Protected container key management processors, methods, systems, and instructions
US-2018007051-A1 · Jan 4, 2018 · US
Processors, methods, systems, and instructions to determine whether to load encrypted copies of protected container pages into protected container memory
US11023622B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11023622-B2 |
| Application number | US-201916458016-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 29, 2019 |
| Priority date | Sep 23, 2016 |
| Publication date | Jun 1, 2021 |
| Grant date | Jun 1, 2021 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A method performed by a processor of an aspect includes accessing an encrypted copy of a protected container page stored in a regular memory. A determination is made whether the protected container page was live stored out, while able to remain useable in, protected container memory. The method also includes either performing a given security check, before determining to store the protected container page to a destination page in a first protected container memory, if it was determined that the protected container page was live stored out, or not performing the given security check, if it was determined that the protected container page was not live stored out. Other methods, as well as processors, computer systems, and machine-readable medium providing instructions are also disclosed.
First claim
Opening claim text (preview).
What is claimed is: 1. A processor comprising: a die; a decode unit within the die to decode an instruction, the instruction to indicate a source memory location, within a protected memory, where a protected page is to be stored, and the instruction to indicate a destination memory location, outside of the protected memory; an execution unit, within the die and coupled with the decode unit, and including at least some circuitry, the execution unit to perform the instruction, wherein to perform the instruction includes to: encrypt a copy of the protected page; store the encrypted copy of the protected page from the source memory location to the destination memory location, while the protected page remains valid and accessible within the protected memory; and configure a value to indicate that the encrypted copy of the protected page was stored out of the protected memory while the protected page remained valid and accessible within the protected memory. 2. The processor of claim 1 , wherein the execution unit to perform the instruction is to encrypt the value with the copy of the protected page prior to the encrypted copy of the protected page being stored to the destination memory location. 3. The processor of claim 1 , wherein the execution unit to perform the instruction is encrypt the copy of the protected page with a migratable key that is not bound to a platform having the processor and is allowed to be migrated with the encrypted copy of the protected page away from the platform over a network. 4. The processor of claim 1 , wherein the execution unit to perform the instruction is perform at least one security check prior to the encrypted copy of the protected page being stored to the destination memory location. 5. The processor of claim 4 , wherein the at least one security check comprises a check to ensure that the protected page is write protected. 6. The processor of claim 4 , wherein the at least one security check further comprises a check to ensure that any cached address translations for the protected page after it has been write protected, including their access permissions, have been flushed from one or more translation lookaside buffers (TLBs) of the processor after a write protection of the protected page. 7. The processor of claim 1 , wherein the execution unit to perform the instruction is update a version of the protected page in a version structure. 8. The processor of claim 7 , wherein the version structure is to be used to store both versions of protected pages that are to have been live stored out as well as versions of protected pages that are to have been paged out through paging. 9. The processor of claim 1 , wherein the decode unit is to decode the instruction that is to indicate the source memory location, within the protected memory which is to be an enclave page cache, where the protected page which is to be a secure enclave page is to be stored. 10. A processor comprising: an interface to receive a control primitive, the control primitive to indicate a source memory location, within a protected memory, where a protected page is to be stored, and the control primitive to indicate a destination memory location, outside of the protected memory; a core coupled with the interface to perform the control primitive, including to: encrypt a copy of the protected page; store the encrypted copy of the protected page from the source memory location to the destination memory location, while the protected page remains valid and accessible within the protected memory; and configure a value to indicate that the encrypted copy of the protected page was stored out of the protected memory while the protected page remained valid and accessible within the protected memory. 11. The processor of claim 10 , wherein the core to perform the control primitive is to encrypt the copy of the protected page with a migratable key that is not bound to a platform having the processor and is allowed to be migrated with the encrypted copy of the protected page away from the platform over a network. 12. The processor of claim 10 , wherein the core to perform the control primitive is to encrypt the value with the copy of the protected page, prior to the storage of the encrypted copy of the protected page to the destination memory location. 13. The processor of claim 10 , wherein the core to perform the control primitive is to update a version of the protected page in a version structure. 14. The processor of claim 10 , wherein the core to perform the control primitive is to perform at least one security check prior to the storage of the copy of the protected page to the destination memory location. 15. A method performed by a processor comprising: accessing a protected page at a source memory location within a protected memory; encrypting a copy of the protected page; storing the encrypted copy of the protected page from the source memory location to destination memory location, while the protected page remains valid and accessible within the protected memory; and configuring a value to indicate that the encrypted copy of the protected page was stored out of the protected memory while the protected page remains valid and accessible within the protected memory. 16. The method of claim 15 , wherein said encrypting comprises encrypting the value with the copy of the protected page, prior to said storing the encrypted copy of the protected page to the destination memory location. 17. The method of claim 15 , wherein said encrypting comprises encrypting the copy of the protected page with a migratable key, and further comprising migrating the migratable key from a platform having the processor to a destination over a network. 18. The method of claim 15 , further comprising performing at least one security check prior to said storing the copy of the protected page to the destination memory location. 19. The method of claim 15 , further comprising updating a version of the protected page in a version structure. 20. The method of claim 15 , further comprising live migrating the encrypted copy of the protected page from a source computer system having the processor to a destination computer system over a network as part of a live migration.
Assignees
Inventors
Classifications
- G06F21/78Primary
to assure secure storage of data (address-based protection against unauthorised use of memory G06F12/14; record carriers for use with machines and with at least a part designed to carry digital markings G06K19/00) · CPC title
Instruction analysis, e.g. decoding, instruction word fields · CPC title
Protecting personal data, e.g. for financial or medical purposes · CPC title
Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities · CPC title
in cryptographic circuits · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US11023622B2 cover?
- A method performed by a processor of an aspect includes accessing an encrypted copy of a protected container page stored in a regular memory. A determination is made whether the protected container page was live stored out, while able to remain useable in, protected container memory. The method also includes either performing a given security check, before determining to store the protected con…
- Who is the assignee on this patent?
- Intel Corp
- What technology area does this patent fall under?
- Primary CPC classification G06F21/78. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Jun 01 2021 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).