Confidential compute architecture integrated with direct swap caching

US12353902B2 · US · B2

Patent metadata

Publication number: US-12353902-B2
Application number: US-202217716823-A
Country: US
Kind code: B2
Filing date: Apr 8, 2022
Priority date: Apr 8, 2022
Publication date: Jul 8, 2025
Grant date: Jul 8, 2025

Abstract

Official abstract text for this publication.

Systems and methods for a confidential compute architecture integrated with direct swap caching are described. An example method for managing a near memory and a far memory includes, in response to determining that the far memory contains an encrypted version of a first block of data, retrieving from the far memory the encrypted version of the first block of data, decrypting the first block of data using a first key for exclusive use by a first virtual machine associated with the system, and providing a decrypted version of the first block of data to the requestor. The method further includes swapping out a second block of data having an address conflict with the first block of data from the near memory to the far memory, where the second block of data is encrypted using a second key for exclusive use by a second virtual machine associated with the system.

First claim

Opening claim text (preview).

What is claimed:

1. A method for managing a system having a near memory and a far memory, the method comprising: receiving a read request from a requestor to read a first block of data that is either stored in the near memory or in the far memory, wherein the read request includes a first key associated with a first virtual machine corresponding to the system, wherein the first key is for exclusive use by the first virtual machine; in response to determining that the far memory contains an encrypted version of the first block of data: (1) retrieving from the far memory the encrypted version of the first block of data, decrypting the first block of data using the first key, and providing a decrypted version of the first block of data to the requestor, and (2) swapping out a second block of data having an address conflict with the first block of data from the near memory to the far memory, wherein the second block of data is encrypted using a second key associated with a second virtual machine corresponding to the system, and wherein the second key is for exclusive use by the second virtual machine; and analyzing a metadata portion associated with the first block of data, the metadata portion including: (1) first information related to whether the near memory contains the first block of data or whether the far memory contains the first block of data, (2) second information comprising a first trusted domain identifier value associated with the second block of data stored in the near memory, and (3) third information comprising a second trusted domain identifier value associated with the first block of data stored in the far memory, wherein each of the first trusted domain identifier value and the second trusted domain identifier value is managed by a near memory controller associated with the near memory regardless of whether the first block of data is stored in the near memory or the far memory.

2. The method of claim 1, wherein determining that the far memory contains an encrypted version of the first block of data comprises analyzing the first information included in the metadata portion associated with the first block of data.

3. The method of claim 1, wherein the far memory is associated with a far memory system having a root port and an endpoint separated by at least one physical link, and wherein a transaction over the at least one physical link corresponding to the read request is encrypted resulting in a double encryption of the first block of data during transit over the at least one physical link.

4. The method of claim 1, wherein the far memory is associated with a far memory system having a root port and an endpoint separated by at least one physical link, and wherein the method further comprises performing an integrity check for a set of transactions between the root port and the endpoint over the at least one physical link.

5. The method of claim 1, wherein neither the first trusted domain identifier value nor the second trusted domain identifier value is transmitted to the far memory.

6. The method of claim 1, wherein the second information comprises a same trusted domain identifier value associated with the second block of data regardless of whether the second block of data is stored in the near memory or the far memory.

7. The method of claim 1, wherein each of the first block of data and the second block of data comprises a cache line for a central processing unit (CPU) associated with the system.

8. A system having a near memory and a far memory, the system comprising: a near memory controller configured to receive a read request from a requestor to read a first block of data that is either stored in the near memory or in the far memory, wherein the read request includes a first key associated with a first virtual machine corresponding to the system, wherein the first key is for exclusive use by the first virtual machine; the near memory controller further configured to in response to determining that the far memory contains an encrypted version of the first block of data: (1) retrieve from the far memory the encrypted version of the first block of data, decrypting the first block of data using the first key, and provide a decrypted version of the first block of data to the requestor, and (2) swap out a second block of data having an address conflict with the first block of data from the near memory to the far memory, wherein the second block of data is encrypted using a second key associated with a second virtual machine corresponding to the system, and wherein the second key is for exclusive use by the second virtual machine; and wherein the near memory controller is further configured to analyze a metadata portion associated with the first block of data, the metadata portion having: (1) first information related to whether the near memory contains the first block of data or whether the far memory contains the first block of data, (2) second information comprising a first trusted domain identifier value associated with the second block of data stored in the near memory and (3) third information comprising a second trusted domain identifier value associated with the first block of data stored in the far memory, and wherein each of the first trusted domain identifier value and the second trusted domain identifier value is managed by the near memory controller regardless of whether the first block of data is stored in the near memory or the far memory.

9. The system of claim 8, wherein as part of determining that the far memory contains an encrypted version of the first block of data, the near memory controller is further configured to analyze the first information included in the metadata portion associated with the first block of data.

10. The system of claim 8, wherein the far memory is associated with a far memory system having a root port and an endpoint separated by at least one physical link, and wherein a transaction over the at least one physical link corresponding to the read request is encrypted by the far memory system, resulting in a double encryption of the first block of data during transit over the at least one physical link.

11. The system of claim 8, wherein the far memory is associated with a far memory system having a root port and an endpoint separated by at least one physical link, and wherein, using a message authentication code, an integrity check is performed for any transactions over the at least one physical link.

12. The system of claim 8, wherein neither the first trusted domain identifier value nor the second trusted domain identifier value is transmitted to the far memory.

13. The system of claim 8, wherein the second information comprises a same trusted domain identifier value associated with the second block of data regardless of whether the second block of data is stored in the near memory or the far memory.

14. The system of claim 8, wherein the system further comprises a central processing unit (CPU), and wherein each of the first block of data and the second block of data comprises a cache line for the CPU.

15. A method for managing a system having a near memory and a far memory, wherein the far memory is associated with a far memory system having a root port and an endpoint separated by at least one physical link, the method comprising: performing an integrity check for a set of transactions between the root port and the endpoint over the at least one physical link; receiving a read request from a requestor to read a first block of data that is either stored in the near memory or in the far memory, wherein the read request includes a first key associated with a first

Classifications

CPC titles:

  • Memory management, e.g. access or allocation
  • I/O management, e.g. providing access to device drivers or storage
  • Distribution of virtual machine instances; Migration and load balancing
  • adapted to multidimensional cache systems, e.g. set-associative, multicache, multiset or multilevel
  • Key-lock mechanism

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification G06F9/45558. Mapped technology areas include Physics.
When was this patent published?
Publication date Jul 8, 2025 (B2). Legal status and post-grant events are not shown on this page.