Abstract: Embodiments of an invention for protecting supervisor mode information are disclosed. In one embodiment, an apparatus includes a storage location, instruction hardware, execution hardware, and control logic. The storage location is to store an indicator to enable supervisor mode information protection. The instruction hardware is to receive an instruction to access supervisor mode information. The execution hardware is to execute the instruction. The control logic is to prevent execution of the instruction if supervisor mode information protection is enabled and a current privilege level is less privileged than a supervisor mode.

Abstract: An apparatus includes an extended capability register and an input/output (I/O) memory management circuitry. The I/O memory management circuitry is to receive, from an I/O device, an address translation request referencing a guest virtual address associated with a guest virtual address space of a virtual machine. The I/O memory management circuitry may translate the guest virtual address to a guest physical address associated with a guest physical address space of the virtual machine, and, responsive to determining that a value stored by the extended capability register indicates a restrict-translation-request-response (RTRR) mode, transmit, to the I/O device, a translation response having the guest physical address.

Abstract: Implementations of the disclosure provide for supporting oversubscription of guest enclave memory pages. In one implementation, a processing device comprising a memory controller unit to access a secure enclave and a processor core, operatively coupled to the memory controller unit. The processing device is to identify a target memory page in memory. The target memory page is associated with a secure enclave of a virtual machine (VM). A data structure comprising context information corresponding to the target memory page is received. A state of the target memory page is determined based on the received data structure. The state indicating whether the target memory page is associated with at least one of: a child memory page or a parent memory page of the VM. Thereupon, an instruction to evict the target memory page from the secure enclave is generated based on the determined state.

Abstract: Methods and apparatus are disclosed for efficient TLB (translation look-aside buffer) shoot-downs for heterogeneous devices sharing virtual memory in a multi-core system. Embodiments of an apparatus for efficient TLB shoot-downs may include a TLB to store virtual address translation entries, and a memory management unit, coupled with the TLB, to maintain PASID (process address space identifier) state entries corresponding to the virtual address translation entries. The PASID state entries may include an active reference state and a lazy-invalidation state. The memory management unit may perform atomic modification of PASID state entries responsive to receiving PASID state update requests from devices in the multi-core system and read the lazy-invalidation state of the PASID state entries. The memory management unit may send PASID state update responses to the devices to synchronize TLB entries prior to activation responsive to the respective lazy-invalidation state.

Abstract: An apparatus includes an extended capability register and an input/output (I/O) memory management circuitry. The I/O memory management circuitry is to receive, from an I/O device, an address translation request referencing a guest virtual address associated with a guest virtual address space of a virtual machine. The I/O memory management circuitry may translate the guest virtual address to a guest physical address associated with a guest physical address space of the virtual machine, and, responsive to determining that a value stored by the extended capability register indicates a restrict-translation-request-response (RTRR) mode, transmit, to the I/O device, a translation response having the guest physical address.

Abstract: A processor of an aspect includes a decode unit to decode an instruction. The instruction to indicate a first structure in a protected container memory and to indicate a second structure in the protected container memory. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the instruction, is to determine whether a status indicator is configured to allow at least one key to be exchanged between the first and second structures, and is to exchange the at least one key between the first and second structures when the status indicator is configured to allow the at least one key to be exchanged between the first and second structures.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to store data in a secure domain in a cloud network, create encryption keys, where each encryption key is to provide a different type of access to the data, and store the encryption keys in a secure domain key store in the cloud network. In an example, each encryption key provides access to a different version of the data. In another example, a counter engine stores the location of each version of the data in the cloud network.

Abstract: Methods and apparatus for using per task time slice information to improve dynamic performance state selection are described. In one embodiment, a new performance state is selected for a process based on one or more previous execution time slice values of the process. Other embodiments are also described.

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

Abstract: Technologies for multi-level virtualization include a computing device having a processor that supports a root virtualization mode and a non-root virtualization mode. A non-root hypervisor determines whether it is executed under control of a root hypervisor, and if so, registers a callback handler and trigger conditions with the root hypervisor. The non-root hypervisor hosts one or more virtual machines. In response to a virtual machine exit, the root hypervisor determines whether a callback handler has been registered for the virtual machine exit reason and, if so, evaluates the trigger conditions associated with the callback handler. If the trigger conditions are satisfied, the root hypervisor invokes the callback handler. The callback handler may update a virtual virtualization support object based on changes made by the root hypervisor to a virtualization support object. The root hypervisor may invoke the callback handler in the non-root virtualization mode. Other embodiments are described and claimed.

Abstract: A processor of an aspect includes a decode unit to decode a user-level suspend thread instruction that is to indicate a first alternate state. The processor also includes an execution unit coupled with the decode unit. The execution unit is to perform the instruction at a user privilege level. The execution unit in response to the instruction, is to: (a) suspend execution of a user-level thread, from which the instruction is to have been received; (b) transition a logical processor, on which the user-level thread was to have been running, to the indicated first alternate state; and (c) resume the execution of the user-level thread, when the logical processor is in the indicated first alternate state, with a latency that is to be less than half a latency that execution of a thread can be resumed when the logical processor is in a halt processor power state.

Abstract: Technologies for multi-level virtualization include a computing device having a processor that supports a root virtualization mode and a non-root virtualization mode. A non-root hypervisor determines whether it is executed under control of a root hypervisor, and if so, registers a callback handler and trigger conditions with the root hypervisor. The non-root hypervisor hosts one or more virtual machines. In response to a virtual machine exit, the root hypervisor determines whether a callback handler has been registered for the virtual machine exit reason and, if so, evaluates the trigger conditions associated with the callback handler. If the trigger conditions are satisfied, the root hypervisor invokes the callback handler. The callback handler may update a virtual virtualization support object based on changes made by the root hypervisor to a virtualization support object. The root hypervisor may invoke the callback handler in the non-root virtualization mode. Other embodiments are described and claimed.

Abstract: Embodiments of an invention for protecting supervisor mode information are disclosed. In one embodiment, an apparatus includes a storage location, instruction hardware, execution hardware, and control logic. The storage location is to store an indicator to enable supervisor mode information protection. The instruction hardware is to receive an instruction to access supervisor mode information. The execution hardware is to execute the instruction. The control logic is to prevent execution of the instruction if supervisor mode information protection is enabled and a current privilege level is less privileged than a supervisor mode.

Abstract: Apparatuses and methods for supervisor mode execution protection are disclosed. In one embodiment, a processor includes an interface to access a memory, execution hardware, and control logic. A region in the memory is user memory. The execution hardware is to execute an instruction. The control logic is to prevent the execution hardware from executing the instruction when the instruction is stored in user memory and the processor is in supervisor mode.

Abstract: An example processing system may comprise: a lower stack bound register configured to store a first memory address, the first memory address identifying a lower bound of a memory addressable via a stack segment; an upper stack bound register configured to store a second memory address, the second memory address identifying an upper bound of the memory addressable via the stack segment; and a stack bounds checking logic configured to detect unauthorized stack pivoting, by comparing a memory address being accessed via the stack segment with at least one of the first memory address and the second memory address.

Abstract: Apparatuses and methods for supervisor mode execution protection are disclosed. In one embodiment, a processor includes an interface to access a memory, execution hardware, and control logic. A region in the memory is user memory. The execution hardware is to execute an instruction. The control logic is to prevent the execution hardware from executing the instruction when the instruction is stored in user memory and the processor is in supervisor mode.

Abstract: Method, apparatus and system embodiments to schedule OS-independent “shreds” without intervention of an operating system. For at least one embodiment, the shred is scheduled for execution by a scheduler routine rather than the operating system. A scheduler routine may run on each enabled sequencer. The schedulers may retrieve shred descriptors from a queue system. The sequencer associated with the scheduler may then execute the shred described by the descriptor. Other embodiments are also described and claimed.

Abstract: An example processing system may comprise: a lower stack bound register configured to store a first memory address, the first memory address identifying a lower bound of a memory addressable via a stack segment; an upper stack bound register configured to store a second memory address, the second memory address identifying an upper bound of the memory addressable via the stack segment; and a stack bounds checking logic configured to detect unauthorized stack pivoting, by comparing a memory address being accessed via the stack segment with at least one of the first memory address and the second memory address.

Abstract: Method, apparatus and system embodiments to schedule OS-independent “shreds” without intervention of an operating system. For at least one embodiment, the shred is scheduled for execution by a scheduler routine rather than the operating system. A scheduler routine may run on each enabled sequencer. The schedulers may retrieve shred descriptors from a queue system. The sequencer associated with the scheduler may then execute the shred described by the descriptor. Other embodiments are also described and claimed.