Controlling access to multiple memory zones in an isolated execution environment

US 20040078590A1
Filed: 10/10/2003
Published: 04/22/2004
Est. Priority Date: 03/31/2000
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a configuration storage storing configuration settings to configure an access transaction generated by a processor having a normal execution mode and an isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, the access transaction including access information; and

a multi-memory zone access checking circuit coupled to the configuration storage to check the access transaction using at least one of the configuration settings and the access information, the multi-memory zone access checking circuit generating an access grant signal if the access transaction is valid.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method, apparatus, and system for controlling memory accesses to multiple memory zones in an isolated execution environment. A processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that stores configuration settings. The configuration settings include a plurality of subsystem memory range settings defining memory zones. The access transaction also includes access information. A multi-memory zone access checking circuit, coupled to the configuration storage, checks the access transaction using at least one of the configuration settings and the access information. The multi-memory zone access checking circuit generates an access grant signal if the access transaction is valid.

113 Citations

View as Search Results

36 Claims

1. An apparatus comprising:
- a configuration storage storing configuration settings to configure an access transaction generated by a processor having a normal execution mode and an isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, the access transaction including access information; and
  
  a multi-memory zone access checking circuit coupled to the configuration storage to check the access transaction using at least one of the configuration settings and the access information, the multi-memory zone access checking circuit generating an access grant signal if the access transaction is valid.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1 wherein the access information includes a physical address.
  - 3. The apparatus of claim 2 wherein the configuration storage further comprises a process control register storing an execution mode word, the execution mode word being asserted as an execution mode signal when the processor is configured in the isolated execution mode.
  - 4. The apparatus of claim 3 wherein the configuration settings include a memory mask value, a memory base value, and a memory length value, a combination of at least two of the mask, base, and length values to define an isolated memory area in a memory external to the processor, the isolated memory area being accessible to the processor in the isolated execution mode.
  - 5. The apparatus of claim 3 wherein each subsystem memory range setting corresponds to a memory zone for a subsystem in an isolated memory area in a memory external to the processor.
  - 6. The apparatus of claim 5 wherein each subsystem memory range setting includes a subsystem memory mask value, a subsystem memory base value, and a subsystem memory length value, a combination of at lease two of the subsystem mask, base, and length values to define a memory zone in the isolated memory area for the subsystem.
  - 7. The apparatus of claim 6 wherein an ID value for each subsystem identifies each subsystem and the subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting.
  - 8. The apparatus of claim 6 wherein the multi-memory zone access checking circuit comprises a subsystem address detector to detect if the physical address is within a currently active subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting for the subsystem, the subsystem address detector generating a subsystem address matching signal.
  - 9. The apparatus of claim 8 wherein the multi-memory zone access checking circuit further comprises an access grant generator coupled to the subsystem address detector and the processor control register, the access grant generator generating an access grant signal if both the subsystem address matching signal and the execution mode word signal are asserted.

10. A method comprising:
- configuring an access transaction generated by a processor having a normal execution mode and an isolated execution mode using a configuration storage storing configuration settings, the configuration settings including a plurality of subsystem memory range settings, the access transaction including access information;
  
  checking the access transaction by a multi-memory zone access checking circuit using at least one of the configuration settings and the access information; and
  
  generating an access grant signal if the access transaction is valid.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10 wherein the access information includes a physical address.
  - 12. The method of claim 11 wherein the configuration storage comprises a process control register storing an execution mode word, the execution mode word being asserted as an execution mode signal when the processor is configured in the isolated execution mode.
  - 13. The method of claim 12 wherein the configuration settings include a memory mask value, a memory base value, and a memory length value, a combination of at least two of the mask, base, and length values to define an isolated memory area in a memory external to the processor, the isolated memory area being accessible to the processor in the isolated execution mode.
  - 14. The method of claim 12 wherein each subsystem memory range setting corresponds to a memory zone for a subsystem in an isolated memory area in a memory external to the processor.
  - 15. The method of claim 14 wherein each subsystem memory range setting includes a subsystem memory mask value, a subsystem memory base value, and a subsystem memory length value, a combination of at lease two of the subsystem mask, base, and length values to define a memory zone in the isolated memory area for the subsystem.
  - 16. The method of claim 15 wherein configuring the access transaction further comprises storing an ID value for each subsystem to identify each subsystem and the subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting.
  - 17. The method of claim 15 wherein checking the access transaction comprises detecting if the physical address is within a currently active subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting for the subsystem by a subsystem address detector, the subsystem address detector generating a subsystem address matching signal.
  - 18. The method of claim 17 wherein generating an access grant signal if the access transaction is valid comprises generating an access grant signal by an access grant generator if both the subsystem address matching signal and the execution mode word signal are asserted.

19. A computer program product comprising:
- a machine readable medium having computer program code therein, the computer program product comprising;
  
  computer readable program code for configuring an access transaction generated by a processor having a normal execution mode and an isolated execution mode using a configuration storage storing configuration settings, the configuration settings including a plurality of subsystem memory range settings, the access transaction including access information;
  
  computer readable program code for checking the access transaction by a multi-memory zone access checking circuit using at least one of the configuration settings and the access information; and
  
  computer readable program code for generating an access grant signal if the access transaction is valid.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The computer program product of claim 19 wherein the access information includes a physical address.
  - 21. The computer program product of claim 20 wherein the configuration storage comprises a process control register storing an execution mode word, the execution mode word being asserted as an execution mode signal when the processor is configured in the isolated execution mode.
  - 22. The computer program product of claim 21 wherein the configuration settings include a memory mask value, a memory base value, and a memory length value, a combination of at least two of the mask, base, and length values to define an isolated memory area in a memory external to the processor, the isolated memory area being accessible to the processor in the isolated execution mode.
  - 23. The computer program product of claim 21 wherein each subsystem memory range setting corresponds to a memory zone initiated for a subsystem in an isolated memory area in a memory external to the processor.
  - 24. The computer program product of claim 23 wherein each subsystem memory range setting includes a subsystem memory mask value, a subsystem memory base value, and a subsystem memory length value, a combination of at lease two of the subsystem mask, base, and length values to define a memory zone in the isolated memory area for the subsystem.
  - 25. The computer program product of claim 24 wherein the computer readable program code for configuring the access transaction further comprises computer readable program code for storing an ID value for each subsystem to identify each subsystem and the subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting.
  - 26. The computer program product of claim 24 wherein the computer readable program code for checking the access transaction comprises computer readable program code for detecting if the physical address is within a currently initialized subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting for the subsystem by a subsystem address detector, the subsystem address detector generating a subsystem address matching signal.
  - 27. The computer program product of claim 26 wherein the computer readable program code for generating an access grant signal if the access transaction is valid comprises computer readable program code for generating an access grant signal by an access grant generator if both the subsystem address matching signal and the execution mode word signal are asserted.

28. A system comprising:
- a chipset;
  
  a memory coupled to the chipset having an isolated memory area;
  
  a processor coupled to the chipset and the memory having an access manager, the processor having a normal execution mode and an isolate execution mode, the processor generating an access transaction having access information, the access manager comprising;
  
  a configuration storage storing configuration settings to configure an access transaction generated by the processor, the configuration settings including a plurality of subsystem memory range settings; and
  
  a multi-memory zone access checking circuit coupled to the configuration storage to check the access transaction using at least one of the configuration settings and the access information, the multi-memory zone access checking circuit generating an access grant signal if the access transaction is valid.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36)
- - 29. The system of claim 28 wherein the access information includes a physical address.
  - 30. The system of claim 29 wherein the configuration storage further comprises a process control register storing an execution mode word, the execution mode word being asserted as an execution mode signal when the processor is configured in the isolated execution mode.
  - 31. The system of claim 30 wherein the configuration settings include a memory mask value, a memory base value, and a memory length value, a combination of at least two of the mask, base, and length values to define an isolated memory area in a memory external to the processor, the isolated memory area being accessible to the processor in the isolated execution mode.
  - 32. The system of claim 30 wherein each subsystem memory range setting corresponds to a memory zone for a subsystem in an isolated memory area in a memory external to the processor.
  - 33. The system of claim 32 wherein each subsystem memory range setting includes a subsystem memory mask value, a subsystem memory base value, and a subsystem memory length value, a combination of at lease two of the subsystem mask, base, and length values to define a the memory zone in the isolated memory area for the subsystem.
  - 34. The system of claim 33 wherein an ID value for each subsystem to identifies each subsystem and the subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting.
  - 35. The system of claim 33 wherein the multi-memory zone access checking circuit comprises a subsystem address detector to detect if the physical address is within a currently active subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting for the subsystem, the subsystem address detector generating a subsystem address matching signal.
  - 36. The system of claim 35 wherein the multi-memory zone access checking circuit further comprises an access grant generator coupled to the subsystem address detector and the processor control register, the access grant generator generating an access grant signal if both the subsystem address matching signal and the execution mode word signal are asserted.

Specification

Resources

Litigation Campaign Assessment

Granted Patent

US 6,934,817 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 12/1441 for a range

G06F 12/1491 in a hierarchical protectio...

Controlling access to multiple memory zones in an isolated execution environment

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

113 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access to multiple memory zones in an isolated execution environment

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links