Abstract: Techniques for an instruction for a Runtime Call operation are described. An example apparatus comprises decoder circuitry to decode a single instruction, the single instruction to include a field for an identifier of an opcode, the opcode to indicate execution circuitry is to execute a no operation when a runtime call destination equals a predetermined value; and execute an indirect call with the runtime call destination as a destination address when the runtime call destination does not equal the predetermined value. Other examples are described and claimed.

Abstract: Data-dependent (memory) prefetcher support is described. In some examples, the data-dependent (memory) prefetcher utilizes metadata to predict if a data word is a valid pointer before doing a prefetch. Data words that are not deemed to be valid pointers are not used to prefetch. The metadata may be linear or physical depending on the example.

Abstract: Techniques for memory safety using cryptographic entropy tagging are described. In an embodiment, an apparatus includes a plurality of decryption circuits and an entropy comparison circuit. The plurality of decryption circuits are to decrypt content of a memory location to be referenced by a pointer used in an attempted access to the memory location, the pointer to include a supplied tag value, wherein the supplied tag value is one of a plurality of possible tag values, and wherein each of the plurality of decryption circuits is to decrypt the content of the memory location based on a different one of the plurality of possible tag values to generate a plurality of decryption results.

Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.

Abstract: A processor core requests a cacheline to be loaded from a memory in a memory access request; and a cache determines a speculated color value for the memory access request, receives a data granule of the cacheline from the memory, and decrypts data of the data granule using the speculated color value.

Abstract: Prefetch (e.g., prefetcher) circuits and methods that allow the safe prefetch of any speculative memory references using cryptographic addressing are described. In certain examples, a computing system includes a memory; a register to store a cryptographic address prefetch key; a core to generate a memory access request for the memory; a cache; and a prefetch circuit to: generate a speculative memory access request for an encrypted memory address based at least in part on the memory access request, decrypt the encrypted memory address to determine a memory line stored at the memory address decrypted by the cryptographic address prefetch key to generate a plaintext address, and store a memory line referenced by the plaintext address in the cache.

Abstract: Methods and apparatus relating to zero-redundancy tag storage for bucketed allocators are described. In some embodiments, memory stores a memory page. The memory page includes a metadata page and a plurality of slots. The metadata page includes information corresponding to the plurality of slots. Decode circuitry decodes an instruction that includes a source operand. Execution circuitry executes the decoded instruction according to the source operand to load a first tag for a first slot of the plurality of slots in response to a memory access request directed at the first slot of the plurality of slots. The memory access request is allowed to proceed in response to a match between the first tag and a second tag of a pointer of the memory access request. The memory page stores a separate tag in proximity to each of the plurality of slots. Other embodiments are also disclosed and claimed.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed that perform bounds checking on authorized memory allocations during pointer arithmetic. In some examples, instruction decode circuitry decodes an update pointer instruction for a pointer. In some examples, bounds checking circuitry determines an authorized allocation for the pointer, determines one or more exclusion zones and poison zones for the pointer. In some examples, bounds checking circuitry updates the pointer and generates a fault if the pointer points to one of the exclusion zones and poisons the pointer if the pointer points to one of the poison zones.

Abstract: Circuitry and methods for implementing one or more switch subprocess instructions are described. In certain examples, a hardware processor (e.g., core) includes (e.g., a coupling to) a memory management circuit to control a memory access based on a stored memory tag in a memory tag data structure and based on a memory tag of a pointer to memory; decoder circuitry to decode an instruction into a decoded instruction, the instruction comprising an operand to identify the memory tag data structure for a subprocess of a plurality of memory tag data structures for corresponding subprocesses of a process, and an opcode to indicate execution circuitry is to switch from another memory tag data structure for another subprocess of the process to the memory tag data structure for the subprocess; and the execution circuitry to execute the decoded instruction according to the opcode. The memory tag data structure may be repurposed to provide access control permissions for the subprocess per memory granule.

Abstract: Examples of instructions to support the recording of memory initialization states as well as several ways to manipulate the states to detect uninitialized memory reads are described. In some examples, execution circuitry to conditionally execute decoded read and write instructions; and integrity check value integrity checking circuitry to determine when decoded read and write instructions associated with an object are allowed to execute based at least in part on integrity check value (ICV) metadata are described.

Abstract: An apparatus to facilitate capability-based memory access control for graphics processors and accelerators is disclosed. The apparatus includes one or more processing cores to: determine that a set of data accesses triggers a bulk access capability check; generate the bulk access capability check to combine with the set of data accesses; prior to performing a first data access of the set of data accesses, perform the bulk access capability check to check that the set of data accesses is allowed to be accessed in accordance with a capability; and responsive to the bulk access capability check passing, allow the set of data accesses to proceed without performing a capability check for each individual data access of the set of data accesses.

Abstract: Techniques disclosed include selecting a first key identifier (ID) for a first compartment of a compartmentalized process of a computing system, the first compartment including first private data; assigning a first extended page table (EPT) having at least one memory address including the first key ID; encrypting the first private data with a first key associated with the first key ID; and storing the encrypted first private data in a memory starting at the at least one memory address of the first EPT.

Abstract: An apparatus includes circuitry to receive a memory access request based on a memory address in a memory allocation of a program. The memory allocation is assigned to a slot of memory apportioned into a plurality of slots. The circuitry is to calculate an index based, at least in part, on whether a size of the slot exceeds a slot threshold size, and determine whether a buffer communicatively coupled to the circuitry includes a buffer entry corresponding to the index and containing a set of metadata associated with the memory allocation. Based on the slot size, the circuitry is to calculate the index by either determining a metadata virtual address or by determining a virtual address of a midpoint of the slot. The indexed data may include bounds and tag information for the circuitry to determine if a memory access is within the bounds and matches the tag value.

Abstract: Some aspects of the present disclosure relate to an apparatus comprising memory circuitry, machine-readable instructions, and processor circuitry to execute the machine-readable instructions to obtain a hash value being indicative of an object path of an object, determine specialization information being indicative of a location of a field of the object relative to the object, combine the hash value and the specialization information, and generate a cryptographic address of the field of the object, with the cryptographic address comprising the combination.

Abstract: A processor of an aspect includes a cache hierarchy and a memory access unit coupled with the cache hierarchy. The memory access unit is to perform a demand load based on a Y-bit pointer to cause a first one or more cache lines to be loaded from memory into the cache hierarchy. The Y-bit pointer has an X-bit virtual address field and a data object extent field in one or more of bits [Y-1:X]. The data object extent field is to store a value. The processor also includes a prefetch unit coupled with the cache hierarchy. The prefetch unit is to determine whether or not to prefetch a second one or more cache lines, adjacent to the first one or more cache lines, from memory into the cache hierarchy based at least in part on the value. In another aspect, the prefetch unit may additionally or alternatively scan code or data for a bit pattern in bits [Y-1:X] to identify likely pointers and prefetch data referenced by such identified pointer's memory addresses.

Abstract: An example method comprises storing, in a register, an encoded pointer to a memory location, where first context information is stored in first bits of the encoded pointer and a slice of a memory address of the memory location is encrypted and stored in second bits of the encoded pointer. The method further includes decoding the encoded pointer to obtain the memory address of the memory location, using the memory address obtained by decoding the encoded pointer to access encrypted data at the memory location, and decrypting the encrypted data based on a first key and a first tweak value. The first tweak value includes one or more bits derived, at least in part, from the encoded pointer.

Abstract: Techniques for cryptographic computing isolation are described. A processor includes circuitry to be coupled to memory configured to store one or more instructions. The circuitry is to execute the one or more instructions to instantiate a first process based on an application. To instantiate the first process is to include creating a context table to be used by the first process, identifying a software component to be invoked during the first process, encrypting the software component using a first cryptographic key, and creating a first entry in the context table. The first entry is to include first context information identifying the encrypted software component and second context information representing the first cryptographic key. In more specific embodiments, third context information representing a first load address of the encrypted software component is stored in the first entry of the context table.

Abstract: Techniques for instruction prefix encoding for cryptographic computing capability data types are described. In an embodiment, an apparatus includes an instruction decoder to decode a first instruction including a first prefix; and cryptography circuitry to perform a cryptographic operation on data, the cryptographic operation to be based at least in part on the first prefix and a relative enumeration in a pointer to the data.

Abstract: Technologies disclosed herein provide cryptographic computing with cryptographically encoded pointers in multi-tenant environments. An example method comprises executing, by a trusted runtime, first instructions to generate a first address key for a private memory region in the memory and generate a first cryptographically encoded pointer to the private memory region in the memory. Generating the first cryptographically encoded pointer includes storing first context information associated with the private memory region in first bits of the first cryptographically encoded pointer and performing a cryptographic algorithm on a slice of a first linear address of the private memory region based, at least in part, on the first address key and a first tweak, the first tweak including the first context information. The method further includes permitting a first tenant in the multi-tenant environment to access the first address key and the first cryptographically encoded pointer to the private memory region.

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.