Cache behavior for secure memory repartitioning systems
US-2019102324-A1 · Apr 4, 2019 · US
US11030120B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11030120-B2 |
| Application number | US-201916454481-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 27, 2019 |
| Priority date | Jun 27, 2019 |
| Publication date | Jun 8, 2021 |
| Grant date | Jun 8, 2021 |
Official abstract text for this publication.
A processor includes a cryptographic engine to control access, using a secure region key identifier (ID), to one or more memory ranges of memory allocable for flexible conversion to secure pages of architecturally-protected memory regions, and a processor core. The processor core is to, responsive to receipt of a request to access the memory, perform a walk of page tables and extended page tables to translate a linear address of the request to a physical address of the memory. The processor core is further to determine that the physical address corresponds to a secure page within the one or more memory ranges of the memory, that a first key ID located within the physical address does not match the secure region key ID, and issue a page fault and deny access to the secure page in the memory.
Opening claim text (preview).
What is claimed is:

1. A processor comprising: a cryptographic engine to control access, using a secure region key identifier (ID), to one or more memory range of memory allocable for flexible conversion to secure pages of architecturally-protected memory regions; and a processor core coupled to the cryptographic engine, the processor core to: determine that a physical address associated with a request to access the memory corresponds to a secure page within the one or more memory range of the memory; determine that a first key ID located within the physical address does not match the secure region key ID; and issue a page fault and deny access to the secure page in the memory, wherein one of: the processor core further comprises a set of instructions in firmware that performs a basic input-output system (BIOS), wherein the processor core is to execute the set of instructions to: discover that a host-convertible secure region mode and a secure extensions mode are enabled, program a secure extensions key into the cryptographic engine to correspond to the secure region key ID, and reserve the one or more memory range of the memory for flexible conversion to the secure pages, or the processor core is further to map, using the secure key ID, a guest virtual address of the secure page to a second physical address within page tables and extended page tables, such that the second physical address contains the secure region key ID.
2. The processor of claim 1, wherein the one is the processor core further comprises the set of instructions in firmware that performs the basic input-output system (BIOS), wherein the processor core is to execute the set of instructions to: discover that the host-convertible secure region mode and the secure extensions mode are enabled; program the secure extensions key into the cryptographic engine to correspond to the secure region key ID; and reserve the one or more memory range of the memory for flexible conversion to the secure pages.
3. The processor of claim 2, wherein the processor core is further to execute memory check firmware to fail a memory check process in response to detection that the secure region key ID has not been allocated for use with the secure extensions key.
4. The processor of claim 2, wherein the processor core is further to execute the set of instructions to allocate one of a plurality of key IDs for exclusive use as the secure region key ID.
5. The processor of claim 2, wherein the processor core is further to execute a central processor unit identifier (CPUID) instruction, wherein the CPUID instruction having: first register inputs to determine the one or more memory range of the memory allocated for flexible conversion to secure pages; and second register inputs to determine the secure key ID and associated security properties.
6. The processor of claim 1, wherein the one is the processor core is further to map, using the secure key ID, the guest virtual address of the secure page to the second physical address within page tables and extended page tables, such that the second physical address contains the secure region key ID.
7. A processor comprising: a cryptographic engine to control access, using a secure region key identifier (ID), to one or more memory range of memory allocable for flexible conversion to secure pages of architecturally protected memory regions; and a processor core coupled to the cryptographic engine, the processor core to: determine that a physical address associated with a request to access the memory corresponds to a non-secure page of the memory; determine that a first key ID, which is located within the physical address, matches the secure region key ID; and deny access to the non-secure page of the memory, wherein one of: the processor core is further to: replace the physical address in the request with an abort page address, which links to an abort page containing incorrect data, and allow access, by a system agent that issued the request, to the abort page, or the processor core further comprises a set of instructions in firmware that performs a basic input-output system (BIOS), wherein the processor core is to execute the set of instructions to: discover that a host-convertible secure region mode and a secure extensions mode are enabled, program a secure extensions key into the cryptographic engine to correspond to the secure region key ID, and reserve the one or more memory range of the memory for flexible conversion to the secure pages.
8. The processor of claim 7, wherein the one is the processor core is further to: replace the physical address in the request with the abort page address, which links to the abort page containing incorrect data; and allow access, by the system agent that issued the request, to the abort page.
9. The processor of claim 7, wherein the one is the processor core further comprises the set of instructions in firmware that performs the basic input-output system (BIOS), wherein the processor core is to execute the set of instructions to: discover that the host-convertible secure region mode and the secure extensions mode are enabled; program the secure extensions key into the cryptographic engine to correspond to the secure region key ID; and reserve the one or more memory range of the memory for flexible conversion to the secure pages.
10. The processor of claim 9, wherein the processor core is further to execute the set of instructions to allocate one of a plurality of key IDs for exclusive use as the secure region key ID.
11. The processor of claim 9, wherein the processor core is further to execute memory check firmware to fail a memory check process in response to detection that the secure region key ID has not been allocated for use with the secure extensions key.
12. The processor of claim 9, wherein the processor core is further to execute a central processor unit identifier (CPUID) instruction, wherein the CPUID instruction having: first register inputs to determine the one or more memory range of the memory allocated for flexible conversion to secure pages; and second register inputs to determine the secure region key ID and associated security properties.
13. A system comprising: a cache and home agent (CHA) of a memory subsystem, the CHA to: set a mesh secure bit of a cache line in response to detection that a first key identifier (ID) in a physical address of the cache line matches a secure region key ID; and issue a write operation to memory for the cache line; and a cryptographic engine coupled to the CHA, wherein the cryptographic engine is to set a memory secure bit, which resides in metadata of the cache line in the memory, to a value of the mesh secure bit as part of completion of the write operation.
14. The system of claim 13, wherein the cryptographic engine is further to: detect a read operation directed to the cache line stored in the memory; and to fulfill the read operation, return a poison bit to a requesting agent in response to detection of a mismatch between values of mesh secure bit and memory secure bit.
15. The system of claim 14, wherein the cryptographic engine, to fulfill the read operation, is further to return a fixed pattern of data to the requesting agent.
16. The system of claim 13, wherein the cryptographic engine is further to: detect a read operation directed to the cache line stored in the memory; and to fulfill the read operation, return data of the cache line to a requesting agent in response to a determination that values of the mesh secure bit and the memory se
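The two access-control rules in claims 1 and 7 (a secure page reached with the wrong key ID faults; a non-secure page reached with the secure region key ID is silently redirected to an abort page) and the mesh/memory secure-bit integrity check of claims 13 to 16 can be written out as one small software model. The following C is an added illustration, not code from the patent or from any processor vendor: the position and width of the key ID field in the physical address, the abort page address, and the 0xFF fill used as the "fixed pattern" are all constructed assumptions chosen so the model runs stand-alone.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed model: the key ID lives in a 4-bit field at bit 40 of the
 * physical address. Real parts choose their own field; this is an assumption. */
#define KEYID_SHIFT 40
#define KEYID_MASK  ((uint64_t)0xF << KEYID_SHIFT)
/* Hypothetical abort page address (carries no key ID bits). */
#define ABORT_PAGE_PA ((uint64_t)0xFFFF000)
#define LINE_BYTES 64

typedef enum { ACCESS_ALLOW, ACCESS_PAGE_FAULT, ACCESS_REDIRECT_ABORT } access_result_t;

static uint64_t key_id_of(uint64_t pa) { return (pa & KEYID_MASK) >> KEYID_SHIFT; }

/* Core-side check after the page walk (claims 1, 7, 8).
 * page_is_secure: whether the page was converted to a secure page.
 * out_pa receives the address the request actually proceeds with. */
access_result_t check_access(uint64_t pa, bool page_is_secure,
                             uint64_t secure_key_id, uint64_t *out_pa)
{
    uint64_t kid = key_id_of(pa);
    if (page_is_secure && kid != secure_key_id) {
        *out_pa = pa;                  /* claim 1: page fault, access denied */
        return ACCESS_PAGE_FAULT;
    }
    if (!page_is_secure && kid == secure_key_id) {
        *out_pa = ABORT_PAGE_PA;       /* claims 7/8: serve the abort page instead */
        return ACCESS_REDIRECT_ABORT;
    }
    *out_pa = pa;
    return ACCESS_ALLOW;
}

/* A cache line as stored in memory, with its metadata secure bit (claim 13). */
typedef struct { uint64_t pa; uint8_t data[LINE_BYTES]; bool mem_secure_bit; } mem_line_t;
typedef struct { bool poison; uint8_t data[LINE_BYTES]; } read_result_t;

/* CHA (claim 13): mesh secure bit is set when the key ID in the line's
 * physical address matches the secure region key ID. */
bool cha_mesh_secure_bit(uint64_t pa, uint64_t secure_key_id)
{
    return key_id_of(pa) == secure_key_id;
}

/* Write completion (claim 13): the engine copies the mesh secure bit into
 * the memory secure bit held in the line's metadata. */
void engine_write(mem_line_t *line, uint64_t pa, const uint8_t *data, uint64_t secure_key_id)
{
    line->pa = pa;
    memcpy(line->data, data, LINE_BYTES);
    line->mem_secure_bit = cha_mesh_secure_bit(pa, secure_key_id);
}

/* Read (claims 14-16): the requester's mesh secure bit must equal the stored
 * memory secure bit; otherwise return poison plus a fixed pattern (0xFF assumed). */
read_result_t engine_read(const mem_line_t *line, uint64_t req_pa, uint64_t secure_key_id)
{
    read_result_t r;
    r.poison = false;
    bool mesh = cha_mesh_secure_bit(req_pa, secure_key_id);
    if (mesh != line->mem_secure_bit) {
        r.poison = true;
        memset(r.data, 0xFF, LINE_BYTES);
        return r;
    }
    memcpy(r.data, line->data, LINE_BYTES);
    return r;
}

int main(void)
{
    const uint64_t SECURE_KID = 3;                     /* constructed secure region key ID */
    uint64_t secure_pa = ((uint64_t)SECURE_KID << KEYID_SHIFT) | 0x1000;
    uint64_t out;
    printf("secure page, wrong key -> %d\n",
           check_access(((uint64_t)1 << KEYID_SHIFT) | 0x1000, true, SECURE_KID, &out));
    printf("plain page, secure key -> %d (pa %#llx)\n",
           check_access(secure_pa, false, SECURE_KID, &out), (unsigned long long)out);

    mem_line_t line; uint8_t buf[LINE_BYTES]; memset(buf, 0x42, LINE_BYTES);
    engine_write(&line, secure_pa, buf, SECURE_KID);
    read_result_t r = engine_read(&line, 0x1000, SECURE_KID);   /* read without the key ID */
    printf("secure-bit mismatch on read -> poison=%d data[0]=%#x\n", r.poison, r.data[0]);
    return 0;
}
```

The model makes the defender-relevant point of the claims visible: the key ID travels inside the physical address, so a mismatch is detectable at two independent points, once at the core (page fault or abort-page redirect, so no secure data reaches the requester) and again at the memory controller (a stored secure bit that disagrees with the requester's mesh bit yields poison and a fixed pattern rather than the line contents).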
CPC classification titles:
- to assure secure storage of data (address-based protection against unauthorised use of memory G06F12/14; record carriers for use with machines and with at least a part designed to carry digital markings G06K19/00)
- by using cryptography (for digital transmission H04L9/00)
- in semiconductor storage media, e.g. directly-addressable memories
- with main memory updating (G06F12/0806 takes precedence)
- Loading of operating system