Patents by Inventor Jeremy W. Powell

Jeremy W. Powell has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240311167
    Abstract: A processor includes a virtual machine manager (VMM) configured to map a guest process address space identifier (PASID) associated with a virtual machine (VM) to a host PASID associated with a host machine of the VM. The processor further includes a processor core configured to maintain, responsive to the guest PASID being mapped to the host PASID, an entry in a PASID reverse mapping table (PMP) including one or more security attributes associated with the host PASID.
    Type: Application
    Filed: March 16, 2023
    Publication date: September 19, 2024
    Inventors: Jeremy W. Powell, David Kaplan
  • Publication number: 20240289151
    Abstract: A processor configured to execute one or more virtual machines (VMs) includes an input-output memory management unit (IOMMU) configured to handle memory-mapped input-output (MMIO) requests and direct memory access (DMA) requests from a processor core of the processor or one or more input/output (I/O) devices. In response to receiving an MMIO or DMA request, the IOMMU is configured to determine a VM associated with the request. The IOMMU then checks a security indicator field of an address space identifier (ASID) mask table to determine if the VM was previously the target of an attack by a malicious entity. In response to the VM previously being a target of an attack, the IOMMU denies the received MMIO or DMA request.
    Type: Application
    Filed: February 24, 2023
    Publication date: August 29, 2024
    Inventors: Philip Ng, Nippon Raval, Jeremy W. Powell, Donald Matthews, JR., David Kaplan
  • Publication number: 20240289150
    Abstract: A processor includes a security processor and an input-output memory management unit (IOMMU). The security processor is configured to maintain device control information in a secure data structure and prevent a hypervisor from accessing the secure data structure. The IOMMU is configured to process at least one device request targeting a virtual machine from an input/output device based on the secure data structure.
    Type: Application
    Filed: February 24, 2023
    Publication date: August 29, 2024
    Inventors: Philip Ng, Nippon Raval, Jeremy W. Powell, Donald Matthews, JR., David Kaplan
  • Publication number: 20240220296
    Abstract: A processor manages memory-mapped input/output (MMIO) accesses, in secure fashion, at an input/output memory management unit (IOMMU). The processor is configured to ensure that, for a given MMIO request issued by a processor core and associated with a particular executing VM, the request is targeted to a MMIO address that has been assigned to the VM by a security module (e.g., a security co-processor). The processor thus prevents a malicious entity from accessing confidential information of a VM via MMIO requests.
    Type: Application
    Filed: December 29, 2022
    Publication date: July 4, 2024
    Inventors: Philip Ng, Nippon Raval, Jeremy W. Powell, Donald Matthews, JR., David Kaplan
  • Publication number: 20240220298
    Abstract: A security module of a processor manages the lifecycle of devices interfaces of input/output (I/O) devices within a virtualization environment in a secure and trusted manner. For example, the security module is configured to bind a device interface of an I/O device interface to a virtual machine (VM). Responsive to the device interface being bound, the security module is configured to attest at least one of the device interface and the I/O device. Responsive to the at least one of the device interface or the I/O device being attested, the security module is configured to configure an input-output memory management unit (IOMMU) and memory resources associated with the VM.
    Type: Application
    Filed: December 29, 2022
    Publication date: July 4, 2024
    Inventors: Jeremy W. Powell, David Kaplan
  • Publication number: 20240220429
    Abstract: A processor supports managing DMA accesses, in secure fashion, at an IOMMU. The IOMMU is configured to ensure that, for a given DMA request issued by an I/O device and associated with a particular executing VM, the device is bound to the VM according to a specified security registration process, and the request is targeted to a region of memory that has been assigned to the VM. The IOMMU thus prevents a malicious entity from accessing confidential information of a VM via DMA requests.
    Type: Application
    Filed: December 29, 2022
    Publication date: July 4, 2024
    Inventors: Philip Ng, Nippon Raval, Jeremy W. Powell, Donald Matthews, JR., David Kaplan
  • Publication number: 20240176638
    Abstract: A processing system executing a virtual machine (VM) in a confidential computing environment selectively randomizes the values of registers before the register values are encrypted to ciphertext and written to a secure region of memory upon the VM exiting execution at a processor of the processing system. When the VM later resumes executing at the processor, the processor de-randomizes the register values. By randomizing the register values, the processor obfuscates the register values from a hypervisor or physical attack, thereby protecting against side channel attacks on the encrypted ciphertext.
    Type: Application
    Filed: November 29, 2022
    Publication date: May 30, 2024
    Inventors: David Kaplan, Jelena Ilic, Jeremy W. Powell
  • Patent number: 11188640
    Abstract: A method includes establishing an isolated execution environment for executing a platform firmware operating mode subroutine in a platform firmware operating mode. In response to receiving an interrupt, the platform firmware operating mode subroutine is executed in the isolated execution environment. In response to detecting an attempted access of a hardware resource resulting from execution of the platform firmware operating mode subroutine, the attempted access is blocked when the attempted access violates a security policy.
    Type: Grant
    Filed: August 23, 2018
    Date of Patent: November 30, 2021
    Assignee: Advanced Micro Devices, Inc.
    Inventors: Jeremy W Powell, David A Kaplan
  • Patent number: 10671422
    Abstract: A security module in a memory access path of a processor of a processing system protects secure information by verifying the contents of memory pages as they transition between one or more virtual machines (VMs) executing at the processor and a hypervisor that provides an interface between the VMs and the processing system's hardware. The security module of the processor is employed to monitor memory pages as they transition between one or more VMs and a hypervisor so that memory pages that have been altered by a hypervisor or other VM cannot be returned to the VM from which they were transitioned.
    Type: Grant
    Filed: August 24, 2017
    Date of Patent: June 2, 2020
    Assignee: ADVANCED MICRO DEVICES, INC.
    Inventors: David Kaplan, Jeremy W. Powell, Richard Relph
  • Patent number: 10585805
    Abstract: A computing device that handles address translations is described. The computing device includes a hardware table walker and a memory that stores a reverse map table and a plurality of pages of memory. The table walker is configured to use validated indicators in entries in the reverse map table to determine if page accesses are made to pages for which entries are validated. The table walker is further configured to use virtual machine permissions levels information in entries in the reverse map table determine if page accesses for specified operation types are permitted.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: March 10, 2020
    Assignee: ADVANCED MICRO DEVICES, INC.
    Inventors: David A. Kaplan, Jeremy W. Powell, Thomas R. Woller
  • Patent number: 10241931
    Abstract: A table walker receives, from a requesting entity, a request to translate a first address into a second address associated with a page of memory. During a corresponding table walk, when a lock indicator in an entry in a reverse map table (RMT) for the page is set to mark the entry in the RMT as locked, the table walker halts processing the request and performs a remedial action. In addition, when the request is associated with a write access of the page and an immutable indicator in the entry in the RMT is set to mark the page as immutable, the table walker halts processing the request and performs the remedial action. Otherwise, when the entry in the RMT is not locked and the page is not marked as immutable for a write access, the table walker continues processing the request.
    Type: Grant
    Filed: January 27, 2017
    Date of Patent: March 26, 2019
    Assignee: ADVANCED MICRO DEVICES, INC.
    Inventors: David A. Kaplan, Jeremy W. Powell, Thomas R. Woller
  • Patent number: 10169244
    Abstract: The described embodiments perform a method for handling memory accesses by virtual machines in a computing device. The described embodiments include a reverse map table (RMT) and a separate guest accessed pages table (GAPT) for each virtual machine. The RMT has a plurality of entries, each entry including information for identifying a virtual machine that is permitted to access an associated page of data in a memory. Each GAPT has a record of pages being accessed by a corresponding virtual machine. During operation, a table walker receives a request from a given virtual machine to translate a guest physical address to a system physical address. The table walker checks at least one of the RMT and a corresponding GAPT to determine whether the given virtual machine has access to a corresponding page. If not, the table walker terminates the translating. Otherwise, the table walker completes the translating.
    Type: Grant
    Filed: July 29, 2016
    Date of Patent: January 1, 2019
    Assignee: ADVANCED MICRO DEVICES, INC.
    Inventors: David A. Kaplan, Jeremy W. Powell, Thomas R. Woller
  • Publication number: 20180189190
    Abstract: A computing device that handles address translations is described. The computing device includes a hardware table walker and a memory that stores a reverse map table and a plurality of pages of memory. The table walker is configured to use validated indicators in entries in the reverse map table to determine if page accesses are made to pages for which entries are validated. The table walker is further configured to use virtual machine permissions levels information in entries in the reverse map table determine if page accesses for specified operation types are permitted.
    Type: Application
    Filed: February 28, 2018
    Publication date: July 5, 2018
    Inventors: David A. Kaplan, Jeremy W. Powell, Thomas R. Woller
  • Publication number: 20180032447
    Abstract: A table walker receives, from a requesting entity, a request to translate a first address into a second address associated with a page of memory. During a corresponding table walk, when a lock indicator in an entry in a reverse map table (RMT) for the page is set to mark the entry in the RMT as locked, the table walker halts processing the request and performs a remedial action. In addition, when the request is associated with a write access of the page and an immutable indicator in the entry in the RMT is set to mark the page as immutable, the table walker halts processing the request and performs the remedial action. Otherwise, when the entry in the RMT is not locked and the page is not marked as immutable for a write access, the table walker continues processing the request.
    Type: Application
    Filed: January 27, 2017
    Publication date: February 1, 2018
    Inventors: David A. Kaplan, Jeremy W. Powell, Thomas R. Woller
  • Publication number: 20180032443
    Abstract: The described embodiments perform a method for handling memory accesses by virtual machines in a computing device. The described embodiments include a reverse map table (RMT) and a separate guest accessed pages table (GAPT) for each virtual machine. The RMT has a plurality of entries, each entry including information for identifying a virtual machine that is permitted to access an associated page of data in a memory. Each GAPT has a record of pages being accessed by a corresponding virtual machine. During operation, a table walker receives a request from a given virtual machine to translate a guest physical address to a system physical address. The table walker checks at least one of the RMT and a corresponding GAPT to determine whether the given virtual machine has access to a corresponding page. If not, the table walker terminates the translating. Otherwise, the table walker completes the translating.
    Type: Application
    Filed: July 29, 2016
    Publication date: February 1, 2018
    Inventors: David A. Kaplan, Jeremy W. Powell, Thomas R. Woller
  • Publication number: 20170277898
    Abstract: A processor employs a security module to manage authentication and encryption keys for the processor. The security module can authenticate itself to other processing systems, such as processing systems providing software to be executed at the processor, can generate keys for encrypting address spaces for the provided software, and can securely import and export information at the encrypted address spaces to and from the processing system. By using a security module that is separate from the processor cores of the processor to perform these security operations, the processing system allows software executing on the processor cores to manage operations based on the authentication and encryption keys without being able to read the keys themselves, thereby preventing unauthorized access by malicious software to the keys.
    Type: Application
    Filed: March 25, 2016
    Publication date: September 28, 2017
    Inventors: Jeremy W. Powell, David A. Kaplan, Jesse D. Larrew, Thomas R. Woller, Joshua Schiffman