Processors, methods, systems, and instructions to support live migration of protected containers

US 10,558,588 B2
Filed: 07/17/2017
Issued: 02/11/2020
Est. Priority Date: 06/26/2015
Status: Active Grant

First Claim

Patent Images

1. A system on a chip comprising:

a decode unit to decode an instruction;

a circuit to access a control structure in response to the instruction, the control structure to store a plurality of cryptographic keys capable of being migrated from a source computer system to a destination computer system;

a cryptographic unit, in response to the instruction, to;

decrypt a copy of data with a first cryptographic key, the data to be within an encrypted portion of a virtual machine; and

encrypt the decrypted copy of the data with a second, different cryptographic key; and

a memory controller, in response to the instruction, to store the encrypted copy of the data after the encryption by the cryptographic unit to a memory location outside of the encrypted portion of the virtual machine, as part of a migration of the virtual machine from the source computer system to the destination computer system,wherein the system on a chip is to leave the data within the encrypted portion of the virtual machine valid and readable after the encrypted copy of the data has been stored to the memory location outside of the encrypted portion of the virtual machine.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.

62 Citations

View as Search Results

25 Claims

1. A system on a chip comprising:
- a decode unit to decode an instruction;
  
  a circuit to access a control structure in response to the instruction, the control structure to store a plurality of cryptographic keys capable of being migrated from a source computer system to a destination computer system;
  
  a cryptographic unit, in response to the instruction, to;
  
  decrypt a copy of data with a first cryptographic key, the data to be within an encrypted portion of a virtual machine; and
  
  encrypt the decrypted copy of the data with a second, different cryptographic key; and
  
  a memory controller, in response to the instruction, to store the encrypted copy of the data after the encryption by the cryptographic unit to a memory location outside of the encrypted portion of the virtual machine, as part of a migration of the virtual machine from the source computer system to the destination computer system,wherein the system on a chip is to leave the data within the encrypted portion of the virtual machine valid and readable after the encrypted copy of the data has been stored to the memory location outside of the encrypted portion of the virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system on a chip of claim 1, wherein the system on a chip is to perform message authentication code computations based on the copy of the data in response to the instruction, and wherein the second cryptographic key is one of the plurality of cryptographic keys capable of being migrated from the source computer system to the destination computer system.
  - 3. The system on a chip of claim 1, wherein the decode unit is to decode the instruction that implicitly indicates a register, the register to indicate additional instruction specification information.
  - 4. The system on a chip of claim 1, comprising logic responsive to at least three instructions that each indicate a different operation that is a part of a migration of the encrypted portion of the virtual machine.
  - 5. The system on a chip of claim 1, wherein the cryptographic unit is to decrypt the copy of the data while the data has a write protected state.
  - 6. The system on a chip of claim 1, wherein the system on a chip, in response to one or more instructions, is to ensure no writable permissions for the data are cached in a processor having the decode unit, while the data within the encrypted portion of the virtual machine has a write protected state, by ensuring all translations for the data within the encrypted portion of the virtual machine have been flushed from all translation lookaside buffers of the processor.

7. A method comprising:
- accessing a control structure in response to an instruction, the control structure storing a plurality of cryptographic keys capable of being migrated from a source computer system to a destination computer system;
  
  decrypting a copy of data with a first cryptographic key in response to the instruction, the data stored within an encrypted portion of a virtual machine; and
  
  encrypting the decrypted copy of the data with a second, different cryptographic key in response to the instruction;
  
  storing the encrypted copy of the data to a memory location outside of the encrypted portion of the virtual machine in response to the instruction; and
  
  leaving the data stored within the encrypted portion of the virtual machine valid and readable after said storing the encrypted copy of the data to the memory location outside of the encrypted portion of the virtual machine.
- View Dependent Claims (8)
- - 8. The method of claim 7, further comprising:
    - performing message authentication code computations based on the copy of the data in response to the instruction; and
      
      migrating the second cryptographic key from the source computer system to the destination computer system.

9. A system on a chip comprising:
- a decode unit to decode an instruction;
  
  a circuit to access a control structure in response to the instruction, the control structure to store a plurality of cryptographic keys capable of being migrated from a source computer system to a destination computer system;
  
  a cryptographic unit, in response to the instruction, to;
  
  decrypt a copy of data with a first cryptographic key, the data to be within an encrypted portion of a virtual machine; and
  
  encrypt the decrypted copy of the data with a second, different cryptographic key; and
  
  a memory controller, in response to the instruction, to store the encrypted copy of the data after the encryption by the cryptographic unit to a memory location outside of the encrypted portion of the virtual machine,wherein the system on a chip is to leave the data within the encrypted portion of the virtual machine valid and readable after the encrypted copy of the data has been stored to the memory location outside of the encrypted portion of the virtual machine.
- View Dependent Claims (10, 11, 12)
- - 10. The system on a chip of claim 9, wherein the system on a chip is to perform message authentication code computations based on the copy of the data in response to the instruction, and wherein the second cryptographic key is one of the plurality of cryptographic keys capable of being migrated from the source computer system to the destination computer system.
  - 11. The system on a chip of claim 9, wherein the decode unit is to decode the instruction that implicitly indicates a register, the register to indicate additional instruction specification information.
  - 12. The system on a chip of claim 9, wherein the cryptographic unit is to decrypt the copy of the data while the data has a write protected state, and wherein the system on a chip, in response to one or more instructions, is to ensure no writable permissions for the data are cached in a processor having the decode unit, while the data within the encrypted portion of the virtual machine has a write protected state, by ensuring all translations for the data within the encrypted portion of the virtual machine have been flushed from all translation lookaside buffers of the processor.

13. A system on a chip comprising:
- a decode unit to decode an instruction;
  
  an execution unit, in response to the instruction, to;
  
  access a control structure in response to the instruction, the control structure to store a plurality of cryptographic keys capable of being migrated from a source computer system to a destination computer system;
  
  decrypt a copy of data with a first cryptographic key, the data to be within an encrypted portion of a virtual machine;
  
  encrypt the decrypted copy of the data with a second, different cryptographic key; and
  
  store the encrypted copy of the data after the encryption by the execution unit to a memory location outside of the encrypted portion of the virtual machine,wherein the system on a chip is to leave the data within the encrypted portion of the virtual machine valid and readable after the encrypted copy of the data has been stored to the memory location outside of the encrypted portion of the virtual machine.
- View Dependent Claims (14, 15)
- - 14. The system on a chip of claim 13, wherein the execution unit, in response to the instruction, is to perform message authentication code computations based on the copy of the data, wherein the second cryptographic key is one of the plurality of cryptographic keys capable of being migrated from the source computer system to the destination computer system, and wherein the decode unit is to decode the instruction that implicitly indicates a register, the register to indicate additional instruction specification information.
  - 15. The system of a chip of claim 13, wherein the execution unit is to decrypt the copy of the data while the data has a write protected state, and wherein the system on a chip, in response to one or more instructions, is to ensure no writable permissions for the data are cached in a processor having the decode unit, while the data within the encrypted portion of the virtual machine has a write protected state, by ensuring all translations for the data within the encrypted portion of the virtual machine have been flushed from all translation lookaside buffers of the processor.

16. A system on a chip comprising:
- circuitry to decode an instruction;
  
  circuitry to access a control structure in response to the instruction, the control structure to store a plurality of cryptographic keys capable of being migrated from a source computer system to a destination computer system;
  
  circuitry to decrypt a copy of data with a first cryptographic key in response to the instruction, the data to be within an encrypted portion of a virtual machine;
  
  circuitry to encrypt the decrypted copy of the data with a second, different cryptographic key in response to the instruction; and
  
  circuitry to store the encrypted copy of the data, after the encryption by the circuitry to encrypt, to a memory location outside of the encrypted portion of the virtual machine, in response to the instruction, as part of a migration of the virtual machine from the source computer system to the destination computer system,wherein the system on a chip is to leave the data within the encrypted portion of the virtual machine valid and readable after the encrypted copy of the data has been stored to the memory location outside of the encrypted portion of the virtual machine.
- View Dependent Claims (17, 18, 19)
- - 17. The system on a chip of claim 16, comprising circuitry to perform message authentication code computations based on the copy of the data in response to the instruction, and wherein the second cryptographic key is one of the plurality of cryptographic keys capable of being migrated from the source computer system to the destination computer system.
  - 18. The system on a chip of claim 16, wherein the circuitry to decode the instruction is to decode the instruction that implicitly indicates a register, the register to indicate additional instruction specification information.
  - 19. The system on a chip of claim 16, wherein the circuitry to decrypt the copy of the data is to decrypt the copy of the data while the data has a write protected state, and wherein the system on a chip, in response to one or more instructions, is to ensure no writable permissions for the data are cached in a processor having the circuitry to decode the instruction, while the data within the encrypted portion of the virtual machine has a write protected state, by ensuring all translations for the data within the encrypted portion of the virtual machine have been flushed from all translation lookaside buffers of the processor.

20. A system on a chip having support for an operation to store an encrypted copy of data, within an encrypted portion of a virtual machine, to a memory location outside of the encrypted portion of the virtual machine, the system on a chip comprising:
- a decode unit to decode instructions;
  
  a circuit controlled as part of the operation to access a control structure, the control structure to store a plurality of cryptographic keys capable of being migrated from a source computer system to a destination computer system;
  
  a cryptographic unit, controlled as part of the operation, to;
  
  decrypt a copy of the data with a first cryptographic key, the data to be within the encrypted portion of the virtual machine; and
  
  encrypt the decrypted copy of the data with a second, different cryptographic key; and
  
  a memory controller, controlled as part of the operation, to store the encrypted copy of the data after the encryption by the cryptographic unit to the memory location outside of the encrypted portion of the virtual machine, as part of a migration of the virtual machine from the source computer system to the destination computer system,wherein the system on a chip is to leave the data within the encrypted portion of the virtual machine valid and readable after the encrypted copy of the data has been stored to the memory location outside of the encrypted portion of the virtual machine.
- View Dependent Claims (21, 22, 23)
- - 21. The system on a chip of claim 20, wherein the system on a chip is controlled as part of the operation to perform message authentication code computations based on the copy of the data, and wherein the second cryptographic key is one of the plurality of cryptographic keys capable of being migrated from the source computer system to the destination computer system.
  - 22. The system on a chip of claim 20, wherein the cryptographic unit is to decrypt the copy of the data while the data has a write protected state.
  - 23. The system on a chip of claim 20, wherein the system on a chip is controlled as part of the operation to ensure no writable permissions for the data are cached in a processor having the decode unit, while the data within the encrypted portion of the virtual machine has a write protected state, by ensuring all translations for the data within the encrypted portion of the virtual machine have been flushed from all translation lookaside buffers of the processor.

24. An article of manufacture comprising a non-transitory machine-readable storage medium, the non-transitory machine-readable storage medium storing instructions that when executed by a machine are to cause the machine to perform operations comprising to:
- access a control structure in response to the instructions, the control structure storing a plurality of cryptographic keys capable of being migrated from a source computer system to a destination computer system;
  
  decrypt a copy of data with a first cryptographic key in response to the instructions, the data stored within an encrypted portion of a virtual machine; and
  
  encrypt the decrypted copy of the data with a second, different cryptographic key in response to the instructions;
  
  store the encrypted copy of the data to a memory location outside of the encrypted portion of the virtual machine in response to the instructions; and
  
  leave the data stored within the encrypted portion of the virtual machine valid and readable after said storing the encrypted copy of the data to the memory location outside of the encrypted portion of the virtual machine.
- View Dependent Claims (25)
- - 25. The article of manufacture of claim 24, wherein the non-transitory machine-readable storage medium further stores instructions that when executed by the machine are to cause the machine to perform operations comprising to perform message authentication code computations based on the copy of the data in response to the instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Rozas, Carlos V., Vij, Mona, Leslie-Hurd, Rebekah M., Zmudzinski, Krystof C., Chakrabarti, Somnath, Mckeen, Francis X., Scarlata, Vincent R., Johnson, Simon P., Alexandrovich, Ilya, Neiger, Gilbert, Shanbhogue, Vedvyas, Anati, Ittai
Primary Examiner(s)
Reza, Mohammad W

Application Number

US15/651,771
Publication Number

US 20180004683A1
Time in Patent Office

939 Days
Field of Search

713190
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 12/1441   for a range

G06F 12/1483   using an access-table, e.g....

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 2212/1052   Security improvement

G06F 8/41   Compilation

G06F 9/30145   Instruction analysis, e.g. ...

G06F 9/45558   Hypervisor-specific managem...

Processors, methods, systems, and instructions to support live migration of protected containers

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Processors, methods, systems, and instructions to support live migration of protected containers

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others