Microprocessor that facilitates task switching between multiple encrypted programs having different associated decryption key values

US 8,719,589 B2
Filed: 04/21/2011
Issued: 05/06/2014
Est. Priority Date: 05/25/2010
Status: Active Grant

First Claim

Patent Images

1. A microprocessor, comprising:

a storage element, comprising a plurality of locations each configured to store decryption key data associated with an encrypted program;

a control register, comprising a field for specifying one of the plurality of locations of the storage element associated with a currently executing encrypted program, wherein the microprocessor is configured to restore from memory to the control register a previously saved value of the field in response to executing a return from interrupt instruction; and

a fetch unit, configured to fetch encrypted instructions of the currently executing encrypted program and to decrypt them using the decryption key data stored in the one of the plurality of locations of the storage element specified by the restored previously saved value of the field, wherein the fetch unit is configured to decrypt the fetched encrypted instructions by performing a Boolean exclusive-OR (XOR) operation of the fetched encrypted instructions with the decryption key data stored in the one of the plurality of locations of the storage element specified by the restored previously saved field value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A microprocessor includes a storage element having a plurality of locations each storing decryption key data associated with an encrypted program. A control register field (may be x86 EFLAGS register reserved field) specifies a storage element location associated with a currently executing encrypted program. The microprocessor restores from memory to the control register a previously saved value of the field in response to executing a return from interrupt instruction. A fetch unit fetches encrypted instructions of the currently executing encrypted program and decrypts them using the decryption key data stored the storage element location specified by the restored field value. A kill bit associated with each storage element location may be employed if the location is clobbered because more encrypted programs are multitasked than available locations in the storage element, in which case an exception is generated to re-load the clobbered decryption key data in response to the return from interrupt instruction.

Citations

29 Claims

1. A microprocessor, comprising:
- a storage element, comprising a plurality of locations each configured to store decryption key data associated with an encrypted program;
  
  a control register, comprising a field for specifying one of the plurality of locations of the storage element associated with a currently executing encrypted program, wherein the microprocessor is configured to restore from memory to the control register a previously saved value of the field in response to executing a return from interrupt instruction; and
  
  a fetch unit, configured to fetch encrypted instructions of the currently executing encrypted program and to decrypt them using the decryption key data stored in the one of the plurality of locations of the storage element specified by the restored previously saved value of the field, wherein the fetch unit is configured to decrypt the fetched encrypted instructions by performing a Boolean exclusive-OR (XOR) operation of the fetched encrypted instructions with the decryption key data stored in the one of the plurality of locations of the storage element specified by the restored previously saved field value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The microprocessor of claim 1, wherein the microprocessor is configured to load the fetch unit with the decryption key data stored in the one of the plurality of locations of the storage element specified by the restored previously saved field value prior to the fetch unit decrypting the fetched encrypted instructions of the currently executing encrypted program.
  - 3. The microprocessor of claim 1, wherein the microprocessor is further configured to populate the field of the control register with a value to specify one of the plurality of locations of the storage element allocated for storing decryption key data for a new encrypted program requested to run on the microprocessor.
  - 4. The microprocessor of claim 3, wherein the microprocessor is further configured to load the decryption key data for the new encrypted program into the allocated one of the plurality of locations.
  - 5. The microprocessor of claim 4, wherein the microprocessor is further configured to load the fetch unit with the decryption key data for the new encrypted program from the allocated one of the plurality of locations.
  - 6. The microprocessor of claim 1, wherein the storage element comprises a register file, wherein each of the plurality of storage element locations comprises a register configured to store the decryption key data.
  - 7. The microprocessor of claim 1, wherein the storage element comprises a memory, wherein each of the plurality of storage element locations comprises a memory location configured to store the decryption key data.
  - 8. The microprocessor of claim 1, wherein plain text instructions decrypted from the fetched encrypted instructions are unobservable outside the microprocessor.
  - 9. The microprocessor of claim 1, wherein the control register comprises an x86 architecture EFLAGS register modified to include the field.
  - 10. The microprocessor of claim 1, wherein further in response to executing the return from interrupt instruction, the microprocessor is configured to generate an exception if a bit associated with the one of the plurality of locations of the storage element specified by the restored value of the field is set, prior to the fetch unit decrypting the fetched encrypted instructions of the currently executing one of the plurality of encrypted programs.
  - 11. The microprocessor of claim 10, wherein in response to the exception, the microprocessor re-loads the one of the plurality of locations of the storage element specified by the restored value of the field with decryption key data associated with the currently executing one of the plurality of encrypted programs, prior to the fetch unit decrypting the fetched encrypted instructions of the currently executing one of the plurality of encrypted programs.
  - 12. The microprocessor of claim 10, wherein the bit is configured to be set in response to the decryption key data associated with the currently executing one of the plurality of encrypted programs in the one of the plurality of locations of the storage element being clobbered, prior to the execution of the return from interrupt instruction.
  - 13. The microprocessor of claim 12, wherein the one of the plurality of locations of the storage element is clobbered when the microprocessor begins to execute a new encrypted program for which free space in the storage element is unavailable.
  - 14. The microprocessor of claim 12, wherein the one of the plurality of locations of the storage element is clobbered when the microprocessor re-loads the one of the plurality of locations of the storage element specified by the restored value of the field with decryption key data associated with the currently executing one of the plurality of encrypted programs in response to the exception.
  - 15. The microprocessor of claim 1, wherein the microprocessor is further configured to run system software configured to:
    - receive a request to run a new encrypted program; and
      
      if free space in the storage element is unavailable to store decryption key data for the new encrypted program, wait to run the new encrypted program until free space in the storage element is available.

16. A method for operating a microprocessor having a control register and a storage element comprising a plurality of locations each configured to store decryption key data associated with an encrypted program, the method comprising:
- restoring from memory to a field of the control register a previously saved value of the field, in response to executing a return from interrupt instruction, wherein the previously saved value of the field specifies one of the plurality of locations of the storage element associated with a currently executing encrypted program;
  
  fetching encrypted instructions of the currently executing encrypted program; and
  
  decrypting the fetched encrypted instructions using the decryption key data stored in the one of the plurality of locations of the storage element specified by the restored previously saved value of the field, wherein said decrypting the fetched encrypted instructions comprises performing a Boolean exclusive-OR (XOR) operation of the fetched encrypted instructions with the decryption key data stored in the one of the plurality of locations of the storage element specified by the restored previously saved field value.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. The method of claim 16, further comprising:
    - loading a fetch unit of the microprocessor with the decryption key data stored in the one of the plurality of locations of the storage element specified by the restored previously saved field value prior to said decrypting the fetched encrypted instructions of the currently executing encrypted program.
  - 18. The method of claim 16, further comprising:
    - allocating one of the plurality of locations of the storage element for storing decryption key data for a new encrypted program requested to run on the microprocessor; and
      
      populating the field of the control register with a value to specify the allocated one of the plurality of locations of the storage element.
  - 19. The method of claim 18, further comprising:
    - loading the decryption key data for the new encrypted program into the allocated one of the plurality of locations.
  - 20. The method of claim 16, wherein plain text instructions decrypted from the fetched encrypted instructions are unobservable outside the microprocessor.
  - 21. The method of claim 16, wherein the control register comprises an x86 architecture EFLAGS register modified to include the field.
  - 22. The method of claim 16, further comprising:
    - generating an exception, in response to said executing the return from interrupt instruction and prior to said decrypting the fetched encrypted instructions of the currently executing one of the plurality of encrypted programs, if a bit associated with the one of the plurality of locations of the storage element specified by the restored value of the field is set.
  - 23. The method of claim 22, further comprising:
    - re-loading the one of the plurality of locations of the storage element specified by the restored value of the field with decryption key data associated with the currently executing one of the plurality of encrypted programs, in response to the exception and prior to said decrypting the fetched encrypted instructions of the currently executing one of the plurality of encrypted programs.
  - 24. The method of claim 22, further comprising:
    - clobbering the decryption key data associated with the currently executing one of the plurality of encrypted programs in the one of the plurality of locations of the storage element, prior to the execution of the return from interrupt instruction; and
      
      setting the bit in response to said clobbering.
  - 25. The method of claim 24, further comprising:
    - determining that free space in the storage element for a new encrypted program to be run on the microprocessor is unavailable;
      
      wherein said clobbering is performed in response to said determining that free space in the storage element is unavailable.
  - 26. The method of claim 24, wherein said clobbering is performed by said re-loading the one of the plurality of locations of the storage element specified by the restored value of the field with decryption key data associated with the currently executing one of the plurality of encrypted programs in response to the exception.
  - 27. The method of claim 16, further comprising:
    - receiving a request to run a new encrypted program; and
      
      if free space in the storage element is unavailable to store decryption key data for the new encrypted program, waiting to run the new encrypted program until free space in the storage element is available.

28. A computer program product encoded in at least one non-transitory computer readable storage medium for use with a computing device, the computer program product comprising:
- computer readable program code embodied in said medium, for specifying a microprocessor, the computer readable program code comprising;
  
  first program code for specifying a storage element, comprising a plurality of locations each configured to store decryption key data associated with an encrypted program;
  
  second program code for specifying a control register, comprising a field for specifying one of the plurality of locations of the storage element associated with a currently executing encrypted program, wherein the microprocessor is configured to restore from memory to the control register a previously saved value of the field in response to executing a return from interrupt instruction; and
  
  third program code for specifying a fetch unit, configured to fetch encrypted instructions of the currently executing encrypted program and to decrypt them using the decryption key data stored in the one of the plurality of locations of the storage element specified by the restored previously saved value of the field, wherein the fetch unit is configured to decrypt the fetched encrypted instructions by performing a Boolean exclusive-OR (XOR) operation of the fetched encrypted instructions with the decryption key data stored in the one of the plurality of locations of the storage element specified by the restored previously saved field value.
- View Dependent Claims (29)
- - 29. The computer program product of claim 28, wherein the at least one non-transitory computer readable storage medium is selected from the set of a disk, tape, or other magnetic, optical, or electronic storage medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VIA Technologies Incorporated (VIA Technologies)
Original Assignee
VIA Technologies Incorporated (VIA Technologies)
Inventors
Henry, G. Glenn, Parks, Terry, Bean, Brent, Crispin, Thomas A.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Rahman, Mahfuzur

Application Number

US13/091,785
Publication Number

US 20110296205A1
Time in Patent Office

1,111 Days
Field of Search

713/190
US Class Current

713/190
CPC Class Codes

G06F 12/0875   with dedicated cache, e.g. ...

G06F 21/52   during program execution, e...

G06F 21/54   by adding security routines...

G06F 21/602   Providing cryptographic fac...

G06F 21/71   to assure secure computing ...

G06F 21/72   in cryptographic circuits

G06F 2212/402   Encrypted data

G06F 2212/452   Instruction code

G06F 2221/2107   File encryption

G06F 9/30003   Arrangements for executing ...

G06F 9/30058   Conditional branch instruct...

G06F 9/30079   Pipeline control instructio...

G06F 9/30178   of compressed or encrypted ...

G06F 9/30189   according to execution mode...

H04L 2209/12   Details relating to cryptog...

H04L 2209/20   Manipulating the length of ...

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/0827   involving distinctive inter...

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894 : Escrow, recovery or storing...

View All

Microprocessor that facilitates task switching between multiple encrypted programs having different associated decryption key values

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Microprocessor that facilitates task switching between multiple encrypted programs having different associated decryption key values

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links