Processors, methods, systems, and instructions to determine whether to load encrypted copies of protected container pages into protected container memory

US 10,346,641 B2
Filed: 09/23/2016
Issued: 07/09/2019
Est. Priority Date: 09/23/2016
Status: Active Grant

First Claim

Patent Images

1. A processor comprising:

a die;

a decode unit included on the die to decode an instruction that is to indicate a source encrypted copy of a protected container page that is to be stored in a regular memory, and that is to indicate a destination page that is to be in a first protected container memory; and

an execution unit, included on the die and coupled with the decode unit, and including at least some hardware, the execution unit, in response to the instruction, to;

determine whether the protected container page was live stored out, while able to remain useable in, protected container type memory; and

perform a given security check, before a determination to store the protected container page to the destination page, if the determination is that the protected container page was live stored out;

ornot perform the given security check, if the determination is that the protected container page was not live stored out.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method performed by a processor of an aspect includes accessing an encrypted copy of a protected container page stored in a regular memory. A determination is made whether the protected container page was live stored out, while able to remain useable in, protected container memory. The method also includes either performing a given security check, before determining to store the protected container page to a destination page in a first protected container memory, if it was determined that the protected container page was live stored out, or not performing the given security check, if it was determined that the protected container page was not live stored out. Other methods, as well as processors, computer systems, and machine-readable medium providing instructions are also disclosed.

17 Citations

25 Claims

1. A processor comprising:
- a die;
  
  a decode unit included on the die to decode an instruction that is to indicate a source encrypted copy of a protected container page that is to be stored in a regular memory, and that is to indicate a destination page that is to be in a first protected container memory; and
  
  an execution unit, included on the die and coupled with the decode unit, and including at least some hardware, the execution unit, in response to the instruction, to;
  
  determine whether the protected container page was live stored out, while able to remain useable in, protected container type memory; and
  
  perform a given security check, before a determination to store the protected container page to the destination page, if the determination is that the protected container page was live stored out;
  
  ornot perform the given security check, if the determination is that the protected container page was not live stored out.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The processor of claim 1, wherein the execution unit, in response to the instruction, is to determine whether the protected container page was live stored out including to determine whether a value indicates that the protected container page was live stored out.
  - 3. The processor of claim 2, wherein the value is to be encrypted with the source encrypted copy of the protected container page.
  - 4. The processor of claim 2, wherein the value is to be stored in the first protected container memory.
  - 5. The processor of claim 2, wherein the decode unit is to decode a second instruction, and wherein the processor is to perform the second instruction to:
    - live store the protected container page out of the protected container type memory; and
      
      configure the value to indicate that the protected container page was live stored out.
  - 6. The processor of claim 1, wherein the execution unit, in response to the instruction, is to perform the given security check including to determine whether a live protected container page group store operation, which is to have been used to store a group of protected container pages including the protected container page out of the protected container type memory, is to have been completed.
  - 7. The processor of claim 6, wherein the execution unit, in response to the instruction, is to determine not to store the protected container page to the destination page when the determination is that the live protected container page group store operation is not to have been completed.
  - 8. The processor of claim 6, wherein the live protected container page group store operation is to be completed when all protected container pages of a protected container have been stored out of the protected container type memory which is to be of a source computer system.
  - 9. The processor of claim 6, wherein the live protected container page group store operation is to be completed when all protected container pages of a protected container have been stored out of the protected container type memory which is to be of a source computer system to the regular memory which is to be of a destination computer system.
  - 10. The processor of claim 6, wherein to determine whether the live protected container page group store operation is to have been completed includes to compare a snapshot value with a current value, wherein the snapshot value is to have been taken at a time when, and is not to have been updated since, the protected container page was live stored out, and wherein the current value is to have been taken at a current time, and is to have been updated since the protected container page was live stored out, if thereafter the live protected container page group store operation is to have been completed.
  - 11. The processor of claim 10, wherein the snapshot value is to be encrypted with the encrypted copy of the protected container page, and wherein the current value is to be stored in the regular memory.
  - 12. The processor of claim 1, wherein the execution unit, in response to the instruction, is also to access a version of the protected container page from a version structure, wherein the version structure is to be used to store both versions of protected container pages that are to have been live stored out as well as versions of protected container pages that are to have been paged out through paging.
  - 13. The processor of claim 1, wherein the decode unit is to decode the instruction that is to indicate the source encrypted copy of the protected container page which is to be a secure enclave page, and that is to indicate the destination page that is to be in the first protected container memory which is to be an enclave page cache.

14. A processor comprising:
- an interface to receive a control primitive; and
  
  a core coupled with the interface, in response to the control primitive, to;
  
  access an encrypted copy of a protected container page that is to be stored in a regular memory;
  
  determine whether the protected container page was live stored out, while able to remain useable in, a second protected container memory; and
  
  perform a given security check, before determining to store the protected container page to a destination page that is to be in a first protected container memory, if the determination is that the protected container page is to have been live stored out;
  
  ornot perform the given security check, if the determination is that the protected container page is not to have been live stored out.
- View Dependent Claims (15, 16)
- - 15. The processor of claim 14, wherein the core, in response to the control primitive, is to determine whether the protected container page was live stored out including to determine whether a value, which is to be one of encrypted with the encrypted copy of the protected container page and stored in the first protected container memory, is to indicate that the protected container page was live stored out.
  - 16. The processor of claim 14, wherein the core, in response to the control primitive, is to perform the given security check including to determine whether a live protected container page group store operation, which is to have been used to store a group of protected container pages including the protected container page out of the second protected container memory, is to have been completed.

17. A method performed by a processor comprising:
- accessing an encrypted copy of a protected container page stored in a regular memory;
  
  determining whether the protected container page was live stored out, while able to remain useable in, protected container type memory; and
  
  performing a given security check, before determining to store the protected container page to a destination page in a first protected container memory, if it was determined that the protected container page was live stored out;
  
  ornot performing the given security check, if it was determined that the protected container page was not live stored out.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein said determining comprises determining whether a value, which is one of encrypted with the encrypted copy of the protected container page and stored in the first protected container memory, indicates that the protected container page was live stored out.
  - 19. The method of claim 17, wherein said determining comprises determining that the protected container page was live stored, and wherein said performing the given security check including determining whether a live protected container page group store operation, which was used to store a group of protected container pages including the protected container page out of the protected container type memory, has completed.
  - 20. The method of claim 19, wherein the live protected container page group store operation comprises a live migration of all protected container pages of a protected container from the protected container type memory, from which the protected container page was live stored out, and which is to be of a source computer system, to the regular memory, which is to be of a destination computer system.

21. A computer system comprising:
- an interconnect;
  
  a processor coupled with the interconnect, the processor to receive an instruction that is to indicate a source encrypted copy of a protected container page that is to be stored in a regular memory, and that is to indicate a destination page that is to be in a first protected container memory, the processor, in response to the instruction, to;
  
  determine whether the protected container page was live stored out, while able to remain useable in, protected container type memory; and
  
  perform a given security check, before a determination to store the protected container page to the destination page, if the determination is that the protected container page was live stored out, wherein the given security check is to include a determination whether a live protected container page group store operation, which is to have been used to store a group of protected container pages including the protected container page out of the protected container type memory, is to have been completed;
  
  ornot perform the given security check, if the determination is that the protected container page was not live stored out; and
  
  a memory coupled with the interconnect, the memory storing a set of instructions, the set of instructions, when executed by the processor, to cause the processor to perform operations comprising;
  
  store an indication that the live protected container page group store operation has been completed when it has been completed.
- View Dependent Claims (22)
- - 22. The computer system of claim 21, wherein the processor, in response to the instruction, is to determine whether the protected container page was live stored out including to determine whether a value, which is to be one of encrypted with the encrypted copy of the protected container page and stored in the first protected container memory, indicates that the protected container page was live stored out.

23. An article of manufacture comprising a non-transitory machine-readable storage medium, the non-transitory machine-readable storage medium storing one or more instructions that, if performed by a machine, are to cause the machine to perform operations comprising:
- access an encrypted copy of a protected container page that is to be stored in a regular memory;
  
  determine whether the protected container page was live stored out, while able to remain useable in, protected container type memory; and
  
  perform a given security check, before a determination to store the protected container page to a destination page in a first protected container memory, if it was determined that the protected container page was live stored out;
  
  ornot perform the given security check, if it was determined that the protected container page was not live stored out.
- View Dependent Claims (24, 25)
- - 24. The article of manufacture of claim 23, wherein the one or more instructions to cause the machine to determine whether the protected container page was live stored out comprises one or more instructions to cause the machine to determine whether a value, which is to be one of encrypted with the encrypted copy of the protected container page and stored in the first protected container memory, is to indicate that the protected container page was live stored out.
  - 25. The article of manufacture of claim 23, wherein the one or more instructions to cause the machine to perform the given security check comprise one or more instructions to cause the machine to determine whether a live protected container page group store operation, which is to have been used to store a group of protected container pages including the protected container page out of the protected container type memory, is to have been completed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Rozas, Carlos V., Vij, Mona, Chakrabarti, Somnath
Primary Examiner(s)
Naghdali, Khalil

Application Number

US15/274,217
Publication Number

US 20180089468A1
Time in Patent Office

1,019 Days
Field of Search

713193
US Class Current
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/6245   Protecting personal data, e...

G06F 21/78   to assure secure storage of...

G06F 9/30145   Instruction analysis, e.g. ...

Processors, methods, systems, and instructions to determine whether to load encrypted copies of protected container pages into protected container memory

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Processors, methods, systems, and instructions to determine whether to load encrypted copies of protected container pages into protected container memory

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links