Abstract: A processor includes a processing core to identify a code comprising a plurality of instructions to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address of the first virtual memory page and a second address of the first physical memory page, store, in the cache memory, the address translation data structure comprising the first address mapping, and execute the code by retrieving the first address mapping in the address translation data structures to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address of

Abstract: Detailed herein are systems, apparatuses, and methods for a computer architecture with instruction set support to mitigate against page fault- and/or cache-based side-channel attacks. In an embodiment, an apparatus includes a decoder to decode a first instruction, the first instruction having a first field for a first opcode that indicates that execution circuitry is to set a first flag in a first register that indicates a mode of operation that redirects program flow to an exception handler upon the occurrence of an event. The apparatus further includes execution circuitry to execute the decoded first instruction to set the first flag in the first register that indicates the mode of operation and to store an address of an exception handler in a second register.

Abstract: Preemptive scheduling enclaves as disclosed herein support both cooperative and preemptive scheduling of in-enclave (IE) thread execution. These preemptive scheduling enclaves may include a scheduler configured to be executed as part of normal hardware interrupt processing by enclave threads. The scheduler identifies an IE thread to be scheduled and modifies enclave data structures so that when the enclave thread resumes processing after a hardware interrupt, the identified IE thread is executed, rather than the interrupted IE thread.

Abstract: Detailed herein are systems, apparatuses, and methods for a computer architecture with instruction set support to mitigate against page fault and/or cache-based side-channel attacks. In an embodiment, a processor includes a decoder to decode an instruction into a decoded instruction, the instruction comprising a first field that indicates an instruction pointer to a user-level event handler; and an execution unit to execute the decoded instruction to, after a swap of an instruction pointer that indicates where an event occurred from a current instruction pointer register into a user-level event handler pointer register, push the instruction pointer that indicates where the event occurred onto call stack storage, and change a current instruction pointer in the current instruction pointer register to the instruction pointer to the user-level event handler.

Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.

Abstract: Methods and apparatus for extending packet processing to trusted programmable and fixed-function accelerators. Secure enclaves are created in system memory of a compute platform, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The compute platform further includes one or more hardware-based accelerators that are used by the software to offload packet processing operations. The accelerators are configured to read packet data from input queues, process the data, and output processed data to output queues, wherein the input and output queues are located in encrypted portions of memory that may be in a secure enclave or external to the secure enclaves.

Abstract: Methods, apparatus, systems and articles of manufacture to determine provenance for data supply chains are disclosed. Example instructions cause a machine to at least, in response to data being generated, generate a local data object and object metadata corresponding to the data; hash the local data object; generate a hash of a label of the local data object; generate a hierarchical data structure for the data including the hash of the local data object and the hash of the label of the local data object; generate a data supply chain object including the hierarchical data structure; and transmit the data and the data supply chain object to a device that requested access to the data.

Abstract: Various approaches for memory encryption management within an edge computing system are described. In an edge computing system deployment, a computing device includes capabilities to store and manage encrypted data in memory, through processing circuitry configured to: allocate memory encryption keys according to a data isolation policy for a microservice domain, with respective keys used for encryption of respective sets of data within the memory (e.g., among different tenants or tenant groups); and, share data associated with a first microservice to a second microservice of the domain. Such sharing may be based on the communication of an encryption key, used to encrypt the data in memory, from a proxy (such as a sidecar) associated with the first microservice to a proxy associated with the second microservice; and maintaining the encrypted data within the memory, for use with the second microservice, as accessible with the communicated encryption key.

Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.

Abstract: Translation lookaside buffer (TLB) tracking and managing technologies are described. A processing device comprises a translation lookaside buffer (TLB) and a processing core to execute a virtual machine monitor (VMM), the VMM to manage a virtual machine (VM) including virtual processors. The processing core to execute, via the VM, a plurality of conversion instructions on at least one of the virtual processors to convert a plurality of non-secure pages to a plurality of secure pages. The processing core also to execute, via the VM, one or more allocation instructions on the at least one of the virtual processors to allocate at least one secure page of the plurality of secure pages, execution of the one or more allocation instructions to include determining whether the TLB is cleared of mappings to the at least one secure page prior to allocating the at least one secure page.

Abstract: Instructions and logic support suspending and resuming migration of enclaves in a secure enclave page cache (EPC). An EPC stores a secure domain control structure (SDCS) in storage accessible by an enclave for a management process, and by a domain of enclaves. A second processor checks if a corresponding version array (VA) page is bound to the SDCS, and if so: increments a version counter in the SDCS for the page, performs an authenticated encryption of the page from the EPC using the version counter in the SDCS, and writes the encrypted page to external memory. A second processor checks if a corresponding VA page is bound to a second SDCS of the second processor, and if so: performs an authenticated decryption of the page using a version counter in the second SDCS, and loads the decrypted page to the EPC in the second processor if authentication passes.

Abstract: Methods and apparatus for implemented trusted packet processing for multi-domain separatization and security. Secure enclaves are created in system memory of a compute platform configured to support a virtualized execution environment including a plurality of virtual machines (VMs) or containers, each secure enclave occupying a respective protected portion of the system memory, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The software in the secure enclaves is then executed to perform the packet processing operations.

Abstract: Detailed herein are systems, apparatuses, and methods for a computer architecture with instruction set support to mitigate against page fault- and/or cache-based side-channel attacks. In an embodiment, an apparatus includes a decoder to decode a first instruction, the first instruction having a first field for a first opcode that indicates that execution circuitry is to set a first flag in a first register that indicates a mode of operation that redirects program flow to an exception handler upon the occurrence of an event. The apparatus further includes execution circuitry to execute the decoded first instruction to set the first flag in the first register that indicates the mode of operation and to store an address of an exception handler in a second register.

Abstract: Preemptive scheduling enclaves as disclosed herein support both cooperative and preemptive scheduling of in-enclave (IE) thread execution. These preemptive scheduling enclaves may include a scheduler configured to be executed as part of normal hardware interrupt processing by enclave threads. The scheduler identifies an IE thread to be scheduled and modifies enclave data structures so that when the enclave thread resumes processing after a hardware interrupt, the identified IE thread is executed, rather than the interrupted IE thread.

Abstract: A method performed by a processor of an aspect includes accessing an encrypted copy of a protected container page stored in a regular memory. A determination is made whether the protected container page was live stored out, while able to remain useable in, protected container memory. The method also includes either performing a given security check, before determining to store the protected container page to a destination page in a first protected container memory, if it was determined that the protected container page was live stored out, or not performing the given security check, if it was determined that the protected container page was not live stored out. Other methods, as well as processors, computer systems, and machine-readable medium providing instructions are also disclosed.

Abstract: A processor includes a processing core to identify a code comprising a plurality of instructions to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address of the first virtual memory page and a second address of the first physical memory page, store, in the cache memory, the address translation data structure comprising the first address mapping, and execute the code by retrieving the first address mapping in the address translation data structures to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address of

Abstract: A method performed by a processor of an aspect includes accessing an encrypted copy of a protected container page stored in a regular memory. A determination is made whether the protected container page was live stored out, while able to remain useable in, protected container memory. The method also includes either performing a given security check, before determining to store the protected container page to a destination page in a first protected container memory, if it was determined that the protected container page was live stored out, or not performing the given security check, if it was determined that the protected container page was not live stored out. Other methods, as well as processors, computer systems, and machine-readable medium providing instructions are also disclosed.

Abstract: A secure migration enclave is provided to identify a launch of a particular virtual machine on a host computing system, where the particular virtual machine is launched to include a secure quoting enclave to perform an attestation of one or more aspects of the virtual machine. A root key for the particular virtual machine is generated using the secure migration enclave hosted on the host computing system for use in association with provisioning the secure quoting enclave with an attestation key to be used in the attestation. The migration enclave registers the root key with a virtual machine registration service.

Abstract: A processor of an aspect includes a decode unit to decode an instruction. The instruction to indicate a first structure in a protected container memory and to indicate a second structure in the protected container memory. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the instruction, is to determine whether a status indicator is configured to allow at least one key to be exchanged between the first and second structures, and is to exchange the at least one key between the first and second structures when the status indicator is configured to allow the at least one key to be exchanged between the first and second structures.

Abstract: In a method for protecting extra-enclave communications, a data processing system allocates a portion of random access memory (RAM) to a server application that is to execute at a low privilege level, and the data processing system creates an enclave comprising the portion of RAM allocated to the server application. The enclave protects the RAM in the enclave from access by software that executes at a high privilege level. The server application obtains a platform attestation report (PAR) for the enclave from the processor. The PAR includes attestation data from the processor attesting to integrity of the enclave. The server application also generates a public key certificate for the server application. The public key certificate comprises the attestation data. The server application utilizes the public key certificate to establish a transport layer security (TLS) communication channel with a client application outside of the enclave. Other embodiments are described and claimed.