SECURE MEMORY ACCESS IN A VIRTUALIZED COMPUTING ENVIRONMENT

US 20200133878A1
Filed: 10/31/2018
Published: 04/30/2020
Est. Priority Date: 10/31/2018
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving at an input/output memory management unit (IOMMU) a first memory access request from a bus device, the first memory access request comprising a first memory address and a first request identifier indicating a first virtual machine (VM) associated with the first memory access request; and

in response to determining at the IOMMU, based on mapping a virtual memory identifier (VMID) to a virtual function identifier (VFID), that the first virtual machine is authorized to access a first region of memory associated with first memory address, satisfying the first memory access request at a memory.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processor supports secure memory access in a virtualized computing environment by employing requestor identifiers at bus devices (such as a graphics processing unit) to identify the virtual machine associated with each memory access request. The virtualized computing environment uses the requestor identifiers to control access to different regions of system memory, ensuring that each VM accesses only those regions of memory that the VM is allowed to access. The virtualized computing environment thereby supports efficient memory access by the bus devices while ensuring that the different regions of memory are protected from unauthorized access.

9 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving at an input/output memory management unit (IOMMU) a first memory access request from a bus device, the first memory access request comprising a first memory address and a first request identifier indicating a first virtual machine (VM) associated with the first memory access request; and
  
  in response to determining at the IOMMU, based on mapping a virtual memory identifier (VMID) to a virtual function identifier (VFID), that the first virtual machine is authorized to access a first region of memory associated with first memory address, satisfying the first memory access request at a memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein mapping the VMID to the VFID comprises mapping the first request identifier the VFID.
  - 3. The method of claim 2, wherein mapping the first request identifier to the VFID comprises mapping based on an offset value that indexes to a linked list of virtual functions.
  - 4. The method of claim 3, wherein mapping the first request identifier to the VFID comprises mapping based on a stride value that indexes to the linked list of virtual functions.
  - 5. The method of claim 4, wherein mapping the first request identifier to the VFID based on the stride value comprises multiplying the stride value with a virtual function number corresponding to the virtual function.
  - 6. The method of claim 1, wherein:
    - the first request identifier is stored at a field of the memory access request reserved for a device identifier.
  - 7. The method of claim 1, further comprising:
    - identifying the first request identifier based on a device driver associated with the bus device.
  - 8. The method of claim 1, further comprising:
    - accessing a set of page tables based on the mapping.
  - 9. The method of claim 1, further comprising:
    - receiving at the IOMMU a second memory access request from the device, the second memory access request comprising a second memory address and a second request identifier indicating a second virtual machine (VM) associated with the second memory access request; and
      
      in response to determining at the IOMMU, based on mapping a virtual memory identifier (VMID) to a virtual function identifier (VFID), that the second virtual machine is authorized to access a second region of memory associated with first memory address, satisfying the second memory access request at the memory.

10. A method, comprising:
- in response to receiving an interrupt from a bus device, identifying a memory region based on mapping a virtual machine identifier (VMID associated with the interrupt to a virtual function; and
  
  storing a payload of the interrupt at the memory region.
- View Dependent Claims (11)
- - 11. The method of claim 10, further comprising:
    - retrieving, by a guest operating system, the payload from the memory region.

12. A processor, comprising:
- a bus device to execute workloads on behalf of a first virtual machine (VM); and
  
  an input/output memory management unit (IOMMU) configured to;
  
  receive a first memory access request from a bus device, the first memory access request comprising a first memory address and a first request identifier indicating the first VM; and
  
  in response to determining at the IOMMU, based on mapping a virtual machine identifier (VMID) to a virtual function identifier (VFID), that the first virtual machine is authorized to access a first region of memory associated with first memory address, satisfy the first memory access request at a memory.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The processor of claim 12, wherein the IOMMU is configured to map the VMID to the VFID by mapping the first request identifier the VFID.
  - 14. The processor of claim 13, wherein the IOMMU is configured to map the first request identifier to the VFID by mapping based on an offset value that indexes to a linked list of virtual functions.
  - 15. The processor of claim 14, the IOMMU is configured to map the first request identifier to the VFID by mapping based on a stride value that indexes to the linked list of virtual functions.
  - 16. The processor of claim 15, wherein the IOMMU is configured to map the first request identifier to the VFID by multiplying the stride value with a virtual function number corresponding to the virtual function:
  - 17. The processor of claim 12, wherein:
    - the first request identifier is stored at a field of the memory access request reserved for a device identifier.
  - 18. The processor of claim 12, wherein the bus device is configured to:
    - identify the first request identifier based on a device driver associated with the bus device.
  - 19. The processor of claim 12, wherein the IOMMU is configured to:
    - accessing a set of page tables based on the mapping.
  - 20. The processor of claim 12, wherein the IOMMU is configured to:
    - receive a second memory access request from the device, the second memory access request comprising a second memory address and a second request identifier indicating a second virtual machine (VM) associated with the second memory access request; and
      
      in response to determining, that the second virtual machine is authorized to access a second region of memory associated with first memory address, satisfy the second memory access request at the memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Advanced Micro Devices, Inc., ATI Technologies ULC (Advanced Micro Devices, Inc.)
Original Assignee
Advanced Micro Devices, Inc., ATI Technologies ULC (Advanced Micro Devices, Inc.)
Inventors
ASARO, Anthony, CHENG, Jeffrey G., ACHARYA, Anirudh R.

Granted Patent

US 11,836,091 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1009   using page tables, e.g. pag...

G06F 12/1081   for peripheral access to ma...

G06F 12/1441   for a range

G06F 2009/45579   I/O management, e.g. provid...

G06F 2009/45583   Memory management, e.g. acc...

G06F 2212/1052   Security improvement

G06F 2212/152   Virtualized environment, e....

G06F 2212/657   Virtual address space manag...

G06F 9/45558   Hypervisor-specific managem...

SECURE MEMORY ACCESS IN A VIRTUALIZED COMPUTING ENVIRONMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE MEMORY ACCESS IN A VIRTUALIZED COMPUTING ENVIRONMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links