Processors, methods, systems, and instructions to support live migration of protected containers
First Claim
1. A processor comprising:
- a die;
- a decode unit on the die to decode an instruction of an instruction set of the processor, the instruction to indicate a page of a protected container memory, and to indicate a storage location outside of the protected container memory; and
- an execution unit on the die and including at least some hardware, the execution unit coupled with the decode unit, the execution unit, in response to the instruction of the instruction set of the processor, to:
  - ensure that no writable permissions for the page of the protected container memory are cached in the processor while the page of the protected container memory has a write protected state;
  - encrypt a copy of the page of the protected container memory;
  - store the encrypted copy of the page to the indicated storage location outside of the protected container memory, after it has been ensured that there are no writable references to the page of the protected container memory; and
  - leave the page of the protected container memory in the write protected state, which is also to be valid and readable, after the encrypted copy of the page has been stored to the indicated storage location outside of the protected container memory.
Abstract
A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
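The ordering the abstract describes can be modelled in a few lines. This is an added example, not code from the patent or from any processor vendor: the `ContainerPage` class, the per-core `cached_perms` map, the choice to fault when a writable entry is still cached, and the SHA-256 counter-mode stand-in cipher are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

class ExportFault(Exception):
    """The export was attempted before the preconditions in the claims held."""

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 in counter mode) so the model runs offline;
    # the page does not name the algorithm the processor uses.
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class ContainerPage:
    data: bytearray
    valid: bool = True
    write_protected: bool = False
    # Hypothetical model of cached translations: core id -> "r" or "rw".
    cached_perms: dict = field(default_factory=dict)

    def read(self, offset: int) -> int:
        if not self.valid:
            raise PermissionError("page is not valid")
        return self.data[offset]

    def write(self, core: int, offset: int, value: int) -> None:
        # A stale "rw" entry bypasses the new write-protected state; this is
        # the hazard the "no cached writable permissions" step removes.
        if self.write_protected and self.cached_perms.get(core) != "rw":
            raise PermissionError("page is write protected")
        self.data[offset] = value

def write_protect(page: ContainerPage) -> None:
    page.write_protected = True

def drop_writable_permissions(page: ContainerPage) -> None:
    page.cached_perms = {core: "r" for core in page.cached_perms}

def export_page(page, key: bytes, nonce: bytes, outside: dict, slot: str) -> None:
    if not (page.valid and page.write_protected):
        raise ExportFault("page must be valid and write protected")
    if "rw" in page.cached_perms.values():
        raise ExportFault("a writable permission is still cached")
    # Encrypt a copy, then store it outside the protected container memory.
    outside[slot] = keystream_xor(key, nonce, bytes(page.data))
    # The source page is deliberately left valid, readable and write protected.
```

Because the source page stays readable after the export, the container can keep running on the source machine while its pages are copied, and a write that slipped through a stale cached permission cannot make the stored copy diverge from the page unnoticed.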
22 Claims
13. A method of performing from one to three machine instructions in a processor to perform operations comprising:
- write protecting a page of a protected container memory with an execution unit that is on a die of the processor and that includes at least some hardware, wherein the protected container memory is part of main memory and is in dynamic random access memory (DRAM);
- ensuring that no writable permissions for the page of the protected container memory are cached in the processor;
- encrypting a copy of the page of the protected container memory;
- storing the encrypted copy of the page of the protected container memory to a storage location that is outside of the protected container memory, wherein the storage location that is outside of the protected container memory is part of the main memory and is in the DRAM, after said ensuring that there are no writable references to the write protected page of the protected container memory; and
- leaving the write protected page of the protected container memory in a valid and readable state after said storing the encrypted copy of the page of the protected container memory to the storage location that is outside of the protected container memory.
19. A system to process instructions comprising:
- an interconnect;
- a processor coupled with the interconnect, the processor to receive an instruction of an instruction set of the processor, the instruction to indicate a page of a protected container memory, and to indicate a storage location outside of the protected container memory, the processor, in response to the instruction of the instruction set of the processor, to:
  - ensure that there are no writable references to the page of the protected container memory, while the page of the protected container memory has a write protected state;
  - encrypt a copy of the page of the protected container memory;
  - store the encrypted copy of the page to the indicated storage location outside of the protected container memory, after it has been ensured that there are no writable references to the page of the protected container memory; and
  - leave the page of the protected container memory in the write protected state, which is also to be valid and readable, after the encrypted copy of the page has been stored to the indicated storage location outside of the protected container memory; and
- a dynamic random access memory (DRAM) coupled with the interconnect.
21. An article of manufacture comprising a non-transitory machine-readable storage medium, the non-transitory machine-readable storage medium storing from one to three machine instructions that if executed by a machine are to cause the machine to perform operations comprising to:
- write protect a page of a protected container memory, wherein the protected container memory is to be part of main memory;
- ensure that there are no writable references to the write protected page of the protected container memory;
- encrypt a copy of the page of the protected container memory;
- store the encrypted copy of the page of the protected container memory to a storage location that is outside of the protected container memory, wherein the storage location that is outside of the protected container memory is to be part of the main memory, after it has been ensured that there are no writable references to the write protected page of the protected container memory; and
- leave the write protected page of the protected container memory in a valid and readable state after said storage the encrypted copy of the page of the protected container memory to the storage location that is outside of the protected container memory.
Specification