Memory initialization in a protected region
Abstract
Secure memory allocation technologies are described. A processor includes a processor core and a memory controller that is coupled between the processor core and main memory. The main memory comprises a protected region including secured pages. The processor, in response to a content copy instruction, is to initialize a target page in the protected region of an application address space. The processor, in response to the content copy instruction, is also to select content of a source page in the protected region to be copied. The processor, in response to the content copy instruction, is also to copy the selected content to the target page in the protected region of the application address space.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A processor comprising:
a processor core; and a memory controller coupled between the processor core and main memory, wherein the main memory comprises a protected region including secured pages, and wherein the processor core is to perform the following in response to a content copy instruction:
initialize a target page in the protected region of an application address space;
select content of a source page in the protected region to be copied; and
copy the selected content to the target page in the protected region of the application address space.
2 . The processor of claim 1 , wherein the processor core, in response to the content copy instruction, is to further copy the selected content to the target page while an application is running, wherein the application is stored in the protected region.
3 . The processor of claim 1 , wherein the processor core is to add the target page to the protected region in response to a page add instruction.
4 . The processor of claim 1 , wherein the processor core is to:
determine a privilege level of the target page; and perform the page add instruction when a privilege level of the target page is zero.
5 . The processor of claim 3 , wherein the processor core is to:
determine when a page add instruction fails, wherein the page add instruction fails when:
an operand is not properly aligned;
unsupported security attributes are set;
selected software guard extensions (SGX) enclave control structure (SECS) pages are locked by another thread;
the EAUG instruction does not contain an effective address of an enclave page cache (EPC) page;
the EPC page is locked by another thread;
the EPC page is in a valid state; or
a selected protected region offset is outside of an effective address range of the protected region; and
determine when a content copy instruction fails, wherein the content copy instruction fails when:
an operand is not properly aligned;
an unsupported access right combination is requested;
the operand does not refer to an enclave page cache (EPC) page;
the target page or the source page is in use by another thread;
the EPC page does not have a selected PT_REG type; or
the EPC page is not a valid page.
6 . The processor of claim 3 , wherein the page add instruction comprises memory parameter information, wherein the memory parameter information includes:
an effective address of a page information (PAGEINFO) structure; and an effective address of an enclave page cache (EPC) page.
7 . The processor of claim 6 , wherein the PAGEINFO structure comprises:
a security information (SECINFO) structure of the target page; and a page information structure of the source page (SRCPAGE).
8 . The processor of claim 3 , wherein the processor core, in response to the page add instruction, is to:
associate a free enclave page cache (EPC) page with one or more selected software guard extensions (SGX) enclave control structure (SECS) pages in the section of the protected region; store a protected region offset attribute and a protected region security attribute in an enclave page cache map (EPCM); and zero contents of the target page.
9 . The processor of claim 3 , wherein the processor core is to:
determine when an page acceptance instruction is received, wherein a status of the target page remains pending until the page acceptance instruction is received; and add the target page to the protected region of the application address space when the page acceptance instruction is received.
10 . The processor of claim 1 , wherein the content copy instruction comprises memory parameter information, wherein the memory parameter information includes:
a software guard extensions (SGX) enclave control (SEC) information (SECINFO) structure, wherein the SECINFO structure specifies a selected permissions level for the target page being modified and a requested type for the target page when the selected content is copied; an effective address of the target page that the content is copied to; and an effective address of the source page that the content is copied from.
11 . The processor of claim 1 , wherein:
the source page is a valid enclave page cache (EPC) page; and the source page is a PT_REG type that is not in a blocked state, a pending state, or a modified state.
12 . The processor of claim 1 , wherein:
the target page is a valid enclave page cache (EPC) page; and the target page is a PT_REG type that is in a pending state but not a modified state or a blocked state.
13 . A method comprising:
decoding, by a processor core of a processor, a content copy instruction to copy selected content of a source page in a protected region of a main memory coupled to the processor core; and executing, by the processor core, the content copy instruction to copy the selected content of the source page to a target page within the protected region.
14 . The method of claim 13 , further comprising:
in response to the content copy instruction,
allocating, by the processor core, the target page of the protected region;
selecting, by the processor core, content of the source page of the protected region to be copied; and
copying, by the processor core, the selected content to the target page in the protected region.
15 . The method of claim 13 , further comprising:
in response to the content copy instruction,
updating, by the processor core, permissions of the target page;
clearing, by the processor core, a pending bit of the target page to indicate use of the target page is completed; and
releasing, by the processor core, an enclave dynamic memory management (EDMM) lock on the target page.
16 . The method of claim 13 , further comprising modifying, by the processor core, permissions of the target page.
17 . The method of claim 13 , further comprising:
validating, by a processor core, selected source parameters of the source page; or validating, by a processor core, selected target parameters of the target page.
18 . The method of claim 17 , wherein validating, by a processor core, the selected source parameters of the source page further comprises:
determining a readable status of the source page; and determining an enclave linear address range (ELRange) of the source page.
19 . The method of claim 17 , wherein validating, by the processor core, the selected target parameters of the target page further comprises:
determining a writable status of the target page; determining an enclave linear address range (ELRange) of the target page; and determining a location of the target page within the protected region.
20 . The method of claim 17 , wherein validating, by the processor core, the selected target parameters of the target page further comprises:
acquiring, by the processor core, an enclave dynamic memory management (EDMM) lock; verifying, by the processor core, that a status of the target page is regular and pending; and verifying, by the processor core, that the target page is accessed through a correct linear address.
21 . A system comprising:
a processor comprising a plurality of functional units to execute instructions; and a memory device coupled to the processor, wherein the memory device is operable to store code memory and data memory and comprises a protected region including secured pages, wherein the processor is to: decode an instruction to copy content within the protected region; and execute the content copy instruction to copy content from a first secured page to a second secured page.
22 . The system of claim 21 , wherein the processor is to copy content from a source secured page to a target secured page in response to the content copy instruction, and wherein the processor is to perform the following in response to the instruction:
initialize the second secured page in a protected region of an application address space; select content of an first secured page in the protected region to be copied; and copy the selected content to the second secured page in the protected region of the application address space.
23 . The system of claim 21 , wherein the processor, in response to the instruction, is to copy the selected content to the second page while an application is running, wherein the application is stored in the protected region.
24 . The system of claim 21 , wherein the memory allocation process comprises another instruction to add the first secured page to the protected region.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.