Processing a guest event in a hypervisor-controlled system
US-2016132349-A1 · May 12, 2016 · US
US9870324B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9870324-B2 |
| Application number | US-201514798483-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 14, 2015 |
| Priority date | Apr 9, 2015 |
| Publication date | Jan 16, 2018 |
| Grant date | Jan 16, 2018 |
Official abstract text for this publication.
A hypervisor provides a guest operating system with a plurality of protection domains, including a root protection domain and one or more secure protection domains, and mechanisms for controlling the transitions between the protection domains. The guest physical memory region of a secure protection domain, which is mapped to host physical memory by secure nested page tables, stores secure guest code and data, and guest page tables for the secure guest code. When executing secure guest code, the guest page tables stored in the secure protection domain region are used for guest virtual to guest physical address translations, and the secure nested page tables are used for guest physical to host physical address translations.
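
The two-level translation and the paired pointer switch described in the abstract, modeled as an added C example (not code from the patent or from any hypervisor). Assumptions: tables are flat one-level arrays over eight pages, and the page layout, flag names and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): flat one-level tables over 8 pages. */
#define NPAGES 8
enum { P = 1, W = 2, X = 4, FAULT = -1 };   /* present, writable, executable */
typedef struct { int8_t frame; uint8_t perm; } pte_t;
typedef struct { pte_t e[NPAGES]; } table_t;
typedef struct { const table_t *gpt, *npt; } domain_t;
typedef struct { const table_t *gpt_ptr, *npt_ptr; uint64_t regs[4], saved[4]; } vcpu_t;

/* Constructed layout: page 1 = non-secure code/data, 2 = trampoline,
 * 5 = secure guest code, 6 = confidential data. */
static const table_t ROOT_NPT = { .e = { [1] = {1, P|W|X}, [2] = {2, P|X} } };
static const table_t SEC_NPT  = { .e = { [1] = {1, P|W}, [2] = {2, P|X},
                                         [5] = {5, P|X}, [6] = {6, P|W} } };
/* The non-secure guest controls its own guest page tables and may map anything. */
static const table_t ROOT_GPT = { .e = { [1] = {1, P|W|X}, [2] = {2, P|W|X}, [6] = {6, P|W} } };
static const table_t SEC_GPT  = { .e = { [1] = {1, P|W}, [2] = {2, P|X},
                                         [5] = {5, P|X}, [6] = {6, P|W} } };
static const domain_t ROOT = { &ROOT_GPT, &ROOT_NPT }, SECURE = { &SEC_GPT, &SEC_NPT };

/* Guest virtual -> guest physical -> host physical; both levels must allow `need`. */
int translate(const vcpu_t *v, int gvpn, unsigned need) {
    if (gvpn < 0 || gvpn >= NPAGES) return FAULT;
    pte_t g = v->gpt_ptr->e[gvpn];
    if ((g.perm & (P | need)) != (P | need)) return FAULT;
    pte_t n = v->npt_ptr->e[g.frame];
    if ((n.perm & (P | need)) != (P | need)) return FAULT;
    return n.frame;
}

/* Domain switch: the guest and nested table pointers change together. */
void enter_domain(vcpu_t *v, const domain_t *d) { v->gpt_ptr = d->gpt; v->npt_ptr = d->npt; }
/* Interrupt in the secure domain: save and clear registers, then switch back. */
void exit_on_interrupt(vcpu_t *v, const domain_t *root) {
    memcpy(v->saved, v->regs, sizeof v->regs);
    memset(v->regs, 0, sizeof v->regs);
    enter_domain(v, root);
}

int main(void) {
    vcpu_t v = { .regs = { 0x1234, 0, 0, 0 } };
    enter_domain(&v, &ROOT);
    printf("root domain, read page 6:   %d\n", translate(&v, 6, 0));
    enter_domain(&v, &SECURE);
    printf("secure domain, read page 6: %d\n", translate(&v, 6, 0));
}
```

In the root domain the guest-level mapping of page 6 exists but the nested tables have no entry for it, so the translation faults; only after both pointers are switched does the same guest virtual page resolve.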
Opening claim text (preview).
What is claimed is:

1. A method of isolating secure guest code to be executed in a guest that is configured in a host by a virtualization software, comprising: creating first page tables, which are used for guest physical to host physical address translations, that provide mappings to a first protected region of host physical memory where the secure guest code has been loaded; creating second page tables, which are used for guest physical to host physical address translations, that provide mappings to a second protected region of the host physical memory; storing third page tables, which are used for guest virtual to guest physical address translations, in the first protected region; storing fourth page tables, which are used for guest virtual to guest physical address translations, in the second protected region; and when execution is switched from a non-secure guest code, which is loaded into the second protected region, to the secure guest code, changing a first pointer value from one that points to the fourth page tables to one that points to the third page tables so that the third page tables are accessed for guest virtual to guest physical address translations, and changing a second pointer value from one that points to the second page tables to one that points to the first page tables so that the first page tables are accessed for guest physical to host physical address translations.

2. The method of claim 1, wherein the first page tables include a mapping to a trampoline code that causes the execution switch from the non-secure guest code to the secure guest code when the trampoline code is called while the non-secure guest code is being executed, and the second page tables also include a mapping to the trampoline code.

3. The method of claim 2, wherein the mapping to the trampoline code included in the second page tables has a control bit that prohibits writing to the host physical memory location into which the trampoline code has been loaded.

4. The method of claim 2, further comprising: detecting an interrupt while executing the secure guest code; saving contents of guest registers and then clearing the contents of the guest registers; switching to the fourth page tables for guest virtual to guest physical address translations, and to the second page tables for guest physical to host physical address translations; delivering the interrupt to an interrupt handler in the guest; and after the interrupt handler completes execution, calling into the trampoline code to cause the execution switch back to the secure guest code.

5. The method of claim 1, wherein the first page tables also include non-executable mappings to the second protected region.

6. The method of claim 5, wherein the first page tables include a mapping to a helper function, and the helper function is invoked to access the host physical memory locations of the second protected region during execution of the secure guest code.

7. The method of claim 1, wherein the first page tables further include a mapping to confidential data.

8. The method of claim 7, wherein the confidential data is used as a cryptographic key for decrypting and encrypting data transmitted between the secure guest code and a module within the virtualization software.

9. The method of claim 1, further comprising: performing signature verification on the secure guest code upon being notified that the secure guest code has been loaded into the host physical memory.

10. A non-transitory computer readable medium comprising instructions to be executed in a host including one or more processors and host physical memory to carry out a method of isolating secure guest code to be executed in a guest that is configured in the host by a virtualization software, said method comprising: creating first page tables, which are used for guest physical to host physical address translations, that provide mappings to a first protected region of host physical memory where the secure guest code has been loaded; creating second page tables, which are used for guest physical to host physical address translations, that provide mappings to a second protected region of the host physical memory that is distinct from the first protected region of the host physical memory; storing third page tables, which are used for guest virtual to guest physical address translations, in the first protected region; storing fourth page tables, which are used for guest virtual to guest physical address translations, in the second protected region; and when execution is switched from a non-secure guest code, which is loaded into the second protected region, to the secure guest code, changing a first pointer value from one that points to the fourth page tables to one that points to the third page tables so that the third page tables are accessed for guest virtual to guest physical address translations, and changing a second pointer value from one that points to the second page tables to one that points to the first page tables so that the first page tables are accessed for guest physical to host physical address translations.

11. The non-transitory computer readable medium of claim 10, wherein the first page tables include a mapping to a trampoline code that causes the execution switch from the non-secure guest code to the secure guest code when the trampoline code is called while the non-secure guest code is being executed, and the second page tables also include a mapping to the trampoline code.

12. The non-transitory computer readable medium of claim 11, wherein the mapping to the trampoline code included in the second page tables has a control bit that prohibits writing to the host physical memory location into which the trampoline code has been loaded.

13. The non-transitory computer readable medium of claim 11, wherein the method further comprises: detecting an interrupt while executing the secure guest code; saving contents of guest registers and then clearing the contents of the guest registers; switching to the fourth page tables for guest virtual to guest physical address translations, and to the second page tables for guest physical to host physical address translations; delivering the interrupt to an interrupt handler in the guest; and after the interrupt handler completes execution, calling into the trampoline code to cause the execution switch back to the secure guest code.

14. The non-transitory computer readable medium of claim 10, wherein the first page tables also include non-executable mappings to the second protected region.

15. The non-transitory computer readable medium of claim 14, wherein the first page tables include a mapping to a helper function, and the helper function is invoked to access the host physical memory locations of the second protected region during execution of the secure guest code.

16. The non-transitory computer readable medium of claim 10, wherein the first page tables further include a mapping to confidential data.

17. The non-transitory computer readable medium of claim 16, wherein the confidential data is used as a cryptographic key for decrypting and encrypting data transmitted between the secure guest code and a module within the virtualization software.

18. The non-transitory computer readable medium of claim 10, wherein the method further comprises: performing signature verification on the secure guest code upon being notified that the secure guest code has been loaded into the host physical memory.

19. A host including one or more processors and host phy
Emulated environment, e.g. virtual machine · CPC title
Hypervisor-specific management and integration aspects · CPC title
Security improvement · CPC title
using page tables, e.g. page table structures · CPC title
the protection being virtual, e.g. for virtual blocks or segments before a translation mechanism · CPC title