Instructions and logic to fork processes of secure enclaves and establish child enclaves in a secure enclave page cache

US 10,089,447 B2
Filed: 06/13/2017
Issued: 10/02/2018
Est. Priority Date: 02/23/2015
Status: Active Grant

First Claim

Patent Images

1. A processor comprising:

an enclave page cache to store a first secure control structure data in a first secure storage area allocated to a corresponding first secure enclave of a parent process, wherein the enclave page cache further comprises a second secure storage area;

a decode circuit to decode a first instruction of the parent process for execution by the processor to fork the parent process into a child process and establish a second secure enclave for the child process, the first instruction specifying the second secure storage area as an operand; and

one or more execution circuits to execute the decoded first instruction to;

copy the first secure control structure data in the enclave page cache from the first secure storage area in the enclave page cache to a second secure control structure data in the second secure storage area in the enclave page cache;

initialize the second secure control structure data with a unique enclave identifier associated with the child process; and

store a link to the first secure control structure data in the second secure control structure data.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent'"'"'s SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.

28 Citations

View as Search Results

20 Claims

1. A processor comprising:
- an enclave page cache to store a first secure control structure data in a first secure storage area allocated to a corresponding first secure enclave of a parent process, wherein the enclave page cache further comprises a second secure storage area;
  
  a decode circuit to decode a first instruction of the parent process for execution by the processor to fork the parent process into a child process and establish a second secure enclave for the child process, the first instruction specifying the second secure storage area as an operand; and
  
  one or more execution circuits to execute the decoded first instruction to;
  
  copy the first secure control structure data in the enclave page cache from the first secure storage area in the enclave page cache to a second secure control structure data in the second secure storage area in the enclave page cache;
  
  initialize the second secure control structure data with a unique enclave identifier associated with the child process; and
  
  store a link to the first secure control structure data in the second secure control structure data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 16, 17)
- - 2. The processor of claim 1, wherein the decode circuit is to further decode a second instruction for execution by the processor, the second instruction specifying an address of an unused secure enclave storage area as an operand, wherein the one or more execution circuits are to execute the decoded second instruction to:
    - copy the first secure control structure data from the first secure storage area to the unused secure enclave storage area at the address;
      
      initialize a new secure control structure data with a unique enclave identifier; and
      
      store a link to the first secure control structure in the new secure control structure data.
  - 3. The processor of claim 1, wherein the decode circuit is to further decode a second instruction and a third instruction for execution by the processor, wherein the one or more execution circuits are to execute the decoded second instruction to:
    - copy at least one of a plurality of pages from the first secure storage area to the second secure storage area where both the first secure enclave and the second secure enclave have a same key;
      
      set an entry for an enclave page cache mapping to a partial completion status; and
      
      store a page state in the second secure storage area, if interrupted, the page state specifying an effective address, wherein the third instruction specifies the effective address of the second secure enclave as an operand, and wherein the one or more execution circuits execute the decoded third instruction to resume a copy operation to copy the plurality of pages from the first secure storage area at the effective address of the second secure storage area after an interruption.
  - 4. The processor of claim 1, wherein the first secure storage area allocated to the corresponding first secure enclave of the parent process is to be associated with a first key and the second secure storage area allocated to the corresponding second secure enclave of the child process is also to be associated with the first key.
  - 5. The processor of claim 1, wherein the link stored in the second secure control structure data comprises a first secure control structure unique enclave identifier of the first secure control structure data.
  - 6. The processor of claim 1, wherein the link stored in the second secure control structure data comprises an effective address of the first secure control structure data in the first secure storage area.
  - 7. The processor of claim 1, wherein the one or more execution circuits further execute the decoded first instruction to copy application data, application code, or both from the first secure storage area to the second storage secure area.
  - 8. The processor of claim 1, wherein the first instruction specifies at least one of an effective address for the second secure storage area as an indirect destination operand in a first register or an effective address for the second secure storage area as an indirect destination operand in a second register.
  - 16. The processor of claim 1, wherein the child process is to execute a second instruction to:
    - copy at least one of a plurality of pages from the first secure storage area to the second secure storage area where both the first secure enclave and the second secure enclave have a same key;
      
      set an entry for an enclave page cache mapping to a partial completion status; and
      
      store a page state in the second secure storage area, if interrupted; and
      
      copy at least another one of the plurality of pages from the first secure storage area to the second secure storage area after an interruption.
  - 17. The processor of claim 1, wherein a system extension library is to execute a second instruction to:
    - copy at least one of a plurality of pages from the first secure storage area to the second secure storage area where both the first secure enclave and the second secure enclave have a same key;
      
      set an entry for an enclave page cache mapping to a partial completion status; and
      
      store a page state in the second secure storage area, if interrupted, the page state specifying an effective address; and
      
      copy at least another one of the plurality of pages from the first secure storage area to the second secure storage area after an interruption.

9. A processor comprising:
- an enclave page cache to store a first secure control structure data in a first secure storage area allocated to a corresponding first secure enclave of a parent process, and to store a second secure control structure data in a second secure storage area allocated to a corresponding second secure enclave of a child process;
  
  a decode circuit to decode a first instruction for execution by the processor, the first instruction specifying the second secure storage area as an operand; and
  
  one or more execution circuits to execute the decoded first instruction to;
  
  copy the first secure control structure data from the first secure storage area to the second secure storage area;
  
  initialize the second secure control structure data with a unique enclave identifier associated with the child process; and
  
  store a link to the first secure control structure data in the second secure control structure data, wherein the child process is to execute a second instruction to;
  
  copy at least one of a plurality of pages from the first secure storage area to the second secure storage area where both the first secure enclave and the second secure enclave have a same key;
  
  set an entry for an enclave page cache mapping to a partial completion status; and
  
  store a page state in the second secure storage area, if interrupted; and
  
  copy at least another one of the plurality of pages from the first secure storage area to the second secure storage area after an interruption.

10. A processor comprising:
- an enclave page cache to store a first secure control structure data in a first secure storage area allocated to a corresponding first secure enclave of a parent process, and to store a second secure control structure data in a second secure storage area allocated to a corresponding second secure enclave of a child process;
  
  a decode circuit to decode a first instruction for execution by the processor, the first instruction specifying the second secure storage area as an operand; and
  
  one or more execution circuits to execute the decoded first instruction to;
  
  copy the first secure control structure data from the first secure storage area to the second secure storage area;
  
  initialize the second secure control structure data with a unique enclave identifier associated with the child process; and
  
  store a link to the first secure control structure data in the second secure control structure data, wherein a system extension library is to execute a second instruction to;
  
  copy at least one of a plurality of pages from the first secure storage area to the second secure storage area where both the first secure enclave and the second secure enclave have a same key;
  
  set an entry for an enclave page cache mapping to a partial completion status; and
  
  store a page state in the second secure storage area, if interrupted, the page state specifying an effective address; and
  
  copy at least another one of the plurality of pages from the first secure storage area to the second secure storage area after an interruption.

11. A processing system comprising:
- an external memory device; and
  
  a processor coupled to the external memory device, the processor comprising;
  
  comprising;
  
  an enclave page cache to store a first secure control structure data in a first secure storage area allocated to a corresponding first secure enclave of a parent process, wherein the enclave page cache further comprises a second secure storage area;
  
  a decode circuit to decode a first instruction of the parent process for execution by the processor to fork the parent process into a child process and establish a second secure enclave for the child process, the first instruction specifying the second secure storage area as an operand; and
  
  one or more execution circuits to execute the decoded first instruction to;
  
  copy the first secure control structure data in the enclave page cache from the first secure storage area in the enclave page cache to a second secure control structure data in the second secure storage area in the enclave page cache;
  
  initialize the second secure control structure data with a unique enclave identifier associated with the child process; and
  
  store a link to the first secure control structure data in the second secure control structure data.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The processing system of claim 11, further comprising a register set comprising a first register and a second register, wherein the first instruction specifies at least one of an effective address for the second secure storage area as an indirect destination operand in a first register or an effective address for the second secure storage area as an indirect destination operand in a second register.
  - 13. The processing system of claim 11, wherein the processor further comprises a read circuit and a write circuit.
  - 14. The processing system of claim 11, wherein the processor further comprises at least one of:
    - an encryption circuit;
      
      an integrity protection circuit;
      
      oran access control circuit.
  - 15. The processing system of claim 11, wherein the processor further comprises a translation lookaside buffer (TLB) comprising at least one translation to access the enclave page cache.

18. A non-transitory machine readable medium storing instructions accessible to a processor, said instructions including a first instruction, which when read by the processor, causes the processor to:
- decode the first instruction for execution by the processor, the first instruction specifying a second secure storage area as an operand; and
  
  execute the decoded first instruction to;
  
  copy a first secure control structure data from a first secure storage area to the second secure storage area, the first secure control structure corresponding to a first secure enclave of a parent process;
  
  initialize a second secure control structure data with a unique enclave identifier associated with a child process, the second secure control structure corresponding to a second secure enclave of the child process; and
  
  store a link to the first secure control structure data in the second secure control structure data, wherein the child process is to execute a second instruction to;
  
  copy at least one of a plurality of pages from the first secure storage area to the second secure storage area where both the first secure enclave and the second secure enclave have a same key;
  
  set an entry for an enclave page cache mapping to a partial completion status;
  
  store a page state in the second secure storage area, if interrupted; and
  
  copy at least another one of the plurality of pages from the first secure storage area to the second secure storage area after an interruption.
- View Dependent Claims (19, 20)
- - 19. The non-transitory machine readable medium of claim 18, further comprises a second instruction specifying an address of an unused secure enclave storage area as an operand, wherein the second instruction, which when read by the processor, causes the processor further to:
    - copy the first secure control structure data from the first secure storage area to the unused secure enclave storage area at the address;
      
      initialize a new secure control structure data with a unique enclave identifier; and
      
      store a link to the first secure control structure in the new secure control structure data.
  - 20. The non-transitory machine readable medium of claim 18, further comprises a second instruction and a third instruction, which when read by the processor, causes the processor further to:
    - decode a second instruction and a third instruction for execution by the processor;
      
      execute the decoded second instruction to;
      
      copy at least one of the plurality of pages from the first secure storage area to the second secure storage area where both the first secure enclave and the second secure enclave have a same key;
      
      set an entry for an enclave page cache mapping to a partial completion status; and
      
      store a page state in the second secure storage area, if interrupted, the page state specifying an effective address; and
      
      execute the decoded third instruction to resume a copy operation to copy the plurality of pages from the first secure storage area at an effective address of the second secure storage area after an interruption, wherein the third instruction specifies the effective address of the second secure enclave as an operand.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Pandey, Prashant, Vij, Mona, Chakrabarti, Somnath, Zmudzinski, Krystof C.
Primary Examiner(s)
HOLDER, BRADLEY W

Application Number

US15/621,864
Publication Number

US 20170286645A1
Time in Patent Office

476 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/0811   with multilevel cache hiera...

G06F 12/0822   Copy directories local copy...

G06F 12/0875   with dedicated cache, e.g. ...

G06F 12/14   Protection against unauthor...

G06F 12/1425   the protection being physic...

G06F 13/24   using interrupt G06F13/32 t...

G06F 21/12   Protecting executable software

G06F 2212/1052   Security improvement

G06F 2212/283   Plural cache memories

G06F 2212/452   Instruction code

Instructions and logic to fork processes of secure enclaves and establish child enclaves in a secure enclave page cache

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Instructions and logic to fork processes of secure enclaves and establish child enclaves in a secure enclave page cache

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links