Scalable access control checking for cross-address-space data movement

US12455701B2 · US · B2

Patent metadata
Field               Value
Publication number  US-12455701-B2
Application number  US-202217711928-A
Country             US
Kind code           B2
Filing date         Apr 1, 2022
Priority date       Jul 27, 2021
Publication date    Oct 28, 2025
Grant date          Oct 28, 2025

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Methods and apparatus relating to scalable access control checking for cross-address-space data movement are described. In an embodiment, a memory stores an Inter-Domain Permissions Table (IDPT) having a plurality of entries. At least one entry of the IDPT provides a relationship between a target address space identifier and a plurality of requester address space identifiers. A hardware accelerator device allows access to a target address space, corresponding to the target address space identifier, by one or more requesters, corresponding to the plurality of requester address space identifiers, respectively, based at least in part on the relationship provided by the at least one entry of the IDPT. Other embodiments are also disclosed and claimed.

Claims

Full claim text. Claim 1 is the first independent claim; claims 11 and 16 are the parallel media and method claims.

The invention claimed is:

1. An apparatus comprising: a memory to store an Inter-Domain Permissions Table (IDPT) having a plurality of entries, wherein a single entry of the IDPT is to provide a relationship between an access address space identifier and a plurality of submitter address space identifiers; and a hardware accelerator device to allow access to an access address space, corresponding to the access address space identifier, by one or more submitters, corresponding to the plurality of submitter address space identifiers, respectively, based at least in part on the relationship provided by the single entry of the IDPT, wherein allowing the access comprises finding the single entry within the IDPT, the single entry being capable of identifying the plurality of submitter address space identifiers including submitter address space identifiers that correspond to the one or more submitters.

2. The apparatus of claim 1, wherein each of the access address space identifiers and the plurality of submitter address space identifiers is one of: a node identifier, machine identifier, network identifier, virtual-machine identifier, or a Process Address Space Identifier (PASID).

3. The apparatus of claim 1, wherein the single entry of the IDPT is to store an identifier bitmap address.

4. The apparatus of claim 3, wherein the identifier bitmap address is to point to an access control bitmap, wherein each bit in the access control bitmap is to indicate whether a submitter corresponding to that bit is allowed to use a corresponding IDPT entry.

5. The apparatus of claim 1, wherein the single entry of the IDPT is to store one or more of: an identifier bitmap address, a window size, a window base, the access address space identifier, one or more of the plurality of submitter address space identifiers, a type identifier, a valid status identifier, one or more control fields, and one or more access permissions.

6. The apparatus of claim 1, wherein, in a virtualized environment, for a guest operating system (OS) to utilize one or more capabilities of the IDPT, a virtual memory range bitmap is to be accessed by a hypervisor to restrict a set of access identifiers that the guest OS is allowed to access.

7. The apparatus of claim 6, wherein system software is to manage one of allocation and configuration of the virtual memory range bitmap, wherein the system software is to utilize a sparse memory mapping to support physical memory mapping for actively used portions of the virtual memory range bitmap.

8. The apparatus of claim 7, wherein the system software comprises an operating system.

9. The apparatus of claim 6, wherein the virtual memory range bitmap is to be mapped through Input/Output Memory Management Unit (IOMMU) page tables.

10. The apparatus of claim 1, wherein a processor, having one or more processor cores, comprises the hardware accelerator device and/or the memory.

11. One or more non-transitory computer-readable media comprising one or more instructions that when executed on a processor configure the processor to perform one or more operations to cause: a memory to store an Inter-Domain Permissions Table (IDPT) having a plurality of entries, wherein a single entry of the IDPT is to provide a relationship between an access address space identifier and a plurality of submitter address space identifiers; and a hardware accelerator device to allow access to an access address space, corresponding to the access address space identifier, by one or more submitters, corresponding to the plurality of submitter address space identifiers, respectively, based at least in part on the relationship provided by the single entry of the IDPT, wherein allowing the access comprises finding the single entry within the IDPT, the single entry being capable of identifying the plurality of submitter address space identifiers including submitter address space identifiers that correspond to the one or more submitters.

12. The one or more non-transitory computer-readable media of claim 11, wherein each of the access address space identifiers or the plurality of submitter address space identifiers is one of: a node identifier, machine identifier, network identifier, virtual-machine identifier, or a Process Address Space Identifier (PASID).

13. The one or more non-transitory computer-readable media of claim 11, further comprising one or more instructions that when executed on the one processor configure the processor to perform one or more operations to cause the single entry of the IDPT to store an identifier bitmap address.

14. The one or more non-transitory computer-readable media of claim 11, further comprising one or more instructions that when executed on the one processor configure the processor to perform one or more operations, in a virtualized environment, for a guest operating system (OS) to utilize one or more capabilities of the IDPT, to cause a virtual memory range bitmap to be accessed by a hypervisor to restrict a set of access identifiers that the guest OS is allowed to access.

15. The one or more non-transitory computer-readable media of claim 14, further comprising one or more instructions that when executed on the one processor configure the processor to perform one or more operations to cause system software to manage one of allocation and configuration of the virtual memory range bitmap, wherein the system software is to utilize a sparse memory mapping to support physical memory mapping for actively used portions of the virtual memory range bitmap.

16. A method comprising: storing in a memory an Inter-Domain Permissions Table (IDPT) having a plurality of entries, wherein a single entry of the IDPT provides a relationship between an access address space identifier and a plurality of submitter address space identifiers; and allowing access, at a hardware accelerator device, to an access address space, corresponding to the access address space identifier, by one or more submitters, corresponding to the plurality of submitter address space identifiers, respectively, based at least in part on the relationship provided by the single entry of the IDPT, wherein allowing the access comprises finding the single entry within the IDPT, the single entry being capable of identifying the plurality of submitter address space identifiers including submitter address space identifiers that correspond to the one or more submitters.

17. The method of claim 16, wherein each of the access address space identifiers or the plurality of submitter address space identifiers is one of: a node identifier, machine identifier, network identifier, virtual-machine identifier, or a Process Address Space Identifier (PASID).

18. The method of claim 16, further comprising the single entry of the IDPT storing an identifier bitmap address.

19. The method of claim 16, further comprising, in a virtualized environment for a guest operating system (OS) to utilize one or more capabilities of the IDPT, a virtual memory range bitmap is to be accessed by a hypervisor to restrict a set of access identifiers that the guest OS is allowed to access.

20. The method of claim 16, further comprising the single entry of the IDPT storing one or more of: an identifier bitmap address, a window size, a window base, the access address space identifier, one or more of the plurality of submitter address space identifiers, a type identifier, a valid status identifier, one or more control fields, and one or more access permissions.
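The abstract and claims 1, 4, 5 and 6 together describe the check: one IDPT entry per target (access) address space, a bitmap addressed from that entry with one bit per submitter, a window base and size bounding what part of the target space may be touched, and, in a virtualized setting, a hypervisor-managed range bitmap that limits which target identifiers a guest may name at all. The scalability point is that authorizing another submitter for a target sets one bit instead of adding a (submitter, target) row, so the table grows with the number of targets rather than with the product of targets and submitters. The following is an added software model of that check, written for this page; it is not code from the patent, from Intel, or from any accelerator driver. The field widths, the 1024-PASID bound, the IDPT_PERM_* encoding, the result codes, and the function names (idpt_check, idpt_find, bitmap_test, idpt_demo_check, idpt_demo_guest_check) are assumptions made for the example; the sample table is constructed inline. The sparse mapping of the range bitmap (claims 7 and 9) is not modelled, since it concerns how the bitmap is backed by memory, not what the check computes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical IDPT model. Field names follow claim 5; widths, the permission
 * encoding and the 1024-PASID limit are assumptions for this example only. */
#define IDPT_PERM_READ  0x1u
#define IDPT_PERM_WRITE 0x2u
#define MAX_PASID       1024u
#define BITMAP_WORDS    (MAX_PASID / 64u)

struct idpt_entry {
    bool            valid;            /* valid status identifier */
    uint32_t        access_pasid;     /* target (access) address space */
    uint64_t        window_base;      /* shared window inside the target space */
    uint64_t        window_size;
    uint8_t         permissions;      /* IDPT_PERM_* granted to submitters */
    const uint64_t *submitter_bitmap; /* identifier bitmap: bit i set => PASID i may use entry */
};

struct idpt { const struct idpt_entry *entries; size_t n_entries; };

enum idpt_result { IDPT_ALLOW, IDPT_GUEST_DENIED, IDPT_NO_ENTRY,
                   IDPT_SUBMITTER_DENIED, IDPT_OUT_OF_WINDOW, IDPT_PERM_DENIED };

/* Out-of-range identifiers are treated as "bit clear", never as an index. */
static bool bitmap_test(const uint64_t *bm, uint32_t idx) {
    return idx < MAX_PASID && ((bm[idx / 64u] >> (idx % 64u)) & 1u);
}

/* One entry per target address space: the single lookup claim 1 describes. */
static const struct idpt_entry *idpt_find(const struct idpt *t, uint32_t access_pasid) {
    for (size_t i = 0; i < t->n_entries; i++)
        if (t->entries[i].valid && t->entries[i].access_pasid == access_pasid)
            return &t->entries[i];
    return NULL;
}

/* Check a proposed move of [addr, addr+len) in the target address space.
 * guest_targets models the hypervisor-managed range bitmap of claim 6 (bit i set
 * => the guest may name target i); pass NULL for a non-virtualized submitter. */
enum idpt_result idpt_check(const struct idpt *t, const uint64_t *guest_targets,
                            uint32_t submitter_pasid, uint32_t access_pasid,
                            uint64_t addr, uint64_t len, uint8_t perm) {
    if (guest_targets && !bitmap_test(guest_targets, access_pasid))
        return IDPT_GUEST_DENIED;          /* guest may not even name this target */
    const struct idpt_entry *e = idpt_find(t, access_pasid);
    if (!e)
        return IDPT_NO_ENTRY;
    if (!bitmap_test(e->submitter_bitmap, submitter_pasid))
        return IDPT_SUBMITTER_DENIED;
    /* Overflow-safe containment: len > 0, addr >= base, addr + len <= base + size. */
    if (len == 0 || addr < e->window_base || len > e->window_size ||
        addr - e->window_base > e->window_size - len)
        return IDPT_OUT_OF_WINDOW;
    if ((perm & e->permissions) != perm)
        return IDPT_PERM_DENIED;
    return IDPT_ALLOW;
}

/* Constructed sample: target PASID 7 exposes a read-only 4 KiB window at 0x10000
 * to submitters 3 and 100; the modelled guest's range bitmap names only target 7. */
static uint64_t demo_submitters[BITMAP_WORDS];
static uint64_t demo_guest_targets[BITMAP_WORDS];
static struct idpt_entry demo_entries[1];
static struct idpt demo_table = { demo_entries, 1 };

void idpt_demo_init(void) {
    memset(demo_submitters, 0, sizeof demo_submitters);
    memset(demo_guest_targets, 0, sizeof demo_guest_targets);
    demo_submitters[3 / 64] |= 1ull << (3 % 64);
    demo_submitters[100 / 64] |= 1ull << (100 % 64);
    demo_guest_targets[7 / 64] |= 1ull << (7 % 64);
    demo_entries[0] = (struct idpt_entry){ .valid = true, .access_pasid = 7,
        .window_base = 0x10000, .window_size = 0x1000,
        .permissions = IDPT_PERM_READ, .submitter_bitmap = demo_submitters };
}

/* Request from a submitter that is not behind a hypervisor range bitmap. */
enum idpt_result idpt_demo_check(uint32_t submitter, uint32_t target,
                                 uint64_t addr, uint64_t len, uint8_t perm) {
    idpt_demo_init();
    return idpt_check(&demo_table, NULL, submitter, target, addr, len, perm);
}

/* The same request issued from inside the modelled guest. */
enum idpt_result idpt_demo_guest_check(uint32_t submitter, uint32_t target,
                                       uint64_t addr, uint64_t len, uint8_t perm) {
    idpt_demo_init();
    return idpt_check(&demo_table, demo_guest_targets, submitter, target, addr, len, perm);
}
```

Calling idpt_demo_check(3, 7, 0x10000, 0x100, IDPT_PERM_READ) returns IDPT_ALLOW, while submitter 4, a write, a range that crosses the end of the window, or a target with no entry each fail at a distinct step. Two details matter for a practitioner reading the claims as a security boundary: the submitter bitmap is only as trustworthy as whoever can write the memory the identifier bitmap address points to, so that memory belongs to system software and not to any submitter; and the window check must be written overflow-safe, because a device-facing check that computes addr + len directly can be wrapped past the window by a large length.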

Assignees

Intel Corp
Inventors

Classifications

  • Memory management, e.g. access or allocation · CPC title

  • Hypervisor-specific management and integration aspects · CPC title

  • Non-volatile semiconductor memory device, e.g. flash memory, one time programmable memory [OTP] · CPC title

  • Improving or facilitating administration, e.g. storage management · CPC title

  • using an access-table, e.g. matrix or list · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12455701B2 cover?
Methods and apparatus relating to scalable access control checking for cross-address-space data movement are described. In an embodiment, a memory stores an Inter-Domain Permissions Table (IDPT) having a plurality of entries. At least one entry of the IDPT provides a relationship between a target address space identifier and a plurality of requester address space identifiers. A hardware acceler…
Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification G06F3/0655. Mapped technology areas include Physics.
When was this patent published?
Publication date Oct 28, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).