Apparatus and method for secure memory access using trust domains

US10761996B2 · US · B2

Patent metadata
Publication number: US-10761996-B2
Application number: US-201816147191-A
Country: US
Kind code: B2
Filing date: Sep 28, 2018
Priority date: Sep 28, 2018
Publication date: Sep 1, 2020
Grant date: Sep 1, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Examples include an apparatus which accesses secure pages in a trust domain using secure lookups in first and second sets of page tables. For example, one embodiment of the processor comprises: a decoder to decode a plurality of instructions including instructions related to a trusted domain; execution circuitry to execute a first one or more of the instructions to establish a first trusted domain using a first trusted domain key, the trusted domain key to be used to encrypt memory pages within the first trusted domain; and the execution circuitry to execute a second one or more of the instructions to associate a first process address space identifier (PASID) with the first trusted domain, the first PASID to uniquely identify a first execution context associated with the first trusted domain.

First claim

Opening claim text (preview).

What is claimed is:

1. An apparatus comprising: a decoder to decode a plurality of instructions including instructions related to a trusted domain; execution circuitry to execute a first one or more of the instructions to establish a first trusted domain using a trusted domain key, the trusted domain key to be used to encrypt memory pages within the first trusted domain, wherein the execution circuitry is to execute a second one or more of the instructions to associate a first process address space identifier (PASID) with the first trusted domain, the first PASID to uniquely identify a first execution context associated with the first trusted domain; and address translation circuitry to use the PASID to identify a first set of one or more translation tables to translate a guest virtual address to a guest physical address, and the address translation circuitry to further use a first trusted domain identifier uniquely identifying the first trusted domain to identify a second set of one or more translation tables to translate the guest physical address to a host physical address within the first trusted domain.
2. The apparatus of claim 1 wherein the second set of translation tables comprise a secure extended page table (SEPT).
3. The apparatus of claim 1 wherein the execution circuitry is to execute a third one or more of the instructions to assign the first trusted domain to one or more devices.
4. The apparatus of claim 3 wherein the one or more devices are identified by a requestor ID comprising a bus value, a device value, and a function value.
5. The apparatus of claim 4 wherein the first set of translation tables comprise a root table and a context table.
6. The apparatus of claim 5 wherein the address translation circuitry is to identify an entry in the root table using the bus value, the entry identifying a first context table.
7. The apparatus of claim 6 wherein the address translation circuitry is to identify an entry in the first context table using at least one of the device value and/or the function value, the entry to identify the PASID.
8. The apparatus of claim 7 wherein the address translation circuitry is to use a first portion of the PASID to identify an entry in a PASID directory and to use a second portion of the PASID combined with the entry in the PASID directory to identify a PASID table.
9. The apparatus of claim 8 wherein the address translation circuitry is to use an entry in the PASID table to identify the first set of one or more translation tables.
10. A method comprising: establishing a first trusted domain using a trusted domain key to encrypt memory pages within the first trusted domain; associating a first process address space identifier (PASID) with the first trusted domain, the first PASID to uniquely identify a first execution context associated with the first trusted domain; identifying a first set of one or more translation tables using the PASID; translating a guest virtual address to a guest physical address using the first set of one or more translation tables; and identifying a second set of one or more translation tables to translate the guest physical address to a host physical address within the first trusted domain using a first trusted domain identifier which uniquely identifies the first trusted domain.
11. The method of claim 10 wherein the second set of translation tables comprise a secure extended page table (SEPT).
12. The method of claim 10 wherein the method further comprises executing a third one or more of the instructions to assign the first trusted domain to one or more devices.
13. The method of claim 12 wherein the one or more devices are identified by a requestor ID comprising a bus value, a device value, and a function value.
14. The method of claim 13 wherein the first set of translation tables comprise a root table and a context table.
15. The method of claim 14 wherein the method further comprises identifying an entry in the root table using the bus value, the entry identifying a first context table.
16. The method of claim 15 wherein the method further comprises identifying an entry in the first context table using at least one of the device value and the function value, the entry to identify the PASID.
17. The method of claim 16 wherein a first portion of the PASID is used to identify an entry in a PASID directory and a second portion of the PASID combined with the entry in the PASID directory is used to identify a PASID table.
18. The method of claim 17 wherein an entry in the PASID table is used to identify the first set of one or more translation tables.
19. A non-transitory machine-readable medium having program code stored thereon which, when executed by a machine causes the machine to perform the operations of: establishing a first trusted domain using a trusted domain key to encrypt memory pages within the first trusted domain; associating a first process address space identifier (PASID) with the first trusted domain, the first PASID to uniquely identify a first execution context associated with the first trusted domain; identifying a first set of one or more translation tables using the PASID; translating a guest virtual address to a guest physical address using the first set of one or more translation tables; and identifying a second set of one or more translation tables to translate the guest physical address to a host physical address within the first trusted domain using a first trusted domain identifier which uniquely identifies the first trusted domain.
20. The non-transitory machine-readable medium of claim 19 wherein the second set of translation tables comprise a secure extended page table (SEPT).
21. The non-transitory machine-readable medium of claim 19 wherein the operations further comprise executing a third one or more of the instructions to assign the first trusted domain to one or more devices.
22. The non-transitory machine-readable medium of claim 21 wherein the one or more devices are identified by a requestor ID comprising a bus value, a device value, and a function value.
23. The non-transitory machine-readable medium of claim 22 wherein the first set of translation tables comprise a root table and a context table.
24. The non-transitory machine-readable medium of claim 23 wherein the operations further comprise identifying an entry in the root table using the bus value, the entry identifying a first context table.
25. The non-transitory machine-readable medium of claim 24 wherein the operations further comprise identifying an entry in the first context table using at least one of the device value and the function value, the entry to identify the PASID.
26. The non-transitory machine-readable medium of claim 25 wherein a first portion of the PASID is used to identify an entry in a PASID directory and a second portion of the PASID combined with the entry in the PASID directory is used to identify a PASID table.
27. The non-transitory machine-readable medium of claim 26 wherein an entry in the PASID table is used to identify the first set of one or more translation tables.
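The two-stage walk that claims 1 through 9 describe, as an added Python model that is not code from the patent or from Intel: a requestor ID (bus, device, function) selects a root-table entry, then a context-table entry that yields a PASID; the PASID's upper bits index a PASID directory and its lower bits a PASID table that points at the first-level tables (guest virtual to guest physical); the trusted domain identifier then selects that domain's SEPT (guest physical to host physical). The dict-backed tables, the 6-bit PASID split, and the check that the PASID is associated with the requesting domain are assumptions made here for illustration.

```python
from dataclasses import dataclass, field

PAGE_SHIFT = 12
PASID_LOW_BITS = 6   # assumption: low 6 bits index the PASID table, the rest the PASID directory

@dataclass
class TrustDomain:
    td_id: int
    sept: dict                                  # GPA page -> HPA page (the "second set" of tables)
    pasids: set = field(default_factory=set)    # PASIDs associated with this trusted domain

class SecureTranslator:
    def __init__(self):
        self.root = {}        # bus -> context table {(device, function): PASID}
        self.pasid_dir = {}   # directory index -> PASID table {table index: GVA page -> GPA page}
        self.tds = {}         # trusted domain identifier -> TrustDomain

    def establish_td(self, td_id, sept):
        self.tds[td_id] = TrustDomain(td_id, dict(sept))

    def associate_pasid(self, pasid, td_id, gva_to_gpa):
        self.tds[td_id].pasids.add(pasid)
        hi, lo = pasid >> PASID_LOW_BITS, pasid & ((1 << PASID_LOW_BITS) - 1)
        self.pasid_dir.setdefault(hi, {})[lo] = dict(gva_to_gpa)   # first-set page tables

    def assign_device(self, bus, device, function, pasid):
        self.root.setdefault(bus, {})[(device, function)] = pasid

    def translate(self, td_id, bus, device, function, gva):
        td = self.tds[td_id]
        pasid = self.root[bus][(device, function)]          # root table by bus, context by dev/fn
        if pasid not in td.pasids:                           # execution context must belong to this TD
            raise PermissionError(f"PASID {pasid:#x} is not associated with TD {td_id}")
        hi, lo = pasid >> PASID_LOW_BITS, pasid & ((1 << PASID_LOW_BITS) - 1)
        gpa_page = self.pasid_dir[hi][lo][gva >> PAGE_SHIFT]  # GVA -> GPA via the first set
        hpa_page = td.sept[gpa_page]                          # GPA -> HPA via this TD's own SEPT
        return (hpa_page << PAGE_SHIFT) | (gva & ((1 << PAGE_SHIFT) - 1))

def demo():
    """Constructed sample: two TDs map the same GPA page to different host pages."""
    t = SecureTranslator()
    t.establish_td(1, {0x10: 0x7A0})
    t.establish_td(2, {0x10: 0x9B3})
    t.associate_pasid(0x41, 1, {0x5: 0x10})   # directory index 1, table index 1
    t.associate_pasid(0x42, 2, {0x5: 0x10})   # directory index 1, table index 2
    t.assign_device(0, 3, 0, 0x41)            # bus 0, device 3, function 0
    t.assign_device(0, 4, 0, 0x42)
    return t
```

Because the SEPT is chosen by the trusted domain identifier rather than by the device, the same guest physical page resolves to different host pages per domain, and a device whose PASID belongs to another domain is refused before any table is consulted.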

Assignees

Intel Corp

Inventors

Classifications

  • by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title

  • G06F21/57 (Primary)

    Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities · CPC title

  • to perform miscellaneous control operations, e.g. NOP · CPC title

  • Hypervisor-specific management and integration aspects · CPC title

  • Memory management, e.g. access or allocation · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10761996B2 cover?
Examples include an apparatus which accesses secure pages in a trust domain using secure lookups in first and second sets of page tables. For example, one embodiment of the processor comprises: a decoder to decode a plurality of instructions including instructions related to a trusted domain; execution circuitry to execute a first one or more of the instructions to establish a first trusted dom…
Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification G06F21/57. Mapped technology areas include Physics.
When was this patent published?
Publication date Sep 1, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).