Method for firmware isolation
Abstract
In one embodiment, the present invention includes a method for determining if an isolation driver is present and a processor supports virtualization, launching the isolation driver in a first privilege level different than a system privilege level and user privilege level, creating a 1:1 virtual mapping between a virtual address and a physical address, using the isolation driver, and controlling access to a memory page using the isolation driver. Other embodiments are described and claimed.
15 Claims
1. A method comprising:
determining if an isolation driver is present in a non-volatile storage of a system and if so, determining if a processor of the system supports virtualization and if so, launching the isolation driver in a first privilege level, the first privilege different than a system privilege level and user privilege level;
creating a 1:1 virtual mapping between a virtual address and a physical address, wherein the physical address is to be accessed using a page directory entry of a page directory and a page table entry of a page table using the isolation driver;
controlling access to a memory page associated with the page table entry based on a plurality of availability bits of the page table entry.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8)

9. An article comprising a machine-accessible medium including instructions that when executed cause a system to:
determine if an isolation driver is present in a non-volatile storage and if so, determine if a processor supports virtualization and if so, launch the isolation driver in a first privilege level, the first privilege different than a system privilege level and user privilege level and at a higher privilege level than the system privilege level and the user privilege level;
create a 1:1 virtual mapping between a virtual address and a physical address, wherein the physical address is to be accessed using a page directory entry of a page directory and a page table entry of a page table using the isolation driver;
control access to a memory page associated with the page table entry based on a plurality of availability bits of the page table entry.
(Dependent claims: 10, 11, 12)

13. A system comprising:
a processor to execute instructions;
a non-volatile storage including trusted code to execute in a pre-boot environment, the trusted code including first code of a first privilege level, the first code including security code, pre-extensible firmware interface code, and driver execution environment code, second code of a second privilege level, the second code including an isolation driver to prevent third party code from execution in the second privilege level, create a 1:1 virtual mapping between a virtual address and a physical address, wherein the physical address is to be accessed using a page directory entry of a page directory and a page table entry of a page table using the isolation driver, and control access to a memory page associated with the page table entry based on a plurality of availability bits of the page table entry;
a mass storage device coupled to the processor, the mass storage device including third code of a third privilege level, the third code including the third party code.
(Dependent claims: 14, 15)
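The independent claims above describe two mechanisms in the abstract: a 1:1 (identity) mapping of virtual to physical addresses, and access control on a page that is decided from the software-available bits of its page table entry rather than from the architectural permission bits alone. The following C program is an added illustration, not code from the patent or from any firmware it describes: it models an x86-style 4 KiB page table entry, builds an identity map over a small constructed table, stores an owner tag in the three software-available bits (bits 9 to 11, which the MMU ignores), and has an isolation layer decide whether a caller at the isolation, system or user privilege level may read or write a page. The owner encoding, the three privilege levels and the access policy are assumptions chosen for the example.

```c
/* Added example (not the patent's code): models an x86-style 4 KiB page-table
 * entry and uses its software-available bits 9..11 (ignored by the MMU) to tag
 * each page with an owner, so a higher-privileged isolation layer can decide
 * whether a caller at a lower privilege level may touch the page. The privilege
 * levels, owner tags and access policy are assumptions made for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE      4096ULL
#define NUM_PAGES      16                      /* toy table: 16 pages, 64 KiB */
#define PTE_PRESENT    (1ULL << 0)             /* architectural bits */
#define PTE_WRITABLE   (1ULL << 1)
#define PTE_USER       (1ULL << 2)
#define PTE_AVL_SHIFT  9
#define PTE_AVL_MASK   (7ULL << PTE_AVL_SHIFT) /* bits 9..11: available to software */
#define PTE_ADDR_MASK  0x000FFFFFFFFFF000ULL   /* bits 12..51: physical page frame */

/* Owner tag stored in the availability bits (our own encoding, not architectural). */
enum page_owner { OWNER_UNTAGGED = 0, OWNER_FIRMWARE = 1, OWNER_OS = 2, OWNER_THIRD_PARTY = 3 };

/* Privilege levels named after the claims: the isolation driver sits above
 * the system (OS) level, which sits above the user (third-party) level. */
enum priv_level { PRIV_ISOLATION = 0, PRIV_SYSTEM = 1, PRIV_USER = 2 };

static uint64_t page_table[NUM_PAGES];

uint64_t pte_phys(uint64_t pte) { return pte & PTE_ADDR_MASK; }

enum page_owner pte_owner(uint64_t pte) {
    return (enum page_owner)((pte & PTE_AVL_MASK) >> PTE_AVL_SHIFT);
}

/* Build a 1:1 (identity) mapping: virtual page i maps to physical page i. */
void build_identity_map(void) {
    for (size_t i = 0; i < NUM_PAGES; i++)
        page_table[i] = (i * PAGE_SIZE) | PTE_PRESENT | PTE_WRITABLE | PTE_USER;
}

/* Re-check the identity property: every present entry maps to its own frame. */
bool verify_identity_map(void) {
    for (size_t i = 0; i < NUM_PAGES; i++)
        if ((page_table[i] & PTE_PRESENT) && pte_phys(page_table[i]) != i * PAGE_SIZE)
            return false;
    return true;
}

/* Write an owner tag into the availability bits, leaving the other bits alone. */
void tag_page(size_t idx, enum page_owner owner) {
    if (idx >= NUM_PAGES) return;
    page_table[idx] = (page_table[idx] & ~PTE_AVL_MASK) | ((uint64_t)owner << PTE_AVL_SHIFT);
}

/* Access decision the isolation layer would make before allowing a caller at
 * `level` to read or write `vaddr`. Hardware bits are honoured first, then the
 * owner tag is applied as the software policy. */
bool access_allowed(uint64_t vaddr, enum priv_level level, bool write) {
    size_t idx = vaddr / PAGE_SIZE;
    if (idx >= NUM_PAGES) return false;          /* outside the mapped range */
    uint64_t pte = page_table[idx];
    if (!(pte & PTE_PRESENT)) return false;
    if (write && !(pte & PTE_WRITABLE)) return false;
    if (level == PRIV_USER && !(pte & PTE_USER)) return false;

    enum page_owner owner = pte_owner(pte);
    switch (level) {
    case PRIV_ISOLATION: return true;                               /* driver may reach every page */
    case PRIV_SYSTEM:    return !(write && owner == OWNER_FIRMWARE); /* OS may read, not overwrite, firmware pages */
    case PRIV_USER:      return owner == OWNER_THIRD_PARTY;         /* third-party code stays in its own pages */
    }
    return false;
}

/* Constructed sample layout: pages 0-3 firmware, 4-7 OS, 8-11 third party, 12-15 untagged. */
void setup_example(void) {
    build_identity_map();
    for (size_t i = 0; i < 4; i++)  tag_page(i, OWNER_FIRMWARE);
    for (size_t i = 4; i < 8; i++)  tag_page(i, OWNER_OS);
    for (size_t i = 8; i < 12; i++) tag_page(i, OWNER_THIRD_PARTY);
}

int main(void) {
    setup_example();
    printf("identity map intact: %d\n", verify_identity_map());
    printf("OS write to firmware page 1: %d\n", access_allowed(0x1000, PRIV_SYSTEM, true));
    printf("isolation driver write to page 1: %d\n", access_allowed(0x1000, PRIV_ISOLATION, true));
    printf("third-party read of OS page 4: %d\n", access_allowed(0x4000, PRIV_USER, false));
    printf("third-party write to its page 8: %d\n", access_allowed(0x8000, PRIV_USER, true));
    return 0;
}
```

The point the example makes is the one the claims rest on: because the MMU never interprets bits 9 to 11, the entry can carry a policy label that survives normal page-table walks, and only code running at the isolation level (which owns the tables) can change it. On real hardware the same check would be enforced by the isolation driver trapping the access, and the identity map keeps the driver's view of physical memory simple enough that a page's tag can be found from its address without a second translation.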