Abstract: In an embodiment, an input/output (I/O) memory management unit (IOMMU) comprises at least one memory configured to store translation data; and control logic coupled to the memory and configured to translate an I/O device-generated memory request using the translation data. The translation data corresponds to one or more device table entries in a device table stored in a memory system of a computer system that includes the IOMMU, wherein the device table entry for a given request is selected by an identifier corresponding to the I/O device that generates the request. The translation data further corresponds to one or more I/O page tables, wherein the selected device table entry for the given request includes a pointer to a set of I/O page tables to be used to translate the given request.

Abstract: A method and an apparatus for performing an I/O device access using targeted security. A software object is executed. A security level for the software object is established. A multi-table input/output (I/O) space access is performed using at least one of the security levels. The function of the object is executed.

Abstract: In one embodiment, an input/output (I/O) memory management unit (IOMMU) comprises at least one memory and control logic coupled to the memory. The memory is configured to store translation data corresponding to one or more I/O translation tables stored in a memory system of a computer system that includes the IOMMU. The control logic is configured to translate an I/O device-generated memory request using the translation data. The translation data includes a type field indicating one or more attributes of the translation, and the control logic is configured to control the translation responsive to the type field.

Abstract: In an embodiment, an input/output (I/O) memory management unit (IOMMU) comprises at least one memory configured to store translation data; and control logic coupled to the memory and configured to translate an I/O device-generated memory request using the translation data. The translation data corresponds to one or more device table entries in a device table stored in a memory system of a computer system that includes the IOMMU, wherein the device table entry for a given request is selected by an identifier corresponding to the I/O device that generates the request. The translation data further corresponds to one or more I/O page tables, wherein the selected device table entry for the given request includes a pointer to a set of I/O page tables to be used to translate the given request.

Abstract: A method and an apparatus for performing a virtual address based memory access. A software object is executed. A security level for the software object is established. A virtual address based memory access is performed using at least one of the security levels. The function of the object is executed based upon the virtual address based memory access.

Abstract: In one embodiment, an input/output (I/O) memory management unit (IOMMU) comprises at least one memory and control logic coupled to the memory. The memory is configured to store translation data corresponding to one or more I/O translation tables stored in a memory system of a computer system that includes the IOMMU. The control logic is configured to translate an I/O device-generated memory request using the translation data. The translation data includes a type field indicating one or more attributes of the translation, and the control logic is configured to control the translation responsive to the type field.

Abstract: In an embodiment, an input/output (I/O) memory management unit (IOMMU) comprises at least one memory configured to store translation data; and control logic coupled to the memory and configured to translate an I/O device-generated memory request using the translation data. The translation data corresponds to one or more device table entries in a device table stored in a memory system of a computer system that includes the IOMMU, wherein the device table entry for a given request is selected by an identifier corresponding to the I/O device that generates the request. The translation data further corresponds to one or more I/O page tables, wherein the selected device table entry for the given request includes a pointer to a set of I/O page tables to be used to translate the given request.

Abstract: In one embodiment, a system comprises one or more input/output (I/O) devices; an I/O memory management unit (IOMMU) coupled to receive memory requests sourced by the I/O devices and configured to provide address translation for the memory requests; and a virtual machine monitor (VMM) configured to manage one or more virtual machines on the system, wherein the VMM is configured to virtualize the IOMMU, providing one or more virtual IOMMUs for use by one or more virtual machines.

Abstract: The present invention provides a method and apparatus for securing portions of a memory. The method includes identifying information for protection and indicating at least one physical address of a memory that houses the information as at least one of read and write disabled. The method includes receiving a request from a program to access the information. The method further includes accessing the information in response to determining that the program has the authority to access the information. The apparatus includes a memory comprising a privileged code. The privileged code is capable of receiving a request to protect selected information and indicating at least one physical address of a memory housing the information as at least one of read and write disabled. The privileged code is capable of receiving a request from a program to access the information.

Abstract: In one embodiment, a system comprises one or more input/output (I/O) devices; an I/O memory management unit (IOMMU) coupled to receive memory requests sourced by the I/O devices and configured to provide address translation for the memory requests; and a virtual machine monitor (VMM) configured to manage one or more virtual machines on the system, wherein the VMM is configured to virtualize the IOMMU, providing one or more virtual IOMMUs for use by one or more virtual machines.

Abstract: A computer system includes a processor which may initialize a secure execution mode by executing a security initialization instruction. Further, the processor may operate in the secure execution mode by executing a secure operating system code segment. The computer system also includes an input/output (I/O) interface coupled to the processor via an I/O link. The I/O interface may receive transactions performed as a result of the execution of the security initialization instruction. The transactions include at least a portion of the secure operating system code segment. The I/O interface may also determine whether the processor is a source of the transactions. The computer system further includes a security services processor coupled to the I/O interface via a peripheral bus. The I/O interface may convey the transactions to the security services processor dependent upon determining that the processor is the source of the transactions.

Abstract: The initialization of a computer system including a secure execution mode-capable processor includes storing a secure operating system code segment loader to a plurality of locations corresponding to a particular range of addresses within a system memory. The method also includes executing a security initialization instruction. Executing the security initialization instruction may cause several operations to be performed including transmitting a start transaction including a base address of the particular range of addresses. In addition, executing the security instruction may also cause another operation to be performed including retrieving the secure operating system code segment loader from the system memory and transmitting the secure operating system code segment loader for validation as a plurality of data transactions.

Abstract: A method and apparatus for controlling access to segments of memory having security data stored therein is provided. A security check unit maintains information for a plurality of segments of memory regarding whether each of these plurality of segments has secure data stored therein. A hint directory maintains information regarding whether any of a plurality of these segments has secure data stored therein. The hint directory is capable of bypassing the security check unit when it receives an address that falls within a plurality of the segments that have been indicated as being free from secure data. When the hint directory determines that a received address falls within one of a plurality of segments that contain secure data, then the address is passed to the security check unit for a closer examination.

Abstract: A computer system includes a main processor and a security control processor that is coupled to the main processor and configured to control and monitor an operational state of the main processor. To ensure the computer system may be trusted, the security control processor may be configured to hold the main processor in a slave mode during initialization of the security control processor such that the main processor is not operable to fetch and execute instructions from an instruction source external to the main processor, for example. In addition, the security control processor may be configured to initialize the operational state of the main processor to a predetermined state by transferring to the main processor via a control interface one or more instructions and to cause the main processor to execute the one or more instructions while the main processor is held in the slave mode.

Abstract: In one embodiment, an input/output (I/O) node comprises an I/O memory management unit (IOMMU) configured to translate memory requests. The I/O node is configured to couple to an interconnect and to operate as a tunnel on the interconnect, and wherein the IOMMU is configured translate memory requests passing through the tunnel in the upstream direction. In another embodiment, a system comprises another I/O node configured to bridge another interconnect to the interconnect, wherein the I/O node is the tunnel for the other I/O node.

Abstract: In an embodiment, a computer system comprises a processor; a memory management module comprising a plurality of instructions executable on the processor; a memory coupled to the processor; and an input/output memory management unit (IOMMU) coupled to the memory. The IOMMU is configured to implement address translation and memory protection for memory operations sourced by one or more input/output (I/O) devices. The memory stores a command queue during use. The memory management module is configured to write one or more control commands to the command queue, and the IOMMU is configured to read the control commands from the command queue and execute the control commands.

Abstract: In an embodiment, an input/output memory management unit (IOMMU) is configured to receive a completion wait command defined to ensure that one or more preceding invalidation commands are completed by the IOMMU prior to a completion of the completion wait command. The IOMMU is configured to respond to the completion wait command by delaying completion of the completion wait command until: (1) a read response corresponding to each outstanding memory read operation that depends on a translation entry that is invalidated by the preceding invalidation commands is received; and (2) the control unit transmits one or more operations upstream to ensure that each memory write operation that depends on the translation table entry that is invalidated by the preceding invalidation commands has at least reached a bridge to a coherent fabric in the computer system and has become visible to the system.

Abstract: A method for controlling operation of a secure execution mode-capable processor includes receiving access requests to a plurality of addressable locations within a system memory. The method may further include preventing the access requests from completing in response to determining that the secure execution mode-capable processor is operating in a secure execution mode.

Abstract: A method and apparatus for selectively executing an I/O instruction. The method includes creating an I/O permission bitmap in a memory and receiving an I/O port number and a security context identification (SCID) value. The method also includes using the SCID value and the I/O port number to access the I/O permission bitmap stored to obtain a permission bit corresponding to the I/O port and executing the I/O instruction dependent upon a value of the permission bit corresponding to the I/O port. The I/O permission bitmap includes a plurality of permission bits. Each of the permission bits corresponds to a different one of a plurality of I/O ports. Each of the permission bits has a value indicating whether access to the corresponding I/O port is allowed. The I/O port number indicates the I/O port referenced by the I/O instruction. The SCID value indicates a security context level of a memory location including the I/O instruction.

Abstract: In one embodiment, an input/output memory management unit (IOMMU) comprises a cache to cache translation data from memory; and a control unit coupled to the cache. The control unit is configured to implement address translation and memory protection for memory requests sourced by one or more input/output (I/O) devices. The memory requests sourced by the I/O devices travel in one or more first virtual channels, and the control unit is configured to transmit memory requests sourced by the control unit in at least a second virtual channel separate from the first virtual channels.