Executing isolated mode instructions in a secure system running in privilege rings

US 6,507,904 B1
Filed: 03/31/2000
Issued: 01/14/2003
Est. Priority Date: 03/31/2000
Status: Expired due to Term

First Claim

Patent Images

1. An apparatus comprising:

an execution unit to execute an isolated instruction in a processor operating in a platform, the processor being configured in one of a normal execution mode and an isolated execution mode; and

a parameter storage containing at least one parameter to support execution of the isolated instruction when the processor is configured in the isolated execution mode;

wherein the isolated instruction is one of an isolated initialize (iso_init) instruction, an isolated close (iso_close) instruction, an isolated enter (iso_-enter) instruction, an isolated exit (iso_exit) instruction, an isolated configuration read (iso_config_read), and an isolated configuration write (iso_config_write) instruction.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique is provided to execute isolated instructions according to an embodiment of the present invention. An execution unit executes an isolated instruction in a processor operating in a platform. The processor is configured in one of a normal execution mode and an isolated execution mode. A parameter storage containing at least one parameter to support execution of the isolated instruction when the processor is configured in the isolated execution mode.

314 Citations

56 Claims

1. An apparatus comprising:
- an execution unit to execute an isolated instruction in a processor operating in a platform, the processor being configured in one of a normal execution mode and an isolated execution mode; and
  
  a parameter storage containing at least one parameter to support execution of the isolated instruction when the processor is configured in the isolated execution mode;
  
  wherein the isolated instruction is one of an isolated initialize (iso_init) instruction, an isolated close (iso_close) instruction, an isolated enter (iso_-enter) instruction, an isolated exit (iso_exit) instruction, an isolated configuration read (iso_config_read), and an isolated configuration write (iso_config_write) instruction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The apparatus of claim 1 wherein the at least one parameter is one of an isolated feature word, an execution mode word, a logical processor value, an isolated setting including a mask value and a base value, a frame, an exit physical address, an entry physical address, and a processor nub loader physical address.
  - 3. The apparatus of claim 2 wherein the parameter storage is one of an internal storage and an external storage.
  - 4. The apparatus of claim 3 wherein the internal storage includes a feature register to store the isolated feature word, a control register to store the execution mode word, a logical processor register to store a logical processor value, a mask register to store the mask value, a base register to store the base value, a frame register set to store the frame, an exit frame register to store the exit address, an entry frame register to store the entry address, and a loader register to store the processor nub loader address.
  - 5. The apparatus of claim 4 wherein the external storage includes a memory controller hub (MCH) storage in an MCH and an input/output controller hub (ICH) storage in an ICH.
  - 6. The apparatus of claim 5 wherein the execution mode word configures the processor in the isolated execution mode.
  - 7. The apparatus of claim 6 wherein the iso_init instruction, when executed, causes the processor to:
8. The apparatus of claim 7 wherein the iso_init instruction, when executed, further causes the processor to:
- initialize the isolated area for the platform; and
  
  obtain a location of a processor nub.
9. The apparatus of claim 8 wherein the iso_init instruction causing the processor to execute the processor nub loader causes the processor to:
- copy the processor nub into the isolated area; and
  
  verify a signature of the processor nub using a public key contained in the processor nub loader; and
  
  execute the processor nub if the signature is verified.
10. The apparatus of claim 6 wherein the iso_close instruction, when executed, causes the processor to:
- reset the isolated setting in the processor if a corresponding logical processor is last to withdraw; and
  
  reset the isolated setting in the MCH and the ICH if the processor is last to withdraw.
11. The apparatus of claim 6 wherein the iso_enter instruction, when executed, causes the processor to:
- store contents of the frame register set in an exit frame, the exit frame being pointed to by the exit address in the exit frame register; and
  
  load an entry frame into the frame register set, the entry frame being pointed to by the entry address in the entry frame register.
12. The apparatus of claim 6 wherein the iso_exit instruction, when executed, causes the processor to:
- load an exit frame into the frame register set, the exit frame being pointed to by the exit address in the exit frame register.
13. The apparatus of claim 6 wherein the iso_config_read instruction, when executed, causes the processor to:
- return contents of a configuration storage corresponding to the parameter storage.
14. The apparatus of claim 6 wherein the iso_config_write instruction, when executed, causes the processor to:
- write contents of a configuration storage corresponding to the parameter storage.

15. A method comprising:
- executing an isolated instruction by an execution unit in a processor operating in a platform, the processor being configured in one of a normal execution mode and an isolated execution mode; and
  
  supporting execution of the isolated instruction by a parameter storage containing at least one parameter when the processor is configured in the isolated execution mode;
  
  wherein executing the isolated instruction comprises executing one of an isolated initialize (iso_init) instruction, an isolated close (iso_close) instruction, an isolated enter (iso_enter) instruction, an isolated exit (iso_exit) instruction, an isolated configuration read (iso_config_read), and an isolated configuration write (iso_config_write) instruction.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The method of claim 15 wherein the at least one parameter is one of an isolated feature word, an execution mode word, a logical processor value, an isolated setting including a mask value and a base value, a frame, an exit physical address, an entry physical address, and a processor nub loader physical address.
  - 17. The method of claim 16 wherein the parameter storage is one of an internal storage and an external storage.
  - 18. The method of claim 17 wherein the internal storage includes a feature register to store the isolated feature word, a control register to store the execution mode word, a logical processor register to store a logical processor value, a mask register to store the mask value, a base register to store the base value, a frame register set to store the frame, an exit frame register to store the exit address, an entry frame register to store the entry address, and a loader register to store the processor nub loader address.
  - 19. The method of claim 18 wherein the external storage includes a memory controller hub (MCH) storage in an MCH and an input/output controller hub (ICH) storage in an ICH.
  - 20. The method of claim 19 wherein the execution mode word configures the processor in the isolated execution mode.
  - 21. The method of claim 20 wherein executing the iso_init instruction comprises:
22. The method of claim 21 wherein executing the iso_init instruction further comprises:
- initializing the isolated area for the platform; and
  
  obtaining a location of a processor nub.
23. The method of claim 22 wherein executing the processor nub loader comprises:
- copying the processor nub into the isolated area;
  
  verifying a signature of the processor nub using a public key contained in the processor nub loader; and
  
  executing the processor nub if the signature is verified.
24. The method of claim 20 wherein executing the iso_close instruction comprises:
- resetting the isolated setting in the processor if a corresponding logical processor is last to withdraw; and
  
  resetting the isolated setting in the MCH and the ICH if the processor is last to withdraw.
25. The method of claim 20 wherein executing the iso_enter instruction comprises:
- storing contents of the frame register set in an exit frame, the exit frame being pointed to by the exit address in the exit frame register; and
  
  loading an entry frame into the frame register set, the entry frame being pointed to by the entry address in the entry frame register.
26. The method of claim 20 wherein executing the iso_exit instruction comprises:
- loading an exit frame into the frame register set, the exit frame being pointed to by the exit address in the exit frame register.
27. The method of claim 20 wherein executing the iso_config_read instruction comprises:
- returning contents of a configuration storage corresponding to the parameter storage.
28. The method of claim 20 wherein executing the iso_config_write instruction comprises:
- writing contents of a configuration storage corresponding to the parameter storage.

29. A system comprising:
- a chipset;
  
  a memory coupled to the chipset having an isolated memory area; and
  
  a processor coupled to the chipset and the memory operating in a platform, the processor having an isolated instruction execution circuit, the processor being configured in one of a normal execution mode and an isolated execution mode, the isolated instruction execution circuit comprising;
  
  an execution unit to execute an isolated instruction, and a parameter storage containing at least one parameter to support execution of the isolated instruction when the processor is configured in the isolated execution mode;
  
  wherein the isolated instruction is one of an isolated initialize (iso_init) instruction, an isolated close (iso_close) instruction, an isolated enter (iso_enter) instruction, an isolated exit (iso_exit) instruction, an isolated configuration read (iso_config_read), and an isolated configuration write (iso_config_write) instruction.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 30. The system of claim 29 wherein the at least one parameter is one of an isolated feature word, an execution mode word, a logical processor value, an isolated setting including a mask value and a base value, a frame, an exit physical address, an entry physical address, and a processor nub loader physical address.
  - 31. The system of claim 30 wherein the parameter storage is one of an internal storage and an external storage.
  - 32. The system of claim 31 wherein the internal storage includes a feature register to store the isolated feature word, a control register to store the execution mode word, a logical processor register to store the logical processor value, a mask register to store the mask value, a base register to store the base value, a frame register set to store the frame, an exit frame register to store the exit address, an entry frame register to store the entry address, and a loader register to store the processor nub loader address.
  - 33. The system of claim 32 wherein the external storage includes a memory controller hub (MCH) storage in an MCH and an input/output controller hub (ICH) storage in an ICH.
  - 34. The system of claim 33 wherein the execution mode word configures the processor in the isolated execution mode.
  - 35. The system of claim 34 wherein the iso_init instruction, when executed, causes the processor to:
36. The system of claim 35 wherein the iso_init instruction, when executed, further causes the processor to:
- initialize the isolated area for the platform; and
  
  obtain a location of a processor nub.
37. The system of claim 36 wherein the iso_init instruction causing the processor to execute the processor nub loader causes the processor to:
- copy the processor nub into the isolated area; and
  
  verify a signature of the processor nub using a public key contained in the processor nub loader; and
  
  execute the processor nub if the signature is verified.
38. The system of claim 34 wherein the iso_close instruction, when executed, causes the processor to:
- reset the isolated setting in the processor if a corresponding logical processor is last to withdraw; and
  
  reset the isolated setting in the MCH and the ICH if the processor is last to withdraw.
39. The system of claim 34 wherein the iso_enter instruction, when executed, causes the processor to:
- store contents of the frame register set in an exit frame, the exit frame being pointed to by the exit address in the exit frame register; and
  
  load an entry frame into the frame register set, the entry frame being pointed to by the entry address in the entry frame register.
40. The system of claim 34 wherein the iso_exit instruction, when executed, causes the processor to:
- load an exit frame into the frame register set, the exit frame being pointed to by the exit address in the exit frame register.
41. The system of claim 34 wherein the iso_config_read instruction, when executed, causes the processor to:
- return contents of a configuration storage corresponding to the parameter storage.
42. The system of claim 34 wherein the iso_config_write instruction, when executed, causes the processor to:
- write contents of a configuration storage corresponding to the parameter storage.

43. A computer program product comprising:
- a machine readable medium having computer program code embodied therein, the computer program product having;
  
  computer readable program code for executing an isolated instruction by an execution unit in a processor operating in a platform, the processor being configured in one of a normal execution mode and an isolated execution mode; and
  
  computer readable program code for supporting execution of the isolated instruction by a parameter storage containing at least one parameter when the processor is configured in the isolated execution mode;
  
  wherein the computer readable program code for executing the isolated instruction comprises computer readable program code for executing one of an isolated initialize (iso_init) instruction, an isolated close (iso_close) instruction, an isolated enter (iso_enter) instruction, an isolated exit (iso_exit) instruction, an isolated configuration read (iso_config_read), and an isolated configuration write (iso_config_write) instruction.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56)
- - 44. The computer program product of claim 43 wherein the at least one parameter is one of an isolated feature word, an execution mode word, a logical processor value, an isolated setting including a mask value and a base value, a frame, an exit physical address, an entry physical address, and a processor nub loader physical address.
  - 45. The computer program product of claim 44 wherein the parameter storage is one of an internal storage and an external storage.
  - 46. The computer program product of claim 45 wherein the internal storage includes a feature register to store the isolated feature word, a control register to store the execution mode word, a logical processor register to store a logical processor value, a mask register to store the mask value, a base register to store the base value, a frame register set to store the frame, an exit frame register to store the exit address, an entry frame register to store the entry address, and a loader register to store the processor nub loader address.
  - 47. The computer program product of claim 46 wherein the external storage includes a memory controller hub (MCH) storage in an MCH and an input/output controller hub (ICH) storage in an ICH.
  - 48. The computer program product of claim 47 wherein the execution mode word configures the processor in the isolated execution mode.
  - 49. The computer program product of claim 48 wherein the computer readable program code for executing the iso_init instruction comprises:
50. The computer program product of claim 49 wherein the computer readable program code for executing the iso_init instruction further comprises:
- computer readable program code for initializing the isolated area for the platform; and
  
  computer readable program code for obtaining a location of a processor nub.
51. The computer program product of claim 50 wherein the computer readable program code for executing the processor nub loader comprises:
- computer readable program code for copying the processor nub into the isolated area;
  
  computer readable program code for verifying a signature of the processor nub using a public key contained in the processor nub loader; and
  
  computer readable program code for executing the processor nub if the signature is verified.
52. The computer program product of claim 48 wherein the computer readable program code for executing the iso_close instruction comprises:
- computer readable program code for resetting the isolated setting in the processor if a corresponding logical processor is last to withdraw; and
  
  computer readable program code for resetting the isolated setting in the MCH and the ICH if the processor is last to withdraw.
53. The computer program product of claim 48 wherein the computer readable program code for executing the iso_enter instruction comprises:
- computer readable program code for storing contents of the frame register set in an exit frame, the exit frame being pointed to by the exit address in the exit frame register; and
  
  computer readable program code for loading an entry frame into the frame register set, the entry frame being pointed to by the entry address in the entry frame register.
54. The computer program product of claim 48 wherein the computer readable program code for executing the iso_exit instruction comprises:
- computer readable program code for loading an exit frame into the frame register set, the exit frame being pointed to by the exit address in the exit frame register.
55. The computer program product of claim 48 wherein the computer readable program code for executing the iso_config_read instruction comprises:
- computer readable program code for returning contents of a configuration storage corresponding to the parameter storage.
56. The computer program product of claim 48 wherein the computer readable program code for executing the iso_config_write instruction comprises:
- computer readable program code for writing contents of a configuration storage corresponding to the parameter storage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Thakkar, Shreekant S., Neiger, Gilbert, Ellison, Carl M., Mittal, Millind, Reneris, Ken, Lin, Derrick C., McKeen, Francis X., Sutton, James A., Herbert, Howard C., Golliver, Roger A.
Primary Examiner(s)
Kim, Kenneth S.

Application Number

US09/541,477
Time in Patent Office

1,019 Days
Field of Search

712/229, 713/164, 713/166, 711/152, 709/100
US Class Current

712/229
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 2221/2105 Dual mode as a secondary as...

Executing isolated mode instructions in a secure system running in privilege rings

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

314 Citations

56 Claims

Specification

Solutions

Use Cases

Quick Links

Executing isolated mode instructions in a secure system running in privilege rings

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

314 Citations

56 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links