ENCRYPTED MEMORY ACCESS USING PAGE TABLE ATTRIBUTES

US 20170371809A1
Filed: 06/27/2016
Published: 12/28/2017
Est. Priority Date: 06/27/2016
Status: Active Grant

First Claim

Patent Images

1. A memory system comprising:

memory elements organized into memory regions;

a memory controller at a memory interface, the memory controller comprising;

an encryptor to control a plurality of memory access keys respectively associated with the memory regions, wherein each memory region is allocated to a respective client;

an access manager to;

receive an access request from a client, the access request including a client access key to access a memory element,look up a memory access key from a page table attribute associated with a physical address of the memory element, anddetermine if the access request is valid by comparing the client access key with the memory access key associated with the memory region that includes the memory element, andprovide a response to the access request based on the determination and a mode of operation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Encrypted memory access using page table attributes is disclosed. One example is a memory system including a memory controller at a memory interface. The memory controller includes an encryptor to control a plurality of memory access keys respectively associated with memory regions, where each memory region is allocated to a respective client, and an access manager to receive an access request from a client, the access request including a client access key to access a memory element. The access manager looks up a memory access key from a page table attribute associated with a physical address of the memory element, and determines if the access request is valid by comparing the client access key with the memory access key associated with the memory region that includes the memory element. Based on the determination and a mode of operation, the access manager provides a response to the access request.

Citations

20 Claims

1. A memory system comprising:
- memory elements organized into memory regions;
  
  a memory controller at a memory interface, the memory controller comprising;
  
  an encryptor to control a plurality of memory access keys respectively associated with the memory regions, wherein each memory region is allocated to a respective client;
  
  an access manager to;
  
  receive an access request from a client, the access request including a client access key to access a memory element,look up a memory access key from a page table attribute associated with a physical address of the memory element, anddetermine if the access request is valid by comparing the client access key with the memory access key associated with the memory region that includes the memory element, andprovide a response to the access request based on the determination and a mode of operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The memory system of claim 1, wherein the access manager is to determine that the access request is not valid by identifying a page table miss in a page table that includes the page table attribute, and is to determine that the memory element is accessible to a new client, and wherein the encryptor is to update the memory access key to conform to a new client access key associated with the new client.
  - 3. The memory system of claim 1, wherein the mode of operation is isolation only, and wherein the access manager is to determine one of:
    - the access request is valid, and the encryptor is to provide unencrypted data to the client, andthe access request is not valid, and the encryptor is to provide scrambled data to the client.
  - 4. The memory system of claim 1, wherein the mode of operation is encryption and error correction only, and wherein the encryptor is to perform encryption and error correction functions, and wherein, upon a determination that the access request is not valid, the access manager is to generate an alert that a fatal uncorrectable memory error has occurred.
  - 5. The memory system of claim 1, wherein the mode of operation is isolation, encryption and error correction, and wherein the access manager is to determine one of:
    - the access request is valid, and the encryptor is to provide unencrypted data to the client, andthe access request is not valid, and the encryptor is to provide scrambled data to the client, and wherein the access manager is to generate an alert that a fatal uncorrectable memory error has occurred.
  - 6. The memory system of claim 1, wherein the client is one of a user, an application, a process, a driver, and a multiprocessor with virtualized clients.
  - 7. The memory system of claim 6, wherein the client access key is unique to each client of the plurality of clients.
  - 8. The memory system of claim 1, wherein the client access key includes one of a process identifier, a thread identifier, an application identifier, and a context definition.
  - 9. The memory system of claim 1, wherein the memory regions comprise non-volatile shared memory.

10. A method comprising:
- controlling, via a memory controller at a memory interface, a plurality of memory access keys respectively associated with memory regions of the memory system, wherein each memory region is allocated to a respective client;
  
  receiving, via the memory controller, an access request from a client, the access request including a client access key to access a memory element included in a memory region;
  
  looking up, via the memory controller, a memory access key from a page table attribute associated with a physical address of the memory element;
  
  determining, via the memory controller, if the access request is valid by comparing the client access key with the memory access key associated with the memory region that includes the memory element; and
  
  providing, via the memory controller, a response to the access request based on the determination and a mode of operation.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, further comprising:
    - determining that the access request is not valid by identifying a page table miss in the page table.
  - 12. The method of claim 11, further comprising:
    - determining that the memory element is accessible to a new client; and
      
      updating the memory access key to conform to a new client access key associated with the new client.
  - 13. The method of claim 10, wherein the mode of operation is isolation only, and further comprising:
    - providing unencrypted data to the client upon a determination that the access request is valid, andproviding scrambled data to the client upon a determination that the access request is not valid.
  - 14. The method of claim 10, wherein the mode of operation is encryption and error correction only, and further comprising:
    - performing encryption and error correction functions, and upon a determination that the access request is not valid, generating an alert that a fatal uncorrectable memory error has occurred.
  - 15. The method of claim 10, further comprising.identifying an unauthorized access request from a client;
    - andrestricting access to the memory region associated with the unauthorized access request.
  - 16. The method of claim 10, wherein the client access key is unique to each client of a plurality of clients.

17. A programmable memory controller comprising:
- a non-transitory computer readable medium that stores configuration data for logic to enable the memory controller to;
  
  control a plurality of memory access keys respectively associated with memory regions of the memory system, wherein each memory region is allocated to a respective client;
  
  receive an access request from a client, the access request including a client access key to access a memory element included in a memory region;
  
  look up a memory access key from a page table attribute associated with a physical address of the memory element;
  
  determine if the access request is valid by comparing the client access key with the memory access key associated with the memory region that includes the memory element; and
  
  provide a response to the access request based on the determination and a mode of operation, wherein the mode of operation is one of isolation only, encryption and error correction only, or a combination of isolation, encryption and error correction.
- View Dependent Claims (18, 19, 20)
- - 18. The memory controller of claim 17, wherein the computer readable medium stores configuration data for logic to:
    - identify a page table miss in the page table; and
      
      determine that the access request is not valid based on the identified page table miss.
  - 19. The memory controller of claim 18, wherein the computer readable medium stores configuration data for logic to:
    - determine that the memory element is accessible to a new client; and
      
      update the memory access key to conform to a new client access key associated with the new client.
  - 20. The memory controller of claim 17, wherein the client is an application, and wherein the computer readable medium stores configuration data for logic to:
    - identify an unauthorized access request from the application; and
      
      generate an interrupt to an operating system to terminate the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Benedict, Melvin K.

Granted Patent

US 11,126,565 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 12/1475   in a virtual system, e.g. w...

G06F 2212/1052   Security improvement

G06F 2212/402   Encrypted data

G11C 2029/4402   Internal storage of test re...

G11C 7/24   Memory cell safety or prote...

ENCRYPTED MEMORY ACCESS USING PAGE TABLE ATTRIBUTES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ENCRYPTED MEMORY ACCESS USING PAGE TABLE ATTRIBUTES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links