Methods, apparatus, and systems for secure demand paging and other paging operations for processor devices

US 9,667,425 B2
Filed: 08/13/2014
Issued: 05/30/2017
Est. Priority Date: 04/08/2004
Status: Active Grant

First Claim

Patent Images

1. A secure demand paging system comprisinga processor;

a cryptographic accelerator;

a hash accelerator; and

a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor, wherein the cryptographic accelerator is operable to encrypt the hash result upon completion of the parallel transfer of the data.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure demand paging system includes a processor operable for executing instructions, an internal memory for a first page in a first virtual machine context, an external memory for a second page in a second virtual machine context, and a security circuit coupled to the processor and to the internal memory for maintaining the first page secure in the internal memory. The processor is operable to execute sets of instructions representing: a central controller, an abort handler coupled to supply to the central controller at least one signal representing a page fault by an instruction in the processor, a scavenger responsive to the central controller and operable to identify the first page as a page to free, a virtual machine context switcher responsive to the central controller to change from the first virtual machine context to the second virtual machine context; and a swapper manager operable to swap in the second page from the external memory with decryption and integrity check, to the internal memory in place of the first page.

Citations

56 Claims

1. A secure demand paging system comprisinga processor;
- a cryptographic accelerator;
  
  a hash accelerator; and
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor, wherein the cryptographic accelerator is operable to encrypt the hash result upon completion of the parallel transfer of the data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The secure demand paging system claimed in claim 1 wherein the hash accelerator is further operable to perform a hash on identification before said transfer in parallel.
  - 3. The secure demand paging system claimed in claim 1 wherein the hash accelerator is further operable to perform a key hash before said transfer in parallel.
  - 4. The secure demand paging system claimed in claim 1 further comprising a DMA (direct memory access) circuit operable to couple said secure memory to said cryptographic accelerator for encryption and to said hash accelerator.
  - 5. The secure demand paging system claimed in claim 1 wherein said cryptographic accelerator and said hash accelerator are operable as two synchronous targets for said DMA circuit.
  - 6. The secure demand paging system claimed in claim 5 further comprising an external volatile memory wherein said DMA circuit is further operable to couple said cryptographic accelerator to said external volatile memory.
  - 7. The secure demand paging system claimed in claim 1 further comprising a DMA (direct memory access) circuit operable to couple a decryption stream from said cryptographic accelerator concurrently to said secure memory and to said hash accelerator.
  - 8. The secure demand paging system claimed in claim 1 wherein said DMA circuit has virtual scatter/gather capability with virtual to physical lookups prior to a DMA operation.
  - 9. The secure demand paging system claimed in claim 8 wherein the lookups provide a physical page list, and said DMA circuit has a secure interrupt handler and is operable at each page completion to start the next physical page transfer based on the physical page list.
  - 10. The secure demand paging system claimed in claim 8 wherein said DMA has first and second logical channels and said DMA circuit is operable for DMA fetch to operate the first logical channel in response to the physical page list and operate the second logical channel to repeat each fetch by the first logical channel.
  - 11. The secure demand paging system claimed in claim 1 wherein said hashing accelerator is operable to deliver the hash result directly to said processor to bypass said DMA circuit.
  - 12. The secure demand paging system claimed in claim 1 further comprising a security key and wherein said hash accelerator is responsive to said security key.

13. A secure demand paging system comprisinga processor;
- a cryptographic accelerator;
  
  a hash accelerator;
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor; and
  
  a DMA (direct memory access) circuit operable to couple said secure memory to said cryptographic accelerator for encryption and to said hash accelerator, wherein said DMA circuit is coupled to activate said cryptographic accelerator and said hash accelerator by said DMA circuit itself.

14. A secure demand paging system comprisinga processor;
- a cryptographic accelerator;
  
  a hash accelerator;
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor;
  
  a DMA (direct memory access) circuit operable to couple a decryption stream from said cryptographic accelerator concurrently to said secure memory and to said hash accelerator; and
  
  an external volatile memory and wherein said DMA circuit is operable to couple said external volatile memory to said cryptographic accelerator for decryption.

15. A secure demand paging system comprisinga processor;
- a cryptographic accelerator;
  
  a hash accelerator, wherein said hash accelerator supplies an interrupt request, and said processor is responsive to the interrupt request to read the hash result directly from the hashing accelerator; and
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor.

16. A secure demand paging system comprisinga processor;
- a cryptographic accelerator;
  
  a hash accelerator;
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor; and
  
  an external volatile memory coupled to said secure memory to receive pages from said secure memory hashed by said hash accelerator and encrypted by said cryptographic accelerator.

17. A secure demand paging system comprisinga processor;
- a cryptographic accelerator;
  
  a hash accelerator; and
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor; and
  
  an external memory coupled to said secure memory to feed pages from said external memory to said secure memory, the pages decrypted by said cryptographic accelerator and hash-checked by said hash accelerator in parallel.

18. A secure demand paging system comprisinga processor;
- a cryptographic accelerator;
  
  a hash accelerator; and
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor; and
  
  a source of rotating cryptographic keys coupled to said cryptographic accelerator.

19. A secure demand paging system comprisinga processor;
- a cryptographic accelerator;
  
  a hash accelerator; and
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor; and
  
  a source of rotating cryptographic keys coupled to said hash accelerator.

20. A method of secure demand paging in a system comprising:
- a processor;
  
  a cryptographic accelerator;
  
  a hash accelerator; and
  
  a secure memory including data, said method comprising;
  
  transferring the same secure memory data to the cryptographic accelerator and to the hash accelerator in parallel; and
  
  delivering a hash result from said hash accelerator to said processor; and
  
  encrypting said hash result.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 21. The method of claim 20, further comprising the step of performing in said hash accelerator a hash on identification information in said secure memory data.
  - 22. The method of claim 20, further comprising the step of performing in said hash accelerator a key hash.
  - 23. The method of claim 20, wherein said system comprises a direct memory access (DMA) circuit, and wherein said method further comprises the step of coupling said secure memory to said cryptographic accelerator and to said hash accelerator through said DMA circuit.
  - 24. The method of claim 23 further comprising the step of using the DMA circuit to activate said cryptographic accelerator and said hash accelerator.
  - 25. The method of claim 23 further comprising the step of making said cryptographic accelerator and said hash accelerator synchronous targets of said DMA circuit.
  - 26. The method of claim 25, wherein said system comprises a volatile memory, and wherein said method further comprises the step of using the DMA circuit to couple said cryptographic accelerator to said volatile memory.
  - 27. The method of claim 26, further comprising the step of coupling said volatile memory to said cryptographic accelerator for decryption.
  - 28. The method of claim 23 further comprising the step of directing a decryption stream from said cryptographic accelerator concurrently to said secure memory and to said hash accelerator.
  - 29. The method of claim 23, further comprising the step of bypassing said DMA circuit to deliver said hash result to said processor.

30. A method of secure demand paging in a system comprising:
- a processor;
  
  a cryptographic accelerator;
  
  a hash accelerator;
  
  a secure memory including data, said method comprising;
  
  transferring the same secure memory data to the cryptographic accelerator and to the hash accelerator in parallel;
  
  delivering a hash result from said hash accelerator to said processor; and
  
  wherein said system comprises a direct memory access (DMA) circuit, and wherein said method further comprises the step of coupling said secure memory to said cryptographic accelerator and to said hash accelerator through said DMA circuit; and
  
  performing a scatter/gather operation with said DMA circuit subsequent to performing virtual to physical lookups.
- View Dependent Claims (31, 32)
- - 31. The method of claim 30 wherein said step of performing virtual to physical lookups results in a physical page list, said method further comprising the step of starting a next physical page transfer based on said physical page list at the completion of the prior page transfer.
  - 32. The method of claim 30 wherein said DMA circuit has first and second logical channels, said method further comprising the step of fetching in the first logical channel in accordance with said physical page list, and further comprising the step of fetching in the second logical channel to repeat each fetch made in the first logical channel.

33. A method of secure demand paging in a system comprising:
- a processor;
  
  a cryptographic accelerator;
  
  a hash accelerator; and
  
  a secure memory including data, said method comprising;
  
  transferring the same secure memory data to the cryptographic accelerator and to the hash accelerator in parallel; and
  
  delivering a hash result from said hash accelerator to said processor; and
  
  reading said hash result from said hashing accelerator in response from an interrupt request from said hash accelerator to said processor.

34. A method of secure demand paging in a system comprising:
- a processor;
  
  a cryptographic accelerator;
  
  a hash accelerator; and
  
  a secure memory including data, said method comprising;
  
  transferring the same secure memory data to the cryptographic accelerator and to the hash accelerator in parallel;
  
  delivering a hash result from said hash accelerator to said processor; and
  
  a volatile memory coupled to said secure memory, said method further comprising the step of hashing and encrypting pages from said secure memory and sending the results to said volatile memory.

35. A method of secure demand paging in a system comprising:
- a processor;
  
  a cryptographic accelerator;
  
  a hash accelerator; and
  
  a secure memory including data, said method comprising;
  
  transferring the same secure memory data to the cryptographic accelerator and to the hash accelerator in parallel;
  
  delivering a hash result from said hash accelerator to said processor; and
  
  a second memory coupled to said secure memory, wherein said method further comprises the step of decrypting and hash-checking pages transferred from said second memory to said secure memory in parallel.

36. A method of secure demand paging in a system comprising:
- a processor;
  
  a cryptographic accelerator;
  
  a hash accelerator; and
  
  a secure memory including data, said method comprising;
  
  transferring the same secure memory data to the cryptographic accelerator and to the hash accelerator in parallel;
  
  delivering a hash result from said hash accelerator to said processor; and
  
  supplying said cryptographic accelerator with a rotating source of cryptographic keys.

37. A method of secure demand paging in a system comprising:
- a processor;
  
  a cryptographic accelerator;
  
  a hash accelerator; and
  
  a secure memory including data, said method comprising;
  
  transferring the same secure memory data to the cryptographic accelerator and to the hash accelerator in parallel;
  
  delivering a hash result from said hash accelerator to said processor; and
  
  supplying said hash accelerator with a rotating source of cryptographic keys.

38. A communications apparatus, comprising:
- an antenna;
  
  a receiver and a transmitter coupled to said antenna;
  
  a processor coupled to the receiver and transmitter, said processor having a cryptographic accelerator and a hash accelerator;
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor;
  
  a DMA circuit coupled to activate said cryptographic accelerator and said hash accelerator by said DMA circuit itself; and
  
  a user interface coupled to the processor.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45)
- - 39. The communications apparatus in claim 38 wherein the hash accelerator is further operable to perform a hash on identification information before said transfer in parallel.
  - 40. The communications apparatus in claim 39 wherein the hash accelerator is further operable to perform a key hash before said transfer in parallel.
  - 41. The communications apparatus in claim 39 further comprising a DMA (direct memory access) circuit operable to couple said secure memory to said cryptographic accelerator for encryption and to said hash accelerator.
  - 42. The communications apparatus in claim 39 further comprising a DMA (direct memory access) circuit operable to couple a decryption stream from said cryptographic accelerator concurrently to said secure memory and to said hash accelerator.
  - 43. The communications apparatus in claim 39 further comprising a security key and wherein said hash accelerator is responsive to said security key.
  - 44. The communications apparatus in claim 38 wherein said cryptographic accelerator and said hash accelerator are operable as two synchronous targets for said DMA circuit.
  - 45. The communications apparatus in claim 38 further comprising an external volatile memory wherein said DMA circuit is further operable to couple said cryptographic accelerator to said external volatile memory.

46. A communications apparatus, comprising:
- an antenna;
  
  a receiver and a transmitter coupled to said antenna;
  
  a processor coupled to the receiver and transmitter, said processor having a cryptographic accelerator and a hash accelerator;
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor, wherein the hash accelerator is further operable to perform a key hash before said transfer in parallel, and wherein the cryptographic accelerator is operable to encrypt the has result upon completion of the parallel transfer of the data; and
  
  a user interface coupled to the processor.
- View Dependent Claims (47, 48, 49, 50)
- - 47. The communications apparatus in claim 46 wherein said DMA circuit has virtual scatter/gather capability with virtual to physical lookups prior to a DMA operation.
  - 48. The communications apparatus in claim 47 wherein the lookups provide a physical page list, and said DMA circuit has a secure interrupt handler and is operable at each page completion to start the next physical page transfer based on the physical page list.
  - 49. The communications apparatus in claim 47 wherein said DMA has first and second logical channels and said DMA circuit is operable for DMA fetch to operate the first logical channel in response to the physical page list and operate the second logical channel to repeat each fetch by the first logical channel.
  - 50. The communications apparatus in claim 46 wherein said hashing accelerator is operable to deliver the hash result directly to said processor to bypass said DMA circuit.

51. A communications apparatus, comprising:
- an antenna;
  
  a receiver and a transmitter coupled to said antenna;
  
  a processor coupled to the receiver and transmitter, said processor having a cryptographic accelerator and a hash accelerator;
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor, wherein the hash accelerator is further operable to perform a hash on identification information before said transfer in parallel;
  
  a DMA (direct memory access) circuit operable to couple a decryption stream from said cryptographic accelerator concurrently to said secure memory and to said hash accelerator;
  
  an external volatile memory and wherein said DMA circuit is operable to couple said external volatile memory to said cryptographic accelerator for decryption; and
  
  a user interface coupled to the processor.

52. A communications apparatus, comprising;
- an antenna;
  
  a receiver and a transmitter coupled to said antenna;
  
  a processor coupled to the receiver and transmitter, said processor having a cryptographic accelerator and a hash accelerator;
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor, wherein the hash accelerator is further operable to perform a hash on identification information before said transfer in parallel, wherein said hash accelerator supplies an interrupt request, and said processor is responsive to the interrupt request to read the hash result directly from the hashing accelerator; and
  
  a user interface coupled to the processor.

53. A communications apparatus, comprising:
- an antenna;
  
  a receiver and a transmitter coupled to said antenna;
  
  a processor coupled to the receiver and transmitter, said processor having a cryptographic accelerator and a hash accelerator;
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor, wherein the hash accelerator is further operable to perform a hash on identification information before said transfer in parallel;
  
  an external volatile memory coupled to said secure memory to receive pages from said secure memory hashed by said hash accelerator and encrypted by said cryptographic accelerator; and
  
  a user interface coupled to the processor.

54. A communications apparatus, comprising:
- an antenna;
  
  a receiver and a transmitter coupled to said antenna;
  
  a processor coupled to the receiver and transmitter, said processor having a cryptographic accelerator and a hash accelerator;
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor, wherein the hash accelerator is further operable to perform a hash on identification information before said transfer in parallel;
  
  an external memory coupled to said secure memory to feed pages from said external memory to said secure memory, the pages decrypted by said cryptographic accelerator and hash-checked by said hash accelerator in parallel; and
  
  a user interface coupled to the processor.

55. A communications apparatus, comprising:
- an antenna;
  
  a receiver and a transmitter coupled to said antenna;
  
  a processor coupled to the receiver and transmitter, said processor having a cryptographic accelerator and a hash accelerator;
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor, wherein the hash accelerator is further operable to perform a hash on identification information before said transfer in parallel;
  
  a source of rotating cryptographic keys coupled to said cryptographic accelerator; and
  
  a user interface coupled to the processor.

56. A communications apparatus, comprising:
- an antenna;
  
  a receiver and a transmitter coupled to said antenna;
  
  a processor coupled to the receiver and transmitter, said processor having a cryptographic accelerator and a hash accelerator;
  
  a secure memory coupled to said processor and coupled to transfer the same secure memory data to the cryptographic accelerator and the hash accelerator in parallel, the hashing accelerator operable to securely deliver a hash result directly to said processor, wherein the hash accelerator is further operable to perform a hash on identification information before said transfer in parallel;
  
  a source of rotating cryptographic keys coupled to said hash accelerator; and
  
  a user interface coupled to the processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Texas Instruments, Inc.
Original Assignee
Texas Instruments, Inc.
Inventors
Goss, Steven, Shankar, Narendar M., Akkar, Mehdi-Laurent, Vial, Aymeric, Conti, Gregory Remy Philippe
Primary Examiner(s)
Tran, Denise

Application Number

US14/458,571
Publication Number

US 20150033038A1
Time in Patent Office

1,021 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 12/0246   in block erasable memory, e...

G06F 12/08   in hierarchically structure...

G06F 12/1408   by using cryptography for d...

G06F 12/145   the protection being virtua...

G06F 12/1483   using an access-table, e.g....

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 21/575   Secure boot

G06F 21/79   in semiconductor storage me...

G06F 2212/171   Portable consumer electroni...

G06F 2212/402   Encrypted data

G06F 2212/7201   Logical to physical mapping...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/461   Saving or restoring of prog...

H04L 63/123   received data contents, e.g...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04L 9/0897   involving additional device...

H04L 9/3236   using cryptographic hash fu...

H04W 12/069   using certificates or pre-s...

H04W 12/102 : Route integrity, e.g. using...

Y02D 10/00 : Energy efficient computing,...

View All

Methods, apparatus, and systems for secure demand paging and other paging operations for processor devices

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

56 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, apparatus, and systems for secure demand paging and other paging operations for processor devices

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

56 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links