公开(公告)号：US20070192577A1

公开(公告)日：2007-08-16

申请号：US11340181

申请日：2006-01-24

申请人： Michael Kozuch ,  James Sutton ,  David Grawrock ,  Gilbert Neiger ,  Richard Uhlig ,  Bradley Burgess ,  David Poisner ,  Clifford Hall ,  Andy Glew ,  Lawrence Smith ,  Robert George

发明人： Michael Kozuch ,  James Sutton ,  David Grawrock ,  Gilbert Neiger ,  Richard Uhlig ,  Bradley Burgess ,  David Poisner ,  Clifford Hall ,  Andy Glew ,  Lawrence Smith ,  Robert George

IPC分类号： G06F15/177

CPC分类号： G06F21/57

摘要： An apparatus and method for unilaterally loading a secure operating system within a multiprocessor environment are described. The method includes disregarding a received load secure region instruction when a currently active load secure region operation is detected. Otherwise, a memory protection element is directed, in response to the received load secure region instruction, to form a secure memory environment. Once directed, unauthorized read/write access to one or more protected memory regions are prohibited. Finally, a cryptographic hash value of the one or more protected memory regions is stored within a digest information repository as a secure software identification value. Once stored, outside agents may request access to a digitally signed software identification value to establish security verification of secure software within the secure memory environment.

摘要翻译： 描述了在多处理器环境内单方面加载安全操作系统的装置和方法。 该方法包括当检测到当前活动的负载安全区域操作时忽略接收到的负载安全区域指令。 否则，响应于接收到的负载安全区域指令，引导存储器保护元件以形成安全存储器环境。 一旦定向，就禁止对一个或多个受保护的存储器区域进行未经授权的读/写访问。 最后，一个或多个受保护的存储器区域的加密散列值作为安全的软件识别值存储在摘要信息库中。 一旦存储，外部代理可以请求访问数字签名的软件标识值以建立安全存储器环境内的安全软件的安全验证。

公开(公告)号：US07254707B2

公开(公告)日：2007-08-07

申请号：US11203538

申请日：2005-08-12

申请人： Howard C. Herbert ,  David W. Grawrock ,  Carl M. Ellison ,  Roger A. Golliver ,  Derrick C. Lin ,  Francis X. McKeen ,  Gilbert Neiger ,  Ken Reneris ,  James A. Sutton ,  Shreekant S. Thakkar ,  Millind Mittal

发明人： Howard C. Herbert ,  David W. Grawrock ,  Carl M. Ellison ,  Roger A. Golliver ,  Derrick C. Lin ,  Francis X. McKeen ,  Gilbert Neiger ,  Ken Reneris ,  James A. Sutton ,  Shreekant S. Thakkar ,  Millind Mittal

IPC分类号： H04L9/00

CPC分类号： G06F21/305 ,  G06F9/30189 ,  G06F12/1491 ,  G06F21/35 ,  G06F21/53 ,  G06F21/57 ,  G06F21/575 ,  G06F21/64 ,  G06F21/74 ,  G06F2221/2101 ,  G06F2221/2103 ,  G06F2221/2105 ,  G06F2221/2149

摘要： In one embodiment, a method of attestation involves a special mode of operation. The method comprises storing an audit log within protected memory of a platform. The audit log is a listing of data representing one or more software modules loaded into the platform. The audit log is retrieved from the protected memory in response to receiving an attestation request. Then, the retrieved audit log is digitally signed to produce a digital signature in response to the attestation request.

摘要翻译： 在一个实施例中，认证方法涉及特殊的操作模式。 该方法包括将审核日志存储在平台的受保护的存储器内。 审计日志是表示加载到平台中的一个或多个软件模块的数据列表。 响应于接收到认证请求，从受保护的存储器检索审核日志。 然后，检索的审核日志被数字签名以响应于认证请求产生数字签名。

公开(公告)号：US20070157197A1

公开(公告)日：2007-07-05

申请号：US11323114

申请日：2005-12-30

申请人： Gilbert Neiger ,  Rajesh Madukkarumukumana ,  Richard Uhlig ,  Udo Steinberg ,  Sebastian Schoenberg ,  Sridhar Muthrasanallur ,  Steven Bennett ,  Andrew Anderson ,  Erik Cota-Robles

发明人： Gilbert Neiger ,  Rajesh Madukkarumukumana ,  Richard Uhlig ,  Udo Steinberg ,  Sebastian Schoenberg ,  Sridhar Muthrasanallur ,  Steven Bennett ,  Andrew Anderson ,  Erik Cota-Robles

IPC分类号： G06F9/455

CPC分类号： G06F13/24 ,  G06F9/45533 ,  G06F9/4812

摘要： Embodiments of apparatuses, methods, and systems for delivering an interrupt to a virtual processor are disclosed. In one embodiment, an apparatus includes an interface to receive an interrupt request, delivery logic, and exit logic. The delivery logic is to determine, based on an attribute of the interrupt request, whether the interrupt request is to be delivered to the virtual processor. The exit logic is to transfer control to a host if the delivery logic determines that the interrupt request is not to be delivered to the virtual processor.

摘要翻译： 公开了用于向虚拟处理器递送中断的装置，方法和系统的实施例。 在一个实施例中，装置包括用于接收中断请求，传递逻辑和退出逻辑的接口。 交付逻辑是基于中断请求的属性来确定中断请求是否被传送到虚拟处理器。 如果传递逻辑确定中断请求不被传送到虚拟处理器，则出口逻辑是将控制传送到主机。

公开(公告)号：US07237051B2

公开(公告)日：2007-06-26

申请号：US10676887

申请日：2003-09-30

申请人： Steven M. Bennett ,  Erik Cota-Robles ,  Stalinselvaraj Jeyasingh ,  Gilbert Neiger ,  Richard Uhlig

发明人： Steven M. Bennett ,  Erik Cota-Robles ,  Stalinselvaraj Jeyasingh ,  Gilbert Neiger ,  Richard Uhlig

IPC分类号： G06F9/46

CPC分类号： G06F9/4812 ,  G06F9/45533

摘要： In one embodiment, a method includes recognizing an interrupt pending during an operation of guest software, determining that the interrupt is to cause a transition of control to a virtual machine monitor (VMM), determining whether the interrupt is to be acknowledged prior to the transition of control to the VMM, and if the interrupt is to be acknowledged, acknowledging the interrupt and transitioning control to the VMM.

摘要翻译： 在一个实施例中，一种方法包括在访客软件的操作期间识别中断等待，确定该中断将导致对虚拟机监视器（VMM）的控制转换，确定在转换之前中断是否被确认 控制到VMM，如果要确认中断，确认中断并将控制转换到VMM。

公开(公告)号：US07127548B2

公开(公告)日：2006-10-24

申请号：US10124641

申请日：2002-04-16

申请人： Steve Bennett ,  Andrew V. Anderson ,  Erik Cota-Robles ,  Stalinselvaraj Jeyasingh ,  Alain Kagi ,  Gilbert Neiger ,  Richard Uhlig ,  Michael A. Kozuch

发明人： Steve Bennett ,  Andrew V. Anderson ,  Erik Cota-Robles ,  Stalinselvaraj Jeyasingh ,  Alain Kagi ,  Gilbert Neiger ,  Richard Uhlig ,  Michael A. Kozuch

IPC分类号： G06F12/00

CPC分类号： G06F9/45533 ,  G06F9/468

摘要： In one embodiment, a command pertaining to one or more portions of a register is received from guest software. Further, a determination is made as to whether the guest software has access to all of the requested portions of the register based on indicators within a mask field that correspond to the requested portions of the register. If the guest software has access to all of the requested portions of the register, the command received from the guest software is executed on the requested portions of the register.

公开(公告)号：US07111176B1

公开(公告)日：2006-09-19

申请号：US09538954

申请日：2000-03-31

申请人： Carl M. Ellison ,  Roger A. Golliver ,  Howard C. Herbert ,  Derrick C. Lin ,  Francis X. McKeen ,  Gilbert Neiger ,  Ken Reneris ,  James A. Sutton ,  Shreekant S. Thakkar ,  Millind Mittal

发明人： Carl M. Ellison ,  Roger A. Golliver ,  Howard C. Herbert ,  Derrick C. Lin ,  Francis X. McKeen ,  Gilbert Neiger ,  Ken Reneris ,  James A. Sutton ,  Shreekant S. Thakkar ,  Millind Mittal

IPC分类号： G06F17/00

CPC分类号： G06F12/1491 ,  G06F21/71 ,  G06F2221/2105

摘要： The present invention is a method and apparatus to generates an isolated bus cycle for a transaction in a processor. A configuration storage contains configuration parameters to configure a processor in one of a normal execution mode and an isolated execution mode. An access generator circuit generates an isolated access signal using at least one of the isolated area parameters and access information in the transaction. The isolated access signal is asserted when the processor is configured in the isolated execution mode. A bus cycle decoder generates an isolated bus cycle corresponding to a destination in the transaction using the asserted isolated access signal and the access information.

摘要翻译： 本发明是一种用于为处理器中的事务生成隔离总线周期的方法和装置。 配置存储包含用于将处理器配置为正常执行模式和隔离执行模式之一的配置参数。 访问发生器电路使用交易中的隔离区域参数和访问信息中的至少一个来生成隔离访问信号。 当处理器配置为隔离执行模式时，隔离访问信号被断言。 总线周期解码器使用断言的隔离访问信号和访问信息来生成对应于交易中的目的地的隔离总线周期。

公开(公告)号：US07085935B1

公开(公告)日：2006-08-01

申请号：US09668408

申请日：2000-09-22

申请人： Carl M. Ellison ,  Roger A. Golliver ,  Howard C. Herbert ,  Derrick C. Lin ,  Francis X. McKeen ,  Gilbert Neiger ,  Ken Reneris ,  James A. Sutton ,  Shreekant S. Thakkar ,  Millind Mittal

发明人： Carl M. Ellison ,  Roger A. Golliver ,  Howard C. Herbert ,  Derrick C. Lin ,  Francis X. McKeen ,  Gilbert Neiger ,  Ken Reneris ,  James A. Sutton ,  Shreekant S. Thakkar ,  Millind Mittal

IPC分类号： G08F13/14

CPC分类号： G06F12/1491

摘要： A chipset is initialized in a secure environment for an isolated execution mode by an initialization storage. The secure environment has a plurality of executive entities and is associated with an isolated memory area accessible by at least one processor. The at least one processor has a plurality of threads and operates in one of a normal execution mode and the isolated execution mode. The executive entities include a processor executive (PE) handler. PE handler data corresponding to the PE handler are stored in a PE handler storage. The PE handler data include a PE handler image to be loaded into the isolated memory area after the chipset is initialized. The loaded PE handler image corresponds to the PE handler.

公开(公告)号：US07073042B2

公开(公告)日：2006-07-04

申请号：US10319900

申请日：2002-12-12

申请人： Richard Uhlig ,  Gilbert Neiger ,  Erik Cota-Robles ,  Stalinselvaraj Jeyasingh ,  Alain Kagi ,  Michael Kozuch ,  Steven M Bennett

发明人： Richard Uhlig ,  Gilbert Neiger ,  Erik Cota-Robles ,  Stalinselvaraj Jeyasingh ,  Alain Kagi ,  Michael Kozuch ,  Steven M Bennett

IPC分类号： G06F12/10

CPC分类号： G06F12/145 ,  G06F12/1027 ,  G06F12/1036 ,  G06F12/109

摘要： In one embodiment, when it is determined that a modification of content of an active address translation data structure is required, an entry in the active address translation data structure is modified to conform to a corresponding entry in a guest address translation data structure. During the modification, a bit field including one or more access control indicators in the entry of the active address translation data structure is not overwritten with corresponding data from the guest address translation data structure.

摘要翻译： 在一个实施例中，当确定需要修改活动地址转换数据结构的内容时，修改活动地址转换数据结构中的条目以符合访客地址转换数据结构中的对应条目。 在修改期间，包含活动地址转换数据结构条目中的一个或多个访问控制指示符的比特字段不会被来自访客地址转换数据结构的相应数据所覆盖。

公开(公告)号：US07020738B2

公开(公告)日：2006-03-28

申请号：US10676737

申请日：2003-09-30

申请人： Gilbert Neiger ,  Stephen Chou ,  Erik Cota-Robles ,  Stalinselvaraj Jevasingh ,  Alain Kagi ,  Michael Kozuch ,  Richard Uhlig ,  Sebastian Schoenberg

发明人： Gilbert Neiger ,  Stephen Chou ,  Erik Cota-Robles ,  Stalinselvaraj Jevasingh ,  Alain Kagi ,  Michael Kozuch ,  Richard Uhlig ,  Sebastian Schoenberg

IPC分类号： G06F13/00

CPC分类号： G06F9/45558 ,  G06F12/0284 ,  G06F12/109 ,  G06F2009/45583

摘要： One embodiment of the invention is method for resolving address space conflicts between a virtual machine monitor and a guest operating system. The method includes allocating an address space for the operating system and an address space for the monitor. The method also includes mapping a portion of the monitor into the address space allocated for the operating system and the address space allocated for the monitor, and locating another portion of the monitor in the address space allocated for the monitor. The method also includes detecting that the operating system attempts to access a region occupied by the portion of the monitor within the address space allocated for the operating system, and relocating that portion of the monitor within that address space to allow the operating system to access the region previously occupied by that portion of the monitor.

摘要翻译： 本发明的一个实施例是用于解决虚拟机监视器和客户操作系统之间的地址空间冲突的方法。 该方法包括为操作系统分配地址空间和用于监视器的地址空间。 该方法还包括将监视器的一部分映射到为操作系统分配的地址空间和为监视器分配的地址空间，以及将监视器的另一部分定位在为监视器分配的地址空间中。 该方法还包括检测操作系统尝试访问由分配给操作系统的地址空间内的监视器部分占据的区域，以及将该监视器的该部分重新定位在该地址空间内，以允许操作系统访问 以前由监视器的该部分占据的区域。

公开(公告)号：US06996748B2

公开(公告)日：2006-02-07

申请号：US10184798

申请日：2002-06-29

申请人： Richard Uhlig ,  Andrew V. Anderson ,  Steve Bennett ,  Erik Cota-Robles ,  Stalinselvaraj Jeyasingh ,  Alain Kagi ,  Gilbert Neiger

发明人： Richard Uhlig ,  Andrew V. Anderson ,  Steve Bennett ,  Erik Cota-Robles ,  Stalinselvaraj Jeyasingh ,  Alain Kagi ,  Gilbert Neiger

IPC分类号： G06F11/00

CPC分类号： G06F11/0712 ,  G06F11/0751

摘要： In one embodiment, fault information relating to a fault associated with the operation of guest software is received. Further, a determination is made as to whether the fault information satisfies one or more fault filtering criteria. If the determination is positive, the guest software is permitted to disregard the fault.

摘要翻译： 在一个实施例中，接收到与客户软件的操作相关联的故障的故障信息。 此外，确定故障信息是否满足一个或多个故障过滤标准。 如果确定是肯定的，则客户软件被允许忽略该故障。