Abstract: Root-trusted guest memory page management is described. A root-trusted guest is loaded by a hardware platform and authenticated. The root-trusted guest is configured to manage memory operations of different guests via special privileges that permit the root-trusted guest to execute memory operations using a guest's private memory page. To do so, a guest page table includes a novel “T-bit” in each entry, which indicates whether the root-trusted guest or a different guest owns the associated memory page. Each entry in the guest page table for the root-trusted guest additionally includes a “C-bit” that indicates whether the corresponding memory page is a protected page. Combined C-bit and T-bit values for a page table entry dictate whether operations performed as part of handling a guest's memory request are offloaded from the hardware platform to the root-trusted guest.

Abstract: A security framework for virtual machines is described. In one or more implementations, a hardware platform comprises physical computer hardware, the physical computer hardware including one or more processing units and one or more memories. The system also includes a virtual machine monitor configured to virtualize the physical computer hardware of the hardware platform to instantiate a plurality of framework-secure virtual machines. Further, the system includes a root framework-secure virtual machine instantiated by the virtual machine monitor. In accordance with the described techniques, the root framework-secure virtual machine is configured to control access to the hardware platform by the framework-secure virtual machines instantiated by the virtual machine monitor.

Abstract: A computing system may implement a split random number generator that may use a random number generator to generate and store seed values in a memory for retrieval and use by one or more core processors to generate random numbers for secure processes within each core processor.

Abstract: Restricting peripheral device protocols in confidential compute architectures, the method including: receiving a first address translation request from a peripheral device supporting a first protocol, wherein the first protocol supports cache coherency between the peripheral device and a processor cache; determining that a confidential compute architecture is enabled; and providing, in response to the first address translation request, a response including an indication to the peripheral device to not use the first protocol.

Abstract: Restricting peripheral device protocols in confidential compute architectures, the method including: receiving a first address translation request from a peripheral device supporting a first protocol, wherein the first protocol supports cache coherency between the peripheral device and a processor cache; determining that a confidential compute architecture is enabled; and providing, in response to the first address translation request, a response including an indication to the peripheral device to not use the first protocol.

Abstract: A computing system may implement a split random number generator that may use a random number generator to generate and store seed values in a memory for retrieval and use by one or more core processors to generate random numbers for secure processes within each core processor.

Abstract: A method includes establishing an isolated execution environment for executing a platform firmware operating mode subroutine in a platform firmware operating mode. In response to receiving an interrupt, the platform firmware operating mode subroutine is executed in the isolated execution environment. In response to detecting an attempted access of a hardware resource resulting from execution of the platform firmware operating mode subroutine, the attempted access is blocked when the attempted access violates a security policy.

Abstract: Systems, apparatuses, and methods for implementing hypervisor post-write notification of processor state register modifications. A write to a state register of the processor may be detected during guest execution. In response to detecting the write to the state register, the processor may trigger microcode to perform the write and copy the new value of the register to a memory location prior to exiting the guest. The hypervisor may be notified of the update to the state register after it occurs, and the hypervisor may be prevented from modifying the value of the guest's state register. The hypervisor may terminate the guest if the update to the state register is unacceptable. Alternatively, the hypervisor may recommend an alternate value to the guest. If the guest agrees, the guest may set the state register to the alternate value recommended by the hypervisor when the guest resumes operation.

Abstract: Overhead associated with verifying function return addresses to protect against security exploits is reduced by taking advantage of branch prediction mechanisms for predicting return addresses. More specifically, returning from a function includes popping a return address from a data stack. Well-known security exploits overwrite the return address on the data stack to hijack control flow. In some processors, a separate data structure referred to as a control stack is used to verify the data stack. When a return instruction is executed, the processor issues an exception if the return addresses on the control stack and the data stack are not identical. This overhead can be avoided by taking advantage of the return address stack, which is a data structure used by the branch predictor to predict return addresses. In most situations, if this prediction is correct, the above check does not need to occur, thus reducing the associated overhead.

Abstract: A computing device that handles address translations is described. The computing device includes a hardware table walker and a memory that stores a reverse map table and a plurality of pages of memory. The table walker is configured to use validated indicators in entries in the reverse map table to determine if page accesses are made to pages for which entries are validated. The table walker is further configured to use virtual machine permissions levels information in entries in the reverse map table determine if page accesses for specified operation types are permitted.

Abstract: Overhead associated with verifying function return addresses to protect against security exploits is reduced by taking advantage of branch prediction mechanisms for predicting return addresses. More specifically, returning from a function includes popping a return address from a data stack. Well-known security exploits overwrite the return address on the data stack to hijack control flow. In some processors, a separate data structure referred to as a control stack is used to verify the data stack. When a return instruction is executed, the processor issues an exception if the return addresses on the control stack and the data stack are not identical. This overhead can be avoided by taking advantage of the return address stack, which is a data structure used by the branch predictor to predict return addresses. In most situations, if this prediction is correct, the above check does not need to occur, thus reducing the associated overhead.

Abstract: An input-output (IO) memory management unit (IOMMU) uses a reverse map table (RMT) to ensure that address translations acquired from a nested page table are correct and that IO devices are permitted to access pages in a memory when performing memory accesses in a computing device. A translation lookaside buffer (TLB) flushing mechanism is used to invalidate address translation information in TLBs that are affected by changes in the RMT. A modified Address Translation Caching (ATC) mechanism may be used, in which only partial address translation information is provided to IO devices so that the RMT is checked when performing memory accesses for the IO devices using the cached address translation information.

Abstract: Systems, apparatuses, and methods for implementing virtualized process isolation are disclosed. A system includes a kernel and multiple guest virtual machines (VMs) executing on the system's processing hardware. Each guest VM includes a vShim layer for managing kernel accesses to user space and guest accesses to kernel space. The vShim layer also maintains a set of page tables separate from the kernel page tables. In one embodiment, data in the user space is encrypted and the kernel goes through the vShim layer to access user space data. When the kernel attempts to access a user space address, the kernel exits and the vShim layer is launched to process the request. If the kernel has permission to access the user space address, the vShim layer copies the data to a region in kernel space and then returns execution to the kernel. The vShim layer prevents the kernel from accessing the user space address if the kernel does not have permission to access the user space address.

Abstract: Embodiments herein provide for improved store-to-load-forwarding (STLF) logic and linear aliasing effect reduction logic. In one embodiment, a load instruction to be executed is selected. Whether a first linear address associated with said load instruction matches a linear address of a store instruction of a plurality of store instructions in a queue is determined. Data associated with said store instruction for executing said load instruction is forwarded, in response to determining that the first linear address matches the linear address of the store instruction.

Abstract: A table walker receives, from a requesting entity, a request to translate a first address into a second address associated with a page of memory. During a corresponding table walk, when a lock indicator in an entry in a reverse map table (RMT) for the page is set to mark the entry in the RMT as locked, the table walker halts processing the request and performs a remedial action. In addition, when the request is associated with a write access of the page and an immutable indicator in the entry in the RMT is set to mark the page as immutable, the table walker halts processing the request and performs the remedial action. Otherwise, when the entry in the RMT is not locked and the page is not marked as immutable for a write access, the table walker continues processing the request.

Abstract: The described embodiments perform a method for handling memory accesses by virtual machines in a computing device. The described embodiments include a reverse map table (RMT) and a separate guest accessed pages table (GAPT) for each virtual machine. The RMT has a plurality of entries, each entry including information for identifying a virtual machine that is permitted to access an associated page of data in a memory. Each GAPT has a record of pages being accessed by a corresponding virtual machine. During operation, a table walker receives a request from a given virtual machine to translate a guest physical address to a system physical address. The table walker checks at least one of the RMT and a corresponding GAPT to determine whether the given virtual machine has access to a corresponding page. If not, the table walker terminates the translating. Otherwise, the table walker completes the translating.

Abstract: An input-output (IO) memory management unit (IOMMU) uses a reverse map table (RMT) to ensure that address translations acquired from a nested page table are correct and that IO devices are permitted to access pages in a memory when performing memory accesses in a computing device. A translation lookaside buffer (TLB) flushing mechanism is used to invalidate address translation information in TLBs that are affected by changes in the RMT. A modified Address Translation Caching (ATC) mechanism may be used, in which only partial address translation information is provided to IO devices so that the RMT is checked when performing memory accesses for the IO devices using the cached address translation information.

Abstract: A computing device that handles address translations is described. The computing device includes a hardware table walker and a memory that stores a reverse map table and a plurality of pages of memory. The table walker is configured to use validated indicators in entries in the reverse map table to determine if page accesses are made to pages for which entries are validated. The table walker is further configured to use virtual machine permissions levels information in entries in the reverse map table determine if page accesses for specified operation types are permitted.

Abstract: Systems, apparatuses, and methods for implementing virtualized process isolation are disclosed. A system includes a kernel and multiple guest VMs executing on the system's processing hardware. Each guest VM includes a vShim layer for managing kernel accesses to user space and guest accesses to kernel space. The vShim layer also maintains a separate set of page tables from the kernel page tables. In one embodiment, data in the user space is encrypted and the kernel goes through the vShim layer to access user space data. When the kernel attempts to access a user space address, the kernel exits and the vShim layer is launched to process the request. If the kernel has permission to access the address, the vShim layer copies the data to a region in kernel space and then returns execution to the kernel.

Abstract: A table walker receives, from a requesting entity, a request to translate a first address into a second address associated with a page of memory. During a corresponding table walk, when a lock indicator in an entry in a reverse map table (RMT) for the page is set to mark the entry in the RMT as locked, the table walker halts processing the request and performs a remedial action. In addition, when the request is associated with a write access of the page and an immutable indicator in the entry in the RMT is set to mark the page as immutable, the table walker halts processing the request and performs the remedial action. Otherwise, when the entry in the RMT is not locked and the page is not marked as immutable for a write access, the table walker continues processing the request.