Abstract: An embodiment involves secure memory implementation for secure execution of virtual machines. Data is processed in a first mode and a second mode, and commands are sent to a chip interconnect bus using real addresses, wherein the chip interconnect bus includes a number of bits for the real addresses. A memory controller is operatively coupled to a memory component. A secure memory range is specified by using range registers. If the real address is detected to be in the secure memory range to match a memory component address, a real address bit is set. If the real address is in the memory address hole, a security access violation is detected. If the real address is not in the secure address range and the real address bit is set, the security access violation is detected.

Abstract: Hardware based isolation for secure execution of virtual machines (VMs). At least one virtual machine is executed via operation of a hypervisor and an ultravisor. A first memory component is configured for access by the hypervisor and the ultravisor, and a second memory component is configured for access by the ultravisor and not by the hypervisor. A first mode of operation is operated, such that the virtual machine is executed using the hypervisor, wherein the first memory component is accessible to the virtual machine and the second memory component is not accessible to the virtual machine. A second mode of operation is operated, such that the virtual machine is executed using the ultravisor, wherein the first memory component and the second memory component are accessible to the virtual machine, thereby executing application code and operating system code using the second memory component without code changes.

Abstract: Techniques for improving the security of nonvolatile memory such as magnetic random access memory (MRAM) are provided. In one aspect, a method of operating a nonvolatile memory chip is provided. The method includes: overwriting data stored on the nonvolatile memory chip automatically upon the nonvolatile memory chip being powered on. For example, all bits in the nonvolatile memory chip can be written to either i) a predetermined data state (e.g., a logic 1 or a logic 0) or ii) a random data state. A system is also provided that includes: a nonvolatile memory chip; and a writing circuit configured to overwrite data stored on the nonvolatile memory chip automatically upon the nonvolatile memory chip being powered on.

Abstract: Techniques for improving the security of nonvolatile memory such as magnetic random access memory (MRAM) are provided. In one aspect, a method of operating a nonvolatile memory chip is provided. The method includes: overwriting data stored on the nonvolatile memory chip automatically upon the nonvolatile memory chip being powered on. For example, all bits in the nonvolatile memory chip can be written to either i) a predetermined data state (e.g., a logic 1 or a logic 0) or ii) a random data state. A system is also provided that includes: a nonvolatile memory chip; and a writing circuit configured to overwrite data stored on the nonvolatile memory chip automatically upon the nonvolatile memory chip being powered on.

Abstract: A secure computer architecture is provided. With this architecture, data is received, in a component of an integrated circuit chip implementing the secure computer architecture, for transmission across a data communication link. The data is converted, by the component, to one or more first fixed length frames. The one or more first fixed length frames are then transmitted, by the component, on the data communication link in a continuous stream of frames. The continuous stream of frames includes one or more second fixed length frames generated when no data is available for inclusion in the frames of the continuous stream.

Abstract: Secure extraction of state information of a computer system is provided. A method includes obtaining, by a security engine of a system, a public encryption key associated with a private decryption key; generating an extraction key that is inaccessible outside of the security engine; encrypting the extraction key with the public encryption key, to thereby obtain an encrypted extraction key; collecting state information of the system; encrypting the collected state information with the extraction key and storing the encrypted collected state information; and based on a request for access to the stored encrypted collected state information by a request for the extraction key, providing the extraction key to facilitate decryption of the stored encrypted state information.

Abstract: Secure extraction of state information of a computer system is provided. A method includes obtaining, by a security engine of a system, a public encryption key associated with a private decryption key; generating an extraction key that is inaccessible outside of the security engine; encrypting the extraction key with the public encryption key, to thereby obtain an encrypted extraction key; collecting state information of the system; encrypting the collected state information with the extraction key and storing the encrypted collected state information; and based on a request for access to the stored encrypted collected state information by a request for the extraction key, providing the extraction key to facilitate decryption of the stored encrypted state information.

Abstract: Techniques and apparatus for utilizing bits in a translation look aside buffer (TLB) table to identify and access security parameters to be used in securely accessing data are provided. Any type of bits in the TLB may be used, such as excess bits in a translated address, excess attribute bits, or special purpose bits added specifically for security purposes. In some cases, the security parameters may include an index into a key table for use in retrieving a set of one or more keys to use for encryption and/or decryption.

Abstract: A mechanism is provided for performing secure recursive virtualization of a computer system. A portion of memory is allocated by a virtual machine monitor (VMM) or an operating system (OS) to a new domain. An initial program for the new domain is loaded into the portion of memory. Secure recursive virtualization firmware (SVF) in the data processing system is called to request that the new domain be generated. A determination is made as to whether the call is from a privileged domain or a non-privileged domain. Responsive to the request being from a privileged domain, all access to the new domain is removed from any other domain in the data processing system. Responsive to receiving an indication that the new domain has been generated, an execution of the initial program is scheduled.

Abstract: Techniques and apparatus for utilizing bits in a translation look aside buffer (TLB) table to identify and access security parameters to be used in securely accessing data are provided. Any type of bits in the TLB may be used, such as excess bits in a translated address, excess attribute bits, or special purpose bits added specifically for security purposes. In some cases, the security parameters may include an index into a key table for use in retrieving a set of one or more keys to use for encryption and/or decryption.

Abstract: Techniques and apparatus for utilizing bits in a translation look aside buffer (TLB) table to identify and access security parameters to be used in securely accessing data are provided. Any type of bits in the TLB may be used, such as excess bits in a translated address, excess attribute bits, or special purpose bits added specifically for security purposes. In some cases, the security parameters may include an index into a key table for use in retrieving a set of one or more keys to use for encryption and/or decryption.

Abstract: A bottle packaging for shipment includes a bottom tray, and a top tray made of molded pulp fiber, such as newspaper pulp, and a cardboard partition support structure disposed between the trays. Cavities formed in the bottom and top trays are arranged to engage both ends of a bottle and include crushable elements that can axially engage each bottle. The support partition may be made of corrugated cardboard material and be arranged such that the cardboard flutes provide support for loads imparted to the sides of the carton when the carton is laying on its side. The partition forms a void surrounding each bottle in the area of its labels. In this way, structural support and cushioning can be provided to the packaged bottles from all directions.

Abstract: Disclosed are a processor and processing method that provide non-hierarchical computer security enhancements for context states. The processor can comprise a context control unit that uses context identifier tags associated with corresponding contexts to control access by the contexts to context information (i.e., context states) contained in the processor's non-stackable and/or stackable registers. For example, in response to an access request, the context control unit can grant a specific context access to a register only when that register is tagged with a specific context identifier tag. If the register is tagged with another context identifier tag, the contents of the specific register are saved in a context save area of memory and the previous context states of the specific context are restored to the specific register before access can be granted.

Abstract: Electronic devices and methods are disclosed to provide and to test a physically unclonable function (PUF) based on relative threshold voltages of one or more pairs of transistors. In a particular embodiment, an electronic device is operable to generate a response to a challenge. The electronic device includes a plurality of transistors, with each of the plurality of transistors having a threshold voltage substantially equal to an intended threshold voltage. The electronic device includes a challenge input configured to receive the challenge. The challenge input includes one or more bits that are used to individually select each of a pair of transistors of the plurality of transistors. The electronic device also includes a comparator to receive an output voltage from each of the pair of transistors and to generate a response indicating which of the pair of transistors has the higher output voltage.

Abstract: A bottle packaging for shipment includes a bottom tray, and a top tray made of molded pulp fiber, such as newspaper pulp, and a cardboard partition support structure disposed between the trays. Cavities formed in the bottom and top trays are arranged to engage both ends of a bottle and include crushable elements that can axially engage each bottle. The support partition may be made of corrugated cardboard material and be arranged such that the cardboard flutes provide support for loads imparted to the sides of the carton when the carton is laying on its side. The partition forms a void surrounding each bottle in the area of its labels. In this way, structural support and cushioning can be provided to the packaged bottles from all directions.

Abstract: A bottle packaging for shipment includes a bottom tray, and a top tray made of molded pulp fiber, such as newspaper pulp, and a cardboard partition support structure disposed between the trays. Cavities formed in the bottom and top trays are arranged to engage both ends of a bottle and include crushable elements that can axially engage each bottle. The support partition may be made of corrugated cardboard material and be arranged such that the cardboard flutes provide support for loads imparted to the sides of the carton when the carton is laying on its side. The partition forms a void surrounding each bottle in the area of its labels. In this way, structural support and cushioning can be provided to the packaged bottles from all directions.

Abstract: A secure computer architecture is provided. With this architecture, data is received, in a component of an integrated circuit chip implementing the secure computer architecture, for transmission across a data communication link. The data is converted, by the component, to one or more first fixed length frames. The one or more first fixed length frames are then transmitted, by the component, on the data communication link in a continuous stream of frames. The continuous stream of frames includes one or more second fixed length frames generated when no data is available for inclusion in the frames of the continuous stream.

Abstract: A mechanism is provided for performing secure recursive virtualization of a computer system. A portion of memory is allocated by a virtual machine monitor (VMM) or an operating system (OS) to a new domain. An initial program for the new domain is loaded into the portion of memory. Secure recursive virtualization firmware (SVF) in the data processing system is called to request that the new domain be generated. A determination is made as to whether the call is from a privileged domain or a non-privileged domain. Responsive to the request being from a privileged domain, all access to the new domain is removed from any other domain in the data processing system. Responsive to receiving an indication that the new domain has been generated, an execution of the initial program is scheduled.

Abstract: A recursive logical partition real memory map mechanism is provided for use in address translation. The mechanism, which is provided in a data processing system, receives a first address based on an address submitted from a process of a currently active logical partition. The first address is translated into a second address using a recursive logical partition real memory (RLPRM) map data structure for the currently active logical partition. The memory is accessed using the second address. The RLPRM map data structure provides a plurality of translation table pointers, each translation table pointer pointing to a separate page table for a separate level of virtualization in the data processing system with the data processing system supporting multiple levels of virtualization.

Abstract: A mechanism is provided for performing secure recursive virtualization of a computer system. A portion of memory is allocated by a virtual machine monitor (VMM) or an operating system (OS) to a new domain. An initial program for the new domain is loaded into the portion of memory. Secure recursive virtualization firmware (SVF) in the data processing system is called to request that the new domain be generated. A determination is made as to whether the call is from a privileged domain or a non-privileged domain. Responsive to the request being from a privileged domain, all access to the new domain is removed from any other domain in the data processing system. Responsive to receiving an indication that the new domain has been generated, an execution of the initial program is scheduled.