System and method providing region-granular, hardware-controlled memory encryption
First Claim
1. A memory, comprising:
- at least one storage location coupled to receive a block of data and a corresponding encryption indicator for the block of data, wherein the block of data corresponds to a selected memory region, and wherein the encryption indicator indicates whether the data corresponding to the selected memory region is encrypted; and
- an encryption/decryption unit for encrypting and decrypting data, wherein the encryption/decryption unit is configured to decrypt the block of data dependent upon the encryption indicator before the block of data is stored in the storage location.
Abstract
A memory, system, and method for providing security for data stored within a memory and arranged within a plurality of memory regions. The method includes receiving an address within a selected memory region and using the address to access an encryption indicator. The encryption indicator indicates whether data stored in the selected memory page are encrypted. The method also includes receiving a block of data from the selected memory region and the encryption indicator and decrypting the block of data dependent upon the encryption indicator.
42 Claims
9. A system, comprising:
- a memory management unit (MMU) operably coupled to a memory and configured to manage the memory, wherein the MMU is configurable to manage the memory such that the memory stores data arranged within a plurality of memory regions;
- a security check unit coupled to receive a physical address within a selected memory region and configured to use the physical address to access at least one security attribute data structure located in the memory in order to obtain an encryption indicator, and wherein the encryption indicator indicates whether data stored in the selected memory region is encrypted, and wherein the security check unit is configured to provide the encryption indicator to an encryption/decryption unit; and
- a cache unit coupled to receive a block of data obtained from the selected memory region and the encryption indicator, wherein the cache unit comprises the encryption/decryption unit, wherein the encryption/decryption unit is configured to decrypt the block of data dependent upon the encryption indicator before storing the block of data.
21. A computer system, comprising:
- a memory for storing data, wherein the data includes instructions;
- a memory management unit (MMU) operably coupled to a memory and configured to manage the memory, wherein the MMU is configurable to manage the memory such that the memory stores data arranged within a plurality of memory regions;
- a security check unit coupled to receive a physical address within a selected memory region and configured to use the physical address to access at least one security attribute data structure located in the memory in order to obtain an encryption indicator, and wherein the encryption indicator indicates whether data stored in the selected memory region is encrypted, and wherein the security check unit is configured to provide the encryption indicator to an encryption/decryption unit; and
- a cache unit coupled to receive a block of data obtained from the selected memory region and the encryption indicator, wherein the cache unit comprises the encryption/decryption unit, wherein the encryption/decryption unit is configured to decrypt the block of data dependent upon the encryption indicator before storing the block of data.
25. A method for providing security for data stored within a memory, wherein the data are arranged within a plurality of memory regions, the method comprising:
- receiving an address within a selected memory region;
- using the address to access an encryption indicator, wherein the encryption indicator indicates whether or not data stored in the selected memory page is encrypted;
- receiving a block of data from the selected memory region and the encryption indicator;
- decrypting the block of data dependent upon the encryption indicator; and
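As an added illustration (example code written for this page, not code from the patent or its assignee), the following Python model walks through the read path that the abstract, claim 9 and claim 25 describe: a security attribute table indexed by physical page supplies the encryption indicator, and the cache unit's encryption/decryption unit decrypts a fetched block only when that indicator is set, before the line is stored. The page size, block size, table layout, the SHA-512 keystream used as a stand-in cipher, and the write path are all assumptions of the example; the claims fix none of them.

```python
import hashlib

# Constructed geometry for the example; the patent does not fix these sizes.
PAGE_SIZE = 4096      # one "memory region" per physical page here
BLOCK_SIZE = 64       # one cache line / "block of data"


def page_number(phys_addr: int) -> int:
    return phys_addr // PAGE_SIZE


def block_address(phys_addr: int) -> int:
    return phys_addr - (phys_addr % BLOCK_SIZE)


class SecurityAttributeTable:
    """Stand-in for the claims' 'security attribute data structure':
    one entry per physical page, bit 0 being the encryption indicator."""

    def __init__(self, num_pages: int) -> None:
        self.entries = [0] * num_pages

    def mark_encrypted(self, phys_addr: int, encrypted: bool = True) -> None:
        page = page_number(phys_addr)
        self.entries[page] = (self.entries[page] & ~1) | int(encrypted)

    def encryption_indicator(self, phys_addr: int) -> bool:
        """The security check unit's lookup: physical address -> indicator."""
        return bool(self.entries[page_number(phys_addr)] & 1)


class EncryptionUnit:
    """Toy encryption/decryption unit (assumption, not the patent's cipher):
    keystream = SHA-512(key || block address) XORed over the block, so
    encrypt and decrypt are the same operation. Dependency-free for the
    demo only; a real unit would use a proper tweakable block cipher."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def transform(self, block_addr: int, block: bytes) -> bytes:
        tweak = block_addr.to_bytes(8, "little")
        keystream = hashlib.sha512(self.key + tweak).digest()[:BLOCK_SIZE]
        return bytes(b ^ k for b, k in zip(block, keystream))


class Memory:
    """Backing DRAM: ciphertext for encrypted regions, plaintext otherwise."""

    def __init__(self, num_pages: int) -> None:
        self.data = bytearray(num_pages * PAGE_SIZE)

    def read_block(self, block_addr: int) -> bytes:
        return bytes(self.data[block_addr:block_addr + BLOCK_SIZE])

    def write_block(self, block_addr: int, block: bytes) -> None:
        self.data[block_addr:block_addr + BLOCK_SIZE] = block


class Cache:
    """Cache unit containing the encryption/decryption unit (claim 9).
    Lines always hold plaintext; the indicator is consulted on every fill."""

    def __init__(self, memory, sat, unit) -> None:
        self.memory, self.sat, self.unit = memory, sat, unit
        self.lines = {}   # block address -> plaintext line

    def read(self, phys_addr: int) -> bytes:
        addr = block_address(phys_addr)
        if addr not in self.lines:
            raw = self.memory.read_block(addr)
            indicator = self.sat.encryption_indicator(addr)
            # Decrypt dependent upon the indicator *before* storing the line.
            self.lines[addr] = self.unit.transform(addr, raw) if indicator else raw
        return self.lines[addr]

    def write(self, phys_addr: int, block: bytes) -> None:
        # Write path (assumed, mirrored from the read path): the block is
        # encrypted on its way out when the region's indicator is set.
        addr = block_address(phys_addr)
        self.lines[addr] = block
        out = self.unit.transform(addr, block) if self.sat.encryption_indicator(addr) else block
        self.memory.write_block(addr, out)


def demo() -> dict:
    """Two regions, one encrypted: what the cache returns versus what sits
    in DRAM, and what happens if the indicator is cleared afterwards."""
    sat, mem = SecurityAttributeTable(4), Memory(4)
    cache = Cache(mem, sat, EncryptionUnit(b"constructed demo key"))
    secret_addr, public_addr = 2 * PAGE_SIZE, 1 * PAGE_SIZE
    sat.mark_encrypted(secret_addr)
    secret = b"key material".ljust(BLOCK_SIZE, b"\0")   # constructed data
    public = b"lookup table".ljust(BLOCK_SIZE, b"\0")   # constructed data
    cache.write(secret_addr, secret)
    cache.write(public_addr, public)
    cache.lines.clear()                                  # force refills from DRAM
    result = {
        "secret_via_cache": cache.read(secret_addr),
        "secret_in_dram": mem.read_block(secret_addr),
        "public_in_dram": mem.read_block(public_addr),
    }
    # With the table entry cleared, the fill skips decryption and the cache
    # hands out ciphertext: the attribute structure needs protecting too.
    cache.lines.clear()
    sat.mark_encrypted(secret_addr, encrypted=False)
    result["secret_indicator_cleared"] = cache.read(secret_addr)
    return result
```

The last scenario is the one worth noting when reviewing a design like this: the indicator alone decides whether decryption happens, so the security attribute data structure, which the claims place in memory, needs the same integrity protection as the data it describes; otherwise a flipped bit silently changes what the cache delivers to the processor.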
31. A machine readable medium encoded with instructions that, when executed by a computer system, perform a method for providing security for data stored within a memory and arranged within a plurality of memory regions, the method comprising:
- receiving an address within a selected memory region;
- using the address to access an encryption indicator, wherein the encryption indicator indicates whether or not data stored in the selected memory page is encrypted;
- receiving a block of data from the selected memory region and the encryption indicator; and
- decrypting the block of data dependent upon the encryption indicator.
37. A system, comprising:
- means for receiving an address within a selected memory region in a memory;
- means for using the address to access an encryption indicator, wherein the encryption indicator indicates whether or not data stored in a selected memory page is encrypted;
- means for receiving a block of data from the selected memory region and the encryption indicator;
- means for decrypting the block of data dependent upon the encryption indicator; and
Specification