Instructions and logic to fork processes of secure enclaves and establish child enclaves in a secure enclave page cache
Abstract
Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.
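The two steps in the abstract, as a small software model added here for illustration; it is not code from the patent and does not reproduce any processor's instruction semantics. It shows the SECS copy with a fresh ID and parent link, then a page copy that refuses pairs without a matching link and key, marks the mapping entry partial when interrupted, and resumes from the recorded page state. The names `model_fork`, `model_copy_pages`, `budget`, the struct fields, the shrunken page size and the use of a page index as the saved page state are all assumptions.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 64u  /* shrunk for the model (assumption) */
#define NPAGES    4u
enum epcm_state { EPCM_EMPTY, EPCM_PARTIAL, EPCM_VALID };

struct secs {                  /* models the secure enclave control structure */
    uint64_t eid;              /* unique enclave identifier */
    uint64_t key_id;           /* stands in for the enclave key */
    const struct secs *parent; /* link to the parent's SECS, NULL for a root */
    unsigned resume_page;      /* page state recorded on interruption */
};
struct enclave {
    struct secs secs;
    uint8_t pages[NPAGES][PAGE_SIZE];
    enum epcm_state epcm[NPAGES];  /* one mapping entry per page */
};

/* First instruction: copy the SECS, assign a unique ID, link to the parent. */
int model_fork(const struct enclave *parent, struct enclave *child, uint64_t new_eid)
{
    if (new_eid == parent->secs.eid) return -1;  /* ID must differ from parent's */
    memset(child, 0, sizeof *child);
    child->secs = parent->secs;                  /* key_id is inherited here */
    child->secs.eid = new_eid;
    child->secs.parent = &parent->secs;
    child->secs.resume_page = 0;
    return 0;
}

/* Second instruction: copy pages; budget models when an interrupt arrives. */
int model_copy_pages(const struct enclave *parent, struct enclave *child, unsigned budget)
{
    if (child->secs.parent != &parent->secs || child->secs.key_id != parent->secs.key_id)
        return -1;                               /* not a same-key forked pair */
    int copied = 0;
    for (unsigned i = child->secs.resume_page; i < NPAGES; i++) {
        if (budget-- == 0) {                     /* interrupted before page i */
            child->epcm[i] = EPCM_PARTIAL;
            child->secs.resume_page = i;
            return copied;
        }
        memcpy(child->pages[i], parent->pages[i], PAGE_SIZE);
        child->epcm[i] = EPCM_VALID;
        copied++;
    }
    child->secs.resume_page = NPAGES;            /* nothing left to resume */
    return copied;
}
```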
20 Claims
1. A processor comprising:
- an enclave page cache to store a first secure control structure data in a first secure storage area allocated to a corresponding first secure enclave of a parent process, wherein the enclave page cache further comprises a second secure storage area;
- a decode circuit to decode a first instruction of the parent process for execution by the processor to fork the parent process into a child process and establish a second secure enclave for the child process, the first instruction specifying the second secure storage area as an operand; and
- one or more execution circuits to execute the decoded first instruction to:
  - copy the first secure control structure data in the enclave page cache from the first secure storage area in the enclave page cache to a second secure control structure data in the second secure storage area in the enclave page cache;
  - initialize the second secure control structure data with a unique enclave identifier associated with the child process; and
  - store a link to the first secure control structure data in the second secure control structure data.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 16, 17
9. A processor comprising:
- an enclave page cache to store a first secure control structure data in a first secure storage area allocated to a corresponding first secure enclave of a parent process, and to store a second secure control structure data in a second secure storage area allocated to a corresponding second secure enclave of a child process;
- a decode circuit to decode a first instruction for execution by the processor, the first instruction specifying the second secure storage area as an operand; and
- one or more execution circuits to execute the decoded first instruction to:
  - copy the first secure control structure data from the first secure storage area to the second secure storage area;
  - initialize the second secure control structure data with a unique enclave identifier associated with the child process; and
  - store a link to the first secure control structure data in the second secure control structure data,
- wherein the child process is to execute a second instruction to:
  - copy at least one of a plurality of pages from the first secure storage area to the second secure storage area where both the first secure enclave and the second secure enclave have a same key;
  - set an entry for an enclave page cache mapping to a partial completion status; and
  - store a page state in the second secure storage area, if interrupted; and
  - copy at least another one of the plurality of pages from the first secure storage area to the second secure storage area after an interruption.
10. A processor comprising:
- an enclave page cache to store a first secure control structure data in a first secure storage area allocated to a corresponding first secure enclave of a parent process, and to store a second secure control structure data in a second secure storage area allocated to a corresponding second secure enclave of a child process;
- a decode circuit to decode a first instruction for execution by the processor, the first instruction specifying the second secure storage area as an operand; and
- one or more execution circuits to execute the decoded first instruction to:
  - copy the first secure control structure data from the first secure storage area to the second secure storage area;
  - initialize the second secure control structure data with a unique enclave identifier associated with the child process; and
  - store a link to the first secure control structure data in the second secure control structure data,
- wherein a system extension library is to execute a second instruction to:
  - copy at least one of a plurality of pages from the first secure storage area to the second secure storage area where both the first secure enclave and the second secure enclave have a same key;
  - set an entry for an enclave page cache mapping to a partial completion status; and
  - store a page state in the second secure storage area, if interrupted, the page state specifying an effective address; and
  - copy at least another one of the plurality of pages from the first secure storage area to the second secure storage area after an interruption.
11. A processing system comprising:
- an external memory device; and
- a processor coupled to the external memory device, the processor comprising:
  - an enclave page cache to store a first secure control structure data in a first secure storage area allocated to a corresponding first secure enclave of a parent process, wherein the enclave page cache further comprises a second secure storage area;
  - a decode circuit to decode a first instruction of the parent process for execution by the processor to fork the parent process into a child process and establish a second secure enclave for the child process, the first instruction specifying the second secure storage area as an operand; and
  - one or more execution circuits to execute the decoded first instruction to:
    - copy the first secure control structure data in the enclave page cache from the first secure storage area in the enclave page cache to a second secure control structure data in the second secure storage area in the enclave page cache;
    - initialize the second secure control structure data with a unique enclave identifier associated with the child process; and
    - store a link to the first secure control structure data in the second secure control structure data.

Dependent claims: 12, 13, 14, 15
18. A non-transitory machine readable medium storing instructions accessible to a processor, said instructions including a first instruction, which when read by the processor, causes the processor to:
- decode the first instruction for execution by the processor, the first instruction specifying a second secure storage area as an operand; and
- execute the decoded first instruction to:
  - copy a first secure control structure data from a first secure storage area to the second secure storage area, the first secure control structure corresponding to a first secure enclave of a parent process;
  - initialize a second secure control structure data with a unique enclave identifier associated with a child process, the second secure control structure corresponding to a second secure enclave of the child process; and
  - store a link to the first secure control structure data in the second secure control structure data,
- wherein the child process is to execute a second instruction to:
  - copy at least one of a plurality of pages from the first secure storage area to the second secure storage area where both the first secure enclave and the second secure enclave have a same key;
  - set an entry for an enclave page cache mapping to a partial completion status;
  - store a page state in the second secure storage area, if interrupted; and
  - copy at least another one of the plurality of pages from the first secure storage area to the second secure storage area after an interruption.

Dependent claims: 19, 20
Specification