Abstract: A method of controlling access to an address translation data structure of a computer system. The computer system includes a processor having a normal execution mode and a secure execution mode. The method includes executing code and generating a linear address. During translation of the linear address into a physical address, the method also includes generating a read-only page fault exception during the normal execution mode in response to detecting a software invoked write access to an address translation data structure having a read/write attribute set to be read-only. The method further includes selectively generating either the read-only page fault exception or a security exception during the secure execution mode in response to detecting the software invoked write access.

Abstract: A system and method for secure computing. The system includes a processor, one or more secured assets coupled to the processor, and security hardware. The processor is configured to operate in various operating modes, including a secure operating mode. The security hardware is configured to control access to the secured assets dependant upon the operating mode of the processor. The security hardware is configured to allow access to the secure assets in the secure operating mode, preferably only in the secure operating mode. The method includes switching the computer system between operating modes, while allowing or restricting access to the secured assets based on the operating modes. The second operating mode comprises a secure operating mode. The method restricts access to the secured assets in the first operating mode and permits access to the secured assets in the secure operating mode.

Abstract: Methods for securing booting a personal computer system. One method includes establishing a secret between two or more devices and securing the secret in each of the two or more devices. Another method includes processing BIOS code instructions and accessing security hardware. The method also includes accessing a first device, locking the security hardware, and calling boot code. Another method includes reading a secret from a first location, storing the secret in a secure location different from the first location, and locking the first location. Another method includes requesting authentication for a device, receiving authentication for the device, and setting a timer associated with the device. Another method includes requesting authentication for a device, failing authentication for the device, and preventing access to the device upon failing authentication for the device.

Abstract: A communications system includes a physical layer hardware unit and a processing unit. The physical layer hardware unit is adapted to receive user data over a first communications channel and control codes over a second communications channel. The physical layer hardware unit is further adapted to transmit an upstream data signal over the first communications channel based on transmission assignments defined by the control codes. The processing unit is adapted to execute a software driver for interfacing with the physical layer hardware unit. The software driver includes program instructions for implementing a protocol layer to decrypt the user data and provide upstream data to the physical layer hardware unit for generation of the upstream data signal.

Abstract: A communications system includes a physical layer hardware unit and a processing unit. The physical layer hardware unit is adapted to communicate data over a communications channel in accordance with assigned transmission parameters. The physical layer hardware unit is adapted to receive an incoming signal over the communications channel and sample the incoming signal to generate a digital received signal. The processing unit is adapted to execute a standard mode driver in a standard mode of operation and a privileged mode driver in a privileged mode of operation. The standard mode driver includes program instructions adapted to extract control codes from the digital received signal and configure the physical layer hardware assigned transmission parameters based on the control codes.

Abstract: In one aspect of the present invention, an apparatus for converting a virtual address to a physical address is provided. The apparatus comprises a comparator, a first mechanism, and a second mechanism. The comparator is adapted to receive the virtual address and deliver a first signal indicating that the virtual address is outside a first preselected range, and a second signal indicating that the virtual address is within the first preselected range. The first mechanism is adapted to generate a first physical address from the virtual address in response to receiving the first signal, and the second mechanism is adapted to generate a second physical address from the virtual address in response to receiving the second signal.

Abstract: Interruptable and re-enterable system management mode (SMM) programming code. The code includes one or more instructions, an entry or exit location, and one or more instructions. The code is executable while the personal computer system is in SMM.

Abstract: A memory management unit (MMU) is disclosed for managing a memory storing data arranged within a multiple memory pages. The memory management unit includes a security check receiving a physical address within a selected memory page, and security attributes of the selected memory page. The security check unit uses the physical address to access one or more security attribute data structures located in the memory to obtain an additional security attribute of the selected memory page. The security check unit generates a fault signal dependent upon the security attributes of selected memory page and the additional security attribute of the selected memory page. The security attributes of the selected memory page may include a user/supervisor (U/S) bit and a read/write (R/W) bit as defined by the ×86 processor architecture. The one or more security attribute data structures may include a security attribute table directory and one or more security attribute tables.

Abstract: A communications system includes physical layer hardware and a processing unit. The physical layer hardware is adapted to communicate data over a communications channel in accordance with a plurality of control codes. The physical layer hardware is adapted to demodulate an incoming analog signal to generate a digital receive signal and modulate a digital transmit signal to generate an analog transmit signal. The processing unit is adapted to execute a privileged driver for interfacing with the physical layer hardware. The privileged driver includes program instructions for implementing a protocol layer to decode the digital receive signal, encode the digital transmit signal, and configure the physical layer hardware for receipt of the digital receive signal and transmission of the digital transmit signal based on the plurality of control codes.

Abstract: A device, method, and system for authenticating devices in a computer system. The device includes a storage location for storing a GUID. The device is configured to provide the GUID to a master in the computer system during a trusted setup. The device is further configured to provide at least an indication of the GUID during a data transaction. The computer system includes a master device and a device comprising a storage location for storing a GUID. The device is configured to provide the GUID to the master device during a trusted setup. The device is further configured to provide at least an indication of the GUID during a data transaction. The method includes providing a GUID and receiving a request for a data transaction. The method also includes transmitting data in the data transaction and at least an indication of the GUID in the data transaction and authenticating the data using at least the indication of the GUID in the data transaction.

Abstract: A computer system including a bus bridge for bridging transactions between a secure execution mode-capable processor and a security services processor. The bus bridge may include a transaction source detector, a configuration header and control logic. The transaction source detector may receive a security initialization transaction performed as a result of execution of a security initialization instruction. Further, the-transaction source detector may determine whether the secure execution mode-capable processor is a source of the security initialization transaction. The configuration header may provide storage of information associated with the security services processor. The control logic may determine whether the security services processor is coupled to the bus bridge via a non-enumerable, peripheral bus.

Abstract: A device for security and manageability. The device includes a port, one or more secured assets; and security hardware. The port is configured to receive at least one operating mode signal. The at least one operating mode signal is indicative of a first operating mode. The security hardware is coupled to receive the at least one operating mode signal. The security hardware is further coupled to control access to the secured assets dependant upon the at least one operating mode signal. Another device includes first bus interface logic for coupling to a first external bus, a port, one or more secured assets, and security hardware coupled to control the one or more secured assets. The port is configured to receive at least one operating mode signal, indicative of a first operating mode. The secured assets are coupled to the first bus interface logic.

Abstract: A memory management unit (MMU) is disclosed for managing a memory storing data arranged within a plurality of memory pages. The MMU includes a security check unit (SCU) receiving a physical address generated during execution of a current instruction. The physical address resides within a selected memory page. The SCU uses the physical address to access one or more security attribute data structures located in the memory to obtain a security attribute of the selected memory page, compares a numerical value conveyed by a security attribute of the current instruction to a numerical value conveyed by the security attribute of the selected memory page, and produces an output signal dependent upon a result of the comparison. The MMU accesses the selected memory page dependent upon the output signal. The security attribute of the selected memory page may include a security context identification (SCID) value indicating a security context level of the selected memory page.

Abstract: The initialization of a computer system including a secure execution mode-capable processor includes storing a secure operating system code segment loader to a plurality of locations corresponding to a particular range of addresses within a system memory. The method also includes executing a security initialization instruction. Executing the security initialization instruction may cause several operations to be performed including transmitting a start transaction including a base address of the particular range of addresses. In addition, executing the security instruction may also cause another operation to be performed including retrieving the secure operating system code segment loader from the system memory and transmitting the secure operating system code segment loader for validation as a plurality of data transactions.

Abstract: A computer system includes a processor which may initialize a secure execution mode by executing a security initialization instruction. Further, the processor may operate in the secure execution mode by executing a secure operating system code segment. The computer system also includes an input/output (I/O) interface coupled to the processor via an I/O link. The I/O interface may receive transactions performed as a result of the execution of the security initialization instruction. The transactions include at least a portion of the secure operating system code segment. The I/O interface may also determine whether the processor is a source of the transactions. The computer system further includes a security services processor coupled to the I/O interface via a peripheral bus. The I/O interface may convey the transactions to the security services processor dependent upon determining that the processor is the source of the transactions.

Abstract: An apparatus is provided for providing security in a computer system. The apparatus comprises an address generator, a multi-level lookup table, and a cache. The address generator is adapted for producing an address associated with a memory location in the computer system. The multi-level lookup table is adapted for receiving at least a portion of said address and delivering security attributes stored therein associated with said address, wherein the security attributes are associated with each page of memory in the computer system. The cache is a high-speed memory that contains a subset of the information contained in the multi-level lookup table, and may be used to speed the overall retrieval of the requested security attributes when the requested information is present in the cache.

Abstract: A method and an apparatus for performing a virtual memory access. A software object is executed. A security level for the software object is established. A secondary table is established. A memory access request based upon the executing of the software object is received. At least one security level that corresponds to a segment in the secondary table is determined. A match between an execution security level and a security level associated with a segment being accessed is verified in response to an execution of the software object. A virtual memory address based upon the secondary table in response to a match between the execution security level and the security level associated with the segment being accessed is determined. A physical memory location corresponding to the virtual memory address is located. A portion of a memory based upon locating the physical memory location is accessed.

Abstract: A method and an apparatus for performing an I/O device access using targeted security. A software object is executed. A security level for the software object is established. A multi-table input/output (I/O) space access is performed using at least one of the security levels. The function of the object is executed.

Abstract: A method and system for performing the method. a method is provided. The method includes executing an insecure routine and receiving a request from the insecure routine. The method also includes performing a first evaluation of the request in hardware, and performing a second evaluation of the request in a secure routine in software. The computer system includes a processor configurable to execute a secure routine and an insecure routine. The computer system also includes hardware coupled to perform a first evaluation of a request associated with the insecure routine. The hardware is further configured to provide a notification of the request to the secure routine. The secure routine is configured to perform a second evaluation of the request. The secure routine is further configured to deny a requested response to the request.

Abstract: A method and system for handling a security exception. The method includes creating a security exception stack frame in secure memory at a base address. The method also includes writing a faulting code sequence address and one or more register values into the security exception stack frame, and executing a plurality of security exception instructions.