-
1.
Publication No.: US20240220297A1
Publication date: 2024-07-04
Application No.: US18090740
Filing date: 2022-12-29
Inventors: David Kaplan, Jelena Ilic, Nippon Raval, Philip Ng
IPC classification: G06F9/455
CPC classification: G06F9/45558, G06F9/45545, G06F2009/45579, G06F2009/45587
Abstract: Techniques for implementing programmable control by a guest virtual machine (VM) of interrupts at a processing system using a guest-owned backing page are disclosed. The VM programs a guest-owned backing page (e.g., a data structure in memory) that designates particular interrupts that are to be blocked. In response to detecting a designated interrupt, system hardware or software blocks the interrupt rather than executing an interrupt handler to process it. The VM is thereby able to protect confidential information and program behavior with less risk of a malicious hypervisor failing to protect the VM from, e.g., unexpected or unwanted interrupts, thereby improving overall system security and predictability.
-
2.
Publication No.: US11860797B2
Publication date: 2024-01-02
Application No.: US17565666
Filing date: 2021-12-30
IPC classification: G06F13/10, G06F12/084, G06F12/1081
CPC classification: G06F13/102, G06F12/084, G06F12/1081, G06F2212/603
Abstract: Restricting peripheral device protocols in confidential compute architectures, the method including: receiving a first address translation request from a peripheral device supporting a first protocol, wherein the first protocol supports cache coherency between the peripheral device and a processor cache; determining that a confidential compute architecture is enabled; and providing, in response to the first address translation request, a response including an indication to the peripheral device not to use the first protocol.
-
3.
Publication No.: US20220283946A1
Publication date: 2022-09-08
Application No.: US17189844
Filing date: 2021-03-02
Inventors: Philip Ng, Nippon Raval, BuHeng Xu, Rostislav S. Dobrin, Shawn Han
IPC classification: G06F12/0831, G06F12/02, G06F12/1009, G06F13/16, G06F13/24
Abstract: Methods, systems, and apparatuses provide support for multiple address spaces in order to facilitate data movement. One system includes a host processor; a memory; a data fabric coupled to the host processor and to the memory; a first input/output memory management unit (IOMMU) and a second IOMMU, each of the first and second IOMMUs coupled to the data fabric; a first root port and a second root port, each of the first and second root ports coupled to a corresponding IOMMU of the first and second IOMMUs; and a first peripheral component endpoint and a second peripheral component endpoint, each of the first and second peripheral component endpoints coupled to a corresponding root port of the first and second root ports, wherein each of the first and second root ports comprises hardware control logic operative to: synchronize the first and second root ports.
-
4.
Publication No.: US20240220429A1
Publication date: 2024-07-04
Application No.: US18090601
Filing date: 2022-12-29
CPC classification: G06F13/28, G06F9/45558, G06F21/57, G06F2009/45579, G06F2009/45587
Abstract: A processor supports managing DMA accesses, in secure fashion, at an IOMMU. The IOMMU is configured to ensure that, for a given DMA request issued by an I/O device and associated with a particular executing VM, the device is bound to the VM according to a specified security registration process, and the request is targeted to a region of memory that has been assigned to the VM. The IOMMU thus prevents a malicious entity from accessing confidential information of a VM via DMA requests.
-
5.
Publication No.: US20240220417A1
Publication date: 2024-07-04
Application No.: US18090631
Filing date: 2022-12-29
Inventors: David Kaplan, Jelena Ilic, Nippon Raval, Philip Ng
IPC classification: G06F12/1036
CPC classification: G06F12/1036, G06F2212/1052
Abstract: A computing device comprises a processor, a table walker, and a memory storing a segmented reverse map table in multiple non-contiguous portions of the memory. The table walker is configured to translate a virtual memory address specified by a memory access request to a physical memory address associated with the virtual memory address, and to provide a requester associated with the memory access request with access to the associated physical memory address in response to an indication at the reverse map table that the requester is authorized to access the associated physical memory address.
-
6.
Publication No.: US10509736B2
Publication date: 2019-12-17
Application No.: US15949940
Filing date: 2018-04-10
Inventors: Nippon Raval, David A. Kaplan, Philip Ng
IPC classification: G06F12/10, G06F12/14, G06F12/1027, G06F12/1009, G06F9/455, G06F12/1081, G06F12/109, G06F12/1018
Abstract: An input-output (IO) memory management unit (IOMMU) uses a reverse map table (RMT) to ensure that address translations acquired from a nested page table are correct and that IO devices are permitted to access pages in a memory when performing memory accesses in a computing device. A translation lookaside buffer (TLB) flushing mechanism is used to invalidate address translation information in TLBs that are affected by changes in the RMT. A modified Address Translation Caching (ATC) mechanism may be used, in which only partial address translation information is provided to IO devices so that the RMT is checked when performing memory accesses for the IO devices using the cached address translation information.
-
7.
Publication No.: US20240289151A1
Publication date: 2024-08-29
Application No.: US18113912
Filing date: 2023-02-24
IPC classification: G06F9/455
CPC classification: G06F9/45558, G06F2009/45579, G06F2009/45583, G06F2009/45587
Abstract: A processor configured to execute one or more virtual machines (VMs) includes an input-output memory management unit (IOMMU) configured to handle memory-mapped input-output (MMIO) requests and direct memory access (DMA) requests from a processor core of the processor or one or more input/output (I/O) devices. In response to receiving an MMIO or DMA request, the IOMMU is configured to determine a VM associated with the request. The IOMMU then checks a security indicator field of an address space identifier (ASID) mask table to determine whether the VM was previously the target of an attack by a malicious entity. In response to the VM previously having been a target of an attack, the IOMMU denies the received MMIO or DMA request.
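The following is an added example, not code from any of these patents or from their assignee: a C software model of the IOMMU-side checks that the abstracts above describe in combination, i.e. the device-to-VM binding of US20240220429A1, the segmented reverse map table of US20240220417A1 as used by an IOMMU in US10509736B2, and the per-ASID security indicator of US20240289151A1. The structure layouts, field names, verdict codes, the two-segment RMT, the device bindings and the nested-page-table stand-in are all assumptions constructed for illustration. The point it makes is the one the abstracts make: the hypervisor controls the nested page table, so a device's translated address is only trusted after the RMT confirms that the page is assigned to the requesting VM and mapped from the guest physical address the device asked for.

```c
/* Added example, not from the patents or any vendor: a software model of an
 * IOMMU checking a DMA request against a device binding, a per-ASID security
 * indicator and a segmented reverse map table (RMT). All layouts are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_SHIFT 12
#define PAGE_MASK  ((uint64_t)(1u << PAGE_SHIFT) - 1)
#define MAX_ASIDS  4

enum verdict {
    ALLOW = 0,
    DENY_UNBOUND_DEVICE, /* device was never registered to a VM */
    DENY_ASID_FLAGGED,   /* VM's security indicator says it was attacked */
    DENY_UNMAPPED,       /* nested page table has no mapping for the GPA */
    DENY_NO_RMT_ENTRY,   /* SPA lies outside every RMT segment */
    DENY_RMT_MISMATCH    /* RMT owner/GPA disagree with the translation */
};

/* One RMT entry, indexed by system physical page: who owns the page and
 * which guest physical address it may be mapped from. */
struct rmt_entry { bool assigned, validated; uint32_t asid; uint64_t gpa; };

/* Segmented RMT: each segment covers a contiguous SPA range, but the
 * segments themselves need not be contiguous in memory. */
struct rmt_segment { uint64_t spa_base; size_t npages; const struct rmt_entry *entries; };

struct dev_binding { uint16_t devid; uint32_t asid; }; /* written by the security processor */

struct iommu {
    const struct rmt_segment *segs; size_t nsegs;
    const struct dev_binding *devs; size_t ndevs;
    bool asid_attacked[MAX_ASIDS];                      /* ASID mask table indicator */
    uint64_t (*translate)(uint32_t asid, uint64_t gpa); /* nested walk: SPA page or 0 */
};

static const struct rmt_entry *rmt_lookup(const struct iommu *io, uint64_t spa)
{
    for (size_t i = 0; i < io->nsegs; i++) {
        const struct rmt_segment *s = &io->segs[i];
        uint64_t end = s->spa_base + ((uint64_t)s->npages << PAGE_SHIFT);
        if (spa >= s->spa_base && spa < end)
            return &s->entries[(spa - s->spa_base) >> PAGE_SHIFT];
    }
    return NULL;
}

enum verdict iommu_check_dma(const struct iommu *io, uint16_t devid,
                             uint64_t gpa, uint64_t *spa_out)
{
    const struct dev_binding *b = NULL;
    for (size_t i = 0; i < io->ndevs; i++)
        if (io->devs[i].devid == devid) { b = &io->devs[i]; break; }
    if (!b) return DENY_UNBOUND_DEVICE;
    if (b->asid >= MAX_ASIDS || io->asid_attacked[b->asid]) return DENY_ASID_FLAGGED;

    uint64_t spa_page = io->translate(b->asid, gpa & ~PAGE_MASK);
    if (!spa_page) return DENY_UNMAPPED;

    /* The hypervisor owns the nested page table; the RMT is the check that it
     * did not alias this VM's GPA onto a page belonging to someone else. */
    const struct rmt_entry *e = rmt_lookup(io, spa_page);
    if (!e) return DENY_NO_RMT_ENTRY;
    if (!e->assigned || !e->validated || e->asid != b->asid || e->gpa != (gpa & ~PAGE_MASK))
        return DENY_RMT_MISMATCH;

    *spa_out = spa_page | (gpa & PAGE_MASK);
    return ALLOW;
}

/* ---- constructed sample topology, not taken from any real system ---- */
static const struct rmt_entry seg_a[2] = {
    { true, true, 1, 0x1000 }, /* SPA 0x40000000: VM 1, GPA 0x1000 */
    { true, true, 1, 0x3000 }, /* SPA 0x40001000: VM 1, GPA 0x3000 */
};
static const struct rmt_entry seg_b[1] = {
    { true, true, 2, 0x2000 }, /* SPA 0x80000000: VM 2, GPA 0x2000 */
};
static const struct rmt_segment sample_segs[] = { { 0x40000000, 2, seg_a }, { 0x80000000, 1, seg_b } };
static const struct dev_binding sample_devs[] = { { 0x10, 1 }, { 0x30, 2 } };

/* Hypervisor-written nested page table stand-in. (1, 0x2000) is a malicious
 * alias: VM 1's GPA 0x2000 is pointed at the page the RMT assigns to VM 2. */
static uint64_t npt_translate(uint32_t asid, uint64_t gpa)
{
    if (asid == 1 && gpa == 0x1000) return 0x40000000;
    if (asid == 1 && gpa == 0x3000) return 0x40001000;
    if (asid == 1 && gpa == 0x2000) return 0x80000000; /* alias */
    if (asid == 2 && gpa == 0x2000) return 0x80000000;
    if (asid == 1 && gpa == 0x9000) return 0xC0000000; /* no RMT segment there */
    return 0;
}

/* Scenarios 0..5 against the sample model; VM 2 is flagged as previously attacked. */
enum verdict scenario(int which, uint64_t *spa)
{
    struct iommu io = { sample_segs, 2, sample_devs, 2, { false, false, true, false }, npt_translate };
    uint64_t scratch;
    if (!spa) spa = &scratch;
    switch (which) {
    case 0:  return iommu_check_dma(&io, 0x10, 0x1ABC, spa); /* honest DMA      */
    case 1:  return iommu_check_dma(&io, 0x10, 0x2000, spa); /* aliased page    */
    case 2:  return iommu_check_dma(&io, 0x20, 0x1000, spa); /* unbound device  */
    case 3:  return iommu_check_dma(&io, 0x30, 0x2000, spa); /* flagged VM      */
    case 4:  return iommu_check_dma(&io, 0x10, 0x9000, spa); /* outside the RMT */
    default: return iommu_check_dma(&io, 0x10, 0x5000, spa); /* unmapped GPA    */
    }
}

/* Translated SPA for a scenario, or 0 when the request was denied. */
uint64_t scenario_spa(int which) { uint64_t spa = 0; scenario(which, &spa); return spa; }
```

Calling `scenario(0, NULL)` returns `ALLOW` with `scenario_spa(0)` equal to 0x40000ABC; scenario 1 is the aliasing case and returns `DENY_RMT_MISMATCH` even though the nested page table walk succeeded, which is exactly the gap the RMT closes. Scenario 3 would be allowed on the translation alone and is refused only because of the ASID security indicator. The ATC variant in US10509736B2 corresponds, in this model, to running the RMT lookup again on the translated request rather than trusting a cached SPA the device presents; the flushing requirement in the same abstract follows from that, since a cached translation must not outlive a change to the RMT entry it was checked against.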
-
8.
Publication No.: US20240220296A1
Publication date: 2024-07-04
Application No.: US18090605
Filing date: 2022-12-29
IPC classification: G06F9/455, G06F12/1081
CPC classification: G06F9/45558, G06F12/1081, G06F2009/45587
Abstract: A processor manages memory-mapped input/output (MMIO) accesses, in secure fashion, at an input/output memory management unit (IOMMU). The processor is configured to ensure that, for a given MMIO request issued by a processor core and associated with a particular executing VM, the request is targeted to an MMIO address that has been assigned to the VM by a security module (e.g., a security co-processor). The processor thus prevents a malicious entity from accessing confidential information of a VM via MMIO requests.
-
9.
Publication No.: US20240289150A1
Publication date: 2024-08-29
Application No.: US18113655
Filing date: 2023-02-24
CPC classification: G06F9/45558, G06F13/4221, G06F2009/45579, G06F2213/0026
Abstract: A processor includes a security processor and an input-output memory management unit (IOMMU). The security processor is configured to maintain device control information in a secure data structure and to prevent a hypervisor from accessing the secure data structure. The IOMMU is configured to process at least one device request from an input/output device targeting a virtual machine based on the secure data structure.
-
10.
Publication No.: US11550722B2
Publication date: 2023-01-10
Application No.: US17189844
Filing date: 2021-03-02
Inventors: Philip Ng, Nippon Raval, BuHeng Xu, Rostislav S. Dobrin, Shawn Han
IPC classification: G06F12/00, G06F12/0831, G06F12/02, G06F13/24, G06F13/16, G06F12/1009
Abstract: Methods, systems, and apparatuses provide support for multiple address spaces in order to facilitate data movement. One system includes a host processor; a memory; a data fabric coupled to the host processor and to the memory; a first input/output memory management unit (IOMMU) and a second IOMMU, each of the first and second IOMMUs coupled to the data fabric; a first root port and a second root port, each of the first and second root ports coupled to a corresponding IOMMU of the first and second IOMMUs; and a first peripheral component endpoint and a second peripheral component endpoint, each of the first and second peripheral component endpoints coupled to a corresponding root port of the first and second root ports, wherein each of the first and second root ports comprises hardware control logic operative to: synchronize the first and second root ports.
-