公开(公告)号：US20160110298A1

公开(公告)日：2016-04-21

申请号：US14519648

申请日：2014-10-21

Applicant: Intel Corporation

Inventor： DAVID A. KOUFATY ,  GILBERT NEIGER ,  RAJESH M. SANKARAN ,  ANDREW V. ANDERSON ,  SUBRAMANYA R. DULLOOR ,  WERNER HAAS ,  JOSEPH NUZMAN

IPC: G06F12/14 ,  G06F21/62

CPC classification number: G06F12/1466 ,  G06F21/52 ,  G06F2212/1052

Abstract: A processing system includes a processing core to execute a task and a memory management unit, coupled to the core. The memory management unit includes a storage unit to store a page table entry including one or more identifiers of memory frames, a protection key, and an access mode bit indicating whether the one or more memory frames are accessible according to a user mode or according to a supervisor mode, a first permission register including a plurality of fields, each field comprising a set of bits reflecting a set of memory access permissions under the user mode, and a second permission register storing a plurality of fields, each field comprising a set of bits reflecting a set of memory access permissions under the supervisor mode.

Abstract translation: 处理系统包括执行任务的处理核心和耦合到核心的存储器管理单元。 存储器管理单元包括：存储单元，用于存储包括存储器帧的一个或多个标识符的页表项，保护密钥和指示一个或多个存储器帧是否可根据用户模式访问的访问模式位，或者根据 管理员模式，包括多个字段的第一允许寄存器，每个字段包括反映用户模式下的一组存储器访问许可的位数，以及存储多个字段的第二许可寄存器，每个字段包括一组 在管理员模式下反映一组内存访问权限的位。

公开(公告)号：US20170249261A1

公开(公告)日：2017-08-31

申请号：US15175348

申请日：2016-06-07

Applicant: Intel Corporation

Inventor： DAVID M. DURHAM ,  RAVI L. SAHITA ,  GILBERT NEIGER ,  VEDVYAS SHANBHOGUE ,  ANDREW V. ANDERSON ,  MICHAEL LEMAY ,  JOSEPH F. CIHULA ,  ARUMUGAM THIYAGARAJAH ,  ASIT K. MALLICK ,  BARRY E. HUNTLEY ,  DAVID A. KOUFATY ,  DEEPAK K. GUPTA ,  BAIJU V. PATEL

IPC: G06F12/14 ,  G06F12/10 ,  G06F9/455

CPC classification number: G06F12/145 ,  G06F9/45533 ,  G06F12/1009 ,  G06F12/1027 ,  G06F21/78 ,  G06F2212/1016 ,  G06F2212/1052 ,  G06F2212/151 ,  G06F2212/656 ,  G06F2212/657

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

公开(公告)号：US20150378633A1

公开(公告)日：2015-12-31

申请号：US14320334

申请日：2014-06-30

Applicant: Intel Corporation

Inventor： RAVI L. SAHITA ,  VEDVYAS SHANBHOGUE ,  GILBERT NEIGER ,  JONATHAN EDWARDS ,  IDO OUZIEL ,  BARRY E. HUNTLEY ,  STANISLAV SHWARTSMAN ,  DAVID M. DURHAM ,  ANDREW V. ANDERSON ,  MICHAEL LEMAY

IPC: G06F3/06 ,  G06F9/455 ,  G06F12/10

CPC classification number: G06F9/45558 ,  G06F9/3004 ,  G06F9/30076 ,  G06F12/1009 ,  G06F2009/45583 ,  G06F2212/657

Abstract: An apparatus and method for fine grain memory protection. For example, one embodiment of a method comprises: performing a first lookup operation using a virtual address to identify a physical address of a memory page, the memory page comprising a plurality of sub-pages; determining whether sub-page permissions are enabled for the memory page; if sub-page permissions are enabled, then performing a second lookup operation to determine permissions associated with one or more of the sub-pages of the memory page; and implementing the permissions associated with the one or more sub-pages.

Abstract translation: 一种细粒度记忆保护装置和方法。 例如，方法的一个实施例包括：使用虚拟地址执行第一查找操作以识别存储器页面的物理地址，所述存储器页面包括多个子页面; 确定是否为所述存储器页启用子页面许可; 如果启用子页面许可，则执行第二查找操作以确定与存储器页面的一个或多个子页面相关联的许可; 以及实现与一个或多个子页面相关联的许可。

公开(公告)号：US20200159673A1

公开(公告)日：2020-05-21

申请号：US16686379

申请日：2019-11-18

Applicant: Intel Corporation

Inventor： RAVI L. SAHITA ,  GILBERT NEIGER ,  VEDVYAS SHANBHOGUE ,  DAVID M. DURHAM ,  ANDREW V. ANDERSON ,  DAVID A. KOUFATY ,  ASIT K. MALLICK ,  ARUMUGAM THIYAGARAJAH ,  BARRY E. HUNTLEY ,  DEEPAK K. GUPTA ,  MICHAEL LEMAY ,  JOSEPH F. CIHULA ,  BAIJU V. PATEL

IPC: G06F12/14 ,  G06F9/455 ,  G06F12/1009 ,  G06F12/1027

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

公开(公告)号：US20170315926A1

公开(公告)日：2017-11-02

申请号：US15652028

申请日：2017-07-17

Applicant: INTEL CORPORATION

Inventor： MICHAEL LEMAY ,  DAVID M. DURHAM ,  ANDREW V. ANDERSON ,  GILBERT NEIGER ,  RAVI L. SAHITA

IPC: G06F12/1009 ,  G06F12/1027 ,  G06F21/00 ,  G06F9/455 ,  G06F12/14

CPC classification number: G06F12/1009 ,  G06F9/45533 ,  G06F9/45558 ,  G06F12/1027 ,  G06F12/1483 ,  G06F21/00 ,  G06F21/53 ,  G06F2009/45583 ,  G06F2009/45587 ,  G06F2212/1024 ,  G06F2212/1052 ,  G06F2212/151 ,  G06F2212/651 ,  G06F2212/657 ,  G06F2212/68 ,  G06F2221/2141

Abstract: Generally, this disclosure provides systems, methods and computer readable media for a page table edit controller configured to control access to guest page tables by virtual machine (VM) guest software through the manipulation of extended page tables. The system may include a translation look-aside buffer (TLB) to maintain a policy to lock one or more guest linear addresses (GLAs) to one or more allowable guest physical addresses (GPAs); a page walk processor to update the TLB based on the guest page tables; and a page table edit control (PTEC) module to: identify entries of the guest page tables that map GLAs associated with the policy to a first GPA; verify that the mapping conforms to the policy; and place the guest page table into one of a plurality of restricted accessibility states based on the verification, the restricted accessibility applied to the VM guests and to the page walk processor.

公开(公告)号：US20160378678A1

公开(公告)日：2016-12-29

申请号：US14750982

申请日：2015-06-25

Applicant: Intel Corporation

Inventor： MICHAEL LEMAY ,  DAVID M. DURHAM ,  ANDREW V. ANDERSON ,  GILBERT NEIGER ,  RAVI L. SAHITA

IPC: G06F12/10 ,  G06F9/455 ,  G06F12/14

CPC classification number: G06F12/1009 ,  G06F9/45533 ,  G06F9/45558 ,  G06F12/1027 ,  G06F12/1483 ,  G06F21/00 ,  G06F21/53 ,  G06F2009/45583 ,  G06F2009/45587 ,  G06F2212/1024 ,  G06F2212/1052 ,  G06F2212/151 ,  G06F2212/651 ,  G06F2212/657 ,  G06F2212/68 ,  G06F2221/2141

Abstract: Generally, this disclosure provides systems, methods and computer readable media for a page table edit controller configured to control access to guest page tables by virtual machine (VM) guest software through the manipulation of extended page tables. The system may include a translation look-aside buffer (TLB) to maintain a policy to lock one or more guest linear addresses (GLAs) to one or more allowable guest physical addresses (GPAs); a page walk processor to update the TLB based on the guest page tables; and a page table edit control (PTEC) module to: identify entries of the guest page tables that map GLAs associated with the policy to a first GPA; verify that the mapping conforms to the policy; and place the guest page table into one of a plurality of restricted accessibility states based on the verification, the restricted accessibility applied to the VM guests and to the page walk processor.

Abstract translation: 通常，本公开提供了用于页表编辑控制器的系统，方法和计算机可读介质，其被配置为通过操纵扩展页表来控制虚拟机（VM）客户软件对访客页表的访问。 该系统可以包括翻译后备缓冲器（TLB），以维护将一个或多个客户线性地址（GLA）锁定到一个或多个允许的访客物理地址（GPA）的策略; 页面处理器，用于根据访客页表更新TLB; 以及页表编辑控制（PTEC）模块，用于：识别将与所述策略相关联的GLA映射到第一GPA的所述访客页表的条目; 验证映射是否符合策略; 并且基于验证，应用于VM访客和页面移动处理器的受限辅助功能，将访客页面表放入多个受限访问状态之一。