System and method providing region-granular, hardware-controlled memory encryption

US 20030188178A1
Filed: 03/27/2002
Published: 10/02/2003
Est. Priority Date: 03/27/2002
Status: Active Grant

First Claim

Patent Images

1. A memory, comprising:

at least one storage location coupled to receive a block of data and a corresponding encryption indicator for the block of data, wherein the block of data corresponds to a selected memory region, and wherein the encryption indicator indicates whether the data corresponding to the selected memory region is encrypted; and

an encryption/decryption unit for encrypting and decrypting data, wherein the encryption/decryption unit is configured to decrypt the block of data dependent upon the encryption indicator before the block of data is stored in the storage location.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A memory, system, and method for providing security for data stored within a memory and arranged within a plurality of memory regions. The method includes receiving an address within a selected memory region and using the address to access an encryption indicator. The encryption indicator indicates whether data stored in the selected memory page are encrypted. The method also includes receiving a block of data from the selected memory region and the encryption indicator and decrypting the block of data dependent upon the encryption indicator.

83 Citations

View as Search Results

42 Claims

1. A memory, comprising:
- at least one storage location coupled to receive a block of data and a corresponding encryption indicator for the block of data, wherein the block of data corresponds to a selected memory region, and wherein the encryption indicator indicates whether the data corresponding to the selected memory region is encrypted; and
  
  an encryption/decryption unit for encrypting and decrypting data, wherein the encryption/decryption unit is configured to decrypt the block of data dependent upon the encryption indicator before the block of data is stored in the storage location.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The memory as recited in claim 1, wherein the block of data comprises a plurality of data units stored within contiguous locations of the external memory.
  - 3. The memory as recited in claim 2, wherein the selected memory region corresponds to one of a memory page, a memory segment, or a base-band pair.
  - 4. The memory as recited in claim 1, wherein the encryption indicator is an encrypt memory bit.
  - 5. The memory as recited in claim 4, wherein the encrypt memory bit is obtained by accessing at least one security attribute data structure stored within the external memory.
  - 6. The memory as recited in claim 1, wherein the memory comprises a cache, wherein the cache is coupled to receive the block of data and the corresponding encryption indicator from the selected memory region in the external memory.
  - 7. The memory as recited in claim 6, wherein the cache includes a plurality of cache memory entries for storing blocks of data and a plurality of cache directory entries for storing data needed to access the blocks of data, and wherein each of the cache directory entries corresponds to a different one of the cache memory entries, and wherein each of the cache directory entries includes an encrypt data bit indicating whether or not a block of data stored in the corresponding cache memory entry is to be encrypted before being stored in the external memory.
  - 8. The memory as recited in claim 7, wherein when a block of data stored in a given cache memory entry is to be stored in the memory, the cache unit is configured to use the encryption/decryption unit to encrypt the block of data dependent upon the encrypt data bit in the cache directory entry corresponding to the given cache memory entry before storing the block of data in the memory.

9. A system, comprising:
- a memory management unit (MMU) operably coupled to a memory and configured to manage the memory, wherein the MMU is configurable to manage the memory such that the memory stores data arranged within a plurality of memory regions;
  
  a security check unit coupled to receive a physical address within a selected memory region and configured to use the physical address to access at least one security attribute data structure located in the memory in order to obtain an encryption indicator, and wherein the encryption indicator indicates whether data stored in the selected memory region is encrypted, and wherein the security check unit is configured to provide the encryption indicator to an encryption/decryption unit; and
  
  a cache unit coupled to receive a block of data obtained from the selected memory region and the encryption indicator, wherein the cache unit comprises the encryption/decryption unit, wherein the encryption/decryption unit is configured to decrypt the block of data dependent upon the encryption indicator before storing the block of data.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 22, 24, 26, 27, 28, 29, 30, 32, 33, 34, 35, 36, 38, 39, 40, 41, 42)
- - 10. The system as recited in claim 9, wherein the block of data comprises a plurality of data units stored within contiguous locations of the memory.
  - 11. The memory as recited in claim 10, wherein the selected memory region corresponds to one of a memory page, a memory segment, or a base-band pair.
  - 12. The system as recited in claim 9, wherein the at least one security attribute data structure comprises a security attribute table directory and a security attribute table, and wherein the security attribute table comprises a security attribute table entry, and wherein the encryption indicator is an encrypt memory bit in the security attribute table entry.
  - 13. The system as recited in claim 9, wherein the cache unit includes a plurality of cache memory entries for storing blocks of data and a plurality of cache directory entries for storing data needed to access the blocks of data, and wherein each of the cache directory entries corresponds to a different one of the cache memory entries, and wherein each of the cache directory entries includes an encrypt data bit indicating whether or not a block of data stored in the corresponding cache memory entry is to be encrypted before being stored in the memory.
  - 14. The system as recited in claim 13, wherein when a block of data stored in a given cache memory entry is to be stored in the memory, the cache unit is configured to use the encryption/decryption unit to encrypt the block of data dependent upon the encrypt data bit in the cache directory entry corresponding to the given cache memory entry before storing the block of data in the memory.
  - 15. The system as recited in claim 9, wherein the security check unit is coupled to receive the physical address within the selected memory region and security attributes of the selected memory region, and wherein the security check unit is configured to use the physical address to access the at least one security attribute data structure located in the memory in order to obtain an additional security attribute of the selected memory region and the encryption indicator, and to generate a fault signal dependent upon the security attributes of selected memory region and the additional security attribute of the selected memory region.
  - 16. The system as recited in claim 15, wherein the security attributes of the selected memory region comprise a user/supervisor (U/S) bit and a read/write (R/W) bit as defined by the x86 processor architecture.
  - 17. The system as recited in claim 15, wherein the additional security attribute comprises a secure page (SP) bit, and wherein the SP bit indicates whether the selected memory region is a secure region.
  - 18. The system as recited in claim 15, wherein the fault signal is a general protection fault (GPF) signal as defined by the x86 processor architecture.
  - 19. The system as recited in claim 9, wherein the security check unit is comprised within the MMU.
  - 20. The system as recited in claim 9, wherein the MMU, the security check unit, and the cache unit are comprised within a processor.
  - 22. The computer system as recited in claim 20, wherein the block of data comprises a plurality of data units stored within contiguous locations of the memory.
  - 24. The computer system as recited in claim 20, wherein the at least one security attribute data structure comprises a security attribute table directory and a security attribute table, and wherein the security attribute table comprises a security attribute table entry, and wherein the encryption indicator is an encrypt memory bit in the security attribute table entry.
  - 26. The method as recited in claim 24, further comprising:
    - storing the block of data.
  - 27. The method as recited in claim 24, wherein receiving the block of data from the selected memory region and the encryption indicator comprises receiving a plurality of data units D stored within contiguous locations from the selected memory region and the encryption indicator, and wherein decrypting the block of data dependent upon the encryption indicator further comprises decrypting the plurality of data units stored within contiguous locations dependent upon the encryption indicator.
  - 28. The method as recited in claim 24, wherein receiving the address within the selected memory region comprises receiving a physical address within the selected memory region, and wherein using the address to access the encryption indicator comprises using the physical address to access the encryption indicator.
  - 29. The method as recited in claim 27, wherein using the physical address to access an encryption indicator further comprises using the physical address to access at least one security attribute data structure located in the memory to obtain the encryption indicator.
  - 30. The method as recited in claim 28, wherein comprises using the physical address to access at least one security attribute data structure located in the memory to obtain the encryption indicator further comprises using the physical address to access a security attribute table entry comprising an encrypted memory bit.
  - 32. The machine readable medium as recited in claim 30, the method further comprising:
    - storing the block of data.
  - 33. The machine readable medium as recited in claim 30, wherein receiving the block of data from the selected memory region and the encryption indicator comprises receiving a plurality of data units stored within contiguous locations from the selected memory region and the encryption indicator, and wherein decrypting the block of data dependent upon the encryption indicator further comprises decrypting the plurality of data units stored within contiguous locations dependent upon the encryption indicator.
  - 34. The machine readable medium as recited in claim 30, wherein receiving the address within the selected memory region comprises receiving a physical address within the selected memory region, and wherein using the address to access the encryption indicator comprises using the physical address to access the encryption indicator.
  - 35. The machine readable medium as recited in claim 33, wherein using the physical address to access an encryption indicator further comprises using the physical address to access at least one security attribute data structure located in the memory to obtain the encryption indicator.
  - 36. The machine readable medium as recited in claim 34, wherein using the physical address to access at least one security attribute data structure located in the memory to obtain the encryption indicator further comprises using the physical address to access a security attribute table entry comprising an encrypted memory bit.
  - 38. The system as recited in claim 36, further comprising:
    - means for storing the block of data.
  - 39. The system as recited in claim 36, wherein the means for receiving the block of data from the selected memory region and the encryption indicator comprises means for receiving a plurality of data units stored within contiguous locations from the selected memory region and the encryption indicator, and wherein the means for decrypting the block of data dependent upon the encryption indicator further comprises means for decrypting the plurality of data units stored within contiguous locations dependent upon the encryption indicator.
  - 40. The system as recited in claim 36, wherein the means for receiving the address within the selected memory region comprises means for receiving a physical address within the selected memory region, and wherein the means for using the address to access the encryption indicator comprises means for using the physical address to access the encryption indicator.
  - 41. The system as recited in claim 39, wherein the means for using the physical address to access an encryption indicator further comprises means for using the physical address to access at least one security attribute data structure located in the memory to obtain the encryption indicator.
  - 42. The system as recited in claim 40, wherein the means for using the physical address to access at least one security attribute data structure located in the memory to obtain the encryption indicator further comprises means for using the physical address to access a security attribute table entry comprising an encrypted memory bit.

21. A computer system, comprising:
- a memory for storing data, wherein the data includes instructions;
  
  a memory management unit (MMU) operably coupled to a memory and configured to manage the memory, wherein the MMU is configurable to manage the memory such that the memory stores data arranged within a plurality of memory regions;
  
  a security check unit coupled to receive a physical address within a selected memory region and configured to use the physical address to access at least one security attribute data structure located in the memory in order to obtain an encryption indicator, and wherein the encryption indicator indicates whether data stored in the selected memory region is encrypted, and wherein the security check unit is configured to provide the encryption indicator to an encryption/decryption unit; and
  
  a cache unit coupled to receive a block of data obtained from the selected memory region and the encryption indicator, wherein the cache unit comprises the encryption/decryption unit, wherein the encryption/decryption unit is configured to decrypt the block of data dependent upon the encryption indicator before storing the block of data.
- View Dependent Claims (23)
- - 23. The memory as recited in claim 21, wherein the selected memory region corresponds to one of a memory page, a memory segment, or a base-band pair.

25. A method for providing security for data stored within a memory, wherein the data are arranged within a plurality of memory regions, the method comprising:
- receiving an address within a selected memory region;
  
  using the address to access an encryption indicator, wherein the encryption indicator indicates whether or not data stored in the selected memory page is encrypted;
  
  receiving a block of data from the selected memory region and the encryption indicator;
  
  decrypting the block of data dependent upon the encryption indicator; and

31. A machine readable medium encoded with instructions that, when executed by a computer system, perform a method for providing security for data stored within a memory and arranged within a plurality of memory regions, the method comprising:
- receiving an address within a selected memory region;
  
  using the address to access an encryption indicator, wherein the encryption indicator indicates whether or not data stored in the selected memory page is encrypted;
  
  receiving a block of data from the selected memory region and the encryption indicator; and
  
  decrypting the block of data dependent upon the encryption indicator.

37. A system, comprising:
- means for receiving an address within a selected memory region in a memory;
  
  means for using the address to access an encryption indicator, wherein the encryption indicator indicates whether or not data stored in a selected memory page is encrypted;
  
  means for receiving a block of data from the selected memory region and the encryption indicator;
  
  means for decrypting the block of data dependent upon the encryption indicator; and

Specification

Resources

Litigation Campaign Assessment

Current Assignee
MediaTek, Inc.
Original Assignee
GlobalFoundries, Inc.
Inventors
Barnes, Brian C., Strongin, Geoffrey S., Schmidt, Rodney

Granted Patent

US 8,135,962 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 12/1009   using page tables, e.g. pag...

G06F 12/1408   by using cryptography for d...

G06F 12/1441   for a range

G06F 21/6218   to a system of files or obj...

G06F 2221/2143   Clearing memory, e.g. to pr...

System and method providing region-granular, hardware-controlled memory encryption

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

42 Claims

Specification

Use Cases

Quick Links

Others

System and method providing region-granular, hardware-controlled memory encryption

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

42 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others