Computer system including a secure execution mode-capable CPU and a security services processor connected via a secure communication path
    1.
    发明授权
    Computer system including a secure execution mode-capable CPU and a security services processor connected via a secure communication path 有权
    计算机系统包括安全执行模式的CPU和通过安全通信路径连接的安全服务处理器

    公开(公告)号:US07603550B2

    公开(公告)日:2009-10-13

    申请号:US10419082

    申请日:2003-04-18

    IPC分类号: H04L9/00 H04L9/32

    摘要: A computer system includes a processor which may initialize a secure execution mode by executing a security initialization instruction. Further, the processor may operate in the secure execution mode by executing a secure operating system code segment. The computer system also includes an input/output (I/O) interface coupled to the processor via an I/O link. The I/O interface may receive transactions performed as a result of the execution of the security initialization instruction. The transactions include at least a portion of the secure operating system code segment. The I/O interface may also determine whether the processor is a source of the transactions. The computer system further includes a security services processor coupled to the I/O interface via a peripheral bus. The I/O interface may convey the transactions to the security services processor dependent upon determining that the processor is the source of the transactions.

    摘要翻译: 计算机系统包括可以通过执行安全初始化指令来初始化安全执行模式的处理器。 此外,处理器可以通过执行安全操作系统代码段在安全执行模式下操作。 计算机系统还包括通过I / O链路耦合到处理器的输入/输出(I / O)接口。 I / O接口可以接收由于执行安全初始化指令而执行的事务。 交易包括安全操作系统代码段的至少一部分。 I / O接口还可以确定处理器是否是事务的来源。 计算机系统还包括通过外围总线耦合到I / O接口的安全服务处理器。 取决于确定处理器是交易的来源,I / O接口可以将交易传达给安全服务处理器。

    Initialization of a computer system including a secure execution mode-capable processor
    2.
    发明授权
    Initialization of a computer system including a secure execution mode-capable processor 有权
    包括安全执行模式处理器的计算机系统的初始化

    公开(公告)号:US07603551B2

    公开(公告)日:2009-10-13

    申请号:US10419121

    申请日:2003-04-18

    IPC分类号: G06F9/44 H04L29/06

    CPC分类号: G06F9/4403

    摘要: The initialization of a computer system including a secure execution mode-capable processor includes storing a secure operating system code segment loader to a plurality of locations corresponding to a particular range of addresses within a system memory. The method also includes executing a security initialization instruction. Executing the security initialization instruction may cause several operations to be performed including transmitting a start transaction including a base address of the particular range of addresses. In addition, executing the security instruction may also cause another operation to be performed including retrieving the secure operating system code segment loader from the system memory and transmitting the secure operating system code segment loader for validation as a plurality of data transactions.

    摘要翻译: 包括具有安全执行模式能力的处理器的计算机系统的初始化包括将安全操作系统代码段加载器存储到对应于系统存储器内的特定地址范围的多个位置。 该方法还包括执行安全初始化指令。 执行安全初始化指令可能导致执行若干操作,包括发送包括特定地址范围的基地址的开始事务。 此外,执行安全指令还可以引起执行另一操作,包括从系统存储器检索安全操作系统代码段加载器,并将安全操作系统代码段加载器发送为多个数据事务。

    Mechanism for selectively blocking peripheral device accesses to system memory
    3.
    发明授权
    Mechanism for selectively blocking peripheral device accesses to system memory 有权
    选择性地阻止外围设备访问系统内存的机制

    公开(公告)号:US07146477B1

    公开(公告)日:2006-12-05

    申请号:US10419090

    申请日:2003-04-18

    IPC分类号: G06F12/00

    CPC分类号: G06F12/1475

    摘要: A system is configured to selectively block peripheral accesses to system memory. The system includes a secure execution mode (SEM)-capable processor configured to operate in a trusted execution mode. The system also includes a system memory including a plurality of addressable locations. The system further includes a memory controller that may determine a source of an access request to one or more of the plurality of locations of the system memory. The memory controller may further allow the access request to proceed in response to determining that the source of the access request is the SEM-capable processor.

    摘要翻译: 系统被配置为选择性地阻止对系统存储器的外围访问。 该系统包括被配置为以可信执行模式操作的安全执行模式(SEM)能力处理器。 该系统还包括包括多个可寻址位置的系统存储器。 系统还包括存储器控制器,其可以确定对系统存储器的多个位置中的一个或多个的访问请求的来源。 响应于确定访问请求的源是具有SEM能力的处理器,存储器控制器还可以允许访问请求继续进行。

    Method and apparatus for controlling interrupts in a secure execution mode-capable processor
    4.
    发明授权
    Method and apparatus for controlling interrupts in a secure execution mode-capable processor 有权
    用于控制具有安全执行模式的处理器中的中断的方法和装置

    公开(公告)号:US07165135B1

    公开(公告)日:2007-01-16

    申请号:US10419122

    申请日:2003-04-18

    IPC分类号: G06F7/04

    CPC分类号: G06F21/74

    摘要: A method is provided for controlling interrupts in a secure execution mode-capable processor. The method includes detecting an interrupt and performing a predetermined routine in response to detecting the interrupt. The method further includes performing a second routine prior to performing the predetermined routine in response to detecting the interrupt depending upon whether the processor is operating in a secure execution mode.

    摘要翻译: 提供了一种用于控制具有安全执行模式的处理器中的中断的方法。 该方法包括响应于检测到中断而检测中断并执行预定程序。 该方法还包括在执行预定例程之前执行第二例程以响应于根据处理器是否以安全执行模式操作来检测中断。

    Method for selectively disabling interrupts on a secure execution mode-capable processor
    5.
    发明授权
    Method for selectively disabling interrupts on a secure execution mode-capable processor 有权
    用于选择性地禁用具有安全执行模式的处理器上的中断的方法

    公开(公告)号:US07130951B1

    公开(公告)日:2006-10-31

    申请号:US10419091

    申请日:2003-04-18

    IPC分类号: G06F13/24 H04L9/00

    CPC分类号: G06F9/4812

    摘要: A method of controlling a secure execution mode-capable processor includes allowing a plurality of interrupts to interrupt the secure execution mode-capable processor when the secure execution mode-capable processor is operating in a non-secure execution mode. The method also includes disabling the plurality of interrupts from interrupting the secure execution mode-capable processor when the secure execution mode-capable processor is operating in a secure execution mode.

    摘要翻译: 控制具有安全执行模式的处理器的方法包括当具有安全执行模式的处理器在非安全执行模式下操作时允许多个中断来中断具有安全执行模式的处理器。 该方法还包括当安全执行模式处理器以安全执行模式操作时禁用多个中断来中断具有安全执行模式的处理器。

    Method of controlling access to an address translation data structure of a computer system
    6.
    发明授权
    Method of controlling access to an address translation data structure of a computer system 有权
    控制对计算机系统的地址转换数据结构的访问的方法

    公开(公告)号:US07082507B1

    公开(公告)日:2006-07-25

    申请号:US10419086

    申请日:2003-04-18

    IPC分类号: G06F12/14

    摘要: A method of controlling access to an address translation data structure of a computer system. The computer system includes a processor having a normal execution mode and a secure execution mode. The method includes executing code and generating a linear address. During translation of the linear address into a physical address, the method also includes generating a read-only page fault exception during the normal execution mode in response to detecting a software invoked write access to an address translation data structure having a read/write attribute set to be read-only. The method further includes selectively generating either the read-only page fault exception or a security exception during the secure execution mode in response to detecting the software invoked write access.

    摘要翻译: 一种控制对计算机系统的地址转换数据结构的访问的方法。 计算机系统包括具有正常执行模式和安全执行模式的处理器。 该方法包括执行代码并生成线性地址。 在将线性地址转换为物理地址期间,该方法还包括在正常执行模式期间响应于检测到具有读/写属性集的地址转换数据结构的软件调用写访问而产生只读页错误异常 是只读的。 该方法还包括响应于检测到软件调用的写访问而在安全执行模式期间选择性地生成只读页错误异常或安全异常。

    Method and apparatus for storing and retrieving security attributes
    8.
    发明授权
    Method and apparatus for storing and retrieving security attributes 有权
    用于存储和检索安全属性的方法和装置

    公开(公告)号:US06785790B1

    公开(公告)日:2004-08-31

    申请号:US10157503

    申请日:2002-05-29

    IPC分类号: G06F1214

    CPC分类号: G06F12/1475

    摘要: An apparatus is provided for providing security in a computer system. The apparatus comprises an address generator, a multi-level lookup table, and a cache. The address generator is adapted for producing an address associated with a memory location in the computer system. The multi-level lookup table is adapted for receiving at least a portion of said address and delivering security attributes stored therein associated with said address, wherein the security attributes are associated with each page of memory in the computer system. The cache is a high-speed memory that contains a subset of the information contained in the multi-level lookup table, and may be used to speed the overall retrieval of the requested security attributes when the requested information is present in the cache.

    摘要翻译: 提供了一种用于在计算机系统中提供安全性的装置。 该装置包括地址发生器,多级查找表和高速缓存。 地址生成器适于产生与计算机系统中的存储器位置相关联的地址。 所述多级查找表适于接收所述地址的至少一部分并且传送与所述地址相关联的其他存储的安全属性,其中所述安全属性与所述计算机系统中的每个存储器页相关联。 高速缓存是包含多级查找表中包含的信息的子集的高速存储器,并且当所请求的信息存在于高速缓存中时,可用于加速所请求的安全属性的整体检索。

    Uniform register addressing using prefix byte
    10.
    发明授权
    Uniform register addressing using prefix byte 有权
    使用前缀字节统一寄存器寻址

    公开(公告)号:US06981132B2

    公开(公告)日:2005-12-27

    申请号:US09825183

    申请日:2001-04-02

    IPC分类号: G06F9/30 G06F9/318

    摘要: A processor changes the mapping of register addresses to registers dependent on an instruction field. In one particular embodiment, the mapping may be changed for byte addressing of the registers. A register mapping in which each register address maps to either the least significant byte or the next least significant byte of a subset of the registers may be supported, as well as a register mapping in which each register address maps to the least significant byte of each register, in one implementation. In one particular implementation, the instruction field may be a prefix field (e.g. a prefix byte). The processor may provide for uniform addressing of registers (e.g. byte addressing of the registers) responsive to a prefix field, in other embodiments, irrespective of the addressing provided if the prefix field is not included, or is encoded differently than the encoding which results in the uniform addressing.

    摘要翻译: 处理器根据指令字段改变寄存器地址到寄存器的映射。 在一个特定实施例中,可以改变寄存器的字节寻址的映射。 每个寄存器地址映射到寄存器子集的最低有效字节或下一个最低有效字节的寄存器映射,以及寄存器映射,其中每个寄存器地址映射到每个寄存器地址的最低有效字节 在一个实现中注册。 在一个特定实现中,指令字段可以是前缀字段(例如前缀字节)。 响应于前缀字段,处理器可以提供对前缀字段的寄存器的均匀寻址(例如寄存器的字节寻址),而在其他实施例中,无论如果前缀字段不包括提供的寻址,或者编码的方式不同于导致 统一寻址。