Supporting oversubscription of guest enclave memory pages

US 10,324,862 B2
Filed: 09/30/2016
Issued: 06/18/2019
Est. Priority Date: 09/30/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying a target memory page in memory, wherein the target memory page is associated with a secure enclave of a virtual machine (VM);

receiving, by a processing device, a data structure comprising context information corresponding to the target memory page;

determining, by the processing device, that the target memory page is associated with one or more child memory pages;

identifying, by the processing device, a count of the one or more child memory pages based on the data structure;

determining, by the processing device, a state of the target memory page based on the data structure, the state indicating whether the target memory page comprises a parent memory page of the secure enclave of the VM that is linked to an active child memory page of the one or more child memory pages; and

generating an instruction to evict the target memory page from the secure enclave based on the state.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Implementations of the disclosure provide for supporting oversubscription of guest enclave memory pages. In one implementation, a processing device comprising a memory controller unit to access a secure enclave and a processor core, operatively coupled to the memory controller unit. The processing device is to identify a target memory page in memory. The target memory page is associated with a secure enclave of a virtual machine (VM). A data structure comprising context information corresponding to the target memory page is received. A state of the target memory page is determined based on the received data structure. The state indicating whether the target memory page is associated with at least one of: a child memory page or a parent memory page of the VM. Thereupon, an instruction to evict the target memory page from the secure enclave is generated based on the determined state.

Citations

20 Claims

1. A method comprising:
- identifying a target memory page in memory, wherein the target memory page is associated with a secure enclave of a virtual machine (VM);
  
  receiving, by a processing device, a data structure comprising context information corresponding to the target memory page;
  
  determining, by the processing device, that the target memory page is associated with one or more child memory pages;
  
  identifying, by the processing device, a count of the one or more child memory pages based on the data structure;
  
  determining, by the processing device, a state of the target memory page based on the data structure, the state indicating whether the target memory page comprises a parent memory page of the secure enclave of the VM that is linked to an active child memory page of the one or more child memory pages; and
  
  generating an instruction to evict the target memory page from the secure enclave based on the state.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - determining that the target memory page is associated with the parent memory page; and
      
      identifying an address pointer to the parent memory page within the secure enclave.
  - 3. The method of claim 2, further comprising updating the data structure to associate the target memory page with the address pointer to the memory parent page.
  - 4. The method of claim 1, wherein identifying the count of the one or more child memory pages further comprises reading a status bit flag, of the data structure, that is set to the count of the one or more child memory pages.
  - 5. The method of claim 1, further comprising identifying that the one or more child memory pages comprises a virtual child memory page based on the data structure.
  - 6. The method of claim 1, further comprising responsive to detecting that the count of the one or more child memory pages is zero, executing the instruction to evict the target memory page from memory.
  - 7. The method of claim 1, further comprising responsive to detecting that the count of the one or more child memory pages is not zero, selecting a second target memory page for oversubscription of the secure enclave.

8. A processing device comprising:
- a memory controller unit to access a secure enclave; and
  
  a processor core, operatively coupled to the memory controller unit, to;
  
  identify a target memory page to restore in a secure enclave of a virtual machine (VM);
  
  determine that the target memory page is associated with one or more child memory pages;
  
  receive a data structure comprising context information related to a parent memory page of the VM, wherein the parent memory page is present in the secure enclave;
  
  identify a count of the one or more child memory pages based on the data structure;
  
  determine, based on the data structure, whether the parent memory page is linked to an active child memory page, of the one or more child memory pages, within the secure enclave; and
  
  map, responsive to a determination that the parent memory page is linked to the active child memory page, the target memory page to the parent memory page.
- View Dependent Claims (9)
- - 9. The processing device of claim 8, wherein the processor core is further to restore information associated with the target memory page with the context information from the data structure related to the parent memory page.

10. A processing device comprising:
- a memory controller unit; and
  
  a processor core, operatively coupled to the memory controller unit, to;
  
  identify a target memory page in memory, wherein the target memory page is associated with a secure enclave of a virtual machine (VM);
  
  receive a data structure comprising context information corresponding to the target memory page;
  
  determine that the target memory page is associated with one or more child memory pages;
  
  identify a count of the one or more child memory pages based on the data structure;
  
  determine a state of the target memory page based on the data structure, the state indicating whether the target memory page comprises a parent memory page of the secure enclave of the VM that is linked to an active child memory page of the one or more child memory pages; and
  
  generate an instruction to evict the target memory page from the secure enclave based on the state.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The processing device of claim 10, wherein the processor core is further to:
    - determine that the target memory page is associated with the parent memory page; and
      
      identify an address pointer to the parent memory page within the secure enclave.
  - 12. The processing device of claim 11, wherein the processor core is further to update the data structure to associate the target memory page with the address pointer to the memory parent page.
  - 13. The processing device of claim 10, wherein to identify the count of the one or more child memory pages, the processor core is further to read a status bit flag, of the data structure, that is set to the count of the one or more child memory pages.
  - 14. The processing device of claim 10, wherein the processor core is further to identify that the one or more child memory pages comprises a virtual child memory page based on the data structure.
  - 15. The processing device of claim 10, wherein the processor core is further to responsive to detecting that the count of the one or more child memory pages is zero, execute the instruction to evict the target memory page from memory.
  - 16. The processing device of claim 10, wherein the processor core is further to responsive to detecting that the count of the one or more child memory pages is not zero, select a second target memory page for oversubscription of the secure enclave.

17. A non-transitory machine-readable storage medium including instructions that, when executed by a processing device, cause the processing device to:
- identify, by the processing device, a target memory page in memory, wherein the target memory page is associated with a secure enclave of a virtual machine (VM);
  
  receive a data structure comprising context information corresponding to the target memory page;
  
  determine that the target memory page is associated with one or more child memory pages;
  
  identify a count of the one or more child memory pages based on the data structure;
  
  determine a state of the target memory page based on the data structure, the state indicating whether the target memory page comprises a parent memory page of the secure enclave of the VM that is linked to an active child memory page of the one or more child memory pages; and
  
  generate an instruction to evict the target memory page from the secure enclave based on the state.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory machine-readable storage medium of claim 17, wherein the processing device is further to:
    - determine that the target memory page is associated with the parent memory page; and
      
      identify an address pointer to the parent memory page within the secure enclave.
  - 19. The non-transitory machine-readable storage medium of claim 18, wherein the processing device is further to update the data structure to associate the target memory page with the address pointer to the memory parent page.
  - 20. The non-transitory machine-readable storage medium of claim 17, wherein to identify the count of the one or more child memory pages, the processing device is further to read a status bit flag, of the data structure, that is set to the count of the one or more child memory pages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Leslie-Hurd, Rebekah M., McKeen, Francis X., Rozas, Carlos V., Neiger, Gilbert, Mallick, Asit K., Anati, Ittai, Alexandrovich, Ilya, Shanbhogue, Vedvyas, Chakrabarti, Somnath
Primary Examiner(s)
Bataille, Pierre Miche

Application Number

US15/282,300
Publication Number

US 20180095894A1
Time in Patent Office

991 Days
Field of Search

711133
US Class Current
CPC Class Codes

G06F 2009/45583   Memory management, e.g. acc...

G06F 3/0604   Improving or facilitating a...

G06F 3/0631   by allocating resources to ...

G06F 3/064   Management of blocks

G06F 3/0664   at device level, e.g. emula...

G06F 3/0665   at area level, e.g. provisi...

G06F 3/0673   Single storage device

G06F 9/45558   Hypervisor-specific managem...

Supporting oversubscription of guest enclave memory pages

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Supporting oversubscription of guest enclave memory pages

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links