Abstract: A processor executive (PE) handles an operating system executive (OSE) in a secure environment. The secure environment has a fused key (FK) and is associated with an isolated memory area in the platform. The OSE manages a subset of an operating system (OS) running on the platform. The platform has a processor operating in one of a normal execution mode and an isolated execution mode. The isolated memory area is accessible to the processor in the isolated execution mode. A PE supplement supplements the PE with a PE manifest representing the PE and a PE identifier to identify the PE. A PE handler handles the PE using the FK and the PE supplement.

Abstract: A processor executive (PE) handles an operating system executive (OSE) in a secure environment. The secure environment has a platform key (PK) and is associated with an isolated memory area in the platform. The OSE manages a subset of an operating system (OS) running on the platform. The platform has a processor operating in one of a normal execution mode and an isolated execution mode. The isolated memory area is accessible to the processor in the isolated execution mode. A PE supplement supplements the PE with a PE manifest representing the PE and a PE identifier to identify the PE. A PE handler handles the PE using the PK and the PE supplement.

Abstract: An example processing system comprises a processor to execute in an isolated execution mode in a ring 0 operating mode. The processor also supports one or more higher ring operating modes, as well as a normal execution mode. The processing system also comprises memory, as well as a machine-accessible medium having instructions. When the processing system executes the instructions, the processing system configures the processor to run in the isolated execution mode, configures the processing system to establish an isolated memory area in the memory, and loads initialization software into the isolated memory area. The processing system may provide a manifest that represents the initialization software. The initialization software may be verified, based at least in part on the manifest.

Abstract: The present invention provides a method, apparatus, and system for controlling memory accesses to multiple memory zones in an isolated execution environment. A processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that stores configuration settings. The configuration settings include a plurality of subsystem memory range settings defining memory zones. The access transaction also includes access information. A multi-memory zone access checking circuit, coupled to the configuration storage, checks the access transaction using at least one of the configuration settings and the access information. The multi-memory zone access checking circuit generates an access grant signal if the access transaction is valid.

Abstract: An access transaction generated by a processor is configured using a configuration storage containing a configuration setting. The processor has a normal execution mode and an isolated execution mode. The access transaction has access information. Access to the configuration storage is controlled. An access grant signal is generated using the configuration setting and the access information. The access grant signal indicates if the access transaction is valid.

Abstract: A method, apparatus, and system for invoking a reset process in response to a logical processor being individually reset is disclosed. When a last logical processor operating within a platform in an isolated execution mode and associated with an isolated area of memory is reset, it is reset without clearing a cleanup flag. Subsequently, an initializing physical processor invokes an initialization process that determines that the cleanup flag is set. The initialization process invokes the execution of a processor nub loader, and if the cleanup flag is set, the processor nub loader scrubs the isolated area of memory and invokes a controlled close for the initializing physical processor which clears the cleanup flag. The initializing physical processor then re-performs the initialization process. Upon the second iteration of the initialization process, with the cleanup flag not set, a new clean isolated area of memory is created for the initializing physical processor.

Abstract: The present invention is a method, apparatus, and system to generate a key hierarchy for use in an isolated execution environment of a protected platform. In order to bind secrets to particular code operating in isolated execution, a key hierarchy comprising a series of symmetric keys for a standard symmetric cipher is utilized. The protected platform includes a processor that is configured in one of a normal execution mode and an isolated execution mode. A key storage stores an initial key that is unique for the platform. A cipher key creator located in the protected platform creates the hierarchy of keys based upon the initial key. The cipher key creator creates a series of symmetric cipher keys to protect the secrets of loaded software code.

Abstract: The present invention provides a method, apparatus, and system for invoking a reset process in response to a processor being individually reset. The reset processor operates within a platform in an isolated execution mode and is associated with an isolated area of memory. An initialization process is invoked for an initializing processor. The initialization process determines whether or not a cleanup flag is set. If the cleanup flag is set, the isolated area of memory is scrubbed. In one embodiment, when a last processor operating in the platform is reset, it is reset without clearing the cleanup flag. Subsequently, an initializing processor invokes the initialization process. The initialization process determines that the cleanup flag is set. The initialization process invokes the execution of a processor nub loader. If the cleanup flag is set, the processor nub loader scrubs the isolated area of memory and invokes a controlled close for the initializing processor.

Abstract: The present invention provides a method, apparatus, and system for controlling memory accesses to multiple memory zones in an isolated execution environment. A processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that stores configuration settings. The configuration settings include a plurality of subsystem memory range settings defining memory zones. The access transaction also includes access information. A multi-memory zone access checking circuit, coupled to the configuration storage, checks the access transaction using at least one of the configuration settings and the access information. The multi-memory zone access checking circuit generates an access grant signal if the access transaction is valid.

Abstract: The present invention provides a method, apparatus, and system for controlling memory accesses to multiple isolated memory areas in an isolated execution environment. A page manager is used to distribute a plurality of pages to a plurality of different areas of a memory, respectively. The memory is divided into non-isolated areas and isolated areas. The page manager is located in an isolated area of memory. Further, a memory ownership page table describes each page of memory and is also located in an isolated area of memory. The page manager assigns an isolated attribute to a page if the page is distributed to an isolated area of memory. On the other hand, the page manager assigns a non-isolated attribute to a page if the page is distributed to a non-isolated area of memory. The memory ownership page table records the attribute for each page. In one embodiment, a processor having a normal execution mode and an isolated execution mode generates an access transaction.

Abstract: A processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that stores configuration settings. The configuration settings include a plurality of subsystem memory range settings defining memory zones. The access transaction also includes access information. A multi-memory zone access checking circuit, coupled to the configuration storage, checks the access transaction using at least one of the configuration settings and the access information. The multi-memory zone access checking circuit generates an access grant signal if the access transaction is valid.

Abstract: A floating-point unit of a computer includes a floating-point computation unit, floating-point registers and a floating-point status register. The floating-point status register may include a main status field and one or more alternate status fields. Each of the status fields contains flag and control information. Different floating-point operations may be associated with different status fields. Subfields of the floating-point status register may be updated dynamically during operation. The control bits of the alternate status fields may include a trap disable bit for deferring interruptions during speculative execution. A widest range exponent control bit in the status fields may be used to prevent interruptions when the exponent of an intermediate result is within the range of the register format but exceeds the range of the memory format. The floating-point data may be stored in big endian or little endian format.

Abstract: A technique is provided to execute isolated instructions according to an embodiment of the present invention. An execution unit executes an isolated instruction in a processor operating in a platform. The processor is configured in one of a normal execution mode and an isolated execution mode. A parameter storage containing at least one parameter to support execution of the isolated instruction when the processor is configured in the isolated execution mode.

Abstract: A method and apparatus for performing complex arithmetic is disclosed. In one embodiment, a method comprises decoding a single instruction, and in response to decoding the single instruction, moving a first operand occupying lower order bits of a first storage area to higher order bits of a result, moving a second operand occupying higher order bits of a second storage area to lower order bits of the result, and negating one of the first and second operands of the result.

Abstract: A computer program product and method for multiplying a sparse matrix by a vector are disclosed. The computer program product includes a computer readable medium for storing instructions, which, when executed by a computer, cause the computer to efficiently multiply a sparse matrix by a vector, and produce a resulting vector. The computer is made to create a first array containing the non-zero elements of the sparse matrix, and a second array containing the end_of_row position of the last non-zero element in each row of the sparse matrix. A variable is initialized, and then, for each row of the second array, the computer is made to do one of two things. Either, it equates the variable to the sum of the variable and the product of a particular element of the first array and a particular element of the vector. Or, it equates a particular element of the resulting vector to the variable, and then equates the variable to a particular value.

Abstract: A file is sent to a remote signing authority via a network. The signing authority checks the file and provides a signature indicating file integrity of the file. The signature returned from the signing authority via the network is verified.

Abstract: A signature key is generated in a secure platform. The secure platform has a processor configured in one of a normal execution mode and an isolated execution mode. A file checker is loaded into an isolated memory area accessible to the processor in the isolated execution mode. In isolated execution mode, a file checker performs a scan operation on the original file and produces a result. A signature associated with the scanned file is generated based on the result and using the signature key. The signature indicates file integrity.

Abstract: A method and apparatus to handle exceptions. The method receives and prioritizes exceptions resulting from executing an instruction on different elements of an operand. The exceptions are reported to an interrupt service register which communicates the exceptions to an exception handler to effectively process the exceptions.

Abstract: A floating-point unit of a computer includes a floating-point computation unit, floating-point registers and a floating-point status register. The floating-point status register may include a main status field and one or more alternate status fields. Each of the status fields contains flag and control information. Different floating-point operations may be associated with different status fields. Subfields of the floating-point status register may be updated dynamically during operation. The control bits of the alternate status fields may include a trap disable bit for deferring interruptions during speculative execution. A widest range exponent control bit in the status fields may be used to prevent interruptions when the exponent of an intermediate result is within the range of the register format but exceeds the range of the memory format. The floating-point data may be stored in big endian or little endian format.

Abstract: A method and apparatus for performing complex arithmetic is disclosed. In one embodiment, a method comprises decoding a single instruction, and in response to decoding the single instruction, moving a first operand occupying lower order bits of a first storage area to higher order bits of a result, moving a second operand occupying higher order bits of a second storage area to lower order bits of the result, and negating one of the first and second operands of the result.