公开(公告)号：US20190042117A1

公开(公告)日：2019-02-07

申请号：US16056490

申请日：2018-08-06

Applicant: INTEL CORPORATION

Inventor： KIRK D. BRANNOCK ,  BARRY E. HUNTLEY

IPC: G06F3/06 ,  G06F9/30 ,  G06F21/79 ,  G06F21/57 ,  G06F21/55

Abstract: Various embodiments are generally directed to an apparatus, method and other techniques for determining a region of the memory for which to store information, inserting the information into the region of the memory, and applying one or more characteristics to the region of the memory via an instruction set architecture (ISA) operation, the one or more characteristics comprising an immutable characteristic to prevent modification of the information in the region of the memory.

公开(公告)号：US20190042780A1

公开(公告)日：2019-02-07

申请号：US15941992

申请日：2018-03-30

Applicant: INTEL CORPORATION

Inventor： KIRK D. BRANNOCK ,  BARRY E. HUNTLEY

IPC: G06F21/62 ,  G06F21/64

Abstract: Various embodiments are generally directed to an apparatus, method and other techniques to detect an access request to access a computing resource while in a system management mode (SMM), determine a bit of a lock register is set to enable access to a bitmap associated with the computing resource, the bitmap to indicate an access policy for the computing resource, and determine whether the access request violate the access policy set in the bitmap. Embodiments may also include performing the access request if the access request does not violate the access policy, and causing a fault if the access request does violate the access policy.

公开(公告)号：US20170090966A1

公开(公告)日：2017-03-30

申请号：US14867761

申请日：2015-09-28

Applicant: Intel Corporation

Inventor： DEEPAK K. GUPTA ,  RAVI L. SAHITA ,  BARRY E. HUNTLEY

IPC: G06F9/455

CPC classification number: G06F9/45558 ,  G06F2009/4557 ,  G06F2009/45575

Abstract: A processor comprises a register to store a first pointer to a context data structure specifying a virtual machine context, the context data structure comprising a first field to store a second pointer to a plurality of realm switch control structures (RSCSs), and an execution unit comprising a logic circuit to execute a virtual machine (VM) according to the virtual machine context, wherein the VM comprises a guest operating system (OS) comprising a plurality of kernel components, and wherein each RSCS of the plurality of RSCSs specifies a respective component context associated with a respective kernel component of the plurality of kernel components, and execute a first kernel component of the plurality of kernel components using a first component context specified by a first RSCS of the plurality of RSCSs.

公开(公告)号：US20160371191A1

公开(公告)日：2016-12-22

申请号：US15250787

申请日：2016-08-29

Applicant: Intel Corporation

Inventor： CARLOS V. ROZAS ,  ILYA ALEXANDROVICH ,  ITTAI ANATI ,  ALEX BERENZON ,  MICHAEL A. GOLDSMITH ,  BARRY E. HUNTLEY ,  ANTON IVANOV ,  SIMON P. JOHNSON ,  REBEKAH M. LESLIE-HURD ,  FRANCIS X. MCKEEN ,  GILBERT NEIGER ,  RINAT RAPPOPORT ,  SCOTT D. RODGERS ,  UDAY R. SAVAGAONKAR ,  VINCENT R. SCARLATA ,  VEDVYAS SHANBHOGUE ,  WESLEY H. SMITH ,  WILLIAM C. WOOD

IPC: G06F12/0875 ,  G06F12/1027

Abstract: Instructions and logic provide advanced paging capabilities for secure enclave page caches. Embodiments include multiple hardware threads or processing cores, a cache to store secure data for a shared page address allocated to a secure enclave accessible by the hardware threads. A decode stage decodes a first instruction specifying said shared page address as an operand, and execution units mark an entry corresponding to an enclave page cache mapping for the shared page address to block creation of a new translation for either of said first or second hardware threads to access the shared page. A second instruction is decoded for execution, the second instruction specifying said secure enclave as an operand, and execution units record hardware threads currently accessing secure data in the enclave page cache corresponding to the secure enclave, and decrement the recorded number of hardware threads when any of the hardware threads exits the secure enclave.

Abstract translation: 说明和逻辑为安全的飞地页面缓存提供了高级分页功能。 实施例包括多个硬件线程或处理核心，用于存储分配给由硬件线程可访问的安全空间的共享页面地址的安全数据的高速缓存。 解码级将指定所述共享页地址的第一指令解码为操作数，并且执行单元标记对应于共享页地址的飞地页高速缓存映射的条目，以阻止所述第一或第二硬件线程中的任一个的新转换的创建 访问共享页面。 第二指令被解码以执行，第二指令指定所述安全飞地作为操作数，并且执行单元记录当前访问与安全飞地相对应的飞地页面高速缓存中的安全数据的硬件线程，并且当任何 的硬件线程退出安全飞地。

公开(公告)号：US20200159673A1

公开(公告)日：2020-05-21

申请号：US16686379

申请日：2019-11-18

Applicant: Intel Corporation

Inventor： RAVI L. SAHITA ,  GILBERT NEIGER ,  VEDVYAS SHANBHOGUE ,  DAVID M. DURHAM ,  ANDREW V. ANDERSON ,  DAVID A. KOUFATY ,  ASIT K. MALLICK ,  ARUMUGAM THIYAGARAJAH ,  BARRY E. HUNTLEY ,  DEEPAK K. GUPTA ,  MICHAEL LEMAY ,  JOSEPH F. CIHULA ,  BAIJU V. PATEL

IPC: G06F12/14 ,  G06F9/455 ,  G06F12/1009 ,  G06F12/1027

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

公开(公告)号：US20160378490A1

公开(公告)日：2016-12-29

申请号：US14752079

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： MICHAEL LEMAY ,  DAVID M. DURHAM ,  BARRY E. HUNTLEY ,  VEDVYAS SHANBHOGUE ,  RAVI L. SAHITA ,  RAVI RAJWAR

IPC: G06F9/38 ,  G06F11/07

CPC classification number: G06F9/3802 ,  G06F9/3004 ,  G06F9/30076 ,  G06F9/30145 ,  G06F9/30167 ,  G06F9/30189 ,  G06F9/46 ,  G06F11/0745 ,  G06F11/0751

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for protecting confidential data with transactional processing in execute-only memory. The system may include a memory module configured to store an execute-only code page. The system may also include a transaction processor configured to enforce a transaction region associated with at least a portion of the code page. The system may further include a processor configured to execute a load instruction fetched from the code page, the load instruction configured to load at least a portion of the confidential data from an immediate operand of the load instruction if a transaction mode of the transaction region is enabled.

Abstract translation: 通常，本公开提供了用于在仅执行存储器中用事务处理保护机密数据的系统，设备，方法和计算机可读介质。 该系统可以包括被配置为存储仅执行代码页的存储器模块。 系统还可以包括配置成强制与代码页的至少一部分相关联的事务区域的事务处理器。 该系统还可以包括：处理器，其被配置为执行从代码页取出的加载指令，所述加载指令被配置为如果交易区域的交易模式是来自加载指令的即时操作数，则加载秘密数据的至少一部分 启用

公开(公告)号：US20210109684A1

公开(公告)日：2021-04-15

申请号：US17131731

申请日：2020-12-22

Applicant: Intel Corporation

Inventor： VEDVYAS SHANBHOGUE ,  JASON W. BRANDT ,  RAVI L. SAHITA ,  BARRY E. HUNTLEY ,  BAIJU V. PATEL

IPC: G06F3/06 ,  G06F9/30 ,  G06F21/52 ,  G06F9/38 ,  G06F12/1009 ,  G06F12/109 ,  G06F12/1027 ,  G06F12/1081 ,  G06F12/1045 ,  G06F12/14 ,  G06F12/1036

Abstract: A processor of an aspect includes a decode unit to decode an instruction. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the instruction, is to determine that an attempted change due to the instruction, to a shadow stack pointer of a shadow stack, would cause the shadow stack pointer to exceed an allowed range. The execution unit is also to take an exception in response to determining that the attempted change to the shadow stack pointer would cause the shadow stack pointer to exceed the allowed range. Other processors, methods, systems, and instructions are disclosed.

公开(公告)号：US20200310978A1

公开(公告)日：2020-10-01

申请号：US16367103

申请日：2019-03-27

Applicant: Intel Corporation

Inventor： SCOTT DION RODGERS ,  ROBERT S. CHAPPELL ,  BARRY E. HUNTLEY

IPC: G06F12/1009 ,  G06F12/1027 ,  G06F12/14

Abstract: An apparatus and method for managing different page tables for different privilege levels. For example, one embodiment of a processor comprises: a first control register to store a first base address associated with program code executed at a first privilege level; a second control register to store a second base address associated with program code executed at a second privilege level lower than the first privilege level; and address translation circuitry to identify a first base translation table using the first base address responsive to a first address translation request originating from the program code executed at the first privilege level and to identify a second base translation table using the second base address responsive to a second address translation request originating from the program code executed at the second privilege level.

公开(公告)号：US20170285987A1

公开(公告)日：2017-10-05

申请号：US15087566

申请日：2016-03-31

Applicant: INTEL CORPORATION

Inventor： KIRK D. BRANNOCK ,  BARRY E. HUNTLEY

IPC: G06F3/06 ,  G06F21/55 ,  G06F9/30

CPC classification number: G06F3/0622 ,  G06F3/0637 ,  G06F3/0644 ,  G06F3/0659 ,  G06F3/0673 ,  G06F9/3004 ,  G06F21/554 ,  G06F21/57 ,  G06F21/79 ,  G06F2221/034

Abstract: Various embodiments are generally directed to an apparatus, method and other techniques for determining a region of the memory for which to store information, inserting the information into the region of the memory, and applying one or more characteristics to the region of the memory via an instruction set architecture (ISA) operation, the one or more characteristics comprising an immutable characteristic to prevent modification of the information in the region of the memory.

公开(公告)号：US20160381050A1

公开(公告)日：2016-12-29

申请号：US14752221

申请日：2015-06-26

Applicant: INTEL CORPORATION

Inventor： VEDVYAS SHANBHOGUE ,  JASON W. BRANDT ,  RAVI L. SAHITA ,  BARRY E. HUNTLEY ,  BAIJU V. PATEL

IPC: H04L29/06 ,  G06F3/06 ,  G06F9/30

CPC classification number: G06F3/0673 ,  G06F3/0622 ,  G06F3/0629 ,  G06F9/30054 ,  G06F9/30101 ,  G06F9/30134 ,  G06F9/30145 ,  G06F9/3806 ,  G06F9/3861 ,  G06F12/1009 ,  G06F12/1027 ,  G06F12/1036 ,  G06F12/1063 ,  G06F12/1081 ,  G06F12/109 ,  G06F12/1491 ,  G06F21/52 ,  G06F2212/1052 ,  G06F2212/151 ,  G06F2212/651 ,  G06F2212/657

Abstract: A processor of an aspect includes a decode unit to decode an instruction. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the instruction, is to determine that an attempted change due to the instruction, to a shadow stack pointer of a shadow stack, would cause the shadow stack pointer to exceed an allowed range. The execution unit is also to take an exception in response to determining that the attempted change to the shadow stack pointer would cause the shadow stack pointer to exceed the allowed range. Other processors, methods, systems, and instructions are disclosed.

Abstract translation: 方面的处理器包括解码指令的解码单元。 处理器还包括与解码单元耦合的执行单元。 执行单元响应于该指令，是确定由于指令而尝试改变影子栈的影子堆栈指针将导致阴影堆栈指针超过允许的范围。 响应于确定对阴影堆栈指针的尝试改变将导致阴影堆栈指针超过允许的范围，执行单元也将采取异常。 公开了其他处理器，方法，系统和指令。