Controlling access to multiple memory zones in an isolated execution environment
Abstract
A processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that stores configuration settings. The configuration settings include a plurality of subsystem memory range settings defining memory zones. The access transaction also includes access information. A multi-memory zone access checking circuit, coupled to the configuration storage, checks the access transaction using at least one of the configuration settings and the access information. The multi-memory zone access checking circuit generates an access grant signal if the access transaction is valid.
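A software model of the check described in the abstract, added here as an illustration and not taken from the patent. The grant policy, the `subsystem` index identifying the requester, the four-zone limit and the constructed `sample_config` values are all assumptions, since the page only states that a grant signal is generated "if the access transaction is valid".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef struct { uint64_t base, len; } range_t;  /* a base value and a length value */
typedef struct {
    bool    isolated_mode;  /* execution mode signal from the process control register */
    range_t isolated_area;  /* memory base value and memory length value */
    range_t zone[4];        /* subsystem memory range settings (limit of 4 is assumed) */
    size_t  nzones;
} config_t;
/* Inclusive last byte of [base, base+len); false if the range is empty or wraps. */
static bool last_byte(range_t r, uint64_t *last) {
    if (r.len == 0 || r.len - 1 > UINT64_MAX - r.base) return false;
    *last = r.base + (r.len - 1);
    return true;
}
static bool contains(range_t outer, range_t inner) {
    uint64_t ol, il;
    return last_byte(outer, &ol) && last_byte(inner, &il) &&
           inner.base >= outer.base && il <= ol;
}
static bool overlaps(range_t a, range_t b) {
    uint64_t al, bl;
    return last_byte(a, &al) && last_byte(b, &bl) && a.base <= bl && b.base <= al;
}
/* Settings are sane when every zone lies inside the isolated area and zones are disjoint. */
bool config_valid(const config_t *c) {
    uint64_t l;
    if (c->nzones > 4 || !last_byte(c->isolated_area, &l)) return false;
    for (size_t i = 0; i < c->nzones; i++) {
        if (!contains(c->isolated_area, c->zone[i])) return false;
        for (size_t j = 0; j < i; j++)
            if (overlaps(c->zone[i], c->zone[j])) return false;
    }
    return true;
}
/* Constructed sample: 1 MiB isolated area at 0x100000 split into two zones. */
config_t sample_config(bool isolated) {
    config_t c = { isolated, { 0x100000, 0x100000 },
                   { { 0x100000, 0x80000 }, { 0x180000, 0x80000 } }, 2 };
    return c;
}
/* Assumed policy. Returns the access grant signal for [addr, addr+size). */
bool access_grant(const config_t *c, size_t subsystem, uint64_t addr, uint64_t size) {
    range_t req = { addr, size };
    uint64_t last;
    if (!config_valid(c) || !last_byte(req, &last)) return false;  /* fail closed */
    if (!overlaps(c->isolated_area, req)) return true;  /* ordinary memory, either mode */
    return c->isolated_mode && subsystem < c->nzones && contains(c->zone[subsystem], req);
}
```

Comparing inclusive last bytes instead of computing `base + len` keeps the check correct for ranges that end at the top of the address space, and any access that straddles a zone or area boundary is denied rather than partially granted.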
44 Claims
1. An apparatus comprising:
a configuration storage storing configuration settings to configure an access transaction generated by a processor having a normal execution mode and an isolated execution mode, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, a memory base value, and a memory length value, a combination of at least the base and length values to define an isolated memory area in a memory external to the processor, the isolated memory area being accessible to the processor in the isolated execution mode, the access transaction including access information including a physical address; and
a multi-memory zone access checking circuit coupled to the configuration storage to check the access transaction using at least one of the configuration settings and the access information and generating an access grant signal if the access transaction is valid.
Dependent claims: 2, 3, 4, 5, 6
7. An apparatus comprising:
a configuration storage storing configuration settings to configure an access transaction generated by a processor having a normal execution mode and an isolated execution mode, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, each subsystem memory range setting corresponding to a memory zone for a subsystem in an isolated memory area in a memory external to the processor and including a subsystem memory base value and a subsystem memory length value, a combination of at least the subsystem base and length values to define a memory zone in the isolated memory area for the subsystem, the access transaction including access information including a physical address; and
a multi-memory zone access checking circuit coupled to the configuration storage to check the access transaction using at least one of the configuration settings and the access information and generating an access grant signal if the access transaction is valid.
Dependent claims: 8, 9, 10, 11
12. A method comprising:
configuring an access transaction generated by a processor having a normal execution mode and an isolated execution mode using a configuration storage storing configuration settings, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, a memory base value, and a memory length value, a combination of at least the base and length values to define an isolated memory area in a memory external to the processor that is accessible to the processor in the isolated execution mode, wherein the access transaction includes access information including a physical address;
checking the access transaction by a multi-memory zone access checking circuit using at least one of the configuration settings and the access information; and
generating an access grant signal if the access transaction is valid.
Dependent claims: 13, 14, 15, 16, 17
18. A method comprising:
configuring an access transaction generated by a processor having a normal execution mode and an isolated execution mode using a configuration storage storing configuration settings, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, each subsystem memory range setting corresponding to a memory zone for a subsystem in an isolated memory area in a memory external to the processor and including a subsystem memory base value and a subsystem memory length value, a combination of at least the subsystem base and length values to define a memory zone in the isolated memory area for the subsystem, wherein the access transaction includes access information including a physical address;
checking the access transaction by a multi-memory zone access checking circuit using at least one of the configuration settings and the access information; and
generating an access grant signal if the access transaction is valid.
Dependent claims: 19, 20, 21, 22
23. A computer program product comprising:
a machine readable medium having computer program code therein, the computer program product comprising;
computer readable program code for configuring an access transaction generated by a processor having a normal execution mode and an isolated execution mode using a configuration storage storing configuration settings, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, a memory base value, and a memory length value, a combination of at least the base and length values to define an isolated memory area in a memory external to the processor that is accessible to the processor in the isolated execution mode, wherein the access transaction includes access information including a physical address;
computer readable program code for checking the access transaction by a multi-memory zone access checking circuit using at least one of the configuration settings and the access information; and
computer readable program code for generating an access grant signal if the access transaction is valid.
Dependent claims: 24, 25, 26, 27, 28
29. A computer program product comprising:
a machine readable medium having computer program code therein, the computer program product comprising;
computer readable program code for configuring an access transaction generated by a processor having a normal execution mode and an isolated execution mode using a configuration storage storing configuration settings, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, each subsystem memory range setting corresponding to a memory zone for a subsystem in an isolated memory area in a memory external to the processor and including a subsystem memory base value and a subsystem memory length value, a combination of at least the subsystem base and length values to define a memory zone in the isolated memory area for the subsystem, wherein the access transaction includes access information including a physical address;
computer readable program code for checking the access transaction by a multi-memory zone access checking circuit using at least one of the configuration settings and the access information; and
computer readable program code for generating an access grant signal if the access transaction is valid.
Dependent claims: 30, 31, 32, 33
34. A system comprising:
a chipset;
a memory coupled to the chipset having an isolated memory area;
a processor coupled to the chipset and the memory having an access manager, the processor having a normal execution mode and an isolated execution mode, the processor generating an access transaction having access information, the access manager comprising;
a configuration storage storing configuration settings to configure an access transaction generated by a processor having a normal execution mode and an isolated execution mode, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, a memory base value, and a memory length value, a combination of at least the base and length values to define an isolated memory area in a memory external to the processor, the isolated memory area being accessible to the processor in the isolated execution mode, the access transaction including access information including a physical address; and
a multi-memory zone access checking circuit coupled to the configuration storage to check the access transaction using at least one of the configuration settings and the access information and generating an access grant signal if the access transaction is valid.
Dependent claims: 35, 36, 37, 38, 39
40. A system comprising:
a chipset;
a memory coupled to the chipset having an isolated memory area;
a processor coupled to the chipset and the memory having an access manager, the processor having a normal execution mode and an isolated execution mode, the processor generating an access transaction having access information, the access manager comprising;
a configuration storage storing configuration settings to configure an access transaction generated by a processor having a normal execution mode and an isolated execution mode, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, each subsystem memory range setting corresponding to a memory zone for a subsystem in an isolated memory area in a memory external to the processor and including a subsystem memory base value and a subsystem memory length value, a combination of at least the subsystem base and length values to define a memory zone in the isolated memory area for the subsystem, the access transaction including access information including a physical address; and
a multi-memory zone access checking circuit coupled to the configuration storage to check the access transaction using at least one of the configuration settings and the access information and generating an access grant signal if the access transaction is valid.
Dependent claims: 41, 42, 43, 44
Specification