Abstract: Technologies for untrusted code execution include a computing device having a processor with sandbox support. The computing device executes code included in a native domain in a non-privileged, native processor mode. The computing device may invoke a sandbox jump processor instruction during execution of the code in the native domain to enter a sandbox domain. The computing device executes code in the sandbox domain in a non-privileged, sandbox processor mode in response to invoking the sandbox jump instruction. While executing in the sandbox processor mode, the processor denies access to memory outside of the sandbox domain and may deny execution of one or more prohibited instructions. From the sandbox domain, the computing device may execute a sandbox exit instruction to exit the sandbox domain and resume execution in the native domain. The computing device may execute processor instructions to configure the sandbox domain. Other embodiments are described and claimed.

Abstract: A processor includes a range register to store information that identifies a reserved range of memory associated with a secure arbitration mode (SEAM) and a core coupled to the range register. The core includes security logic to unlock the range register on a logical processor, of the processor core, that is to initiate the SEAM. The logical processor is to, via execution of the security logic, store, in the reserved range, a SEAM module and a manifest associated with the SEAM module, wherein the SEAM module supports execution of one or more trust domains; initialize a SEAM virtual machine control structure (VMCS) within the reserved range of the memory that is to control state transitions between a virtual machine monitor (VMM) and the SEAM module; and authenticate the SEAM module using a manifest signature of the manifest.

Abstract: Methods and apparatuses relating to switching of a shadow stack pointer are described. In one embodiment, a hardware processor includes a hardware decode unit to decode an instruction, and a hardware execution unit to execute the instruction to: pop a token for a thread from a shadow stack, wherein the token includes a shadow stack pointer for the thread with at least one least significant bit (LSB) of the shadow stack pointer overwritten with a bit value of an operating mode of the hardware processor for the thread, remove the bit value in the at least one LSB from the token to generate the shadow stack pointer, and set a current shadow stack pointer to the shadow stack pointer from the token when the operating mode from the token matches a current operating mode of the hardware processor.

Abstract: In an embodiment, the present invention includes a processor having an execution logic to execute instructions and a control transfer termination (CTT) logic coupled to the execution logic. This logic is to cause a CTT fault to be raised if a target instruction of a control transfer instruction is not a CTT instruction. Other embodiments are described and claimed.

Abstract: Implementations describe a computing system that implements a plurality of virtual machines inside a trust domain (TD), enabled via a secure arbitration mode (SEAM) of the processor. A processor includes one or more registers to store a SEAM range of memory, a TD key identifier of a TD private encryption key. The processor is capable of initializing a trust domain resource manager (TDRM) to manage the TD, and a virtual machine monitor within the TD to manage the plurality of virtual machines therein. The processor is further capable of exclusively associating a plurality of memory pages with the TD, wherein the plurality of memory pages associated with the TD is encrypted with a TD private encryption key inaccessible to the TDRM. The processor is further capable of using the SEAM range of memory, inaccessible to the TDRM, to provide isolation between the TDRM and the plurality of virtual machines.

Abstract: A processor includes a range register to store information that identifies a reserved range of memory associated with a secure arbitration mode (SEAM) and a core coupled to the range register. The core includes security logic to unlock the range register on a logical processor, of the processor core, that is to initiate the SEAM. The logical processor is to, via execution of the security logic, store, in the reserved range, a SEAM module and a manifest associated with the SEAM module, wherein the SEAM module supports execution of one or more trust domains; initialize a SEAM virtual machine control structure (VMCS) within the reserved range of the memory that is to control state transitions between a virtual machine monitor (VMM) and the SEAM module; and authenticate the SEAM module using a manifest signature of the manifest.

Abstract: Technologies for untrusted code execution include a computing device having a processor with sandbox support. The computing device executes code included in a native domain in a non-privileged, native processor mode. The computing device may invoke a sandbox jump processor instruction during execution of the code in the native domain to enter a sandbox domain. The computing device executes code in the sandbox domain in a non-privileged, sandbox processor mode in response to invoking the sandbox jump instruction. While executing in the sandbox processor mode, the processor denies access to memory outside of the sandbox domain and may deny execution of one or more prohibited instructions. From the sandbox domain, the computing device may execute a sandbox exit instruction to exit the sandbox domain and resume execution in the native domain. The computing device may execute processor instructions to configure the sandbox domain. Other embodiments are described and claimed.

Abstract: A processor implementing techniques for processor extensions to protect stacks during ring transitions is provided. In one embodiment, the processor includes a plurality of registers and a processor core, operatively coupled to the plurality of registers. The plurality of registers is used to store data used in privilege level transitions. Each register of the plurality of registers is associated with a privilege level. An indicator to change a first privilege level of a currently active application to a second privilege level is received. In view of the second privilege level, a shadow stack pointer (SSP) stored in a register of the plurality of registers is selected. The register is associated with the second privilege level. By using the SSP, a shadow stack for use by the processor at the second privilege level is identified.

Abstract: A processor of an aspect includes a decode unit to decode an instruction. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the instruction, is to determine that an attempted change due to the instruction, to a shadow stack pointer of a shadow stack, would cause the shadow stack pointer to exceed an allowed range. The execution unit is also to take an exception in response to determining that the attempted change to the shadow stack pointer would cause the shadow stack pointer to exceed the allowed range. Other processors, methods, systems, and instructions are disclosed.

Abstract: Data integrity logic is executable by a processor to generate a data integrity code using a hardware-based secret. A container manager, executable by the processor, creates a secured container including report generation logic that determines measurements of the secured container, generates a report according to a defined report format, and sends a quote request including the report. The defined report format includes a field to include the measurements and a field to include the data integrity code, and the report format is compatible for consumption by any one of a plurality of different quote creator types.

Abstract: In an embodiment, the present invention includes a processor having an execution logic to execute instructions and a control transfer termination (CTT) logic coupled to the execution logic. This logic is to cause a CTT fault to be raised if a target instruction of a control transfer instruction is not a CTT instruction. Other embodiments are described and claimed.

Abstract: In a method to utilize a secure public cloud, a computer receives a domain manager image and memory position-dependent address information in response to requesting a service from a cloud services provider. The computer also verifies the domain manager image and identifies a key domain key to be used to encrypt data stored in a key domain of a key domain-capable server. The computer also uses the key domain key and the memory-position dependent address information to encrypt a domain launch image such that the encrypted domain launch image is cryptographically bound to at least one memory location of the key domain. The computer also encrypts the key domain key and sends the encrypted domain launch image and the encrypted key domain key to the key domain-capable server, to cause a processor of the key domain-capable server to create the key domain. Other embodiments are described and claimed.

Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.

Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.

Abstract: A processor implementing techniques for processor extensions to protect stacks during ring transitions is provided. In one embodiment, the processor includes a plurality of registers and a processor core, operatively coupled to the plurality of registers. The plurality of registers is used to store data used in privilege level transitions. Each register of the plurality of registers is associated with a privilege level. An indicator to change a first privilege level of a currently active application to a second privilege level is received. In view of the second privilege level, a shadow stack pointer (SSP) stored in a register of the plurality of registers is selected. The register is associated with the second privilege level. By using the SSP, a shadow stack for use by the processor at the second privilege level is identified.

Abstract: Implementations describe a computing system that implements a plurality of virtual machines inside a trust domain (TD), enabled via a secure arbitration mode (SEAM) of the processor. A processor includes one or more registers to store a SEAM range of memory, a TD key identifier of a TD private encryption key. The processor is capable of initializing a trust domain resource manager (TDRM) to manage the TD, and a virtual machine monitor within the TD to manage the plurality of virtual machines therein. The processor is further capable of exclusively associating a plurality of memory pages with the TD, wherein the plurality of memory pages associated with the TD is encrypted with a TD private encryption key inaccessible to the TDRM. The processor is further capable of using the SEAM range of memory, inaccessible to the TDRM, to provide isolation between the TDRM and the plurality of virtual machines.

Abstract: Enforcing memory operand types using protection keys is generally described herein. A processor system to provide sandbox execution support for protection key rights attacks includes a processor core to execute a task associated with an untrusted application and execute the task using a designated page of a memory; and a memory management unit to designate the page of the memory to support execution of the untrusted application.

Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.

Abstract: A processor includes a range register to store information that identifies a reserved range of memory associated with a secure arbitration mode (SEAM) and a core coupled to the range register. The core includes security logic to unlock the range register on a logical processor, of the processor core, that is to initiate the SEAM. The logical processor is to, via execution of the security logic, store, in the reserved range, a SEAM module and a manifest associated with the SEAM module, wherein the SEAM module supports execution of one or more trust domains; initialize a SEAM virtual machine control structure (VMCS) within the reserved range of the memory that is to control state transitions between a virtual machine monitor (VMM) and the SEAM module; and authenticate the SEAM module using a manifest signature of the manifest.

Abstract: Methods and apparatuses relating to switching of a shadow stack pointer are described. In one embodiment, a hardware processor includes a hardware decode unit to decode an instruction, and a hardware execution unit to execute the instruction to: pop a token for a thread from a shadow stack, wherein the token includes a shadow stack pointer for the thread with at least one least significant bit (LSB) of the shadow stack pointer overwritten with a bit value of an operating mode of the hardware processor for the thread, remove the bit value in the at least one LSB from the token to generate the shadow stack pointer, and set a current shadow stack pointer to the shadow stack pointer from the token when the operating mode from the token matches a current operating mode of the hardware processor.