Instructions and logic to fork processes of secure enclaves and establish child enclaves in a secure enclave page cache

US9710622B2 · US · B2

Patent metadata
Publication number: US-9710622-B2
Application number: US-201514629132-A
Country: US
Kind code: B2
Filing date: Feb 23, 2015
Priority date: Feb 23, 2015
Publication date: Jul 18, 2017
Grant date: Jul 18, 2017

Abstract

Official abstract text for this publication.

Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.
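The link-gated, resumable copy described in the abstract and in claims 1, 9 and 14 can be modelled in software. This is an added illustration, not code from the patent or from Intel: the names `child_create`, `child_copy`, `enclave_usable`, the struct layouts and the byte `budget` that stands in for an interrupt are all hypothetical, and one function handles both the first copy and the resume.

```c
#include <stdint.h>
#include <string.h>

#define PAGE 4096
enum { OK = 0, INTERRUPTED = 1, ERR_NO_LINK = -1, ERR_KEY = -2 };

typedef struct {          /* simplified SECS; field layout is assumed */
    uint64_t id, key;
    uint64_t parent_link; /* parent's enclave id, 0 = no link */
} secs_t;
typedef struct {
    uint8_t data[PAGE];
    int partial;          /* EPC mapping entry: partial completion */
    size_t resume;        /* page state: offset to resume from */
} epc_page_t;

static uint64_t next_id = 100; /* constructed source of unique ids */

/* Claim 1: copy the parent SECS, assign a unique id, record the link. */
void child_create(const secs_t *parent, secs_t *child) {
    *child = *parent;                 /* same key as the parent */
    child->id = next_id++;
    child->parent_link = parent->id;
}

/* Claim 1: the child cannot be used until the link is removed. */
int enclave_usable(const secs_t *s) { return s->parent_link == 0; }

/* Claims 9 and 14: copy one page only while the link exists; on an
 * interrupt (budget exhausted) mark the page partial and save the offset. */
int child_copy(const secs_t *ps, secs_t *cs, const epc_page_t *src,
               epc_page_t *dst, size_t budget, int end_of_copy) {
    if (cs->parent_link != ps->id) return ERR_NO_LINK;
    if (cs->key != ps->key) return ERR_KEY;
    size_t off = dst->partial ? dst->resume : 0;
    size_t n = PAGE - off < budget ? PAGE - off : budget;
    memcpy(dst->data + off, src->data + off, n);
    off += n;
    if (off < PAGE) { dst->partial = 1; dst->resume = off; return INTERRUPTED; }
    dst->partial = 0; dst->resume = 0;
    if (end_of_copy) cs->parent_link = 0; /* link removed: child usable */
    return OK;
}

int main(void) {
    static epc_page_t src, dst;
    secs_t p = { 7, 0xABCD, 0 }, c;   /* constructed parent enclave */
    child_create(&p, &c);
    while (child_copy(&p, &c, &src, &dst, 1000, 1) == INTERRUPTED) { }
    return enclave_usable(&c) ? 0 : 1;
}
```

The point to note is that an interrupted copy never clears the link, so a half-populated child enclave stays unusable even when the end-of-copying flag was set.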

First claim

Opening claim text (preview).

What is claimed is:

1. A processor comprising: hardware circuitry further comprising: an enclave page cache to store a first secure control structure data in a first secure storage area allocated to a corresponding first secure enclave of a parent process, and to store a second secure control structure data in a second secure storage area allocated to a corresponding second secure enclave of a child process; a decode stage to decode a first instruction for execution by the processor, the first instruction specifying the second secure storage area as an operand; and one or more execution units, responsive to the decoded first instruction, to: copy the first secure control structure data from the first secure storage area to the second secure storage area; initialize the second secure control structure data with a unique enclave identifier associated with the child process; and record a second secure control structure link to the first secure control structure data in the second secure control structure data, wherein the second secure control structure data in the second secure storage area allocated to the corresponding second secure enclave of the child process cannot be used by an application unless the second secure control structure link to the first secure control structure data is removed from the second secure control structure data.

2. The processor of claim 1, wherein the first secure storage area allocated to the corresponding first secure enclave of the parent process is to be associated with a first key and the second secure storage area allocated to the corresponding second secure enclave of the child process is also to be associated with the first key.

3. The processor of claim 1, wherein the second secure control structure link recorded into the second secure control structure data comprises a first secure control structure unique enclave identifier of the first secure control structure data.

4. The processor of claim 1, wherein the second secure control structure link recorded into the second secure control structure data comprises an effective address of the first secure control structure data in the first secure storage area.

5. The processor of claim 1, the one or more execution units, further responsive to the decoded first instruction, to: copy application data and application code from the first secure storage area to the second storage secure area.

6. The processor of claim 1, the one or more execution units, further responsive to the decoded first instruction, to: create the child process corresponding to the second secure enclave as a child of the parent process corresponding to the first secure enclave.

7. The processor of claim 1, wherein the first instruction specifies an effective address for the second secure storage area as an indirect destination operand in a register, RCX.

8. The processor of claim 1, wherein the first instruction specifies an effective address for the first secure storage area as an indirect source operand in a register, RBX.

9. A processor comprising: hardware circuitry further comprising: an enclave page cache to store secure data in a first secure storage area for a page address allocated to a corresponding first secure enclave, and to store a copy of the secure data in a second secure storage area for the page address, the second secure storage area being allocated to a corresponding second secure enclave; a decode stage to decode a first instruction for execution by the processor, the first instruction specifying the first secure storage area as an operand; and one or more execution units, responsive to the decoded first instruction, to: identify a link stored in a second secure control structure data for the second secure storage area to a first secure control structure data for the first secure storage area; and if the link is identified, copy the secure data from the first secure storage area in the enclave page cache to the second secure storage area in the enclave page cache, the one or more execution units are, further responsive to the decoded first instruction, to remove the link to the first secure control structure data for the first secure storage area from the second secure control structure data for the second secure storage area upon successful completion of the first instruction execution if an end-of-copying flag is set.

10. The processor of claim 9, wherein the first secure storage area allocated to the corresponding first secure enclave is of a parent process to be associated with a first key and the second secure storage area allocated to the corresponding second secure enclave is of a child process also to be associated with the first key.

11. The processor of claim 9, wherein the first instruction specifies the end-of-copying flag as an operand in a register, RDX.

12. The processor of claim 9, wherein the first instruction specifies an effective address for the first secure storage area as an indirect operand in a register, RBX.

13. The processor of claim 12, wherein the first instruction also specifies an effective address for the second secure storage area as an indirect operand in a register, RCX.

14. The processor of claim 9, the one or more execution units, further responsive to the decoded first instruction, to: set an entry corresponding to an enclave page cache mapping for the page address to indicate a partial completion of the first instruction execution when the first instruction execution is being interrupted, and record a page state portion in the second secure storage area for the page corresponding to the page address when the first instruction execution is being interrupted.

15. The processor of claim 14, wherein the page state portion includes a pointer to record a location to resume after the partial completion of the first instruction execution.

16. The processor of claim 14, the decode stage to decode a second instruction for execution by the processor, the second instruction specifying the first secure storage area as an operand; and the one or more execution units, further responsive to the decoded second instruction, to: read the page state portion from the second secure storage area for the page corresponding to the page address when the entry corresponding to the enclave page cache mapping for the page address indicates a partial completion of copying the secure data from the first secure storage area to the second secure storage area set the entry corresponding to an enclave page cache mapping for the page address to indicate a partial completion of the second instruction execution when the second instruction execution is being interrupted, and record a second page state portion in the second secure storage area for the page corresponding to the page address when the second instruction execution is being interrupted.

17. A processing system comprising: an external memory; and a hardware processor further comprising: an enclave page cache to store a first secure control structure, and secure data for a page address, in a first secure storage area allocated to a corresponding first secure enclave of a parent process, and to store a second secure control structure, and a copy of the secure data for the page address, in a second secure storage area allocated to a corresponding second secure enclave of a child process; a decode stage to decode a first instruction for execution by the processor, the first instruction specifying at least the second secure storage area as an operand, and to decode a second instruction for execution by the processo

Classifications

  • Copy directories (local copy tags for implementing a bus snooping protocol G06F12/0831)
  • with dedicated cache, e.g. instruction or stack
  • Protection against unauthorised use of memory {or access to memory}
  • the protection being physical, e.g. cell, word, block
  • using interrupt (G06F13/32 takes precedence)

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification G06F12/0875. Mapped technology areas include Physics.
When was this patent published?
Publication date Jul 18, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).