Controlling access to multiple isolated memories in an isolated execution environment

US 6,678,825 B1
Filed: 07/18/2000
Issued: 01/13/2004
Est. Priority Date: 03/31/2000
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a page manager distributing a plurality of pages to a plurality of different areas of a memory, respectively, the memory divided into non-isolated areas and isolated areas, the page manager located in an isolated area of memory; and

a memory ownership page table located in an isolated area of memory, the memory ownership page table describing each page of memory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method, apparatus, and system for controlling memory accesses to multiple isolated memory areas in an isolated execution environment. A page manager is used to distribute a plurality of pages to a plurality of different areas of a memory, respectively. The memory is divided into non-isolated areas and isolated areas. The page manager is located in an isolated area of memory. Further, a memory ownership page table describes each page of memory and is also located in an isolated area of memory. The page manager assigns an isolated attribute to a page if the page is distributed to an isolated area of memory. On the other hand, the page manager assigns a non-isolated attribute to a page if the page is distributed to a non-isolated area of memory. The memory ownership page table records the attribute for each page. In one embodiment, a processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that contains configuration settings related to a page and access information. An access checking circuit coupled to the configuration storage checks the access transaction using at least one of the configuration settings and the access information and generates an access grant signal if the access transaction is valid.

233 Citations

40 Claims

1. An apparatus comprising:
- a page manager distributing a plurality of pages to a plurality of different areas of a memory, respectively, the memory divided into non-isolated areas and isolated areas, the page manager located in an isolated area of memory; and
  
  a memory ownership page table located in an isolated area of memory, the memory ownership page table describing each page of memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1 wherein the page manager assigns an isolated attribute to a page if the page is distributed to an isolated area of memory.
  - 3. The apparatus of claim 2, wherein the page manager assigns a non-isolated attribute to the page if the page is distributed to a non-isolated area of memory, the memory ownership page table recording the attribute for each page.
  - 4. The apparatus of claim 3 further comprising:
5. The apparatus of claim 4 wherein the configuration settings include the attribute for a page and an execution mode word.
6. The apparatus of claim 5 wherein the access information comprises a physical address and an access type, the access type indicating if the access transaction is one of a memory access, an input/output access, and a logical processor access.
7. The apparatus of claim 5 wherein the configuration storage further comprises an attribute storage to contain the attribute for a page defining the page as isolated or non-isolated.
8. The apparatus of claim 5 wherein the configuration storage further comprises a processor control register to contain the execution mode word, the execution mode word being asserted when the processor is configured in the isolated execution mode.
9. The apparatus of claim 5 wherein the access checking circuit comprises a TLB access checking circuit to detect if the attribute for the page is set to isolated and the execution mode word is asserted, the TLB access checking circuit generating an access grant signal.
10. The apparatus of claim 5 wherein the access checking circuit comprises an FSB snoop checking circuit coupled to a cache, the FSB snoop checking circuit combining the attribute, an external isolated access signal from another processor, and a cache access signal, the FSB snoop checking circuit generating a processor snoop access signal.

11. A method comprising:
- distributing a plurality of pages to a plurality of different areas of a memory, respectively, utilizing a page manager, the memory divided into non-isolated areas and isolated areas, the page manager located in an isolated area of memory; and
  
  describing each page of memory.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11 wherein describing each page of memory comprises assigning an isolated attribute to a page if the page is distributed to an isolated area of memory.
  - 13. The method of claim 12 wherein describing each page of memory further comprises:
14. The method of claim 13 further comprising configuring an access transaction generated by a processor having a configuration storage containing configuration settings, the processor having a normal execution mode and an isolated execution mode, the access transaction having access information;
- andchecking the access transaction by an access checking circuit using at least one of the configuration settings and the access information.
15. The method of claim 14 wherein the configuration settings include the attribute for a page and an execution mode word.
16. The method of claim 15 wherein the access information comprises a physical address and an access type, the access type indicating if the access transaction is one of a memory access, an input/output access, and a logical processor access.
17. The method of claim 15 wherein configuring the access transaction further comprises:
- setting the attribute for the page as isolated or non-isolated; and
  
  storing the attribute in an attribute storage within the configuration storage.
18. The method of claim 15 wherein configuring the access transaction further comprises asserting the execution mode word stored in a processor control register when the processor is configured in the isolated execution mode.
19. The method of claim 15 wherein checking the access transaction comprises:
- detecting if the attribute for the page is set to isolated;
  
  detecting if the execution mode word is asserted; and
  
  generating an access grant signal.
20. The method of claim 15 wherein checking the access transaction comprises:
- combining the attribute, an external isolated access signal from another processor, and a cache access signal; and
  
  generating a processor snoop access signal.

21. A computer program product comprising:
- a machine readable medium having computer program code embodied therein, the computer program product comprising;
  
  computer readable program code for distributing a plurality of pages to a plurality of different areas of a memory, respectively, utilizing a page manager, the memory divided into non-isolated areas and isolated areas, the page manager located in an isolated area of memory; and
  
  computer readable program code for describing each page of memory.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The computer program product of claim 21 wherein the computer readable program code for describing each page of memory comprises computer readable program code for assigning an isolated attribute to a page if the page is distributed to an isolated area of memory.
  - 23. The computer program product of claim 22 wherein the computer readable program code for describing each page of memory further comprises:
24. The computer program product of claim 23 further comprising:
- computer readable program code for configuring an access transaction generated by a processor having a configuration storage containing configuration settings, the processor having a normal execution mode and an isolated execution mode, the access transaction having access information; and
  
  computer readable program code for checking the access transaction by an access checking circuit using at least one of the configuration settings and the access information.
25. The computer program product of claim 24 wherein the configuration settings include the attribute for a page and an execution mode word.
26. The computer program product of claim 25 wherein the access information comprises a physical address and an access type, the access type indicating if the access transaction is one of a memory access, an input/output access, and a logical processor access.
27. The computer program product of claim 25 wherein the computer readable program code for configuring the access transaction further comprises:
- computer readable program code for setting the attribute for the page as isolated or non-isolated; and
  
  computer readable program code for storing the attribute in an attribute storage within the configuration storage.
28. The computer program product of claim 25 wherein the computer readable program code for configuring the access transaction further comprises computer readable program code for asserting the execution mode word stored in a processor control register when the processor is configured in the isolated execution mode.
29. The computer program product of claim 25 wherein the computer readable program code for checking the access transaction comprises:
- computer readable program code for detecting if the attribute for the page is set to isolated;
  
  computer readable program code for detecting if the execution mode word is asserted; and
  
  computer readable program code for generating an access grant signal.
30. The computer program product of claim 25 wherein the computer readable program code for checking the access transaction comprises:
- computer readable program code for combining the attribute, an external isolated access signal from another processor, and a cache access signal; and
  
  computer readable program code for generating a processor snoop access signal.

31. A system comprising:
- a chipset;
  
  a memory coupled to the chipset;
  
  a processor coupled to the chipset and the memory, the processor having a normal execution mode and an isolated execution mode;
  
  a page manager operating under the control of the processor, the page manager distributing a plurality of pages to a plurality of different areas of the memory, respectively, the memory divided into non-isolated areas and isolated areas, the page manager located in an isolated area of memory; and
  
  a memory ownership page table located in an isolated area of memory, the memory ownership page table describing each page of memory.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. The system of claim 31 wherein the page manager assigns an isolated attribute to a page if the page is distributed to an isolated area of memory.
  - 33. The system of claim 32 wherein the page manager assigns a non-isolated attribute to the page if the page is distributed to a non-isolated area of memory, the memory ownership page table recording the attribute for each page.
  - 34. The system of claim 33 further comprising:
35. The system of claim 34 wherein the configuration settings include the attribute for a page and an execution mode word.
36. The system of claim 35 wherein the access information comprises a physical address and an access type, the access type indicating if the access transaction is one of a memory access, an input/output access, and a logical processor access.
37. The system of claim 35 wherein the configuration storage further comprises an attribute storage to contain the attribute for a page defining the page as isolated or non-isolated.
38. The system of claim 35 wherein the configuration storage further comprises a processor control register to contain the execution mode word, the execution mode word being asserted when the processor is configured in the isolated execution mode.
39. The system of claim 35 wherein the access checking circuit comprises a TLB access checking circuit to detect if the attribute for the page is set to isolated and the execution mode word is asserted, the TLB access checking circuit generating an access grant signal.
40. The system of claim 35 wherein the access checking circuit further comprises an FSB snoop checking circuit coupled to a cache, the FSB snoop checking circuit combining the attribute, an external isolated access signal from another processor, and a cache access signal, the FSB snoop checking circuit generating a processor snoop access signal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Neiger, Gilbert, Mittal, Millind, Reneris, Ken, Lin, Derrick C., McKeen, Francis X., Sutton, James A., Golliver, Roger A., Thakkar, Shreekant S., Ellison, Carl M., Herbert, Howard C.
Primary Examiner(s)
Hayes, John W.

Application Number

US09/618,738
Time in Patent Office

1,274 Days
Field of Search

713/200, 711/152, 711/156, 711/163, 710/108, 710/200, 710/240
US Class Current

726/17
CPC Class Codes

G06F 12/0831   using a bus scheme, e.g. wi...

G06F 12/1009   using page tables, e.g. pag...

G06F 12/145   the protection being virtua...

G06F 12/1491   in a hierarchical protectio...

G06F 21/74   operating in dual or compar...

G06F 2212/1016   Performance improvement

G06F 2212/1041   Resource optimization

G06F 2212/1052   Security improvement

Controlling access to multiple isolated memories in an isolated execution environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

233 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access to multiple isolated memories in an isolated execution environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

233 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links