,  G06F2212/105220130101 ,  G06F2212/15120130101 ,  G06F2212/65120130101 ,  G06F2212/65720130101 ,  G06F9/30076 ,  G06F12/0811

摘要： Embodiments of the subject disclosure provide a processor and a system. The processor comprises: a shadow stack pointer, SSP, register to store a current SSP to identify a top of a current shadow stack; a decode unit to decode a restore shadow stack pointer instruction, the restore shadow stack pointer instruction to indicate a source operand that is to have a first SSP, the first SSP to identify a top of a first shadow stack; and an execution unit coupled with the decode unit, the execution unit, in response to the restore shadow stack pointer instruction, to: perform a plurality of security checks, including to determine whether a value derived from the first SSP is compatible with a value accessed from the first shadow stack; cause an exception, if at least one of the security checks fails; and restore an SSP to the SSP register to switch from the current shadow stack to the first shadow stack, if all of the security checks succeed.

公开(公告)号：EP1936500A2

公开(公告)日：2008-06-25

申请号：EP07254666.6

申请日：2007-11-30

申请人： Intel Corporation

发明人： Hankins, Richard A, ,  Wang, Hong ,  Aundhe, Shirish ,  Chinya, Gautham N. ,  Poulsen, David K. ,  Patel, Baiju V. ,  Shah, Sanjiv M.

IPC分类号： G06F9/48

CPC分类号： G06F9/4812 ,  G06F9/3851 ,  G06F9/3861

摘要： Methods, data structures, instructions, and techniques for structured exception handling for user-level threads in a multi-threading system are provided. Registered filter routines may be dispatched to a thread unit not managed by the operating system (OS). The dispatch may occur by allowing an OS-managed thread unit (proxy) to invoke the OS-provided structured exception handling service (including dispatcher) on behalf of the sequestered thread unit. Alternatively, an OS-managed thread unit may include dispatch code and may, without OS intervention, dispatch the filter routine to the sequestered thread unit. Other embodiments are also described and claimed.

公开(公告)号：EP3958160A1

公开(公告)日：2022-02-23

申请号：EP21201854.3

申请日：2019-05-24

申请人： INTEL Corporation

发明人： LeMay, Michael ,  Durham, David M. ,  Kounavis, Michael E. ,  Huntley, Barry E. ,  Shanbhogue, Vedvyas ,  Brandt, Jason W. ,  Triplett, Josh ,  Neiger, Gilbert ,  Grewal, Karanvir ,  Patel, Baiju V. ,  Zhuang, Ye ,  Tsai, Jr-Shian ,  Sukhomlinov, Vadim ,  Sahita, Ravi ,  Zhang, Mingwei ,  Farwell, James C. ,  Das, Amitabh ,  Bhuyan, Krishna

IPC分类号： G06F21/74 ,  G06F12/14 ,  G06F21/57 ,  H04L9/08 ,  H04L9/32 ,  G06F9/455 ,  G06F21/53

摘要： Disclosed embodiments relate to encoded inline capabilities. In one example, an apparatus comprises: a trusted execution environment to configure a plurality of compartments in an address space of memory, each compartment comprising a private memory and a pointer to an object in a shared heap of the plurality of compartments, wherein each compartment is isolated from other compartments, is unable to access the private memory of other compartments, and is unable to access any object in the shared heap that is solely assigned to another compartment; decode circuitry to decode a single instruction into a decoded single instruction, the single instruction comprising a pointer for a first compartment to a first object in the shared heap; and execution circuitry to execute the decoded single instruction to generate an encoded capability, based at least in part on the pointer to the first object, to allow access to the first object in the shared heap by a second compartment in response to the second compartment having the encoded capability.

公开(公告)号：EP4379592A2

公开(公告)日：2024-06-05

申请号：EP24170687.8

申请日：2018-08-15

申请人： INTEL Corporation

发明人： Sahita, Ravi L. ,  Patel, Baiju V. ,  Huntley, Barry E. ,  Neiger, Gilbert ,  Khosravi, Hormuzd M. ,  Ouziel, Ido ,  Durham, David M. ,  Schoinas, Ioannis T. ,  Chhabra, Siddhartha ,  Rozas, Carlos V. ,  Gerzon, Gideon

IPC分类号： G06F21/79

CPC分类号： G06F21/71 ,  G06F21/79

摘要： Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, an apparatus comprises: a memory encryption engine to protect memory using encryption; and a processor to execute one or more instructions to allow a virtual machine manager (VMM) to manage a trust domain (TD). The processor is to support at least one of a first instruction to add a memory page to the TD, wherein execution of the first instruction is to use an address of TD control structure, an address of a source page, and an address of destination page to: copy the source memory page to the destination page using an encryption key identified in the TD control structure, a second instruction, wherein execution of the second instruction is to initialize the TD control structure for a TD and generate the encryption key, or a third instruction, wherein execution of the third instruction is to enter the TD and load a saved state of the TD from a data structure.

公开(公告)号：EP4325352A2

公开(公告)日：2024-02-21

申请号：EP24150660.9

申请日：2016-05-26

申请人： Intel Corporation

发明人： Shanbhogue, Vedvyas ,  Brandt, Jason W. ,  Sahita, Ravi L. ,  Huntley, Barry E. ,  Patel, Baiju V.

IPC分类号： G06F9/38

摘要： Embodiments of the subject disclosure provide a processor and a system. The processor comprises: a shadow stack pointer, SSP, register to store a current SSP to identify a top of a current shadow stack; a decode unit to decode a restore shadow stack pointer instruction, the restore shadow stack pointer instruction to indicate a source operand that is to have a first SSP, the first SSP to identify a top of a first shadow stack; and an execution unit coupled with the decode unit, the execution unit, in response to the restore shadow stack pointer instruction, to: perform a plurality of security checks, including to determine whether a value derived from the first SSP is compatible with a value accessed from the first shadow stack; cause an exception, if at least one of the security checks fails; and restore an SSP to the SSP register to switch from the current shadow stack to the first shadow stack, if all of the security checks succeed.

公开(公告)号：EP4099158A1

公开(公告)日：2022-12-07

申请号：EP22184595.1

申请日：2016-05-26

申请人： INTEL Corporation

发明人： Shanbhogue, Vedvyas ,  Brandt, Jason W. ,  Sahita, Ravi L. ,  Huntley, Barry E. ,  Patel, Baiju V.

IPC分类号： G06F9/30 ,  G06F21/52 ,  G06F12/14 ,  G06F9/38

摘要： Embodiments of the subject disclosure provide a processor and a system. The processor comprises: a shadow stack pointer (SSP) register to store an SSP, including a first SSP to identify a top of a first shadow stack, the SSP register to indicate a current SSP for a current shadow stack; a decode unit to decode a shadow stack protection instruction, the shadow stack protection instruction to indicate a second SSP, the second SSP to identify a top of a second shadow stack; and an execution unit coupled with the decode unit. The execution unit, in response to the shadow stack protection instruction, is to perform a plurality of security checks, including to determine whether the second SSP is compatible with a value stored on the second shadow stack. If at least one of the security checks fail, the execution unit is further to: not make the second SSP the current SSP; and cause an exception. If all of the security checks succeed, the execution unit is further to: change the value; and update the SSP register to the second SSP to make the second SSP the current SSP.

公开(公告)号：EP3800546A1

公开(公告)日：2021-04-07

申请号：EP20209381.1

申请日：2016-05-26

申请人： Intel Corporation

发明人： Shanbhogue, Vedvyas ,  Brandt, Jason W. ,  Sahita, Ravi L. ,  Huntley, Barry E. ,  Patel, Baiju V.

IPC分类号： G06F9/30 ,  G06F21/52 ,  G06F12/14

摘要： Embodiments of the subject disclosure provide a processor and a system. The processor comprises: a shadow stack pointer, SSP, register, the SSP register to store a first SSP to identify a top of a first currently active shadow stack; a decode unit to decode a shadow stack protection instruction, the shadow stack protection instruction to indicate a second SSP, the second SSP to identify a top of a second shadow stack that the shadow stack protection instruction is attempting to switch to; and an execution unit coupled with the decode unit. The execution unit, in response to the shadow stack protection instruction, is to: perform one or more security checks, including to determine whether the second SSP indicated by the shadow stack protection instruction matches an SSP stored on the second shadow stack; if at least one of the security checks fail: not store the second SSP to the SSP register; and cause an exception; and if all of the security checks succeed: compromise the SSP stored on the second shadow stack; and store the second SSP to the SSP register.

公开(公告)号：EP1936500A3

公开(公告)日：2009-10-28

申请号：EP07254666.6

申请日：2007-11-30

申请人： Intel Corporation

发明人： Hankins, Richard A, ,  Wang, Hong ,  Aundhe, Shirish ,  Chinya, Gautham N. ,  Poulsen, David K. ,  Patel, Baiju V. ,  Shah, Sanjiv M.

IPC分类号： G06F9/48 ,  G06F9/38

CPC分类号： G06F9/4812 ,  G06F9/3851 ,  G06F9/3861

摘要： Methods, data structures, instructions, and techniques for structured exception handling for user-level threads in a multi-threading system are provided. Registered filter routines may be dispatched to a thread unit not managed by the operating system (OS). The dispatch may occur by allowing an OS-managed thread unit (proxy) to invoke the OS-provided structured exception handling service (including dispatcher) on behalf of the sequestered thread unit. Alternatively, an OS-managed thread unit may include dispatch code and may, without OS intervention, dispatch the filter routine to the sequestered thread unit. Other embodiments are also described and claimed.