System Memory Management Unit Architecture For Consolidated Management Of Virtual Machine Stage 1 Address Translations
US-2019026231-A1 · Jan 24, 2019 · US
US10514943B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10514943-B2 |
| Application number | US-201615354791-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 17, 2016 |
| Priority date | Nov 17, 2016 |
| Publication date | Dec 24, 2019 |
| Grant date | Dec 24, 2019 |
Abstract
In an aspect, an apparatus that includes a first security domain and at least a second security domain obtains, at a virtual machine of the first security domain, a stream identifier associated with the second security domain. The apparatus generates, at the virtual machine of the first security domain, a command to map the stream identifier associated with the second security domain to a first address translation context. The apparatus maps, at a hypervisor device, the first address translation context to a second address translation context that is associated with the second security domain of the stream identifier. The apparatus processes a stream of memory access transactions that includes the stream identifier based on at least the first address translation context or the second address translation context.
Claims (preview)
What is claimed is:

1. A method for an apparatus that includes a first security domain and at least a second security domain, the method comprising: obtaining, at a virtual machine of the first security domain, a stream identifier associated with the second security domain; generating, at the virtual machine of the first security domain, a command to map the stream identifier associated with the second security domain to a first address translation context; mapping, at a hypervisor device, the first address translation context to a second address translation context that is associated with the second security domain of the stream identifier; and processing a stream of memory access transactions that includes the stream identifier based on at least the first address translation context or the second address translation context.
2. The method of claim 1, further comprising: identifying, at the hypervisor device, a security domain of at least a second stream identifier already mapped to the first address translation context; and validating, at the hypervisor device, the generated command when the security domain of at least the second stream identifier is the same as the second security domain.
3. The method of claim 1, further comprising: preventing, at the hypervisor device, the virtual machine from mapping a second stream identifier associated with a third security domain to the first address translation context when the third security domain is different from the second security domain.
4. The method of claim 1, further comprising: setting, at the hypervisor device, a context bank attribute register to a fault value when a stream to context register corresponding to the context bank attribute register is empty.
5. The method of claim 1, wherein the apparatus includes a single virtual machine, and wherein the single virtual machine is the virtual machine of the first security domain.
6. The method of claim 1, further comprising: validating, at the hypervisor device, the generated command to map the stream identifier when the generated command to map the stream identifier is a write instruction to modify an empty stream to context register.
7. The method of claim 1, wherein the command may be a write instruction to modify one or more registers configured to control memory address translation regimes in a memory management unit (MMU).
8. The method of claim 1, wherein the stream identifier is generated by a master device that is configured to generate a plurality of stream identifiers associated with different security domains.
9. An apparatus comprising: a processing circuit that implements a virtual machine of a first security domain; and at least one master device of a second security domain, wherein the processing circuit is configured to: obtain, at the virtual machine of the first security domain, a stream identifier associated with the second security domain; generate, at the virtual machine of the first security domain, a command to map the stream identifier associated with the second security domain to a first address translation context; map the first address translation context to a second address translation context that is associated with the second security domain of the stream identifier; and process a stream of memory access transactions that includes the stream identifier based on at least the first address translation context or the second address translation context.
10. The apparatus of claim 9, wherein the processing circuit is further configured to: identify a security domain of at least a second stream identifier already mapped to the first address translation context; and validate the generated command when the security domain of at least the second stream identifier is the same as the second security domain.
11. The apparatus of claim 9, wherein the processing circuit is further configured to: prevent the virtual machine from mapping a second stream identifier associated with a third security domain to the first address translation context when the third security domain is different from the second security domain.
12. The apparatus of claim 9, wherein the processing circuit is further configured to: set a context bank attribute register to a fault value when a stream to context register corresponding to the context bank attribute register is empty.
13. The apparatus of claim 9, wherein the apparatus includes a single virtual machine, and wherein the single virtual machine is the virtual machine of the first security domain.
14. The apparatus of claim 9, wherein the processing circuit is further configured to: validate the generated command to map the stream identifier when the generated command to map the stream identifier is a write instruction to modify an empty stream to context register.
15. The apparatus of claim 9, wherein the command may be a write instruction to modify one or more registers configured to control memory address translation regimes in a memory management unit (MMU).
16. The apparatus of claim 9, wherein the stream identifier is generated by a master device that is configured to generate a plurality of stream identifiers associated with different security domains.
17. An apparatus that includes a first security domain and at least a second security domain, the apparatus comprising: means for obtaining, at a virtual machine of the first security domain, a stream identifier associated with the second security domain; means for generating, at the virtual machine of the first security domain, a command to map the stream identifier associated with the second security domain to a first address translation context; means for mapping, at a hypervisor device, the first address translation context to a second address translation context that is associated with the second security domain of the stream identifier; and means for processing a stream of memory access transactions that includes the stream identifier based on at least the first address translation context or the second address translation context.
18. The apparatus of claim 17, further comprising: means for identifying, at the hypervisor device, a security domain of at least a second stream identifier already mapped to the first address translation context; and means for validating, at the hypervisor device, the generated command when the security domain of at least the second stream identifier is the same as the second security domain.
19. The apparatus of claim 17, further comprising: means for preventing, at the hypervisor device, the virtual machine from mapping a second stream identifier associated with a third security domain to the first address translation context when the third security domain is different from the second security domain.
20. The apparatus of claim 17, further comprising: means for setting, at the hypervisor device, a context bank attribute register to a fault value when a stream to context register corresponding to the context bank attribute register is empty.
21. The apparatus of claim 17, wherein the apparatus includes a single virtual machine, and wherein the single virtual machine is the virtual machine of the first security domain.
22. The apparatus of claim 17, further comprising: means for validating, at the hypervisor device, the generated command to map the stream identifier when the generated command to map the stream identifier is a write instruction to modify an empty stream to con
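The security-relevant point of claims 1 to 6 is that the VM chooses which stream identifiers share a stage 1 context bank, but the hypervisor keeps the invariant that every stream in a bank belongs to one security domain, and that an unassigned bank faults rather than translates. The following Python model is an added illustration, not code from the patent or from any SMMU implementation; the register names follow the claim wording, and the stream-to-domain table, bank count and stage 2 context labels are constructed values.

```python
from dataclasses import dataclass, field

FAULT = "FAULT"  # CBAR value that makes any transaction hitting an unassigned bank fault (claim 4)
# Trusted, hypervisor-owned knowledge of which security domain each master's stream ID belongs to.
DOMAIN_OF_SID = {0x10: "non-secure", 0x11: "non-secure", 0x20: "secure"}  # constructed values


@dataclass
class Smmu:
    n_banks: int
    stage2_of: dict                           # domain -> stage-2 context (second translation context)
    s2cr: dict = field(default_factory=dict)  # sid -> stage-1 context bank (first translation context)
    cbar: dict = field(default_factory=dict)  # bank -> stage-2 context, or FAULT while the bank is empty

    def __post_init__(self):
        self._refresh_cbars()

    def _refresh_cbars(self):
        # Claim 4: a bank with no stream routed to it must fault rather than translate or bypass.
        for bank in range(self.n_banks):
            if bank not in self.s2cr.values():
                self.cbar[bank] = FAULT

    def domain_of_bank(self, bank):
        domains = {DOMAIN_OF_SID[s] for s, b in self.s2cr.items() if b == bank}
        return domains.pop() if domains else None

    def vm_write_s2cr(self, sid, bank):
        """Hypervisor trap on the VM's S2CR write; True if admitted (claims 1-3, 6)."""
        if sid not in DOMAIN_OF_SID or not 0 <= bank < self.n_banks:
            return False                      # unknown master or out-of-range bank
        new_domain = DOMAIN_OF_SID[sid]
        existing = self.domain_of_bank(bank)
        if existing is not None and existing != new_domain:
            return False                      # claims 2-3: bank already holds another domain's streams
        self.s2cr[sid] = bank
        self.cbar[bank] = self.stage2_of[new_domain]  # stage-1 context -> that domain's stage-2 context
        self._refresh_cbars()                 # a bank the stream just left may now be empty
        return True

    def translate(self, sid):
        bank = self.s2cr.get(sid)             # stage-2 context (or FAULT) applied to this stream's traffic
        return FAULT if bank is None else self.cbar[bank]


def run_scenario():
    """Two non-secure streams share bank 0; a secure stream is refused there and lands in bank 1."""
    smmu = Smmu(n_banks=2, stage2_of={"non-secure": "S2_NS", "secure": "S2_SEC"})
    admitted = [smmu.vm_write_s2cr(0x10, 0), smmu.vm_write_s2cr(0x11, 0),
                smmu.vm_write_s2cr(0x20, 0), smmu.vm_write_s2cr(0x20, 1)]
    return admitted, smmu.translate(0x10), smmu.translate(0x20), smmu.translate(0x30)
```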
CPC classification titles:

- Isolation or security of virtual machine instances
- in semiconductor storage media, e.g. directly-addressable memories
- by executing in a restricted environment, e.g. sandbox or secure virtual machine
- Hypervisor-specific management and integration aspects