Processor extensions to identify and avoid tracking conflicts between virtual machine monitor and guest virtual machine

US 10,180,854 B2
Filed: 09/28/2016
Issued: 01/15/2019
Est. Priority Date: 09/28/2016
Status: Active Grant

First Claim

Patent Images

1. A processing system, comprising:

an execution unit, communicatively coupled to an architecturally-protected memory comprising a secure page cache, the execution unit comprising a logic circuit to execute a virtual machine monitor (VMM) that supports a virtual machine (VM) comprising a guest operating system (OS) and to implement an architecturally-protected execution environment,wherein the logic circuit is to;

responsive to executing a blocking instruction by the guest OS directed at a first page stored in the architecturally-protected memory during a first time period identified by a value stored in a first counter, copy the value from the first counter to a second counter;

responsive to executing a first tracking instruction issued by the VMM, increment the value stored in the first counter; and

responsive to receiving a request to execute a second tracking instruction issued by the guest OS directed to a second page stored in the architecturally-protected memory and responsive to determining that the value stored in the first counter is greater than the value stored in the second counter, set a flag to indicate successful execution of the second tracking instruction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processing system includes an execution unit, communicatively coupled to an architecturally-protected memory, the execution unit comprising a logic circuit to execute a virtual machine monitor (VMM) that supports a virtual machine (VM) comprising a guest operating system (OS) and to implement an architecturally-protected execution environment, wherein the logic circuit is to responsive to executing a blocking instruction by the guest OS directed at a first page stored in the architecturally-protected memory during a first time period identified by a value stored in a first counter, copy the value from the first counter to a second counter, responsive to executing a first tracking instruction issued by the VMM, increment the value stored in the first counter, and set a flag to indicate successful execution of the second tracking instruction.

7 Citations

18 Claims

1. A processing system, comprising:
- an execution unit, communicatively coupled to an architecturally-protected memory comprising a secure page cache, the execution unit comprising a logic circuit to execute a virtual machine monitor (VMM) that supports a virtual machine (VM) comprising a guest operating system (OS) and to implement an architecturally-protected execution environment,wherein the logic circuit is to;
  
  responsive to executing a blocking instruction by the guest OS directed at a first page stored in the architecturally-protected memory during a first time period identified by a value stored in a first counter, copy the value from the first counter to a second counter;
  
  responsive to executing a first tracking instruction issued by the VMM, increment the value stored in the first counter; and
  
  responsive to receiving a request to execute a second tracking instruction issued by the guest OS directed to a second page stored in the architecturally-protected memory and responsive to determining that the value stored in the first counter is greater than the value stored in the second counter, set a flag to indicate successful execution of the second tracking instruction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The processing system of claim 1, wherein the architecturally-protected environment is a secure enclave execution environment implemented on the logic circuit.
  - 3. The processing system of claim 1, wherein the first blocking instruction is to prevent creating a new memory mapping to the first page in a translation lookaside buffer (TLB) referenced in a control data structure.
  - 4. The processing system of claim 3, wherein the first tracking instruction is to track a number of logical processors associated with the VM having access to memory mappings to the first page in the TLB.
  - 5. The processing system of claim 4, wherein responsive to setting the flag to indicate the successful execution of the second tracking instruction, the guest OS is further to:
    - issue an inter-processor interrupt to request the logical processors to exit an application running in a secure enclave.
  - 6. The processing system of claim 1, wherein the secure page cache further comprises a control structure page comprising a first field to store the value of the first counter and comprises a secure page cache map structure comprising a second field to store the value of the second counter.
  - 7. The processing system of claim 1, wherein responsive to detecting that the flag indicates the successful execution, the logic circuit is further to execute an evicting instruction to evict the second page from the architecturally-protected memory.
  - 8. The processing system of claim 1, wherein the logic circuit is to:
    - responsive to executing the first tracking instruction by the VMM, store a number of logical processors referencing the architecturally-protected memory in a third counter.

9. A system-on-a-chip (SoC) comprising:
- an architecturally-protected memory; and
  
  an execution unit, communicatively coupled to the architecturally-protected memory comprising a secure page cache, the execution unit comprising a logic circuit to execute a virtual machine monitor (VMM) that supports a virtual machine (VM) comprising a guest operating system (OS) and to implement an architecturally-protected execution environment,wherein the logic circuit is to;
  
  responsive to executing a blocking instruction by the guest OS directed at a first page stored in the architecturally-protected memory during a first time period identified by a value stored in a first counter, copy the value from the first counter to a second counter;
  
  responsive to executing a first tracking instruction issued by the VMM, increment the value stored in the first counter; and
  
  responsive to receiving a request to execute a second tracking instruction issued by the guest OS directed to a second page stored in the architecturally-protected memory and responsive to determining that the value stored in the first counter is greater than the value stored in the second counter, set a flag to indicate successful execution of the second tracking instruction.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The SoC of claim 9, wherein the architecturally-protected environment is a secure enclave execution environment implemented on the logic circuit.
  - 11. The SoC of claim 9, wherein the first blocking instruction is to prevent creating a new memory mapping to the first page in a translation lookaside buffer (TLB) referenced in a control data structure.
  - 12. The SoC of claim 11, wherein the first tracking instruction is to track a number of logical processors associated with the VM having access to memory mappings to the first page in the TLB.
  - 13. The SoC of claim 12, wherein responsive to setting the flag to indicate the successful execution of the second tracking instruction, the guest OS is further to:
    - issue an inter-processor interrupts to request the logical processors to exit an application running in a secure enclave.
  - 14. The SoC of claim 9, wherein the secure page cache further comprises a control structure page comprising a first field to store the value of the first counter and comprises a secure page cache map structure comprising a second field to store the value of the second counter.
  - 15. The SoC of claim 9, wherein responsive to detecting that the flag indicates the successful execution, the logic circuit is further to execute an evicting instruction to evict the second page from the architecturally-protected memory.
  - 16. The SoC of claim 9, wherein the logic circuit is to:
    - responsive to executing the first tracking instruction by the VMM, store a number of logical processors referencing the architecturally-protected memory in a third counter.

17. A method comprising:
- executing, by a processor, a blocking instruction by a guest operating system (OS) supported by a virtual machine monitor (VMM) directed at a first page stored in an architecturally-protected memory during a first time period identified by a value stored in a first counter, wherein the architecturally-protected memory comprises a secure page cache;
  
  responsive to executing the blocking instruction, copying the value from the first counter to a second counter;
  
  responsive to executing a first tracking instruction issued by the VMM, incrementing the value stored in the first counter; and
  
  responsive to receiving a request to execute a second tracking instruction issued by the guest OS directed to a second page stored in the architecturally-protected memory and responsive to determining that the value stored in the first counter is greater than the value stored in the second counter, setting a flag to indicate successful execution of the second tracking instruction.
- View Dependent Claims (18)
- - 18. The method of claim 17, further comprising:
    - responsive to detecting the flag to indicate the successful execution, executing an evicting instruction to evict the second page from the architecturally-protected memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Leslie-Hurd, Rebekah M., Rozas, Carlos V., Caspi, Dror
Primary Examiner(s)
Zhao, Bing

Application Number

US15/278,592
Publication Number

US 20180088976A1
Time in Patent Office

839 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 11/3037   where the computing system ...

G06F 11/3055   Monitoring arrangements for...

G06F 11/34   Recording or statistical ev...

G06F 12/0828   with concurrent directory a...

G06F 12/1036   for multiple virtual addres...

G06F 12/1045   associated with a data cache

G06F 12/121   using replacement algorithms

G06F 12/1441   for a range

G06F 12/1491   in a hierarchical protectio...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/602   Providing cryptographic fac...

G06F 21/62   Protecting access to data v...

G06F 2201/88   Monitoring involving counting

G06F 2201/885   Monitoring specific for caches

G06F 2212/152   Virtualized environment, e....

G06F 2212/502   using adaptive policy

G06F 2212/60   Details of cache memory

G06F 2212/621   Coherency control relating ...

G06F 2212/656   Address space sharing

G06F 2212/657   Virtual address space manag...

G06F 2212/68 : Details of translation look...

G06F 9/45558 : Hypervisor-specific managem...

View All

Processor extensions to identify and avoid tracking conflicts between virtual machine monitor and guest virtual machine

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

7 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Processor extensions to identify and avoid tracking conflicts between virtual machine monitor and guest virtual machine

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links