System and method providing region-granular, hardware-controlled memory encryption
First Claim
1. A computing apparatus, comprising:
- at least one storage location coupled to receive a block of data from a memory and a corresponding encryption indicator for the block of data, wherein the block of data corresponds to a selected memory region of the memory, and wherein the encryption indicator indicates whether the data corresponding to the selected memory region is encrypted in the memory; and
- an encryption/decryption unit configured to decrypt the block of data dependent upon the encryption indicator before the block of data is stored in the storage location.
Abstract
A memory, system, and method for providing security for data stored within a memory and arranged within a plurality of memory regions. The method includes receiving an address within a selected memory region and using the address to access an encryption indicator. The encryption indicator indicates whether data stored in the selected memory page are encrypted. The method also includes receiving a block of data from the selected memory region and the encryption indicator and decrypting the block of data dependent upon the encryption indicator.
41 Claims
1. A computing apparatus, comprising:
- at least one storage location coupled to receive a block of data from a memory and a corresponding encryption indicator for the block of data, wherein the block of data corresponds to a selected memory region of the memory, and wherein the encryption indicator indicates whether the data corresponding to the selected memory region is encrypted in the memory; and
- an encryption/decryption unit configured to decrypt the block of data dependent upon the encryption indicator before the block of data is stored in the storage location.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A system, comprising:
- a memory management unit configured to manage a memory such that the memory stores data arranged within a plurality of memory regions;
- a security check unit coupled to receive a physical address within a selected one of the memory regions and configured to use the physical address to access a security attribute data structure located in the memory in order to obtain an encryption indicator indicating whether data stored in the selected memory region is encrypted in the memory; and
- a cache unit coupled to receive a block of data obtained from the selected memory region and to receive the encryption indicator from the security check unit, the cache unit comprising: an encryption/decryption unit configured to decrypt the received block of data dependent upon the encryption indicator before the received block of data is stored in the cache unit.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
21. A computer system, comprising:
- a memory for storing data, wherein the data includes instructions;
- a memory management unit operably coupled to the memory and configurable to manage the memory such that the memory stores data arranged within a plurality of memory regions;
- a security check unit coupled to receive a physical address within a selected one of the memory regions and configured to use the physical address to access at least one security attribute data structure located in the memory in order to obtain an encryption indicator indicating whether data stored in the selected memory region is encrypted in the memory; and
- a cache unit coupled to receive a block of data obtained from the selected memory region and to receive the encryption indicator from the security check unit, the cache unit comprising: an encryption/decryption unit configured to decrypt the received block of data dependent upon the encryption indicator before the received block of data is stored in the cache unit.
Dependent claims: 22, 23, 24
25. A method for providing security for data stored within a memory, wherein the data are arranged within a plurality of memory regions, the method comprising:
- receiving an address within a selected one of the memory regions;
- using the address to access an encryption indicator indicating whether data stored in the selected memory region is encrypted in the memory;
- receiving a block of data from the selected memory region and the encryption indicator; and
- decrypting the received block of data dependent upon the encryption indicator.
Dependent claims: 26, 27, 28, 29, 30
31. A non-transitory machine readable medium encoded with instructions that, when executed by a computer system, perform a method for providing security for data stored within a memory and arranged within a plurality of memory regions, the method comprising:
- receiving an address within a selected memory region;
- using the address to access an encryption indicator indicating whether data stored in the selected memory region is encrypted in the memory;
- receiving a block of data from the selected memory region and the encryption indicator; and
- decrypting the received block of data dependent upon the encryption indicator.
Dependent claims: 32, 33, 34, 35, 36
37. A system, comprising:
- means for receiving an address within a selected memory region in a memory;
- means for using the received address to access an encryption indicator indicating whether data stored in the selected memory region is encrypted in the memory;
- means for receiving a block of data from the selected memory region and the encryption indicator;
- means for decrypting the received block of data dependent upon the encryption indicator; and
- means for storing the received block of data.
Dependent claims: 38, 39, 40, 41
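The claims above describe one data path: a physical address selects a memory region, the region's entry in a security attribute data structure yields an encryption indicator, and the cache fill decrypts the block only when that indicator is set. The following Python model of that path is an added illustration, not code from the patent or its assignee. It assumes a constructed region granularity (4 KiB), a 64-byte block size, a demo key, and uses a SHA-256-based, address-tweaked keystream as a stand-in for whatever cipher the hardware encryption/decryption unit would implement; the class and function names are this example's own.

```python
import hashlib
from dataclasses import dataclass, field

REGION_SHIFT = 12              # assumed 4 KiB memory regions (constructed)
BLOCK_SIZE = 64                # assumed cache-line / block size (constructed)
DEMO_KEY = b"constructed-demo-key"  # stand-in for the key held by the unit


def keystream(phys_addr: int, length: int, key: bytes = DEMO_KEY) -> bytes:
    """Address-tweaked keystream from SHA-256, a stand-in for the hardware
    cipher. Tweaking by physical address means identical plaintext blocks in
    different lines produce different ciphertext in memory."""
    out = b""
    counter = 0
    while len(out) < length:
        tweak = phys_addr.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(key + tweak).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class SecurityAttributeTable:
    """The security attribute data structure: one encryption indicator per
    region, indexed by region number (physical address >> REGION_SHIFT)."""
    indicators: dict = field(default_factory=dict)

    def encryption_indicator(self, phys_addr: int) -> bool:
        region = phys_addr >> REGION_SHIFT
        if region not in self.indicators:
            # Fail closed: a region with no attribute entry is not served.
            raise LookupError(f"no security attributes for region {region:#x}")
        return self.indicators[region]


class Memory:
    """Backing store of block-aligned physical addresses. Data for regions
    whose indicator is set is kept encrypted in memory."""

    def __init__(self, sat: SecurityAttributeTable):
        self.sat = sat
        self.blocks = {}

    @staticmethod
    def _check_aligned(phys_addr: int) -> None:
        if phys_addr % BLOCK_SIZE:
            raise ValueError("block address must be BLOCK_SIZE aligned")

    def store(self, phys_addr: int, plaintext: bytes) -> None:
        """Write path: the encryption/decryption unit encrypts on the way out
        to memory when the region's indicator is set."""
        self._check_aligned(phys_addr)
        if len(plaintext) != BLOCK_SIZE:
            raise ValueError("block must be exactly BLOCK_SIZE bytes")
        if self.sat.encryption_indicator(phys_addr):
            plaintext = xor_bytes(plaintext, keystream(phys_addr, BLOCK_SIZE))
        self.blocks[phys_addr] = plaintext

    def raw(self, phys_addr: int) -> bytes:
        """What an observer of the memory bus or DRAM contents sees."""
        self._check_aligned(phys_addr)
        return self.blocks[phys_addr]


class CacheUnit:
    """Receives the block and the indicator from the security check unit and
    decrypts before the line is stored, as in claim 9."""

    def __init__(self, memory: Memory, sat: SecurityAttributeTable):
        self.memory = memory
        self.sat = sat
        self.lines = {}

    def fill(self, phys_addr: int) -> bytes:
        indicator = self.sat.encryption_indicator(phys_addr)  # security check
        block = self.memory.raw(phys_addr)
        if indicator:
            block = xor_bytes(block, keystream(phys_addr, BLOCK_SIZE))
        self.lines[phys_addr] = block
        return block


def build_demo():
    """Constructed scenario: region 0 is plaintext, region 1 is encrypted."""
    sat = SecurityAttributeTable({0: False, 1: True})
    mem = Memory(sat)
    plain = b"constructed secret payload".ljust(BLOCK_SIZE, b"\x00")
    mem.store(0x0040, plain)    # region 0: stored as-is
    mem.store(0x1080, plain)    # region 1: stored encrypted
    return sat, mem, CacheUnit(mem, sat), plain


if __name__ == "__main__":
    sat, mem, cache, plain = build_demo()
    print("region 1 in DRAM differs from plaintext:", mem.raw(0x1080) != plain)
    print("region 1 after cache fill matches:", cache.fill(0x1080) == plain)
```

Running the module shows the property the claims are after: the encrypted region's contents differ from the plaintext wherever the raw memory is observed, yet a cache fill through the security check unit yields the original block, while the plaintext region passes through untouched. The fail-closed `LookupError` for a region with no attribute entry is a design choice of this model, not something the claims specify.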
Specification