公开(公告)号：US20140297962A1

公开(公告)日：2014-10-02

申请号：US13854107

申请日：2013-03-31

申请人： CARLOS V ROZAS ,  ILYA ALEXANDROVICH ,  ITTAI ANATI ,  ALEX BERENZON ,  MICHAEL A GOLDSMITH ,  BARRY E HUNTLEY ,  ANTON IVANOV ,  SIMON P JOHNSON ,  REBEKAH M. LESLIE-HURD ,  FRANCIS X. MCKEEN ,  GILBERT NEIGER ,  RINAT RAPPOPORT ,  SCOTT DION RODGERS ,  UDAY R. SAVAGAONKAR ,  VINCENT R. SCARLATA ,  VEDVYAS SHANBHOGUE ,  WESLEY H SMITH ,  WILLIAM COLIN WOOD

发明人： CARLOS V ROZAS ,  ILYA ALEXANDROVICH ,  ITTAI ANATI ,  ALEX BERENZON ,  MICHAEL A GOLDSMITH ,  BARRY E HUNTLEY ,  ANTON IVANOV ,  SIMON P JOHNSON ,  REBEKAH M. LESLIE-HURD ,  FRANCIS X. MCKEEN ,  GILBERT NEIGER ,  RINAT RAPPOPORT ,  SCOTT DION RODGERS ,  UDAY R. SAVAGAONKAR ,  VINCENT R. SCARLATA ,  VEDVYAS SHANBHOGUE ,  WESLEY H SMITH ,  WILLIAM COLIN WOOD

IPC分类号： G06F12/08 ,  G06F12/10

CPC分类号： G06F12/0875 ,  G06F12/0808 ,  G06F12/1027 ,  G06F2212/1016 ,  G06F2212/402

摘要： Instructions and logic provide advanced paging capabilities for secure enclave page caches. Embodiments include multiple hardware threads or processing cores, a cache to store secure data for a shared page address allocated to a secure enclave accessible by the hardware threads. A decode stage decodes a first instruction specifying said shared page address as an operand, and execution units mark an entry corresponding to an enclave page cache mapping for the shared page address to block creation of a new translation for either of said first or second hardware threads to access the shared page. A second instruction is decoded for execution, the second instruction specifying said secure enclave as an operand, and execution units record hardware threads currently accessing secure data in the enclave page cache corresponding to the secure enclave, and decrement the recorded number of hardware threads when any of the hardware threads exits the secure enclave.

摘要翻译： 说明和逻辑为安全的飞地页面缓存提供了高级分页功能。 实施例包括多个硬件线程或处理核心，用于存储分配给由硬件线程可访问的安全空间的共享页面地址的安全数据的高速缓存。 解码级将指定所述共享页地址的第一指令解码为操作数，并且执行单元标记对应于共享页地址的飞地页高速缓存映射的条目，以阻止所述第一或第二硬件线程中的任一个的新转换的创建 访问共享页面。 第二指令被解码以执行，第二指令指定所述安全飞地作为操作数，并且执行单元记录当前访问与安全飞地相对应的飞地页面缓存中的安全数据的硬件线程，并且当任何 的硬件线程退出安全飞地。

公开(公告)号：US20180004675A1

公开(公告)日：2018-01-04

申请号：US15200796

申请日：2016-07-01

申请人： VEDVYAS SHANBHOGUE ,  ITTAI ANATI ,  FRANCIS X. MCKEEN ,  KRYSTOF C. ZMUDZINSKI ,  MELTEM OZSOY

发明人： VEDVYAS SHANBHOGUE ,  ITTAI ANATI ,  FRANCIS X. MCKEEN ,  KRYSTOF C. ZMUDZINSKI ,  MELTEM OZSOY

IPC分类号： G06F12/1009 ,  G06F12/14 ,  G06F12/0802 ,  G06F3/06

CPC分类号： G06F12/1009 ,  G06F3/0623 ,  G06F3/0631 ,  G06F3/0673 ,  G06F12/1425 ,  G06F12/1475 ,  G06F2212/1052 ,  G06F2212/657

摘要： Apparatuses, methods and storage medium associated with application execution enclave memory page cache management, are disclosed herein. In embodiments, an apparatus may include a processor with processor supports for application execution enclaves; memory organized into a plurality of host physical memory pages; and a virtual machine monitor to be operated by the processor to manage operation of virtual machines. Management of operation of the virtual machines may include facilitation of mapping of virtual machine-physical memory pages of the virtual machines to the host physical memory pages, including maintenance of an unallocated subset of the host physical memory pages to receive increased security protection for selective allocation to the virtual machines, for virtualization and selective allocation to application execution enclaves of applications of the virtual machines. Other embodiments may be described and/or claimed.

公开(公告)号：US20140189261A1

公开(公告)日：2014-07-03

申请号：US13729439

申请日：2012-12-28

申请人： GUR HILDESHEIM ,  SHLOMO RAIKIN ,  ITTAI ANATI ,  GIDEON GERZON ,  HISHAM SHAFI ,  ALEX BERENZON ,  GEOFFREY S. STRONGIN ,  IRIS SORANI

发明人： GUR HILDESHEIM ,  SHLOMO RAIKIN ,  ITTAI ANATI ,  GIDEON GERZON ,  HISHAM SHAFI ,  ALEX BERENZON ,  GEOFFREY S. STRONGIN ,  IRIS SORANI

IPC分类号： G06F12/14

CPC分类号： G06F12/1027 ,  G06F12/1441 ,  G06F12/145 ,  G06F2212/1052

摘要： A processor of an aspect includes operation mode check logic to determine whether to allow an attempted access to an operation mode and access type protected memory based on an operation mode that is to indicate whether the attempted access is by an on-die processor logic. Access type check logic is to determine whether to allow the attempted access to the operation mode and access type protected memory based on an access type of the attempted access to the operation mode and access type protected memory. Protection logic is coupled with the operation mode check logic and is coupled with the access type check logic. The protection logic is to deny the attempted access to the operation mode and access type protected memory if at least one of the operation mode check logic and the access type check logic determines not to allow the attempted access.

摘要翻译： 一方面的处理器包括操作模式检查逻辑，用于基于用于指示尝试访问是否由片上处理器逻辑的操作模式来确定是否允许尝试访问操作模式和访问类型受保护存储器。 访问类型检查逻辑是基于尝试访问操作模式和访问类型受保护的存储器的访问类型来确定是否允许尝试访问操作模式和访问类型受保护的存储器。 保护逻辑与操作模式检查逻辑耦合，并与访问类型检查逻辑耦合。 如果操作模式检查逻辑和访问类型检查逻辑中的至少一个确定不允许尝试访问，则保护逻辑是拒绝尝试访问操作模式和访问类型保护的存储器。

公开(公告)号：US20120079285A1

公开(公告)日：2012-03-29

申请号：US12890365

申请日：2010-09-24

申请人： SHAY GUERON ,  GIDEON GERZON ,  ITTAI ANATI ,  JACOB DOWECK ,  MOSHE MAOR

发明人： SHAY GUERON ,  GIDEON GERZON ,  ITTAI ANATI ,  JACOB DOWECK ,  MOSHE MAOR

IPC分类号： G06F12/14

CPC分类号： G06F12/1408 ,  G06F21/52 ,  G06F21/64

摘要： A method and apparatus for protecting against hardware attacks on system memory is provided. A mode of operation for block ciphers enhances the standard XTS-AES mode of operation to perform memory encryption by extending a tweak to include a “time stamp” indicator. An incrementing mechanism using the “time stamp” indicator generates a tweak which separates different contexts over different times such that the effect of “Type 2 replay attacks” is mitigated.

摘要翻译： 提供了一种用于防止对系统存储器的硬件​​攻击的方法和装置。 分组密码的操作模式增强了标准的XTS-AES操作模式，通过扩展调整以包括“时间戳”指示符来执行存储器加密。 使用“时间戳”指示符的增量机制产生了在不同时间分离不同上下文的调整，使得“类型2重放攻击”的效果得到缓解。