Interrupt virtualization
    11.
    Granted patent (in force)
    Interrupt virtualization

    Publication number: US08706941B2

    Publication date: 2014-04-22

    Application number: US13916647

    Filing date: 2013-06-13

    CPC classification number: G06F13/24 G06F9/45558 G06F9/4812 G06F2009/45579

    Abstract: In an embodiment, a device interrupt manager may be configured to receive an interrupt from a device that is assigned to a guest. The device interrupt manager may be configured to transmit an operation targeted to a memory location in a system memory to record the interrupt for a virtual processor within the guest, wherein the interrupt is to be delivered to the targeted virtual processor. In an embodiment, a virtual machine manager may be configured to detect that an interrupt has been recorded by the device interrupt manager for a virtual processor that is not currently executing. The virtual machine manager may be configured to schedule the virtual processor for execution on a hardware processor, or may prioritize the virtual processor for scheduling, in response to the interrupt.


    Interrupt Virtualization
    12.
    Patent application (in force)
    Interrupt Virtualization

    Publication number: US20130275638A1

    Publication date: 2013-10-17

    Application number: US13916647

    Filing date: 2013-06-13

    CPC classification number: G06F13/24 G06F9/45558 G06F9/4812 G06F2009/45579

    Abstract: In an embodiment, a device interrupt manager may be configured to receive an interrupt from a device that is assigned to a guest. The device interrupt manager may be configured to transmit an operation targeted to a memory location in a system memory to record the interrupt for a virtual processor within the guest, wherein the interrupt is to be delivered to the targeted virtual processor. In an embodiment, a virtual machine manager may be configured to detect that an interrupt has been recorded by the device interrupt manager for a virtual processor that is not currently executing. The virtual machine manager may be configured to schedule the virtual processor for execution on a hardware processor, or may prioritize the virtual processor for scheduling, in response to the interrupt.


    Security Framework for Virtual Machines

    Publication number: US20250130844A1

    Publication date: 2025-04-24

    Application number: US18926095

    Filing date: 2024-10-24

    Abstract: A security framework for virtual machines is described. In one or more implementations, a hardware platform comprises physical computer hardware, the physical computer hardware including one or more processing units and one or more memories. The system also includes a virtual machine monitor configured to virtualize the physical computer hardware of the hardware platform to instantiate a plurality of framework-secure virtual machines. Further, the system includes a root framework-secure virtual machine instantiated by the virtual machine monitor. In accordance with the described techniques, the root framework-secure virtual machine is configured to control access to the hardware platform by the framework-secure virtual machines instantiated by the virtual machine monitor.

    System and method for virtualized process isolation including preventing a kernel from accessing user address space

    Publication number: US10459850B2

    Publication date: 2019-10-29

    Application number: US15270231

    Filing date: 2016-09-20

    Inventor: David A. Kaplan

    Abstract: Systems, apparatuses, and methods for implementing virtualized process isolation are disclosed. A system includes a kernel and multiple guest virtual machines (VMs) executing on the system's processing hardware. Each guest VM includes a vShim layer for managing kernel accesses to user space and guest accesses to kernel space. The vShim layer also maintains a set of page tables separate from the kernel page tables. In one embodiment, data in the user space is encrypted and the kernel goes through the vShim layer to access user space data. When the kernel attempts to access a user space address, the kernel exits and the vShim layer is launched to process the request. If the kernel has permission to access the user space address, the vShim layer copies the data to a region in kernel space and then returns execution to the kernel. The vShim layer prevents the kernel from accessing the user space address if the kernel does not have permission to access the user space address. In one embodiment, the kernel space is unencrypted and the user space is encrypted. A state of a guest VM and the vShim layer may be stored in virtual machine control blocks (VMCBs) when exiting the guest VM or vShim layer.

    Method for privileged mode based secure input mechanism
    16.
    Granted patent (in force)
    Method for privileged mode based secure input mechanism

    Publication number: US09471799B2

    Publication date: 2016-10-18

    Application number: US14492786

    Filing date: 2014-09-22

    CPC classification number: G06F21/62 G06F21/606 G06F21/74 G06F21/83

    Abstract: A system and method are disclosed for securely receiving data from an input device coupled to a computing system. The system includes an interface configured to receive data from an input device, a coprocessor, and a host computer, wherein the host computer includes an input handler and a host processor. The host processor is configured to execute code in a normal mode and in a privileged mode. The host processor switches from the normal mode to the secure mode upon data being available from the interface while the host computer is in a secure input mode. The input handler receives the data from the interface and sends the received data to the coprocessor responsive to receiving the data while operating in the secure mode.


    CRYPTOGRAPHIC PROTECTION OF INFORMATION IN A PROCESSING SYSTEM
    17.
    Patent application (in force)
    Cryptographic protection of information in a processing system

    Publication number: US20150248357A1

    Publication date: 2015-09-03

    Application number: US14494643

    Filing date: 2014-09-24

    Abstract: A processor employs a hardware encryption module in the processor's memory access path to cryptographically isolate secure information. In some embodiments, the encryption module is located at a memory controller (e.g. northbridge) of the processor, and each memory access provided to the memory controller indicates whether the access is a secure memory access, indicating the data associated with the memory access is designated for cryptographic protection, or a non-secure memory access. For secure memory accesses, the encryption module performs encryption (for write accesses) or decryption (for read accesses) of the data associated with the memory access.


    Hardware Random Number Generator
    18.
    Patent application (in force)
    Hardware Random Number Generator

    Publication number: US20140195576A1

    Publication date: 2014-07-10

    Application number: US13738899

    Filing date: 2013-01-10

    CPC classification number: G06F7/588

    Abstract: A random number generator may include an input configured to receive a plurality of entropy bits generated by an entropy source of a random number generator, wherein the random number generator is configured to generate a plurality of random numbers; and an entropy health monitor coupled with the input, wherein the entropy health monitor is configured to perform a corrective action based on the plurality of entropy bits.


    Using return address predictor to speed up control stack return address verification

    Publication number: US10768937B2

    Publication date: 2020-09-08

    Application number: US16046949

    Filing date: 2018-07-26

    Abstract: Overhead associated with verifying function return addresses to protect against security exploits is reduced by taking advantage of branch prediction mechanisms for predicting return addresses. More specifically, returning from a function includes popping a return address from a data stack. Well-known security exploits overwrite the return address on the data stack to hijack control flow. In some processors, a separate data structure referred to as a control stack is used to verify the data stack. When a return instruction is executed, the processor issues an exception if the return addresses on the control stack and the data stack are not identical. This overhead can be avoided by taking advantage of the return address stack, which is a data structure used by the branch predictor to predict return addresses. In most situations, if this prediction is correct, the above check does not need to occur, thus reducing the associated overhead.
