-
Publication (Announcement) No.: US20240289150A1
Publication (Announcement) Date: 2024-08-29
Application No.: US18113655
Application Date: 2023-02-24
Applicant: ATI TECHNOLOGIES ULC, ADVANCED MICRO DEVICES, INC.
Inventor: Philip Ng, Nippon Raval, Jeremy W. Powell, Donald Matthews, JR., David Kaplan
CPC classification number: G06F9/45558, G06F13/4221, G06F2009/45579, G06F2213/0026
Abstract: A processor includes a security processor and an input-output memory management unit (IOMMU). The security processor is configured to maintain device control information in a secure data structure and prevent a hypervisor from accessing the secure data structure. The IOMMU is configured to process at least one device request targeting a virtual machine from an input/output device based on the secure data structure.
-
Publication (Announcement) No.: US20240289151A1
Publication (Announcement) Date: 2024-08-29
Application No.: US18113912
Application Date: 2023-02-24
Applicant: ATI Technologies ULC, Advanced Micro Devices, Inc.
Inventor: Philip Ng, Nippon Raval, Jeremy W. Powell, Donald Matthews, JR., David Kaplan
IPC: G06F9/455
CPC classification number: G06F9/45558, G06F2009/45579, G06F2009/45583, G06F2009/45587
Abstract: A processor configured to execute one or more virtual machines (VMs) includes an input-output memory management unit (IOMMU) configured to handle memory-mapped input-output (MMIO) requests and direct memory access (DMA) requests from a processor core of the processor or one or more input/output (I/O) devices. In response to receiving an MMIO or DMA request, the IOMMU is configured to determine a VM associated with the request. The IOMMU then checks a security indicator field of an address space identifier (ASID) mask table to determine if the VM was previously the target of an attack by a malicious entity. In response to the VM previously being a target of an attack, the IOMMU denies the received MMIO or DMA request.
-
Publication (Announcement) No.: US20240220296A1
Publication (Announcement) Date: 2024-07-04
Application No.: US18090605
Application Date: 2022-12-29
Applicant: ATI TECHNOLOGIES ULC, ADVANCED MICRO DEVICES, INC.
Inventor: Philip Ng, Nippon Raval, Jeremy W. Powell, Donald Matthews, JR., David Kaplan
IPC: G06F9/455, G06F12/1081
CPC classification number: G06F9/45558, G06F12/1081, G06F2009/45587
Abstract: A processor manages memory-mapped input/output (MMIO) accesses, in secure fashion, at an input/output memory management unit (IOMMU). The processor is configured to ensure that, for a given MMIO request issued by a processor core and associated with a particular executing VM, the request is targeted to an MMIO address that has been assigned to the VM by a security module (e.g., a security co-processor). The processor thus prevents a malicious entity from accessing confidential information of a VM via MMIO requests.
-
Publication (Announcement) No.: US20240220429A1
Publication (Announcement) Date: 2024-07-04
Application No.: US18090601
Application Date: 2022-12-29
Applicant: ATI TECHNOLOGIES ULC, ADVANCED MICRO DEVICES, INC.
Inventor: Philip Ng, Nippon Raval, Jeremy W. Powell, Donald Matthews, JR., David Kaplan
CPC classification number: G06F13/28, G06F9/45558, G06F21/57, G06F2009/45579, G06F2009/45587
Abstract: A processor supports managing DMA accesses, in secure fashion, at an IOMMU. The IOMMU is configured to ensure that, for a given DMA request issued by an I/O device and associated with a particular executing VM, the device is bound to the VM according to a specified security registration process, and the request is targeted to a region of memory that has been assigned to the VM. The IOMMU thus prevents a malicious entity from accessing confidential information of a VM via DMA requests.
-
Publication (Announcement) No.: US20180189190A1
Publication (Announcement) Date: 2018-07-05
Application No.: US15907593
Application Date: 2018-02-28
Applicant: Advanced Micro Devices, Inc.
Inventor: David A. Kaplan, Jeremy W. Powell, Thomas R. Woller
IPC: G06F12/1009, G06F9/455
CPC classification number: G06F12/1009, G06F9/45545, G06F9/45558, G06F12/1018, G06F12/109, G06F2009/45583, G06F2212/1044, G06F2212/151, G06F2212/152, G06F2212/657
Abstract: A computing device that handles address translations is described. The computing device includes a hardware table walker and a memory that stores a reverse map table and a plurality of pages of memory. The table walker is configured to use validated indicators in entries in the reverse map table to determine if page accesses are made to pages for which entries are validated. The table walker is further configured to use virtual machine permission level information in entries in the reverse map table to determine if page accesses for specified operation types are permitted.
-
Publication (Announcement) No.: US10671422B2
Publication (Announcement) Date: 2020-06-02
Application No.: US15685861
Application Date: 2017-08-24
Applicant: Advanced Micro Devices, Inc.
Inventor: David Kaplan, Jeremy W. Powell, Richard Relph
IPC: G06F9/455
Abstract: A security module in a memory access path of a processor of a processing system protects secure information by verifying the contents of memory pages as they transition between one or more virtual machines (VMs) executing at the processor and a hypervisor that provides an interface between the VMs and the processing system's hardware. The security module of the processor is employed to monitor memory pages as they transition between one or more VMs and a hypervisor so that memory pages that have been altered by a hypervisor or other VM cannot be returned to the VM from which they were transitioned.
-
Publication (Announcement) No.: US10169244B2
Publication (Announcement) Date: 2019-01-01
Application No.: US15224302
Application Date: 2016-07-29
Applicant: Advanced Micro Devices, Inc.
Inventor: David A. Kaplan, Jeremy W. Powell, Thomas R. Woller
IPC: G06F12/10, G06F12/1027, G06F12/1009, G06F9/455
Abstract: The described embodiments perform a method for handling memory accesses by virtual machines in a computing device. The described embodiments include a reverse map table (RMT) and a separate guest accessed pages table (GAPT) for each virtual machine. The RMT has a plurality of entries, each entry including information for identifying a virtual machine that is permitted to access an associated page of data in a memory. Each GAPT has a record of pages being accessed by a corresponding virtual machine. During operation, a table walker receives a request from a given virtual machine to translate a guest physical address to a system physical address. The table walker checks at least one of the RMT and a corresponding GAPT to determine whether the given virtual machine has access to a corresponding page. If not, the table walker terminates the translating. Otherwise, the table walker completes the translating.
-
Publication (Announcement) No.: US20170277898A1
Publication (Announcement) Date: 2017-09-28
Application No.: US15081126
Application Date: 2016-03-25
Applicant: Advanced Micro Devices, Inc.
Inventor: Jeremy W. Powell, David A. Kaplan, Jesse D. Larrew, Thomas R. Woller, Joshua Schiffman
CPC classification number: G06F21/602, G06F21/53, G06F21/6209, G06F21/6218
Abstract: A processor employs a security module to manage authentication and encryption keys for the processor. The security module can authenticate itself to other processing systems, such as processing systems providing software to be executed at the processor, can generate keys for encrypting address spaces for the provided software, and can securely import and export information at the encrypted address spaces to and from the processing system. By using a security module that is separate from the processor cores of the processor to perform these security operations, the processing system allows software executing on the processor cores to manage operations based on the authentication and encryption keys without being able to read the keys themselves, thereby preventing unauthorized access by malicious software to the keys.
-
Publication (Announcement) No.: US20240311167A1
Publication (Announcement) Date: 2024-09-19
Application No.: US18122505
Application Date: 2023-03-16
Applicant: Advanced Micro Devices, Inc.
Inventor: Jeremy W. Powell, David Kaplan
IPC: G06F9/455
CPC classification number: G06F9/45558, G06F2009/45579, G06F2009/45587
Abstract: A processor includes a virtual machine manager (VMM) configured to map a guest process address space identifier (PASID) associated with a virtual machine (VM) to a host PASID associated with a host machine of the VM. The processor further includes a processor core configured to maintain, responsive to the guest PASID being mapped to the host PASID, an entry in a PASID reverse mapping table (PMP) including one or more security attributes associated with the host PASID.
-
Publication (Announcement) No.: US20180032447A1
Publication (Announcement) Date: 2018-02-01
Application No.: US15417632
Application Date: 2017-01-27
Applicant: Advanced Micro Devices, Inc.
Inventor: David A. Kaplan, Jeremy W. Powell, Thomas R. Woller
IPC: G06F12/14, G06F12/1009
CPC classification number: G06F12/1425, G06F9/45558, G06F9/52, G06F12/1009, G06F12/1483, G06F2009/45583, G06F2009/45587, G06F2212/1052, G06F2212/151, G06F2212/65, G06F2212/651
Abstract: A table walker receives, from a requesting entity, a request to translate a first address into a second address associated with a page of memory. During a corresponding table walk, when a lock indicator in an entry in a reverse map table (RMT) for the page is set to mark the entry in the RMT as locked, the table walker halts processing the request and performs a remedial action. In addition, when the request is associated with a write access of the page and an immutable indicator in the entry in the RMT is set to mark the page as immutable, the table walker halts processing the request and performs the remedial action. Otherwise, when the entry in the RMT is not locked and the page is not marked as immutable for a write access, the table walker continues processing the request.