Systems and Methods for Policy Execution Processing

US2021406028A1 · US · A1

Patent metadata
Publication number: US-2021406028-A1
Application number: US-202117474830-A
Country: US
Kind code: A1
Filing date: Sep 14, 2021
Priority date: Feb 2, 2018
Publication date: Dec 30, 2021
Grant date:

Abstract

Official abstract text for this publication.

A system and method of processing instructions may comprise an application processing domain (APD) and a metadata processing domain (MTD). The APD may comprise an application processor executing instructions and providing related information to the MTD. The MTD may comprise a tag processing unit (TPU) having a cache of policy-based rules enforced by the MTD. The TPU may determine, based on policies being enforced and metadata tags and operands associated with the instructions, that the instructions are allowed to execute (i.e., are valid). The TPU may write, if the instructions are valid, the metadata tags to a queue. The queue may (i) receive operation output information from the application processing domain, (ii) receive, from the TPU, the metadata tags, (iii) output, responsive to receiving the metadata tags, resulting information indicative of the operation output information and the metadata tags; and (iv) permit the resulting information to be written to memory.

First claim

Opening claim text (preview).

What is claimed is:

1. A processing system comprising: (a) a host processing domain comprising a host processor configured to: receive at least one instruction comprising (i) operand information relating to one or more operands, and (ii) operation information indicative of an operation to be performed on the one or more operands; execute the operation indicated in the operation information on the one or more operands to generate operation output information; and provide, to a metadata processing domain, instruction information and the operation output information; and (b) the metadata processing domain comprising: a tag processing unit configured to: receive, from the host processing domain, the instruction information and the operation output information; use the instruction information to obtain one or more input metadata tags associated with the at least one instruction; when a rule associated with the one or more input metadata tags has been satisfied, generate a shadow copy of a current state of the host processor and store the shadow copy of the current state of the host processor in a shadow register; and when the rule associated with the one or more input metadata tags has not been satisfied, unwind the host processor according to a previous state that was stored in the shadow register.

2. The processing system of claim 1, wherein the shadow copy of the current state of the host processor comprises write-back information received in connection with the at least one instruction.

3. The processing system of claim 1, wherein the shadow copy of the current state of the host processor comprises a state of register files and control/status registers (CSRs).

4. The processing system of claim 1, wherein the previous state that was stored in the shadow register is a most-recently-allowed state of the host processor that did not violate any policy.

5. The processing system of claim 1, wherein the metadata processing domain further comprises: a write interlock configured to: receive, from the host processing domain, the operation output information; and place the operation output information into a queue; wherein the tag processing unit is further configured to: determine, in accordance with one or more policies being enforced and in accordance with the one or more input metadata tags associated with the at least one instruction, whether the at least one instruction is allowed; and responsive to a determination that the instruction is allowed, cause the queue of the write interlock to write to memory the operation output information in a manner that associates the operation output information with at least one output metadata tag.

6. The processing system of claim 5, wherein the tag processing unit comprises a rule cache configured to store one or more rule entries of at least one policy of the one or more policies enforced by the metadata processing domain.

7. The processing system of claim 6, wherein the determination that the instruction is allowed comprises: determine that the rule cache stores a rule entry matching the one or more input metadata tags associated with the at least one instruction.

8. The processing system of claim 7, wherein the tag processing unit is configured to use information stored in the rule entry to provide the at least one output metadata tag to be associated with the operation output information.

9. The processing system of claim 6, wherein the metadata processing domain comprises a policy execution processor, and wherein the determination that the instruction is allowed comprises: determine that the rule cache does not store a rule entry matching the one or more input metadata tags associated with the at least one instruction; responsive to a determination that the rule cache does not store a rule entry matching the one or more input metadata tags associated with the at least one instruction, provide, to the policy execution processor, the one or more input metadata tags associated the at least one instruction; and receive, from the policy execution processor, the at least one output metadata tag to be associated with the operation output information.

10. The processing system of claim 9, wherein the policy execution processor is configured to: receive, from the tag processing unit, the one or more input metadata tags associated with the at least one instruction; execute policy code against the one or more input metadata tags associated with the at least one instruction to determine whether the at least one instruction is allowed; and responsive to a determination that the at least one instruction is allowed, install, into the rule cache, a rule entry based on the one or more input metadata tags associated with the at least one instruction and the at least one output metadata tag.

11. The processing system of claim 9, wherein the policy execution processor is configured to execute a secure boot operation, the policy execution processor comprising a boot Read Only Memory (ROM) that stores one or more public keys, and stores code that can (i) read an image from an external memory device, authenticate and decrypt the image using the one or more public keys, and enable the host processor to continue its boot process upon successful authentication and decryption.

12. The processing system of claim 11, wherein the boot operation comprises: at reset, the host processor remains held in a reset state; the policy execution processor: (i) starts execution at its reset vector; (ii) boots policy software into its own memory space; (iii) configure one or more memory fabric protection configuration registers to define memory regions that each initiator can access, to protect a region of memory to hold a policy data segment; (iv) initialize the policy data segment; (v) copy a boot-loader for the host processor from the external memory device into main memory; and (vii) release the host processor from the reset state.

13. The processing system of claim 5, wherein: the host processor is further configured to provide, to the metadata processing domain, update information indicative of one or more updates to the host processor's state as a result of executing the at least one instruction; and the metadata processing domain is further configured to, responsive to a determination that the at least one instruction is allowed, use the update information to update a shadow register configured to store a shadow copy of the host processing domain as of a most-recently-allowed instruction.

14. The processing system of claim 13, wherein the at least one instruction comprises a first instruction, the instruction information comprises first instruction information, and the one or more input metadata tags comprise one or more first input metadata tags, and wherein the tag processing unit is further configured to: receive, from the host processing domain, second instruction information relating to a second instruction executed by the host processor; use the second instruction information to obtain one or more second input metadata tags associated with the second instruction; determine, in accordance with the one or more policies being enforced and in accordance with the one or more second metadata tags associated with the second instruction, whether the second instruction is allowed; and responsive to a determination that the second instruction is not allowed, communicate one or more rollback signals to the host processing domain to restore a state of the host processing domain to the shadow copy of the host processing domain.
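The flow in claims 1, 5 to 10, 13 and 14 (rule cache lookup, miss handling by policy code, write interlock release, shadow-state rollback) can be traced in a small software model. This is an added illustration, not code from the patent or its assignee; the class and function names, the tag values ("trusted", "untrusted", "data", "code"), the toy store policy and the trace are all assumptions made for the example.

```python
from collections import deque

def toy_policy(op, in_tags):
    """Slow path (policy execution processor). Returns an output tag, or None to deny."""
    value_tag, dest_tag = in_tags
    if op == "store" and dest_tag == "data":
        return value_tag              # stored word inherits the value's tag
    return None                       # e.g. a store into "code" memory is not allowed

class MetadataDomain:
    def __init__(self, policy, host_regs):
        self.policy = policy
        self.rule_cache = {}          # (op, input tags) -> output tag
        self.queue = deque()          # write interlock: outputs held until checked
        self.memory = {}              # addr -> (value, output tag)
        self.shadow = dict(host_regs) # most-recently-allowed host state
        self.misses = 0

    def check(self, host_regs, op, in_tags, addr, value):
        """Host has already executed; decide whether its output may reach memory."""
        self.queue.append((addr, value))
        key = (op, in_tags)
        if key not in self.rule_cache:            # miss: ask the policy code
            self.misses += 1
            out_tag = self.policy(op, in_tags)
            if out_tag is not None:
                self.rule_cache[key] = out_tag    # install rule entry for next time
        out_tag = self.rule_cache.get(key)
        addr, value = self.queue.popleft()
        if out_tag is None:                       # violation: discard write, unwind host
            host_regs.clear()
            host_regs.update(self.shadow)
            return False
        self.memory[addr] = (value, out_tag)      # release write with its tag
        self.shadow = dict(host_regs)             # new most-recently-allowed state
        return True

# Constructed trace: (operation, (value tag, destination tag), address, value)
TRACE = [("store", ("trusted", "data"), 0x100, 7),
         ("store", ("trusted", "data"), 0x104, 8),
         ("store", ("untrusted", "code"), 0x200, 99)]

def run_trace():
    regs = {"pc": 0, "a0": 0}
    mtd = MetadataDomain(toy_policy, regs)
    verdicts = []
    for pc, (op, tags, addr, value) in enumerate(TRACE, start=1):
        regs.update(pc=pc, a0=value)              # host runs ahead of the check
        verdicts.append(mtd.check(regs, op, tags, addr, value))
    return verdicts, mtd, regs
```

The third store is denied, so its queued output never reaches memory and the host registers return to the state recorded after the second store.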

Assignees

Charles Stark Draper Laboratory Inc

Inventors

Classifications

CPC titles:

  • Memory mapped I/O
  • with dedicated cache, e.g. instruction or stack
  • Energy efficient computing, e.g. low power processors, power management or thermal management
  • Monitoring
  • Key-lock mechanism

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Charles Stark Draper Laboratory Inc
What technology area does this patent fall under?
Primary CPC classification G06F12/1466. Mapped technology areas include Physics.
When was this patent published?
Publication date Dec 30, 2021 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).