Employing intermediary structures for facilitating access to secure memory
US-2015370628-A1 · Dec 24, 2015 · US
US10437733B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10437733-B2 |
| Application number | US-201715647179-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 11, 2017 |
| Priority date | Dec 23, 2014 |
| Publication date | Oct 8, 2019 |
| Grant date | Oct 8, 2019 |
Official abstract text for this publication.
An apparatus and method for efficient guest EPT manipulation. For example, one embodiment of an apparatus comprises: a hypervisor to create extended page table (EPT) mappings between a guest physical address (GPA) space and a host physical address (HPA) space; the hypervisor to create an EPT edit table and populate the EPT edit table with information related to permitted mappings between the GPA space and HPA space; a guest to read the EPT edit table to determine information related to the permitted mappings between the GPA space and HPA space, the guest to use the information to map one or more pages in the GPA space to one or more pages in the HPA space.
Opening claim text (preview).
What is claimed is:

1. An apparatus comprising: a processing module to execute instructions; a memory module; and a secure driver to: reserve a secure page cache in the memory module; generate a linear address manager mapping; execute an application; map linear addresses in an application page table to corresponding pseudo page addresses; load at least one application page into secure page cache slots; monitor the application to determine whether a virtual exception occurs; determine the virtual exception has occurred; receive a page fault corresponding to the virtual exception from the application; evict a victim secure page from the secure page cache, wherein to evict the victim secure page, the secure driver is further to: unmap at least one pseudo page address from the secure page cache slot corresponding to the evicted victim secure page; unload the evicted victim secure page from its secure page cache slot; and map a new linear address corresponding to the target application page to be loaded to a new pseudo page address; load a target application page in a secure page cache slot corresponding to the evicted victim secure page; and reconfigure the virtual exception to be handled by an operating system.

2. The apparatus of claim 1, wherein to terminate the application, the secure driver is further to: stop execution of the application; release the linear addresses; and unload the secure page cache.

3. The apparatus of claim 1, wherein to load a target application page in a secure page cache slot corresponding to the evicted victim secure page the secure driver is further to: map the new pseudo page address to the secure page cache slot; and load the target application page into the secure page cache slot.

4. A method comprising: reserving a secure page cache in a memory module; generating a linear address manager mapping; executing an application; mapping linear addresses in an application page table to corresponding pseudo page addresses; loading at least one application page into secure page cache slots; monitoring the application to determine whether a virtual exception occurs; determining the virtual exception has occurred; receiving a page fault corresponding to the virtual exception from the application; evicting a victim secure page from the secure page cache, wherein evicting includes: unmapping at least one pseudo page address from the secure page cache slot corresponding to the evicted victim secure page; unloading the evicted victim secure page from its secure page cache slot; and mapping a new linear address corresponding to the target application page to be loaded to a new pseudo page address; loading a target application page in a secure page cache slot corresponding to the evicted victim secure page; and reconfiguring the virtual exception to be handled by an operating system.

5. The method of claim 4, wherein terminating the application further comprises: stopping execution of the application; releasing the linear addresses; and unloading the secure page cache.

6. The method of claim 4, wherein loading a target application page in a secure page cache slot corresponding to the evicted victim secure page comprises: mapping the new pseudo page address to the secure page cache slot; and loading the target application page into the secure page cache slot.

7. An apparatus comprising: firmware to load a secure driver upon activation; and the secure driver to: reserve a secure page cache in a memory module; generate a linear address manager mapping; execute an application; map linear addresses in an application page table to corresponding pseudo page addresses; load at least one application page into secure page cache slots; monitor the application to determine whether a virtual exception occurs; determine the virtual exception has occurred; receive a page fault corresponding to the virtual exception from the application; evict a victim secure page from the secure page cache, wherein to evict the victim secure page, the secure driver is further to: unmap at least one pseudo page address from the secure page cache slot corresponding to the evicted victim secure page; unload the evicted victim secure page from its secure page cache slot; and map a new linear address corresponding to the target application page to be loaded to a new pseudo page address; load a target application page in a secure page cache slot corresponding to the evicted victim secure page; and reconfigure the virtual exception to be handled by an operating system.

8. The apparatus of claim 7, wherein to terminate the application, the secure driver is further to: stop execution of the application; release the linear addresses; and unload the secure page cache.
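A user-space model of the two-level mapping and the eviction sequence recited in claims 1 and 3, added here as an illustration; it is not code from the patent or its assignee. All names, the table sizes and the round-robin victim choice are assumptions, and delivery of the virtual exception and its reconfiguration for the operating system are not modelled.

```c
#include <stdio.h>

#define SLOTS 2      /* assumed number of secure page cache slots */
#define PAGES 4      /* assumed application pages (linear page numbers 0..3) */
#define MAX_PPA 64   /* assumed pool of pseudo page addresses */
#define NONE (-1)

static int la_to_ppa[PAGES];     /* application page table: linear page -> pseudo page */
static int ppa_to_slot[MAX_PPA]; /* linear address manager mapping: pseudo page -> slot */
static int slot_ppa[SLOTS];      /* reverse map: slot -> pseudo page it currently backs */
static int next_ppa, victim, evictions;

void spc_init(void) {
    for (int i = 0; i < PAGES; i++) la_to_ppa[i] = NONE;
    for (int i = 0; i < MAX_PPA; i++) ppa_to_slot[i] = NONE;
    for (int i = 0; i < SLOTS; i++) slot_ppa[i] = NONE;
    next_ppa = victim = evictions = 0;
}

/* Slot backing linear page la, or NONE if an access to it would fault. */
int spc_lookup(int la) {
    if (la < 0 || la >= PAGES) return NONE;
    int ppa = la_to_ppa[la];
    return ppa == NONE ? NONE : ppa_to_slot[ppa];
}

/* Access path: a hit returns the slot; a miss runs the fault handling steps. */
int spc_access(int la) {
    int slot = spc_lookup(la);
    if (slot != NONE || la < 0 || la >= PAGES || next_ppa >= MAX_PPA) return slot;
    for (int i = 0; i < SLOTS; i++) if (slot_ppa[i] == NONE) { slot = i; break; }
    if (slot == NONE) {                        /* cache full: evict a victim */
        slot = victim; victim = (victim + 1) % SLOTS;
        ppa_to_slot[slot_ppa[slot]] = NONE;    /* unmap pseudo page from the slot */
        slot_ppa[slot] = NONE;                 /* unload the victim page */
        evictions++;
    }
    la_to_ppa[la] = next_ppa;                  /* linear address -> new pseudo page */
    ppa_to_slot[next_ppa] = slot;              /* new pseudo page -> freed slot */
    slot_ppa[slot] = next_ppa++;               /* load the target page */
    return slot;
}

int main(void) {
    spc_init();
    int trace[] = {0, 1, 0, 2, 0};             /* constructed access trace */
    for (int i = 0; i < 5; i++) printf("page %d -> slot %d\n", trace[i], spc_access(trace[i]));
    return 0;
}
```

The evicted page keeps its entry in the application page table; only the pseudo page's mapping to a slot is removed, so the next access to that page misses at the intermediary level and is assigned a fresh pseudo page address.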
in a virtual system, e.g. with translation means · CPC title
Security improvement · CPC title
for multiple virtual address spaces, e.g. segmentation (G06F12/1045 takes precedence) · CPC title
using page tables, e.g. page table structures · CPC title
Hypervisor-specific management and integration aspects · CPC title