Patents by Inventor Geoffrey S. Strongin
Geoffrey S. Strongin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 7451324
Abstract: A method and system for handling a security exception. The method includes creating a security exception stack frame in secure memory at a base address. The method also includes writing a faulting code sequence address and one or more register values into the security exception stack frame, and executing a plurality of security exception instructions.
Type: Grant
Filed: May 31, 2002
Date of Patent: November 11, 2008
Assignee: Advanced Micro Devices, Inc.
Inventors: Rodney W. Schmidt, Brian C. Barnes, Geoffrey S. Strongin, David S. Christie
-
Patent number: 7426644
Abstract: A host bridge is described including a memory controller and a security check unit. The memory controller is adapted for coupling to a memory storing data arranged within multiple memory pages. The memory controller receives memory access signals (e.g., during a memory access), and responds to the memory access signals by accessing the memory. The security check unit receives the memory access signals, wherein the memory access signals convey a physical address within a target memory page. The security check unit uses the physical address to access one or more security attribute data structures located in the memory to obtain a security attribute of the target memory page. The security check unit provides the memory access signals to the memory controller dependent upon the security attribute of the target memory page.
Type: Grant
Filed: December 5, 2001
Date of Patent: September 16, 2008
Assignee: Advanced Micro Devices, Inc.
Inventors: Geoffrey S. Strongin, Brian C. Barnes, Rodney W. Schmidt
-
Patent number: 7418584
Abstract: In one embodiment, a register in a processor is programmable with an intercept indication indicative of whether or not an event that would cause a transition by the processor to a first mode is to be intercepted during execution of a guest. Responsive to the intercept indication and further responsive to detecting the event, execution circuitry in the processor is configured to exit the guest. In another embodiment, a method comprises: detecting an event that would cause a processor to transition to a first mode, wherein first code is to be executed in the first mode; and causing the first code to be executed in a guest responsive to the detecting. In still another embodiment, a computer accessible medium comprising instructions which when executed in response to detecting the event, cause the first code to be executed in a guest.
Type: Grant
Filed: February 25, 2005
Date of Patent: August 26, 2008
Assignee: Advanced Micro Devices, Inc.
Inventors: Alexander C. Klaiber, Geoffrey S. Strongin, Kevin J. McGrath
-
Patent number: 7383432
Abstract: A communications system includes a physical layer hardware unit and a processing unit. The physical layer hardware unit is adapted to communicate data over a communications channel in accordance with assigned transmission parameters. The physical layer hardware unit is adapted to receive an incoming signal over the communications channel and sample the incoming signal to generate a digital received signal. The processing unit is adapted to execute a software driver including program instructions adapted to extract control codes from the digital received signal, generate an authentication code, and transfer the control codes and the authentication code to the physical layer hardware unit. The physical layer hardware unit is adapted to signal a security violation in response to the control codes being inconsistent with the authentication code.
Type: Grant
Filed: July 9, 2001
Date of Patent: June 3, 2008
Assignee: Advanced Micro Devices, Inc.
Inventors: Brian C. Barnes, David W. Smith, Terry L. Cole, Rodney Schmidt, Geoffrey S. Strongin, Michael Barclay
-
Patent number: 7383584
Abstract: A system, apparatus and method for providing access security for a subject device. The apparatus includes a security check unit (SCU) configured to be coupled to a transmission medium. The SCU is configured to monitor signals on the transmission medium and to detect an attempt by a first device coupled to the transmission medium to access a second device coupled to the transmission medium based upon the signals. The SCU is also configured to determine an identity of the first device based upon the signals and to control access to the second device by the first device dependent upon the identity of the first device. The method includes monitoring signals and detecting an attempt by an additional device to access the subject device based upon the signals. The method also includes using the signals to determine an identity of the additional device and controlling access to the subject device dependent upon the identity of the additional device.
Type: Grant
Filed: March 27, 2002
Date of Patent: June 3, 2008
Assignee: Advanced Micro Devices, Inc.
Inventors: Geoffrey S. Strongin, Brian C. Barnes, Rodney Schmidt
-
Patent number: 7334123
Abstract: A computer system including a bus bridge for bridging transactions between a secure execution mode-capable processor and a security services processor. The bus bridge may include a transaction source detector, a configuration header and control logic. The transaction source detector may receive a security initialization transaction performed as a result of execution of a security initialization instruction. Further, the transaction source detector may determine whether the secure execution mode-capable processor is a source of the security initialization transaction. The configuration header may provide storage of information associated with the security services processor. The control logic may determine whether the security services processor is coupled to the bus bridge via a non-enumerable, peripheral bus.
Type: Grant
Filed: May 2, 2003
Date of Patent: February 19, 2008
Assignee: Advanced Micro Devices, Inc.
Inventors: Dale E. Gulick, Geoffrey S. Strongin, Larry D. Hewitt
-
Patent number: 7325250
Abstract: A method and apparatus for preventing radio communication system access by an unauthorized modem. The apparatus comprises a signal detector that determines if an authorization signal has been received from the base station within a specified period of time. The authorization signal authorizes the apparatus to communicate with the base station. A transmitter transmits information to the base station, and a controller disables the transmitter of the apparatus providing that the authorization signal has not been received within the specified period of time.
Type: Grant
Filed: July 9, 2001
Date of Patent: January 29, 2008
Assignee: Advanced Micro Devices, Inc.
Inventors: Michael Barclay, Brian C. Barnes, Terry L. Cole, Rodney Schmidt, David W. Smith, Geoffrey S. Strongin
-
Publication number: 20070168643
Abstract: In an embodiment, an input/output (I/O) memory management unit (IOMMU) comprises at least one memory configured to store translation data; and control logic coupled to the memory and configured to translate an I/O device-generated memory request using the translation data. The translation data corresponds to one or more device table entries in a device table stored in a memory system of a computer system that includes the IOMMU, wherein the device table entry for a given request is selected by an identifier corresponding to the I/O device that generates the request. The translation data further corresponds to one or more I/O page tables, wherein the selected device table entry for the given request includes a pointer to a set of I/O page tables to be used to translate the given request.
Type: Application
Filed: January 16, 2007
Publication date: July 19, 2007
Inventors: Mark D. Hummel, Geoffrey S. Strongin, Mitchell Alsup, Michael Haertel, Andrew W. Lueck
-
Publication number: 20070168641
Abstract: In one embodiment, a system comprises one or more input/output (I/O) devices; an I/O memory management unit (IOMMU) coupled to receive memory requests sourced by the I/O devices and configured to provide address translation for the memory requests; and a virtual machine monitor (VMM) configured to manage one or more virtual machines on the system, wherein the VMM is configured to virtualize the IOMMU, providing one or more virtual IOMMUs for use by one or more virtual machines.
Type: Application
Filed: January 16, 2007
Publication date: July 19, 2007
Inventors: Mark D. Hummel, Andrew W. Lueck, Geoffrey S. Strongin, Mitchell Alsup, Michael Haertel
-
Publication number: 20070168636
Abstract: In one embodiment, an input/output (I/O) node comprises an I/O memory management unit (IOMMU) configured to translate memory requests. The I/O node is configured to couple to an interconnect and to operate as a tunnel on the interconnect, and wherein the IOMMU is configured to translate memory requests passing through the tunnel in the upstream direction. In another embodiment, a system comprises another I/O node configured to bridge another interconnect to the interconnect, wherein the I/O node is the tunnel for the other I/O node.
Type: Application
Filed: January 16, 2007
Publication date: July 19, 2007
Inventors: Mark D. Hummel, Andrew W. Lueck, Geoffrey S. Strongin, Mitchell Alsup, Michael Haertel
-
Publication number: 20070168644
Abstract: In one embodiment, an input/output (I/O) memory management unit (IOMMU) comprises at least one memory and control logic coupled to the memory. The memory is configured to store translation data corresponding to one or more I/O translation tables stored in a memory system of a computer system that includes the IOMMU. The control logic is configured to translate an I/O device-generated memory request using the translation data. The translation data includes a type field indicating one or more attributes of the translation, and the control logic is configured to control the translation responsive to the type field.
Type: Application
Filed: January 16, 2007
Publication date: July 19, 2007
Inventors: Mark D. Hummel, Geoffrey S. Strongin, Andrew W. Lueck
-
Patent number: 7216362
Abstract: A method and system for enhanced security and manageability using secure storage. The system may include a crypto-processor and a memory coupled to receive memory transactions through the crypto-processor. The memory transactions are passed to the memory by the crypto-processor. The system may include a first processor, a second processor coupled to the first processor, and a storage device operably coupled to the first processor through the second processor. The second processor is configured to control access to the storage device. The method includes transmitting a request for a memory transaction for a storage location in the storage device and receiving the request for the memory transaction at the crypto-processor. The method also includes determining if the memory transaction is authorized for the storage location, and passing the request for the memory transaction to the storage device if the memory transaction is authorized for the storage location.
Type: Grant
Filed: May 11, 2001
Date of Patent: May 8, 2007
Assignee: Advanced Micro Devices, Inc.
Inventors: Geoffrey S. Strongin, Dale E. Gulick
-
Patent number: 7210009
Abstract: A computer system includes a processor which may initialize a secure execution mode by executing a security initialization instruction. Further, the processor may operate in the secure execution mode by executing a secure operating system code segment. The computer system also includes a system memory configured to store data in a plurality of locations. The computer system also includes a memory controller which may selectively clear the data from a programmed range of the memory locations of the system memory when enabled in response to a reset of the processor.
Type: Grant
Filed: September 4, 2003
Date of Patent: April 24, 2007
Assignee: Advanced Micro Devices, Inc.
Inventors: Dale E. Gulick, Geoffrey S. Strongin, William A. Hughes
-
Patent number: 7206933
Abstract: A computer system includes a peripheral device and a processing unit. The processing unit is adapted to execute a driver for interfacing with the peripheral device in a standard mode of operation and an authentication agent in a privileged mode of operation, wherein the authentication agent includes program instructions adapted to authenticate the driver. The peripheral device may comprise a communications device, such as a software modem. A method for identifying security violations in a computer system includes executing a driver in a standard processing mode of a processing unit; transitioning the processing unit into a privileged processing mode; and authenticating the driver in the privileged processing mode. The driver may be adapted for interfacing with a communications peripheral device, such as a software modem.
Type: Grant
Filed: July 9, 2001
Date of Patent: April 17, 2007
Assignee: Advanced Micro Devices, Inc.
Inventors: Geoffrey S. Strongin, David W. Smith, Brian C. Barnes, Terry L. Cole, Rodney Schmidt, Michael Barclay
-
Patent number: 7197768
Abstract: A communications system includes a physical layer hardware unit and a processing unit. The physical layer hardware unit is adapted to communicate data over a communications channel. The physical layer hardware unit is adapted to receive unencrypted control codes and encrypted user data over the communications channel and transmit an upstream data signal over the communications channel based on the control codes. The processing unit is adapted to execute a software driver for interfacing with the physical layer hardware unit. The software driver includes program instructions for implementing a protocol layer to decrypt the user data and provide the upstream data to the physical layer hardware unit. A method for configuring a transceiver includes receiving unencrypted control codes over a communications channel; receiving encrypted user data over the communications channel; and transmitting an upstream signal over the communications channel based on transmission assignments defined by the control codes.
Type: Grant
Filed: July 9, 2001
Date of Patent: March 27, 2007
Assignee: Advanced Micro Devices, Inc.
Inventors: Terry L. Cole, David W. Smith, Rodney Schmidt, Geoffrey S. Strongin, Brian C. Barnes, Michael Barclay
-
Patent number: 7165135
Abstract: A method is provided for controlling interrupts in a secure execution mode-capable processor. The method includes detecting an interrupt and performing a predetermined routine in response to detecting the interrupt. The method further includes performing a second routine prior to performing the predetermined routine in response to detecting the interrupt depending upon whether the processor is operating in a secure execution mode.
Type: Grant
Filed: April 18, 2003
Date of Patent: January 16, 2007
Assignee: Advanced Micro Devices, Inc.
Inventors: David S. Christie, Kevin J. McGrath, Geoffrey S. Strongin
-
Patent number: 7149854
Abstract: A method and system for providing an external locking mechanism for memory locations. The memory includes a first plurality of storage locations configured with BIOS data and a second plurality of storage locations. The second plurality of storage locations includes a first plurality of blocks readable only in SMM and a second plurality of blocks readable in SMM and at least one operating mode other than SMM. The computer system includes a bus, a memory coupled to the bus, and a device coupled to access the memory over the bus. The memory includes a plurality of storage locations, divided into a plurality of memory units. The device includes one or more locks configured to control access to one or more of the plurality of memory units.
Type: Grant
Filed: May 30, 2001
Date of Patent: December 12, 2006
Assignee: Advanced Micro Devices, Inc.
Inventors: Frederick D. Weber, Dale E. Gulick, Geoffrey S. Strongin
-
Patent number: 7146477
Abstract: A system is configured to selectively block peripheral accesses to system memory. The system includes a secure execution mode (SEM)-capable processor configured to operate in a trusted execution mode. The system also includes a system memory including a plurality of addressable locations. The system further includes a memory controller that may determine a source of an access request to one or more of the plurality of locations of the system memory. The memory controller may further allow the access request to proceed in response to determining that the source of the access request is the SEM-capable processor.
Type: Grant
Filed: April 18, 2003
Date of Patent: December 5, 2006
Assignee: Advanced Micro Devices, Inc.
Inventors: Geoffrey S. Strongin, David S. Christie, William A. Hughes, Kevin J. McGrath
-
Patent number: 7130951
Abstract: A method of controlling a secure execution mode-capable processor includes allowing a plurality of interrupts to interrupt the secure execution mode-capable processor when the secure execution mode-capable processor is operating in a non-secure execution mode. The method also includes disabling the plurality of interrupts from interrupting the secure execution mode-capable processor when the secure execution mode-capable processor is operating in a secure execution mode.
Type: Grant
Filed: April 18, 2003
Date of Patent: October 31, 2006
Assignee: Advanced Micro Devices, Inc.
Inventors: David S. Christie, Geoffrey S. Strongin, Kevin J. McGrath
-
Patent number: 7096353
Abstract: A communications system includes a physical layer hardware unit and a processing unit. The physical layer hardware unit is adapted to communicate data over a communications channel in accordance with assigned transmission parameters and receive an incoming signal over the communications channel and sample the incoming signal to generate a digital received signal. The processing unit is adapted to execute a standard mode driver in a standard mode of operation and a privileged mode driver in a privileged mode of operation. The standard mode driver includes program instructions adapted to extract encrypted data from the digital received signal and pass the encrypted data to the privileged mode driver. The privileged mode driver includes program instructions adapted to decrypt the encrypted data to generate decrypted data including control codes and transfer the control codes to the physical layer hardware unit.
Type: Grant
Filed: July 9, 2001
Date of Patent: August 22, 2006
Assignee: Advanced Micro Devices, Inc.
Inventors: David W. Smith, Brian C. Barnes, Terry L. Cole, Rodney Schmidt, Geoffrey S. Strongin, Michael Barclay