1. Initialization of a computer system including a secure execution mode-capable processor
    Granted invention patent, in force

    Publication number: US07603551B2

    Publication date: 2009-10-13

    Application number: US10419121

    Filing date: 2003-04-18

    IPC classification: G06F9/44 H04L29/06

    CPC classification: G06F9/4403

    Abstract: The initialization of a computer system including a secure execution mode-capable processor includes storing a secure operating system code segment loader to a plurality of locations corresponding to a particular range of addresses within a system memory. The method also includes executing a security initialization instruction. Executing the security initialization instruction may cause several operations to be performed, including transmitting a start transaction including a base address of the particular range of addresses. In addition, executing the security instruction may also cause another operation to be performed, including retrieving the secure operating system code segment loader from the system memory and transmitting the secure operating system code segment loader for validation as a plurality of data transactions.

2. Computer system including a secure execution mode-capable CPU and a security services processor connected via a secure communication path
    Granted invention patent, in force

    Publication number: US07603550B2

    Publication date: 2009-10-13

    Application number: US10419082

    Filing date: 2003-04-18

    IPC classification: H04L9/00 H04L9/32

    Abstract: A computer system includes a processor which may initialize a secure execution mode by executing a security initialization instruction. Further, the processor may operate in the secure execution mode by executing a secure operating system code segment. The computer system also includes an input/output (I/O) interface coupled to the processor via an I/O link. The I/O interface may receive transactions performed as a result of the execution of the security initialization instruction. The transactions include at least a portion of the secure operating system code segment. The I/O interface may also determine whether the processor is a source of the transactions. The computer system further includes a security services processor coupled to the I/O interface via a peripheral bus. The I/O interface may convey the transactions to the security services processor dependent upon determining that the processor is the source of the transactions.

3. Mechanism for selectively blocking peripheral device accesses to system memory
    Granted invention patent, in force

    Publication number: US07146477B1

    Publication date: 2006-12-05

    Application number: US10419090

    Filing date: 2003-04-18

    IPC classification: G06F12/00

    CPC classification: G06F12/1475

    Abstract: A system is configured to selectively block peripheral accesses to system memory. The system includes a secure execution mode (SEM)-capable processor configured to operate in a trusted execution mode. The system also includes a system memory including a plurality of addressable locations. The system further includes a memory controller that may determine a source of an access request to one or more of the plurality of locations of the system memory. The memory controller may further allow the access request to proceed in response to determining that the source of the access request is the SEM-capable processor.

4. Computer system employing a trusted execution environment including a memory controller configured to clear memory
    Granted invention patent, in force

    Publication number: US07210009B2

    Publication date: 2007-04-24

    Application number: US10654734

    Filing date: 2003-09-04

    IPC classification: G06F12/12 G06F12/16

    Abstract: A computer system includes a processor which may initialize a secure execution mode by executing a security initialization instruction. Further, the processor may operate in the secure execution mode by executing a secure operating system code segment. The computer system also includes a system memory configured to store data in a plurality of locations. The computer system also includes a memory controller which, when enabled, may selectively clear the data from a programmed range of the memory locations of the system memory in response to a reset of the processor.

5. Method and apparatus for controlling interrupts in a secure execution mode-capable processor
    Granted invention patent, in force

    Publication number: US07165135B1

    Publication date: 2007-01-16

    Application number: US10419122

    Filing date: 2003-04-18

    IPC classification: G06F7/04

    CPC classification: G06F21/74

    Abstract: A method is provided for controlling interrupts in a secure execution mode-capable processor. The method includes detecting an interrupt and performing a predetermined routine in response to detecting the interrupt. The method further includes, in response to detecting the interrupt, performing a second routine prior to performing the predetermined routine, depending upon whether the processor is operating in a secure execution mode.

6. Method for selectively disabling interrupts on a secure execution mode-capable processor
    Granted invention patent, in force

    Publication number: US07130951B1

    Publication date: 2006-10-31

    Application number: US10419091

    Filing date: 2003-04-18

    IPC classification: G06F13/24 H04L9/00

    CPC classification: G06F9/4812

    Abstract: A method of controlling a secure execution mode-capable processor includes allowing a plurality of interrupts to interrupt the secure execution mode-capable processor when the secure execution mode-capable processor is operating in a non-secure execution mode. The method also includes disabling the plurality of interrupts from interrupting the secure execution mode-capable processor when the secure execution mode-capable processor is operating in a secure execution mode.

7. Method of controlling access to an address translation data structure of a computer system
    Granted invention patent, in force

    Publication number: US07082507B1

    Publication date: 2006-07-25

    Application number: US10419086

    Filing date: 2003-04-18

    IPC classification: G06F12/14

    Abstract: A method of controlling access to an address translation data structure of a computer system. The computer system includes a processor having a normal execution mode and a secure execution mode. The method includes executing code and generating a linear address. During translation of the linear address into a physical address, the method also includes generating a read-only page fault exception during the normal execution mode in response to detecting a software-invoked write access to an address translation data structure whose read/write attribute is set to read-only. The method further includes selectively generating either the read-only page fault exception or a security exception during the secure execution mode in response to detecting the software-invoked write access.

9. Secure execution box
    Granted invention patent, in force

    Publication number: US07065654B1

    Publication date: 2006-06-20

    Application number: US09852372

    Filing date: 2001-05-10

    IPC classification: H04L9/00

    CPC classification: G06F21/85 G06F21/72

    Abstract: A system and method for secure computing. The system includes a processor, one or more secured assets coupled to the processor, and security hardware. The processor is configured to operate in various operating modes, including a secure operating mode. The security hardware is configured to control access to the secured assets dependent upon the operating mode of the processor. The security hardware is configured to allow access to the secured assets in the secure operating mode, preferably only in the secure operating mode. The method includes switching the computer system between operating modes, while allowing or restricting access to the secured assets based on the operating modes. The second operating mode comprises a secure operating mode. The method restricts access to the secured assets in the first operating mode and permits access to the secured assets in the secure operating mode.

10. Enhanced security and manageability using secure storage in a personal computer system
    Granted invention patent, in force

    Publication number: US07216362B1

    Publication date: 2007-05-08

    Application number: US09853395

    Filing date: 2001-05-11

    Abstract: A method and system for enhanced security and manageability using secure storage. The system may include a crypto-processor and a memory coupled to receive memory transactions through the crypto-processor. The memory transactions are passed to the memory by the crypto-processor. The system may include a first processor, a second processor coupled to the first processor, and a storage device operably coupled to the first processor through the second processor. The second processor is configured to control access to the storage device. The method includes transmitting a request for a memory transaction for a storage location in the storage device and receiving the request for the memory transaction at the crypto-processor. The method also includes determining whether the memory transaction is authorized for the storage location, and passing the request for the memory transaction to the storage device if the memory transaction is authorized for the storage location.