Controlling access to multiple memory zones in an isolated execution environment

US 6,633,963 B1
Filed: 07/18/2000
Issued: 10/14/2003
Est. Priority Date: 03/31/2000
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a configuration storage storing configuration settings to configure an access transaction generated by a processor having a normal execution mode and an isolated execution mode, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, a memory base value, and a memory length value, a combination of at least the base and length values to define an isolated memory area in a memory external to the processor, the isolated memory area being accessible to the processor in the isolated execution mode, the access transaction including access information including a physical address; and

a multi-memory zone access checking circuit coupled to the configuration storage to check the access transaction using at least one of the configuration settings and the access information and generating an access grant signal if the access transaction is valid.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that stores configuration settings. The configuration settings include a plurality of subsystem memory range settings defining memory zones. The access transaction also includes access information. A multi-memory zone access checking circuit, coupled to the configuration storage, checks the access transaction using at least one of the configuration settings and the access information. The multi-memory zone access checking circuit generates an access grant signal if the access transaction is valid.

265 Citations

44 Claims

1. An apparatus comprising:
- a configuration storage storing configuration settings to configure an access transaction generated by a processor having a normal execution mode and an isolated execution mode, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, a memory base value, and a memory length value, a combination of at least the base and length values to define an isolated memory area in a memory external to the processor, the isolated memory area being accessible to the processor in the isolated execution mode, the access transaction including access information including a physical address; and
  
  a multi-memory zone access checking circuit coupled to the configuration storage to check the access transaction using at least one of the configuration settings and the access information and generating an access grant signal if the access transaction is valid.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1 wherein each subsystem memory range setting corresponds to a memory zone for a subsystem in an isolated memory area in a memory external to the processor.
  - 3. The apparatus of claim 1 wherein each subsystem memory range setting includes a subsystem memory base value and a subsystem memory length value, a combination of at least the subsystem base and length values to define a memory zone in the isolated memory area for a subsystem.
  - 4. The apparatus of claim 3 wherein an ID value for each subsystem identifies each subsystem and the subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting.
  - 5. The apparatus of claim 3 wherein the multi-memory zone access checking circuit comprises a subsystem address detector to detect if the physical address is within a currently active subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting for the subsystem, the subsystem address detector generating a subsystem address matching signal.
  - 6. The apparatus of claim 5 wherein the multi-memory zone access checking circuit further comprises an access grant generator coupled to the subsystem address detector and the processor control register, the access grant generator generating an access grant signal if both the subsystem address matching signal and the execution mode word signal are asserted.

7. An apparatus comprising:
- a configuration storage storing configuration settings to configure an access transaction generated by a processor having a normal execution mode and an isolated execution mode, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, each subsystem memory range setting corresponding to a memory zone for a subsystem in an isolated memory area in a memory external to the processor and including a subsystem memory base value and a subsystem memory length value, a combination of at least the subsystem base and length values to define a memory zone in the isolated memory area for the subsystem, the access transaction including access information including a physical address; and
  
  a multi-memory zone access checking circuit coupled to the configuration storage to check the access transaction using at least one of the configuration settings and the access information and generating an access grant signal if the access transaction is valid.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The apparatus of claim 7 wherein the configuration settings further include a memory base value and a memory length value, a combination of at least the base and length values to define an isolated memory area in a memory external to the processor, the isolated memory area being the isolated execution mode.
  - 9. The apparatus of claim 7 wherein an ID value for each subsystem identifies each subsystem and the subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting.
  - 10. The apparatus of claim 7 wherein the multi-memory zone access checking circuit comprises a subsystem address detector to detect if the physical address is within a currently active subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting for the subsystem, the subsystem address detector generating a subsystem address matching signal.
  - 11. The apparatus of claim 10 wherein the multi-memory zone access checking circuit further comprises an access grant generator coupled to the subsystem address detector and the processor control register, the access grant generator generating an access grant signal if both the subsystem address matching signal and the execution mode word signal are asserted.

12. A method comprising:
- configuring an access transaction generated by a processor having a normal execution mode and an isolated execution mode using a configuration storage storing configuration settings, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, a memory base value, and a memory length value, a combination of at least the base and length values to define an isolated memory area in a memory external to the processor that is accessible to the processor in the isolated execution mode, wherein the access transaction includes access information including a physical address;
  
  checking the access transaction by a multi-memory zone access checking circuit using at least one of the configuration settings and the access information; and
  
  generating an access grant signal if the access transaction is valid.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12 wherein each subsystem memory range setting corresponds to a memory zone for a subsystem in an isolated memory area in a memory external to the processor.
  - 14. The method of claim 12 wherein each subsystem memory range setting includes a subsystem memory base value and a subsystem memory length value, a combination of at the subsystem base and length values to define a memory zone in the isolated memory area for a subsystem.
  - 15. The method of claim 14 wherein configuring the access transaction further comprises storing an ID value for each subsystem to identify each subsystem and the subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting.
  - 16. The method of claim 14 wherein checking the access transaction comprises detecting if the physical address is within a currently active subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting for the subsystem by a subsystem address detector, the subsystem address detector generating a subsystem address matching signal.
  - 17. The method of claim 16 wherein generating an access grant signal if the access transaction is valid comprises generating an access grant signal by an access grant generator if both the subsystem address matching signal and the execution mode word signal are asserted.

18. A method comprising:
- configuring an access transaction generated by a processor having a normal execution mode and an isolated execution mode using a configuration storage storing configuration settings, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, each subsystem memory range setting corresponding to a memory zone for a subsystem in an isolated memory area in a memory external to the processor and including a subsystem memory base value and a subsystem memory length value, a combination of at least the subsystem base and length values to define a memory zone in the isolated memory area for the subsystem, wherein the access transaction includes access information including a physical address;
  
  checking the access transaction by a multi-memory zone access checking circuit using at least one of the configuration settings and the access information; and
  
  generating an access grant signal if the access transaction is valid.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The method of claim 18 wherein the configuration settings further include a memory base value and a memory length value, a combination of at least the base and length values to define an isolated memory area in a memory external to the processor, the isolated memory area being accessible to the processor in the isolated execution mode.
  - 20. The method of claim 18 wherein configuring the access transaction further comprises storing an ID value for each subsystem to identify each subsystem and the subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting.
  - 21. The method of claim 18 wherein checking the access transaction comprises detecting if the physical address is within a currently active subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting for the subsystem by a subsystem address detector, the subsystem address detector generating a subsystem address matching signal.
  - 22. The method of claim 21 wherein generating an access grant signal if the access transaction is valid comprises generating an access grant signal by an access grant generator if both the subsystem address matching signal and the execution mode word signal are asserted.

23. A computer program product comprising:
- a machine readable medium having computer program code therein, the computer program product comprising;
  
  computer readable program code for configuring an access transaction generated by a processor having a normal execution mode and an isolated execution mode using a configuration storage storing configuration settings, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, a memory base value, and a memory length value, a combination of at least the base and length values to define an isolated memory area in a memory external to the processor that is accessible to the processor in the isolated execution mode, wherein the access transaction includes access information including a physical address;
  
  computer readable program code for checking the access transaction by a multi-memory zone access checking circuit using at least one of the configuration settings and the access information; and
  
  computer readable program code for generating an access grant signal if the access transaction is valid.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. The computer program product of claim 23 wherein each subsystem memory range setting corresponds to a memory zone for a subsystem in an isolated memory area in a memory external to the processor.
  - 25. The computer program product of claim 23 wherein each subsystem memory range setting includes a subsystem memory base value and a subsystem memory length value, a combination of at least the subsystem base and length values to define a memory zone in the isolated memory area for a subsystem.
  - 26. The computer program product of claim 25 wherein the computer readable code for configuring the access transaction further comprises computer readable code storing an ID value for each subsystem to identify each subsystem and the subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting.
  - 27. The computer program product of claim 25 wherein the computer readable code for checking the access transaction comprises computer readable code for detecting if the physical address is within a currently active subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting for the subsystem by a subsystem address detector, the subsystem address detector generating a subsystem address matching signal.
  - 28. The computer program product of claim 27 wherein the computer readable code for generating an access grant signal if the access transaction is valid comprises computer readable code for generating an access grant signal by an access grant generator if both the subsystem address matching signal and the execution mode word signal are asserted.

29. A computer program product comprising:
- a machine readable medium having computer program code therein, the computer program product comprising;
  
  computer readable program code for configuring an access transaction generated by a processor having a normal execution mode and an isolated execution mode using a configuration storage storing configuration settings, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, each subsystem memory range setting corresponding to a memory zone for a subsystem in an isolated memory area in a memory external to the processor and including a subsystem memory base value and a subsystem memory length value, a combination of at least the subsystem base and length values to define a memory zone in the isolated memory area for the subsystem, wherein the access transaction includes access information including a physical address;
  
  computer readable program code for checking the access transaction by a multi-memory zone access checking circuit using at least one of the configuration settings and the access information; and
  
  computer readable program code for generating an access grant signal if the access transaction is valid.
- View Dependent Claims (30, 31, 32, 33)
- - 30. The computer program product of claim 29 wherein the configuration settings further include a memory base value and a memory length value, a combination of at least the base and length values to define an isolated memory area in a memory external to the processor, the isolated memory area being accessible to the processor in the isolated execution mode.
  - 31. The computer program product of claim 29 wherein the computer readable code for configuring the access transaction further comprises computer readable code for storing an ID value for each subsystem to identify each subsystem and the subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting.
  - 32. The computer program product of claim 29 wherein the computer readable code for checking the access transaction comprises computer readable code for detecting if the physical address is within a currently active subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting for the subsystem by a subsystem address detector, the subsystem address detector generating a subsystem address matching signal.
  - 33. The computer program product of claim 32 wherein the computer readable code for generating an access grant signal if the access transaction is valid comprises computer readable code for generating an access grant signal by an access grant generator if both the subsystem address matching signal and the execution mode word signal are asserted.

34. A system comprising:
- a chipset;
  
  a memory coupled to the chipset having an isolated memory area;
  
  a processor coupled to the chipset and the memory having an access manager, the processor having a normal execution mode and an isolated execution mode, the processor generating an access transaction having access information, the access manager comprising;
  
  a configuration storage storing configuration settings to configure an access transaction generated by a processor having a normal execution mode and an isolated execution mode, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, a memory base value, and a memory length value, a combination of at least the base and length values to define an isolated memory area in a memory external to the processor, the isolated memory area being accessible to the processor in the isolated execution mode, the access transaction including access information including a physical address; and
  
  a multi-memory zone access checking circuit coupled to the configuration storage to check the access transaction using at least one of the configuration settings and the access information and generating an access grant signal if the access transaction is valid.
- View Dependent Claims (35, 36, 37, 38, 39)
- - 35. The system of claim 34 wherein each subsystem memory range setting corresponds to a memory zone for a subsystem in an isolated memory area in a memory external to the processor.
  - 36. The system of claim 34 wherein each subsystem memory range setting includes a subsystem memory base value and a subsystem memory length value, a combination of at least the base and length values to define a memory zone in the isolated memory area for a subsystem.
  - 37. The system of claim 36 wherein an ID value for each subsystem identifies each subsystem and the subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting.
  - 38. The system of claim 36 wherein the multi-memory zone access checking circuit comprises a subsystem address detector to detect if the physical address is within a currently active subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting for the subsystem, the subsystem address detector generating a subsystem address matching signal.
  - 39. The system of claim 38 wherein the multi-memory zone access checking circuit further comprises an access grant generator coupled to the subsystem address detector and the processor control register, the access grant generator generating an access grant signal if both the subsystem address matching signal and the execution mode word signal are asserted.

40. A system comprising:
- a chipset;
  
  a memory coupled to the chipset having an isolated memory area;
  
  a processor coupled to the chipset and the memory having an access manager, the processor having a normal execution mode and an isolated execution mode, the processor generating an access transaction having access information, the access manager comprising;
  
  a configuration storage storing configuration settings to configure an access transaction generated by a processor having a normal execution mode and an isolated execution mode, the configuration storage including a process control register storing an execution mode word that is asserted as an execution mode signal when the processor is configured in the isolated execution mode, the configuration settings including a plurality of subsystem memory range settings, each subsystem memory range setting corresponding to a memory zone for a subsystem in an isolated memory area in a memory external to the processor and including a subsystem memory base value and a subsystem memory length value, a combination of at least the subsystem base and length values to define a memory zone in the isolated memory area for the subsystem, the access transaction including access information including a physical address; and
  
  a multi-memory zone access checking circuit coupled to the configuration storage to check the access transaction using at least one of the configuration settings and the access information and generating an access grant signal if the access transaction is valid.
- View Dependent Claims (41, 42, 43, 44)
- - 41. The system of claim 40 wherein the configuration settings further include a memory base value and a memory length value, a combination of at least the base and length values to define an isolated memory area in a memory external to the processor, the isolated memory area being accessible to the processor in the isolated execution mode.
  - 42. The system of claim 40 wherein an ID value for each subsystem identifies each subsystem and the subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting.
  - 43. The system of claim 40 wherein the multi-memory zone access checking circuit comprises a subsystem address detector to detect if the physical address is within a currently active subsystem'"'"'s associated memory zone as defined by the subsystem memory range setting for the subsystem, the subsystem address detector generating a subsystem address matching signal.
  - 44. The system of claim 43 wherein the multi-memory zone access checking circuit further comprises an access grant generator coupled to the subsystem address detector and the processor control register, the access grant generator generating an access grant signal if both the subsystem address matching signal and the execution mode word signal are asserted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Thakkar, Shreekant S., Neiger, Gilbert, Ellison, Carl M., Mittal, Millind, Reneris, Ken, Lin, Derrick C., McKeen, Francis X., Sutton, James A., Herbert, Howard C., Golliver, Roger A.
Primary Examiner(s)
PEIKARI, BEHZAD

Application Number

US09/618,489
Time in Patent Office

1,183 Days
Field of Search

711/1, 711/147, 711/151, 711/152, 711/153, 711/163, 711/164, 711/170, 711/173, 711/220, 709/213
US Class Current

711/163
CPC Class Codes

G06F 12/1441 for a range

G06F 12/1491 in a hierarchical protectio...

Controlling access to multiple memory zones in an isolated execution environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

265 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access to multiple memory zones in an isolated execution environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

265 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links