Systems and methods for policy execution processing

What is claimed is: 1. A method of processing instructions, comprising: (a) in a host processing domain, by a host processor: receiving at least one instruction comprising (i) operand information relating to one or more operands, and (ii) operation information indicative of an operation to be performed on the one or more operands; executing the operation indicated in the operation information on the one or more operands to generate operation output information; and providing, to a metadata processing domain, instruction information and the operation output information; and (b) in the metadata processing domain: by a tag processing unit: receiving, from the host processing domain, the instruction information and the operation output information; using the instruction information to obtain one or more input metadata tags associated with the at least one instruction; only upon satisfaction of a rule associated with the one or more input metadata tags, generating a shadow copy of a current state of the host processor and store the shadow copy of the current state of the host processor in a shadow register; and when the rule associated with the one or more input metadata tags has not been satisfied, unwinding the host processor according to a previous state that was stored in the shadow register. 2. The method of claim 1 , wherein the shadow copy of the current state of the host processor comprises write-back information received in connection with the at least one instruction. 3. The method of claim 1 , wherein the shadow copy of the current state of the host processor comprises a state of register files and control/status registers (CSRs). 4. The method of claim 1 , wherein the previous state that was stored in the shadow register is a most-recently-allowed state of the host processor that did not violate any policy. 5. The method of claim 1 , further comprising, in the metadata processing domain: by a write interlock: receiving, from the host processing domain, the operation output information; and placing the operation output information into a queue; by the tag processing unit: determining, in accordance with one or more policies being enforced and in accordance with the one or more input metadata tags associated with the at least one instruction, whether the at least one instruction is allowed; and responsive to a determination that the instruction is allowed, causing the queue of the write interlock to write to memory the operation output information in a manner that associates the operation output information with at least one output metadata tag. 6. The method of claim 5 , the tag processing unit comprises a rule cache configured to store one or more rule entries of at least one policy of the one or more policies enforced by the metadata processing domain. 7. The method of claim 6 , further comprising determining that the instruction is allowed by: determining that the rule cache stores a rule entry matching the one or more input metadata tags associated with the at least one instruction. 8. The method of claim 7 , further comprising, by the tag processing unit, using information stored in the rule entry to provide the at least one output metadata tag to be associated with the operation output information. 9. The method of claim 6 , the metadata processing domain comprises a policy execution processor, and the determination that the instruction is allowed comprises: determining that the rule cache does not store a rule entry matching the one or more input metadata tags associated with the at least one instruction; responsive to a determination that the rule cache does not store a rule entry matching the one or more input metadata tags associated with the at least one instruction, providing, to the policy execution processor, the one or more input metadata tags associated the at least one instruction; and receiving, from the policy execution processor, the at least one output metadata tag to be associated with the operation output information. 10. The method of claim 9 , the policy execution processor is configured to: receiving, from the tag processing unit, the one or more input metadata tags associated with the at least one instruction; policy code against the one or more input metadata tags associated with the at least one instruction to determine whether the at least one instruction is allowed; and responsive to a determination that the at least one instruction is allowed, installing, into the rule cache, a rule entry based on the one or more input metadata tags associated with the at least one instruction and the at least one output metadata tag. 11. The method of claim 9 , further comprising, by the policy execution processor, executing a secure boot operation, the policy execution processor comprising a boot Read Only Memory (ROM) that stores one or more public keys, and stores code that can (i) read an image from an external memory device, authenticate and decrypt the image using the one or more public keys, and enable the host processor to continue its boot process upon successful authentication and decryption. 12. The method of claim 11 , the boot operation comprises: at reset, the host processor remaining held in a reset state; the policy execution processor: (i) starting execution at its reset vector; (ii) booting policy software into its own memory space; (iii) configuring one or more memory fabric protection configuration registers to define memory regions that each initiator can access, to protect a region of memory to hold a policy data segment; (iv) initializing the policy data segment; (v) copying a boot-loader for the host processor from the external memory device into main memory; and (vii) releasing the host processor from the reset state. 13. The method of claim 5 , further comprising: by the host processor, providing, to the metadata processing domain, update information indicative of one or more updates to the host processor's state as a result of executing the at least one instruction; and by the metadata processing domain, responsive to a determination that the at least one instruction is allowed, using the update information to update a shadow register configured to store a shadow copy of the host processing domain as of a most-recently-allowed instruction. 14. The method of claim 13 , the at least one instruction comprises a first instruction, the instruction information comprises first instruction information, and the one or more input metadata tags comprise one or more first input metadata tags, and further comprising, by the tag processing unit: receiving, from the host processing domain, second instruction information relating to a second instruction executed by the host processor; using the second instruction information to obtain one or more second input metadata tags associated with the second instruction; determining, in accordance with the one or more policies being enforced and in accordance with the one or more second metadata tags associated with the second instruction, whether the second instruction is allowed; and responsive to a determination that the second instruction is not allowed, communicating one or more rollback signals to the host processing domain to restore a state of the host processing domain to the shadow copy of the host processing domain. 15. The method of claim 5 , the one or more input metadata tags are inaccessible to the host processor. 16. The method of claim 5 , the instruction information comprises at least one piece of information selected from a group consisting of: i