-
Publication No.: US10223121B2
Publication date: 2019-03-05
Application No.: US15388744
Filing date: 2016-12-22
Applicant: Intel Corporation
Inventors: Ido Ouziel, Raanan Sade, Jacob Doweck
Abstract: A processor includes a decoder, a data return buffer, and an execution unit. The decoder is to decode an instruction for a non-posted load into a decoded instruction for loading data from memory mapped input/output. The execution unit is for executing the decoded instruction. The execution is to start a timer, determine whether the timer exceeds a timeout threshold, allocate an entry in the data return buffer for the load, and determine whether an event arrived. The timer is to measure an amount of time taken to return the non-posted load instruction. The determination whether an event arrived is made in response to at least one of the allocation of the entry for the load, or a determination that the timer exceeds the timeout threshold.
-
Publication No.: US20190042671A1
Publication date: 2019-02-07
Application No.: US15844529
Filing date: 2017-12-16
Applicant: Intel Corporation
Inventors: Dror Caspi, Ido Ouziel
IPC classification: G06F17/50, G06F12/1009
Abstract: Technologies are provided in embodiments including a memory element to store a payload indicating an action to be performed associated with a remote action request (RAR) and a remote action handler circuit to identify the action to be performed, where the action includes invalidating one or more entries of a translation lookaside buffer (TLB), determine that the logical processor entered an enclave mode during a prior epoch, perform one or more condition checks on control and state pages of the enclave mode, and based on results of the one or more condition checks, adjust one or more variables associated with the logical processor to simulate the logical processor re-entering the enclave mode. Specific embodiments include the remote action handler circuit to invalidate an entry of the TLB based, at least in part, on the results of the one or more condition checks.
-
Publication No.: US20180181393A1
Publication date: 2018-06-28
Application No.: US15388744
Filing date: 2016-12-22
Applicant: Intel Corporation
Inventors: Ido Ouziel, Raanan Sade, Jacob Doweck
IPC classification: G06F9/30
CPC classification: G06F9/30043, G06F9/30189, G06F9/383, G06F9/3855, G06F9/3857, G06F9/4837, G06F9/485, G06F9/4887, G06F13/00
Abstract: A processor includes a decoder, a data return buffer, and an execution unit. The decoder is to decode an instruction for a non-posted load into a decoded instruction for loading data from memory mapped input/output. The execution unit is for executing the decoded instruction. The execution is to start a timer, determine whether the timer exceeds a timeout threshold, allocate an entry in the data return buffer for the load, and determine whether an event arrived. The timer is to measure an amount of time taken to return the non-posted load instruction. The determination whether an event arrived is made in response to at least one of the allocation of the entry for the load, or a determination that the timer exceeds the timeout threshold.
-
Publication No.: US09792222B2
Publication date: 2017-10-17
Application No.: US14317571
Filing date: 2014-06-27
Applicant: Intel Corporation
Inventors: Ravi L. Sahita, Gilbert Neiger, David M. Durham, Vedvyas Shanbhogue, Michael Lemay, Ido Ouziel, Stanislav Shwartsman, Barry Huntley, Andrew V. Anderson
IPC classification: G06F12/10, G06F12/14, G06F9/455, G06F12/1009
CPC classification: G06F12/1009, G06F9/45558, G06F12/145, G06F2009/45583, G06F2009/45587, G06F2212/651, G06F2212/657, Y02D10/13
Abstract: Systems and methods for validating virtual address translation. An example processing system comprises: a processing core to execute a first application associated with a first privilege level and a second application associated with a second privilege level, wherein a first set of privileges associated with the first privilege level includes a second set of privileges associated with the second privilege level; and an address validation component to validate, in view of an address translation data structure maintained by the first application, a mapping of a first address defined in a first address space of the second application to a second address defined in a second address space of the second application.
-
Publication No.: US12021980B2
Publication date: 2024-06-25
Application No.: US17465311
Filing date: 2021-09-02
Applicant: Intel Corporation
Inventors: Ido Ouziel, Arie Aharon, Dror Caspi, Baruch Chaikin, Jacob Doweck, Gideon Gerzon, Barry E. Huntley, Francis X. McKeen, Gilbert Neiger, Carlos V. Rozas, Ravi L. Sahita, Vedvyas Shanbhogue, Assaf Zaltsman
IPC classification: H04L9/08, G06F9/455, G06F12/1009, G06F21/60, G06F21/62
CPC classification: H04L9/088, G06F9/45558, G06F12/1009, G06F21/602, G06F21/62, G06F2009/45583, G06F2009/45587, G06F2212/1044, G06F2212/657
Abstract: A processor includes a processor core. A register of the core is to store: a bit range for a number of address bits of physical memory addresses used for key identifiers (IDs), and a first key ID to identify a boundary between non-restricted key IDs and restricted key IDs of the key identifiers. A memory controller is to: determine, via access to bit range and the first key ID in the register, a key ID range of the restricted key IDs within the physical memory addresses; access a processor state that a first logical processor of the processor core executes in an untrusted domain mode; receive a memory transaction, from the first logical processor, including an address associated with a second key ID; and generate a fault in response to a determination that the second key ID is within a key ID range of the restricted key IDs.
-
Publication No.: US11775447B2
Publication date: 2023-10-03
Application No.: US17450597
Filing date: 2021-10-12
Applicant: Intel Corporation
Inventors: David M. Durham, Siddhartha Chhabra, Amy L. Santoni, Gilbert Neiger, Barry E. Huntley, Hormuzd M. Khosravi, Baiju V. Patel, Ravi L. Sahita, Gideon Gerzon, Ido Ouziel, Ioannis T. Schoinas, Rajesh M. Sankaran
CPC classification: G06F12/1408, G06F3/0623, G06F12/145, G06F21/53, G06F21/602, G06F21/78, G06F21/82, G06F2212/1052, G06F2212/401, G06F2212/402
Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.
-
Publication No.: US20210224202A1
Publication date: 2021-07-22
Application No.: US17222722
Filing date: 2021-04-05
Applicant: Intel Corporation
Inventors: Siddhartha Chhabra, Hormuzd M. Khosravi, Gideon Gerzon, Barry E. Huntley, Gilbert Neiger, Ido Ouziel, Baiju Patel, Ravi L. Sahita, Amy L. Santoni, Ioannis T. Schoinas
Abstract: In one embodiment, an apparatus comprises a processor to execute instruction(s), wherein the instructions comprise a memory access operation associated with a memory location of a memory. The apparatus further comprises a memory encryption controller to: identify the memory access operation; determine that the memory location is associated with a protected domain, wherein the protected domain is associated with a protected memory region of the memory, and wherein the protected domain is identified from a plurality of protected domains associated with a plurality of protected memory regions of the memory; identify an encryption key associated with the protected domain; perform a cryptography operation on data associated with the memory access operation, wherein the cryptography operation is performed based on the encryption key associated with the protected domain; and return a result of the cryptography operation, wherein the result is to be used for the memory access operation.
-
Publication No.: US20210200858A1
Publication date: 2021-07-01
Application No.: US16729340
Filing date: 2019-12-28
Applicant: Intel Corporation
Inventors: Dror Caspi, Vedvyas Shanbhogue, Ido Ouziel, Francis McKeen, Baruch Chaikin, Carlos V. Rozas
IPC classification: G06F21/53
Abstract: Embodiments of processors, methods, and systems for executing code in a protected memory container by a trust domain are disclosed. In an embodiment, a processor includes a memory controller to enable creation of a trust domain and a core to enable the trust domain to execute code in a protected memory container.
-
Publication No.: US10216662B2
Publication date: 2019-02-26
Application No.: US14866933
Filing date: 2015-09-26
Applicant: Intel Corporation
Inventors: Michael Mishaeli, Ido Ouziel, Baruch Chaikin, Yoav Zach
IPC classification: G06F13/24, G06F12/1027, G06F12/0891
Abstract: Embodiments of systems, apparatuses, and methods for remote action handling are described. In an embodiment, a hardware apparatus comprises: a first register to store a memory address of a payload corresponding to an action to be performed associated with a remote action request (RAR) interrupt, a second register to store a memory address of an action list accessible by a plurality of processors, and a remote action handler circuit to identify a received RAR interrupt, perform an action of the received RAR interrupt, and signal acknowledgment to an initiating processor upon completion of the action.
-
Publication No.: US20230315857A1
Publication date: 2023-10-05
Application No.: US18131199
Filing date: 2023-04-05
Applicant: Intel Corporation
Inventors: Ravi L. Sahita, Baiju V. Patel, Barry E. Huntley, Gilbert Neiger, Hormuzd M. Khosravi, Ido Ouziel, David M. Durham, Ioannis T. Schoinas, Siddhartha Chhabra, Carlos V. Rozas, Gideon Gerzon
CPC classification: G06F21/57, G06F21/6218, G06F12/1408, H04L9/0618, H04L63/061, G06F21/53, G06F21/71, G06F21/79, G06F2009/45587
Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.