Enforcing memory operand types using protection keys

What is claimed is: 1 . A processor system to provide sandbox execution support for protection key rights attacks, the processor system comprising: a processor core to execute a task associated with an untrusted application, the processor core to execute the task using a designated page of a memory; and a memory management unit, coupled to the processor core, the memory management unit to designate the page of the memory to support execution of the untrusted application, the memory management unit comprising: a storage unit to store a page table entry associated with a page of the memory, the page table entry including a protection key field that identifies a location of a protection key right (PKR) entry; and a PKR register including the PKR entry, the PKR entry including a set of bits; and wherein the memory management unit to, in response to a request to clear a bit of the set of bits of the PKR, deny the request to clear a bit of the set of bits of the PKR based on comparison with a PKR update mask. 2 . The processor system of claim 1 , wherein the page table entry further includes a PKR update mask enable field, wherein the memory management unit to allow the request to clear the execute disable bit responsive to the PKR update mask enable field being cleared. 3 . The processor system of claim 2 , wherein the memory management unit to retrieve the PKR update mask from a register responsive to the PKR update mask enable field being set. 4 . The processor system of claim 3 , wherein the memory management unit includes the register storing the PKR update mask. 5 . The processor system of claim 3 , wherein: the storage unit further to store a second page table entry associated with the designated page of the memory to support execution of the untrusted application, the second page table entry including the protection key field that identifies a location of a second PKR entry; and the PKR register including the second PKR entry, the second PKR entry including a second set of bits; and wherein the memory management unit to, in response to a second request to clear a bit of the second set of bits of the second PKR, allow the request to clear the bit of the second set of bits of the second PKR based on comparison with a second PKR update mask. 6 . The processor system of claim 1 , wherein the PKR register is associated with user PKRs. 7 . The processor system of claim 1 , wherein the processor core to operate in a 64-bit mode to execute the untrusted application. 8 . The processor system of claim 1 , wherein, prior to a start of execution of the untrusted application, the processor core to execute trusted code included in the designated page of the memory to support execution of the untrusted application, wherein the trusted code includes a branch to an instruction of a trusted page of the memory to clear bits of a PKR entry associated with the designated page of the memory to support execution of the untrusted application, wherein the memory management unit to allow the bits of the PKR entry to be cleared based on a set of bits in a PKR entry associated with the trusted page of the memory. 9 . The processor system of claim 1 , wherein the request to clear the bit of the set of bits of the PKR entry includes a request to clear one of an access disable bit, a write disable bit, or an execution disable bit. 10 . A processor system to provide sandbox execution support for protection key rights attacks, the processor system comprising: a processor core to execute a task associated with an untrusted application, the processor core to execute the task using a designated page of a memory; and a a memory management unit, coupled to the processor core, the memory management unit to designate the page of the memory to support execution of the untrusted application, the memory management unit comprising: a storage unit to store a page table entry associated with a page of the memory, the page table entry including a protection key field that identifies a location of a protection key right (PKR) entry and a field that enables a trusted PKR update page of the memory; and a PKR register including the PKR entry, the PKR entry including a set of bits; and wherein the memory management unit to, in response to a request to clear a bit of the set of bits of the PKR, generate a page fault in response to the request originating in a page other than the trusted PKR update page of the memory. 11 . The processor system of claim 10 , wherein the memory management unit to, in response to the field that enables the trusted PKR update page enable being set, retrieve, from a register, an identifier of the trusted PKR update page. 12 . The processor system of claim 11 , wherein the register is a control register. 13 . The processor system of claim 10 , wherein the memory management unit to allow access to the trusted PKR update page via a branch from the page of the memory to support execution of the untrusted application in response to the branch being an ENDBRANCH instruction. 14 . The processor system of claim 10 , wherein the processor core to deny access to the trusted PKR update page via a branch from the page of the memory to support execution of the untrusted application in response to the branch landing on an instruction other than an ENDBRANCH instruction. 15 . The processor system of claim 10 , wherein the processor core to operate in a 64-bit mode to execute the untrusted application. 16 . At least one machine-readable medium including instructions to provide sandbox execution support for protection key rights attacks, which when executed by a machine, cause the machine to: execute a task; store a page table entry associated with a page of a memory, the page table entry including a protection key field that identifies a location of a protection key rights (PKR) entry, the PKR entry including an entry to disable access for a plurality of effective segments; and in response to a request for access to a page of a memory, deny access to the page of the memory based on an operand having an effective segment attribute matching one of the plurality of effective segments in the PKR entry. 17 . The at least one machine-readable medium of claim 16 , further including instructions, which when executed by a machine, cause the machine to: categorize operands having effective segments different from all of the plurality of effective segments in the PKR entry into a first stack; categorize operands having effective segments that match one of the plurality of effective segments in the PKR entry into a second stack; allow access to a page of a memory for operands in the first stack; and deny access to a page of the memory for operands in the second stack. 18 . The at least one machine-readable medium of claim 17 , wherein the PKR entry of the PKR register further includes a stack operation enable (SOE) bit, wherein the at least one machine-readable medium further including instructions, which when executed by a machine, cause the machine to deny access to a page of a memory for operands on the first stack while the SOE bit is set. 19 . The at least one machine-readable medium of claim 17 , further including instructions, which when executed by a machine, cause the machine to: set the SOE bit of the PKR entry; set an access disable bit of the PKR entry; and only allow access to a page of a memory for operands that have an effective segment equal to a first type while the SOE bit is set. 20 . Th