Patents by Inventor Ravi Sahita

Ravi Sahita has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20210173794
    Abstract: Embodiments are directed to providing a secure address translation service.
    Type: Application
    Filed: December 23, 2020
    Publication date: June 10, 2021
    Applicant: Intel Corporation
    Inventors: David Koufaty, Anna Trikalinou, Utkarsh Y. Kakaiya, Ravi Sahita, Ramya Jayaram Masti
  • Patent number: 11029957
    Abstract: Systems, methods, and apparatuses relating to instructions to compartmentalize memory accesses and execution (e.g., non-speculative and speculative) are described.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: June 8, 2021
    Assignee: Intel Corporation
    Inventors: Ravi Sahita, Deepak Gupta, Vedvyas Shanbhogue, David Hansen, Jason W. Brandt, Joseph Nuzman, Mingwei Zhang
  • Patent number: 11016773
    Abstract: Embodiments described herein provide for a computing device comprising a hardware processor including a processor trace module to generate trace data indicative of an order of instructions executed by the processor, wherein the processor trace module is configurable to selectively output a processor trace packet associated with execution of a selected non-deterministic control flow transfer instruction.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: May 25, 2021
    Assignee: INTEL CORPORATION
    Inventors: Salmin Sultana, Beeman Strong, Ravi Sahita
  • Publication number: 20210141658
    Abstract: Methods and apparatus for trusted devices using trust domain extensions. The method is implemented on a compute platform including one or more devices and a set of hardware, firmware, and software components associated with a trusted computing base (TCB), including a host operating system and virtual machine manager (VMM). A device trust domain (dTD) is implemented in a trusted address space that is separate from the TCB, and one or multiple of the devices are bound to the dTD, which enables one or more virtual machines (VMs) or trusted domains (TDs) to access one or more functions provided by the bound device(s) in a secure and trusted manner. Firmware from a device is onloaded to the dTD and executed in the trusted address space to facilitate secure access to functions provided by the bound devices without using the VMM. Moreover, the VMM and any other software in the TCB cannot access data such as cryptographic keys and secrets that are employed by the dTD.
    Type: Application
    Filed: November 11, 2020
    Publication date: May 13, 2021
    Inventors: Ravi Sahita, Vedvyas Shanbhogue
  • Patent number: 11003597
    Abstract: In embodiments, an apparatus for computing includes a protection key register (PKR) having 2N bits, where N is an integer, to store a plurality of permission entries corresponding to protected memory domains, and a protected memory domain controller, coupled to the PKR. In embodiments, the memory domain controller is to: obtain protection key (PK) bits from a page table entry for a target page address; obtain one or more additional PK bits from a target linear memory address; and combine the PK bits and the additional PK bits to form a PK domain number to index into the plurality of permission entries in the PKR to obtain a permission entry for a protected memory domain.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: May 11, 2021
    Assignee: Intel Corporation
    Inventors: Mingwei Zhang, Ravi Sahita, David A. Koufaty
  • Publication number: 20210117249
    Abstract: Examples described herein relate to an Infrastructure Processing Unit (IPU) that comprises: interface circuitry to provide a communicative coupling with a platform; network interface circuitry to provide a communicative coupling with a network medium; and circuitry to expose infrastructure services to be accessed by microservices for function composition and to selectively provide a barrier to halt operation of at least one microservice based on event data from a composite node that performs the at least one microservice.
    Type: Application
    Filed: December 26, 2020
    Publication date: April 22, 2021
    Inventors: Kshitij A. DOSHI, Johan VAN DE GROENENDAAL, Edmund CHEN, Ravi SAHITA, Andrew J. HERDRICH, Debra BERNSTEIN, Christine E. SEVERNS-WILLIAMS, Uri V. CUMMINGS, Utkarsh Y. KAKAIYA
  • Publication number: 20210117242
    Abstract: Examples described herein relate to an Infrastructure Processing Unit (IPU) that comprises: interface circuitry to provide a communicative coupling with a platform; network interface circuitry to provide a communicative coupling with a network medium; and circuitry to expose infrastructure services to be accessed by microservices for function composition.
    Type: Application
    Filed: December 26, 2020
    Publication date: April 22, 2021
    Inventors: Johan VAN DE GROENENDAAL, Kshitij A. DOSHI, Edmund CHEN, Ravi SAHITA, Andrew J. HERDRICH, Debra BERNSTEIN, Christine E. SEVERNS-WILLIAMS, Uri V. CUMMINGS, Utkarsh Y. KAKAIYA
  • Publication number: 20210117535
    Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.
    Type: Application
    Filed: December 7, 2020
    Publication date: April 22, 2021
    Inventors: Michael LEMAY, David M. DURHAM, Michael E. KOUNAVIS, Barry E. HUNTLEY, Vedvyas SHANBHOGUE, Jason W. BRANDT, Josh TRIPLETT, Gilbert NEIGER, Karanvir GREWAL, Baiju PATEL, Ye ZHUANG, Jr-Shian TSAI, Vadim SUKHOMLINOV, Ravi SAHITA, Mingwei ZHANG, James C. FARWELL, Amitabh DAS, Krishna BHUYAN
  • Publication number: 20210089466
    Abstract: Examples include an apparatus which accesses secure pages in a trust domain using secure lookups in first and second sets of page tables. For example, one embodiment of the processor comprises: a decoder to decode a plurality of instructions including instructions related to a trusted domain; execution circuitry to execute a first one or more of the instructions to establish a first trusted domain using a first trusted domain key, the trusted domain key to be used to encrypt memory pages within the first trusted domain; and the execution circuitry to execute a second one or more of the instructions to associate a first process address space identifier (PASID) with the first trusted domain, the first PASID to uniquely identify a first execution context associated with the first trusted domain.
    Type: Application
    Filed: August 5, 2020
    Publication date: March 25, 2021
    Inventors: Vedvyas SHANBHOGUE, Ravi SAHITA, Rajesh SANKARAN, Siddhartha CHHABRA, Abhishek BASAK, Krystof ZMUDZINSKI, Rupin VAKHARWALA
  • Patent number: 10901772
    Abstract: Embodiments of an invention for virtualization exceptions are disclosed. In one embodiment, a processor includes instruction hardware, control logic, and execution hardware. The instruction hardware is to receive a plurality of instructions, including an instruction to enter a virtual machine. The control logic is to determine, in response to a privileged event occurring within the virtual machine, whether to generate a virtualization exception. The execution hardware is to generate a virtualization exception in response to the control logic determining to generate a virtualization exception.
    Type: Grant
    Filed: April 10, 2019
    Date of Patent: January 26, 2021
    Assignee: Intel Corporation
    Inventors: Gilbert Neiger, Mayank Bomb, Manohar Castelino, Robert Chappell, David Durham, Barry Huntley, Anton Ivanov, Madhavan Parthasarathy, Scott Rodgers, Ravi Sahita, Vedvyas Shanbhogue
  • Patent number: 10884952
    Abstract: Enforcing memory operand types using protection keys is generally described herein. A processor system to provide sandbox execution support for protection key rights attacks includes a processor core to execute a task associated with an untrusted application and execute the task using a designated page of a memory; and a memory management unit to designate the page of the memory to support execution of the untrusted application.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: January 5, 2021
    Assignee: Intel Corporation
    Inventors: Michael Lemay, David A Koufaty, Ravi Sahita
  • Patent number: 10860709
    Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: December 8, 2020
    Assignee: Intel Corporation
    Inventors: Michael Lemay, David M. Durham, Michael E. Kounavis, Barry E. Huntley, Vedvyas Shanbhogue, Jason W. Brandt, Josh Triplett, Gilbert Neiger, Karanvir Grewal, Baiju V. Patel, Ye Zhuang, Jr-Shian Tsai, Vadim Sukhomlinov, Ravi Sahita, Mingwei Zhang, James C. Farwell, Amitabh Das, Krishna Bhuyan
  • Publication number: 20200372188
    Abstract: An apparatus to facilitate security of a shared memory resource is disclosed. The apparatus includes a memory device to store memory data, wherein the memory device comprises a plurality of private memory pages associated with one or more trusted domains and a cryptographic engine to encrypt and decrypt the memory data, including a key encryption table having a key identifier associated with each trusted domain to access a private memory page, wherein a first key identifier is generated to perform direct memory access (DMA) transfers for each of a plurality of input/output (I/O) devices.
    Type: Application
    Filed: August 14, 2020
    Publication date: November 26, 2020
    Applicant: Intel Corporation
    Inventors: Abhishek Basak, Pradeep Pappachan, Siddhartha Chhabra, Alpa Narendra Trivedi, Erdem Aktas, Ravi Sahita
  • Patent number: 10810305
    Abstract: Systems, apparatuses and methods may provide technology for securing untrusted code using memory protection keys and control flow integrity, by applying a memory protection key to one or more memory regions, enforcing control flow integrity with respect to the one or more memory regions, and executing untrusted code in an isolated region of the one or more memory regions.
    Type: Grant
    Filed: February 19, 2018
    Date of Patent: October 20, 2020
    Assignee: Intel Corporation
    Inventors: Mingwei Zhang, Ravi Sahita
  • Patent number: 10802989
    Abstract: Embodiments of this disclosure are directed to an execution profiling handler configured for intercepting an invocation of memory allocation library and observing memory allocation for an executable application process. The observed memory allocation can be used to update memory allocation meta-data for tracking purposes. The execution profiling handler can also intercept indirect branch calls to prevent heap allocation from converting to execution and intercept exploitation of heap memory to block execution.
    Type: Grant
    Filed: March 19, 2019
    Date of Patent: October 13, 2020
    Assignee: McAfee, LLC
    Inventors: Xiaoning Li, Lixin Lu, Ravi Sahita
  • Publication number: 20200320196
    Abstract: A system for detecting malware includes a processor to collect processor trace information corresponding to an application being executed by the processor (202). The processor can also detect an invalid indirect branch instruction from the processor trace information (204) and detect at least one malware instruction being executed by the application in response to analyzing modified memory values corresponding to the invalid indirect branch (206). Additionally, the processor can block the application from accessing or modifying memory (208).
    Type: Application
    Filed: December 13, 2017
    Publication date: October 8, 2020
    Applicant: INTEL CORPORATION
    Inventors: Danyu Bi, Salmin Sultana, Yuanyuan Li, Yong Jiang, Pramod Pesara, Selvakumar Panneer, Ravi Sahita
  • Patent number: 10761996
    Abstract: Examples include an apparatus which accesses secure pages in a trust domain using secure lookups in first and second sets of page tables. For example, one embodiment of the processor comprises: a decoder to decode a plurality of instructions including instructions related to a trusted domain; execution circuitry to execute a first one or more of the instructions to establish a first trusted domain using a first trusted domain key, the trusted domain key to be used to encrypt memory pages within the first trusted domain; and the execution circuitry to execute a second one or more of the instructions to associate a first process address space identifier (PASID) with the first trusted domain, the first PASID to uniquely identify a first execution context associated with the first trusted domain.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: September 1, 2020
    Assignee: Intel Corporation
    Inventors: Vedvyas Shanbhogue, Ravi Sahita, Rajesh Sankaran, Siddhartha Chhabra, Abhishek Basak, Krystof Zmudzinski, Rupin Vakharwala
  • Patent number: 10754785
    Abstract: Methods and apparatus related to checkpointing for Solid State Drives (SSDs) that include no DRAM (Dynamic Random Access Memory) are described. In one embodiment, Non-Volatile Memory (NVM) stores an original Logical address to Physical address (L2P) table entry and a shadow L2P table entry. Allocation logic circuitry causes storage of the original L2P table entry and the shadow L2P table entry sequentially in the NVM. Data read from the shadow L2P table entry is capable to indicate a state of the original L2P table entry. Other embodiments are also disclosed and claimed.
    Type: Grant
    Filed: June 28, 2018
    Date of Patent: August 25, 2020
    Assignee: Intel Corporation
    Inventors: Mingwei Zhang, Zheng Zhang, Ravi Sahita
  • Publication number: 20200226071
    Abstract: Embodiments of this disclosure provide techniques to support memory paging between trust domains (TDs) in computer systems. In one embodiment, a processing device including a memory controller and a memory paging circuit is provided. The memory paging circuit is to insert a transportable page into a memory location associated with a trust domain (TD), the transportable page comprises encrypted contents of a first memory page of the TD. The memory paging circuit is further to create a third memory page associated with the TD by binding the transportable page to the TD, binding the transportable page to the TD comprises re-encrypting contents of the transportable page based on a key associated with the TD and a physical address of the memory location. The memory paging circuit is further to access contents of the third memory page by decrypting the contents of the third memory page using the key associated with the TD.
    Type: Application
    Filed: March 26, 2020
    Publication date: July 16, 2020
    Inventors: Hormuzd M. Khosravi, Baiju Patel, Ravi Sahita, Barry Huntley
  • Patent number: 10705976
    Abstract: Examples include a processor including at least one untrusted extended page table (EPT), circuitry to execute a set of instructions of the instruction set architecture (ISA) of the processor to manage at least one secure extended page table (SEPT), and a physical address translation component to translate a guest physical address of a guest physical memory to a host physical address of a host physical memory using one of the at least one untrusted EPT and the at least one SEPT.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: July 7, 2020
    Assignee: Intel Corporation
    Inventors: Ravi Sahita, Barry E. Huntley, Vedvyas Shanbhogue, Dror Caspi, Baruch Chaikin, Gilbert Neiger, Arie Aharon, Arumugam Thiyagarajah