Method and system for using processor enclaves and cache partitioning to assist a software cryptoprocessor
Abstract
A processor cache is logically partitioned into a main partition, located in the cache itself, and an enclave partition, located within an enclave, that is, a hardware-enforced protected region of an address space of a memory. This extends the secure address space usable by and for an application such as a software cryptoprocessor that is to execute only in secure regions of cache or memory.
20 Claims
1. A method for ensuring security of an application, comprising:
- loading a main portion of the application into a processor cache of a processor; and
- under control of the application, logically partitioning the processor cache to create an enclave partition within an enclave and a main partition not within the enclave such that loading of a cache line into the enclave partition will not result in an eviction from the main partition due to the enclave partition serving as a backing store for the main partition, wherein the enclave partition serving as the backing store for the main partition comprises performing at least one read operation, for data, in a sequence comprising:
  - securely loading the data into the enclave partition; and
  - in response, copying a version of the data from the enclave partition into the main partition not within the enclave;
- wherein the enclave:
  - comprises hardware-enforced protected region of an address space of a memory, and
  - forms an extension of the address space.

Dependent claims: 2, 3, 4, 5, 6, 7
8. A non-transitory computer-readable storage medium storing instructions that, when executed by one or more processors, causing the one or more processors to:
- load a portion of a software cryptoprocessor into a processor cache; and
- under control of the software cryptoprocessor, logically partition the processor cache to create an enclave partition within an enclave and a main partition not within the enclave, such that loading of a cache line into the enclave partition will not result in an eviction from the main partition due to performing at least one read operation, for data, in a sequence comprising:
  - using a first way mask to securely load the data into the enclave partition; and
  - in response, using a second way mask to copy a version of the data from the enclave partition into the main partition not within the enclave;
- wherein the enclave comprises a hardware-enforced protected region of an address space of a memory and forms an extension of the address space.

Dependent claims: 9, 10, 11, 12, 13, 14
15. A computer program product having a non-transitory computer-readable storage medium storing computer-executable code configured to:
- load a main portion of a software application into a processor cache of a processor, wherein, upon the loading, the processor is under control of the software application; and
- logically partition the processor cache to create an enclave partition within an enclave and a main partition not within the enclave, wherein the enclave partition serves as a backing store for the main partition such that loading of a cache line into the enclave partition will not result in an eviction from the main partition, and wherein the enclave comprises a hardware-enforced protected region of an address space of a memory and forms an extension of the address space usable for the software application.

Dependent claims: 16, 17, 18, 19, 20
Specification