Abstract: Detailed herein are systems, apparatuses, and methods for a computer architecture with instruction set support to mitigate against page fault and/or cache-based side-channel attacks. In an embodiment, a processor includes a decoder to decode an instruction into a decoded instruction, the instruction comprising a first field that indicates an instruction pointer to a user-level event handler; and an execution unit to execute the decoded instruction to, after a swap of an instruction pointer that indicates where an event occurred from a current instruction pointer register into a user-level event handler pointer register, push the instruction pointer that indicates where the event occurred onto call stack storage, and change a current instruction pointer in the current instruction pointer register to the instruction pointer to the user-level event handler.

Abstract: Embodiments of methods and apparatuses for hardware load hardening are disclosed. In an embodiment, a processor includes safe logic, data forwarding hardware, and data fetching hardware. The safe logic is to determine whether a load is safe. The data forwarding hardware is to, in response to a determination that the load is safe, forward data requested by the load. The data fetching logic is to fetch the data requested by the load, regardless of the determination that the load is safe.

Abstract: Embodiments of methods and apparatuses for restricted speculative execution are disclosed. In an embodiment, a processor includes configuration storage, an execution circuit, and a controller. The configuration storage is to store an indicator to enable a restricted speculative execution mode of operation of the processor, wherein the processor is to restrict speculative execution when operating in restricted speculative execution mode. The execution circuit is to perform speculative execution. The controller to restrict speculative execution by the execution circuit when the restricted speculative execution mode is enabled.

Abstract: Detailed herein are systems, apparatuses, and methods for a computer architecture with instruction set support to mitigate against page fault- and/or cache-based side-channel attacks. In an embodiment, an apparatus includes a decoder to decode a first instruction, the first instruction having a first field for a first opcode that indicates that execution circuitry is to set a first flag in a first register that indicates a mode of operation that redirects program flow to an exception handler upon the occurrence of an event. The apparatus further includes execution circuitry to execute the decoded first instruction to set the first flag in the first register that indicates the mode of operation and to store an address of an exception handler in a second register.

Abstract: A processor includes a processing core to identify a code comprising a plurality of instructions to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address of the first virtual memory page and a second address of the first physical memory page, store, in the cache memory, the address translation data structure comprising the first address mapping, and execute the code by retrieving the first address mapping in the address translation data structures to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address of

Abstract: Embodiments of apparatuses and methods including virtual address memory range registers are disclosed. In one embodiment, a processor includes a memory interface, address translation hardware, and virtual memory address comparison hardware. The memory interface is to access a system memory using a physical memory address. The address translation hardware is to support translation of a virtual memory address to the physical memory address. The virtual memory address is used by software to access a virtual memory location in the virtual memory address space of the processor. The virtual memory address comparison hardware is to determine whether the virtual memory address is within a virtual memory address range.

Abstract: An apparatus for sharing information between entities includes a processor and a trusted execution module executing on the processor. The trusted execution module is configured to receive first confidential information from a first client device associated with a first entity, seal the first confidential information within a trusted execution environment, receive second confidential information from a second client device associated with a second entity, seal the second confidential information within the trusted execution environment, and execute code within the trusted execution environment. The code is configured to compute a confidential result based upon the first confidential information and the second confidential information.

Abstract: Embodiments of an invention for securing transmissions between processor packages are disclosed. In one embodiment, an apparatus includes an encryption unit to encrypt first content to be transmitted from the apparatus to a processor package directly through a point-to-point link.

Abstract: Embodiments of an invention for feature licensing in a secure processing environment are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to initialize a secure enclave. The execution unit is to execute the instruction. Execution of the instruction includes determining whether a requested feature is licensed for use in the secure enclave.

Abstract: Embodiments of an invention for maintaining a secure processing environment across power cycles are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to evict a root version array page entry from a secure cache. The execution unit is to execute the instruction. Execution of the instruction includes generating a blob to contain information to maintain a secure processing environment across a power cycle and storing the blob in a non-volatile memory.

Abstract: In accordance with some embodiments, a protected execution environment may be defined for a graphics processing unit. This framework not only protects the workloads from malware running on the graphics processing unit but also protects those workloads from malware running on the central processing unit. In addition, the trust framework may facilitate proof of secure execution by measuring the code and data structures used to execute the workload. If a part of the trusted computing base of this framework or protected execution environment is compromised, that part can be patched remotely and the patching can be proven remotely throughout attestation in some embodiments.

Abstract: An apparatus and method for securely suspending and resuming the state of a processor. For example, one embodiment of a method comprises: generating a data structure including at least the monotonic counter value; generating a message authentication code (MAC) over the data structure using a first key; securely providing the data structure and the MAC to a module executed on the processor; the module verifying the MAC, comparing the monotonic counter value with a counter value stored during a previous suspend operation and, if the counter values match, then loading processor state required for the resume operation to complete. Another embodiment of a method comprises: generating a first key by a processor; securely sharing the first key with an off-processor component; and using the first key to generate a pairing ID usable to identify a pairing between the processor and the off-processor component.

Abstract: Embodiments of apparatuses and methods including virtual address memory range registers are disclosed. In one embodiment, a processor includes a memory interface, address translation hardware, and virtual memory address comparison hardware. The memory interface is to access a system memory using a physical memory address. The address translation hardware is to support translation of a virtual memory address to the physical memory address. The virtual memory address is used by software to access a virtual memory location in the virtual memory address space of the processor. The virtual memory address comparison hardware is to determine whether the virtual memory address is within a virtual memory address range.

Abstract: Embodiments of an invention for modifying memory permissions in a secure processing environment are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to modify access permissions for a page in a secure enclave. The execution unit is to execute the instruction. Execution of the instruction includes setting new access permissions in an enclave page cache map entry. Furthermore, the page is immediately accessible from inside the secure enclave according to the new access permissions.

Abstract: Embodiments of an invention for maintaining a secure processing environment across power cycles are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to evict a root version array page entry from a secure cache. The execution unit is to execute the instruction. Execution of the instruction includes generating a blob to contain information to maintain a secure processing environment across a power cycle and storing the blob in a non-volatile memory.

Abstract: Embodiments of apparatuses and methods including virtual address memory range registers are disclosed. In one embodiment, a processor includes a memory interface, address translation hardware, and virtual memory address comparison hardware. The memory interface is to access a system memory using a physical memory address. The address translation hardware is to support translation of a virtual memory address to the physical memory address. The virtual memory address is used by software to access a virtual memory location in the virtual memory address space of the processor. The virtual memory address comparison hardware is to determine whether the virtual memory address is within a virtual memory address range.

Abstract: Embodiments of an invention for secure processing environment measurement and attestation are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction associated with a build or a rebuild of a secure enclave. The execution unit is to execute the first instruction. Execution of the first instruction, when associated with the build, includes calculation of a first measurement and a second measurement of the secure enclave. Execution of the first instruction, when associated with the rebuild, includes calculation of the second measurement without calculation of the first measurement.

Abstract: An apparatus for sharing information between entities includes a processor and a trusted execution module executing on the processor. The trusted execution module is configured to receive first confidential information from a first client device associated with a first entity, seal the first confidential information within a trusted execution environment, receive second confidential information from a second client device associated with a second entity, seal the second confidential information within the trusted execution environment, and execute code within the trusted execution environment. The code is configured to compute a confidential result based upon the first confidential information and the second confidential information.

Abstract: An apparatus and method for securely suspending and resuming the state of a processor. For example, one embodiment of a method comprises: generating a data structure including at least the monotonic counter value; generating a message authentication code (MAC) over the data structure using a first key; securely providing the data structure and the MAC to a module executed on the processor; the module verifying the MAC, comparing the monotonic counter value with a counter value stored during a previous suspend operation and, if the counter values match, then loading processor state required for the resume operation to complete. Another embodiment of a method comprises: generating a first key by a processor; securely sharing the first key with an off-processor component; and using the first key to generate a pairing ID usable to identify a pairing between the processor and the off-processor component.

Abstract: An apparatus for sharing information between entities includes a processor and a trusted execution module executing on the processor. The trusted execution module is configured to receive first confidential information from a first client device associated with a first entity, seal the first confidential information within a trusted execution environment, receive second confidential information from a second client device associated with a second entity, seal the second confidential information within the trusted execution environment, and execute code within the trusted execution environment. The code is configured to compute a confidential result based upon the first confidential information and the second confidential information.