Abstract: Embodiments are directed to providing a secure address translation service. An embodiment of a system includes memory for storage of data, an IOMMU coupled to the memory, and a host-to-device link to couple the IOMMU with one or more devices and to operate as a translation agent on behalf of one or more devices in connection with memory operations relating to the memory, including receiving a translated request from a discrete device via the host-to-device link specifying a memory operation and a physical address within the memory pertaining to the memory operation, determining page access permissions assigned to a context of the discrete device for a physical page of the memory within which the physical address resides, allowing the memory operation to proceed when the page access permissions permit the memory operation, and blocking the memory operation when the page access permissions do not permit the memory operation.

Abstract: Embodiments may be generally direct to apparatuses, systems, method, and techniques to detect a message to communicate via an interconnect coupled with a device capable of communication via a plurality of interconnect protocols, the plurality of interconnect protocols comprising a non-coherent interconnect protocol, a coherent interconnect protocol, and a memory interconnect protocol. Embodiments also include determining an interconnect protocol of the plurality of interconnect protocols to communicate the message via the interconnect based on the message, and providing the message to a multi-protocol multiplexer coupled with the interconnect, the multi-protocol multiplexer to communicate the message utilizing the interconnect protocol via the interconnect with the device.

Abstract: Enforcing memory operand types using protection keys is generally described herein. A processor system to provide sandbox execution support for protection key rights attacks includes a processor core to execute a task associated with an untrusted application and execute the task using a designated page of a memory; and a memory management unit to designate the page of the memory to support execution of the untrusted application.

Abstract: Enforcing memory operand types using protection keys is generally described herein. A processor system to provide sandbox execution support for protection key rights attacks includes a processor core to execute a task associated with an untrusted application and execute the task using a designated page of a memory; and a memory management unit to designate the page of the memory to support execution of the untrusted application.

Abstract: Disclosed embodiments relate to remote atomic operations (RAO) in multi-socket systems. In one example, a method, performed by a cache control circuit of a requester socket, includes: receiving the RAO instruction from the requester CPU core, determining a home agent in a home socket for the addressed cache line, providing a request for ownership (RFO) of the addressed cache line to the home agent, waiting for the home agent to either invalidate and retrieve a latest copy of the addressed cache line from a cache, or to fetch the addressed cache line from memory, receiving an acknowledgement and the addressed cache line, executing the RAO instruction on the received cache line atomically, subsequently receiving multiple local RAO instructions to the addressed cache line from one or more requester CPU cores, and executing the multiple local RAO instructions on the received cache line independently of the home agent.

Abstract: An embodiment of an integrated circuit comprises circuitry to store memory protection information for a non-host memory in a memory protection cache, and perform one or more memory protection checks on a translated access request for the non-host memory based on the stored memory protection information. Other embodiments are disclosed and claimed.

Abstract: An embodiment of an integrated circuit comprises circuitry to share page tables associated with a page between a processor memory management unit (MMU) and an input/output memory management unit (IOMMU), store a page table entry in the memory associated with the page, and separately control access to the page from a processor and from a direct memory access (DMA) request based on one or more fields of the stored page table entry. Other embodiments are disclosed and claimed.

Abstract: Embodiments are directed to providing a secure address translation service. An embodiment of a system includes a memory device to store memory data in a plurality of physical pages shared by a plurality of devices, a first table to map each page of memory to an associated bundle identifier (ID) that identifies one or more devices having access to a page of memory, a second table to map each bundle ID to page access permissions that define access to one or more pages associated with a bundle ID and a translation agent to receive requests from the plurality of devices to perform memory operations on the memory and determine page access permissions for requests received from the plurality of devices using the first table and the second table.

Abstract: A system for tracking memory access patterns to be used in making data placement and migration policies. The system includes a processing unit and a system memory. The system memory includes a local memory and a remote memory, each of which having mapped thereon, a plurality of memory pages. Each of the plurality of memory pages corresponds to one or more physical addresses. A set of attributes for each memory page is stored in a physical attribute table (PAT). The PAT is looked up and the attributes updated when a memory access is detected. Attributes stored in the PAT are used to control the movement of memory pages between the local memory and the remote memory. When the attributes in the PAT indicate a remote memory page is being accessed frequently by the processing unit, the remote memory page is moved from the remote memory to the local memory.

Abstract: Disclosed embodiments relate to spatial and temporal merging of remote atomic operations.

Abstract: Embodiments are directed to providing a secure address translation service. An embodiment of a system includes memory for storage of data, an IOMMU coupled to the memory, and a host-to-device link to couple the IOMMU with one or more devices and to operate as a translation agent on behalf of one or more devices in connection with memory operations relating to the memory, including receiving a translated request from a discrete device via the host-to-device link specifying a memory operation and a physical address within the memory pertaining to the memory operation, determining page access permissions assigned to a context of the discrete device for a physical page of the memory within which the physical address resides, allowing the memory operation to proceed when the page access permissions permit the memory operation, and blocking the memory operation when the page access permissions do not permit the memory operation.

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

Abstract: Embodiments are directed to providing a secure address translation service. An embodiment of a system includes DRAM for storage of data, an IOMMU coupled to the DRAM, and a host-to-device link to couple the IOMMU with one or more devices and to operate as a translation agent on behalf of one or more devices in connection with memory operations relating to the DRAM, including receiving a translated request from a discrete device via the host-to-device link specifying a memory operation and a physical address within the DRAM pertaining to the memory operation, determining page access permissions assigned to a context of the discrete device for a physical page of the DRAM within which the physical address resides, allowing the memory operation to proceed when the page access permissions permit the memory operation, and blocking the memory operation when the page access permissions do not permit the memory operation.

Abstract: Embodiments may be generally direct to apparatuses, systems, method, and techniques to detect a message to communicate via an interconnect coupled with a device capable of communication via a plurality of interconnect protocols, the plurality of interconnect protocols comprising a non-coherent interconnect protocol, a coherent interconnect protocol, and a memory interconnect protocol. Embodiments also include determining an interconnect protocol of the plurality of interconnect protocols to communicate the message via the interconnect based on the message, and providing the message to a multi-protocol multiplexer coupled with the interconnect, the multi-protocol multiplexer to communicate the message utilizing the interconnect protocol via the interconnect with the device.

Abstract: An embodiment of an apparatus comprises decode circuitry to decode a single instruction, the single instruction to include a field for an identifier of a first source operand, a field for an identifier of a destination operand, and a field for an opcode, the opcode to indicate execution circuitry is to program a user timer, and execution circuitry to execute the decoded instruction according to the opcode to retrieve timer program information from a location indicated by the first source operand, and program a user timer indicated by the destination operand based on the retrieved timer program information. Other embodiments are disclosed and claimed.

Abstract: Disclosed embodiments relate to remote atomic operations (RAO) in multi-socket systems. In one example, a method, performed by a cache control circuit of a requester socket, includes: receiving the RAO instruction from the requester CPU core, determining a home agent in a home socket for the addressed cache line, providing a request for ownership (RFO) of the addressed cache line to the home agent, waiting for the home agent to either invalidate and retrieve a latest copy of the addressed cache line from a cache, or to fetch the addressed cache line from memory, receiving an acknowledgement and the addressed cache line, executing the RAO instruction on the received cache line atomically, subsequently receiving multiple local RAO instructions to the addressed cache line from one or more requester CPU cores, and executing the multiple local RAO instructions on the received cache line independently of the home agent.

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

Abstract: Embodiments are directed to providing a secure address translation service. An embodiment of a system includes a memory for storage of data, an Input/Output Memory Management Unit (IOMMU) coupled to the memory via a host-to-device link the IOMMU to perform operations, comprising receiving an address translation request from a remote device via a host-to-device link, wherein the address translation request comprises a virtual address (VA), determining a physical address (PA) associated with the virtual address (VA), generating an encrypted physical address (EPA) using at least the physical address (PA) and a cryptographic key, and sending the encrypted physical address (EPA) to the remote device via the host-to-device link.

Abstract: Techniques for increasing link efficiency are disclosed. In one embodiment, a device handle table is created at each end of a link. Device handle allocation messages can be used to associate a particular device handle with a particular domain identifier, such as a bus/device/function (BDF) identifier or a processor address space identifier (PASID). Once a device handle is allocated, messages can be sent between the two ends of the link that include the device handle. The device handle can be used to determine the domain identifier associated with the message. As the device handle can be fewer bits than the domain identifier, the link efficiency can be increased.

Abstract: In one embodiment, a data mover accelerator is to receive, from a first agent having a first address space and a first process address space identifier (PASID) to identify the first address space, a first job descriptor comprising a second PASID selector to specify a second PASID to identify a second address space. In response to the first job descriptor, the data mover accelerator is to securely access the first address space and the second address space. Other embodiments are described and claimed.