Managing a secure environment using a chipset in isolated execution mode

US 7,013,484 B1
Filed: 03/31/2000
Issued: 03/14/2006
Est. Priority Date: 03/31/2000
Status: Expired due to Term

First Claim

Patent Images

1. A processing system comprising:

a processor to support an isolated execution mode, a normal execution mode, a first privilege ring within the normal execution mode for use by an operating system (OS) kernel, and a second privilege ring within the normal execution mode for use by a software application;

a memory responsive to the processor, the memory to include an isolated memory area, the isolated memory area to be inaccessible to the processor in the normal execution mode;

a chipset responsive to the processor, the chipset to support the normal execution mode and the isolated execution mode;

processor executive (PE) handler storage in the chipset to store at least part of a PE handler, the PE handler to be loaded into the isolated memory area during a boot process for the processing system after at least a portion of the processing system is initialized, the PE handler to manage, from the isolated execution mode, at least one subsequent operation in the boot process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A chipset is initialized in a secure environment for an isolated execution mode by an initialization storage. The secure environment has a plurality of executive entities and is associated with an isolated memory area accessible by at least one processor. The at least one processor has a plurality of threads and operates in one of a normal execution mode and the isolated execution mode. The executive entities include a processor executive (PE) handler. PE handler data corresponding to the PE handler are stored in a PE handler storage. The PE handler data include a PE handler image to be loaded into the isolated memory area after the chipset is initialized. The loaded PE handler image corresponds to the PE handler.

Citations

34 Claims

1. A processing system comprising:
- a processor to support an isolated execution mode, a normal execution mode, a first privilege ring within the normal execution mode for use by an operating system (OS) kernel, and a second privilege ring within the normal execution mode for use by a software application;
  
  a memory responsive to the processor, the memory to include an isolated memory area, the isolated memory area to be inaccessible to the processor in the normal execution mode;
  
  a chipset responsive to the processor, the chipset to support the normal execution mode and the isolated execution mode;
  
  processor executive (PE) handler storage in the chipset to store at least part of a PE handler, the PE handler to be loaded into the isolated memory area during a boot process for the processing system after at least a portion of the processing system is initialized, the PE handler to manage, from the isolated execution mode, at least one subsequent operation in the boot process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The processing system of claim 1, wherein the processing system enters the isolated execution mode before loading the PE handler into the isolated memory area.
  - 3. The processing system of claim 1, further comprising:
    - a thread count storage, the processing system to store, in the thread count storage, a thread count indicating a number of threads operating in the isolated execution mode.
  - 4. The processing system of claim 3, further comprising:
    - an initialization storage, the processing system to update the thread count in response to access to the initialization storage.
  - 5. The processing system of claim 3, wherein the processing system provides indication of a failure mode in response to the thread count reaching a thread limit.
  - 6. The processing system of claim 1, further comprising:
    - a log storage to store identifiers of executive entities operating in the isolated execution mode.
  - 7. The processing system of claim 1, further comprising:
    - key storage to store a key to be used to handle one or more executive entities to operate in the isolated execution mode.
  - 8. The processing system of claim 7, wherein the key comprises data based on a substantially random value generated by a manufacture of hardware for the processing system.
  - 9. The processing system of claim 1, further comprising:
    - storage responsive to the processor; and
      
      at least one executive entity encoded in the storage, the at least one executive entity selected from the group consisting of a processor executive (PE) and an operating system executive (OSE), the at least one executive entity to operate in the isolated execution mode.
  - 10. The processing system of claim 1, further comprising:
    - configuration storage to store a base value and a mask value, the processing system to establish the isolated memory area in the memory based at least in part on the base value and the mask value.
  - 11. The processing system of claim 1, wherein the PE handler storage comprises substantially non-volatile storage.

12. A method comprising:
- initializing a processing system during a boot process for the processing system, wherein the processing system comprises a processor and a memory, the processing system to support an isolated execution mode, a normal execution mode, a first privilege ring within the normal execution mode for use by an operating system (OS) kernel, and a second privilege ring within the normal execution mode for use by a software application;
  
  during the boot process, establishing an isolated memory area in the memory, the isolated memory area to be inaccessible from the normal execution mode; and
  
  after at least a portion of the processing system is initialized, loading a processor executive (PE) handler into the isolated memory area, the PE handler to manage, from the isolated execution mode, at least one subsequent operation in the boot process.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 13. The method of claim 12, wherein the processing system further comprises a chipset with a PE handler storage, the method further comprising:
    - obtaining at least part of the PE handler from the PE handler storage of the chipset.
  - 14. The method of claim 13, wherein the PE handler storage comprises substantially non-volatile storage.
  - 15. The method of claim 12, further comprising:
    - entering the isolated execution mode before loading the PE handler into the isolated memory area.
  - 16. The method of claim 12, wherein the processing system further comprises a thread count storage, the method further comprising:
    - storing a thread count in the thread count storage, the thread count indicating a number of threads operating in the isolated execution mode.
  - 17. The method of claim 16, further comprising:
    - providing indication of a failure mode in response to the thread count reaching a thread limit.
  - 18. The method of claim 16, wherein the processing system further comprises an initialization storage, the method further comprising:
    - updating the thread count in response to access to the initialization storage.
  - 19. The method of claim 12, further comprising:
    - operating one or more executive entities in the isolated execution mode; and
      
      storing identifiers of the executive entities operating in the isolated execution mode.
  - 20. The method of claim 12, wherein the processing system comprises key storage to store a key, the method further comprising:
    - using the key to handle one or more executive entities to operate in the isolated execution mode.
  - 21. The method of claim 20, wherein the key comprises data based on a substantially random value generated by a manufacture of hardware for the processing system.
  - 22. The method of claim 12, further comprisingoperating one or more executive entities in the isolated execution mode, wherein the executive entities comprise at least one entity selected from the group consisting of a processor executive (PE) and an operating system executive (OSE).
  - 23. The method of claim 12, wherein the processing system comprises configuration storage to store a base value and a mask value, and the operation of establishing an isolated memory area in the memory comprises:
    - using the base value and the mask value to establish the isolated memory area.

24. An apparatus comprising:
- a machine accessible medium; and
  
  instructions encoded in the machine accessible medium, wherein the instructions, when executed by a processor of a processing system, perform operations comprising;
  
  initializing at least part of the processing system during a boot process for the processing system, the processing system to support an isolated execution mode, a normal execution mode, a first privilege ring within the normal execution mode for use by an operating system (OS) kernel, and a second privilege ring within the normal execution mode for use by a software application;
  
  during the boot process, establishing an isolated memory area in a memory of the processing system, the isolated memory area to be inaccessible from the normal execution mode; and
  
  after at least a portion of the processing system is initialized, loading a processor executive (PE) handler into the isolated memory area, the PE handler to manage, from the isolated execution mode, at least one subsequent operation in the boot process.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 25. The apparatus of claim 24, wherein the processing system further comprises a chipset with a PE handler storage, and the instructions perform operations comprising:
    - obtaining at least part of the PE handler from the PE handler storage of the chipset.
  - 26. The apparatus of claim 24, wherein the instructions perform operations comprising:
    - causing the processor to enter the isolated execution mode before loading the PE handler into the isolated memory area.
  - 27. The apparatus of claim 24, wherein the processing system further comprises a thread count storage, and the instructions perform operations comprising:
    - storing a thread count in the thread count storage, the thread count indicating a number of threads operating in the isolated execution mode.
  - 28. The apparatus of claim 27, wherein the instructions perform operations comprising:
    - providing indication of a failure mode in response to the thread count reaching a thread limit.
  - 29. The apparatus of claim 27, wherein the processing system further comprises an initialization storage, and the instructions perform operations comprising:
    - updating the thread count in response to access to the initialization storage.
  - 30. The apparatus of claim 24, wherein the instructions perform operations comprising:
    - causing one or more executive entities to operate in the isolated execution mode; and
      
      storing identifiers of the executive entities operating in the isolated execution mode.
  - 31. The apparatus of claim 24, wherein the processing system comprises key storage to store a key, and the instructions perform operations comprising:
    - using the key to handle one or more executive entities to operate in the isolated execution mode.
  - 32. The apparatus of claim 31, wherein the key comprises data based on a substantially random value generated by a manufacture of hardware for the processing system.
  - 33. The apparatus of claim 24, wherein the instructions perform operations comprising:
    - causing one or more executive entities to operate in the isolated execution mode, wherein the executive entities comprise at least one entity selected from the group consisting of a processor executive (PE) and an operating system executive (OSE).
  - 34. The apparatus of claim 24, wherein the processing system comprises configuration storage to store a base value and a mask value, and the operation of establishing an isolated memory area in the memory comprises:
    - using the base value and the mask value to establish the isolated memory area.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alibaba Group Holding Ltd.
Original Assignee
Intel Corporation
Inventors
Thakkar, Shreekant S., Mittal, Millind, Ellison, Carl M., Golliver, Roger A., Herbert, Howard C., Lin, Derrick C., McKeen, Francis X., Neiger, Gilbert, Reneris, Ken, Sutton, James A.
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
Tran, Ellen C

Application Number

US09/540,613
Time in Patent Office

2,174 Days
Field of Search

395100-800, 709100-250, 711110-170, 712 10-300, 713/164, 713/200
US Class Current

726/26
CPC Class Codes

G06F 12/1491 in a hierarchical protectio...

Managing a secure environment using a chipset in isolated execution mode

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Managing a secure environment using a chipset in isolated execution mode

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links