Abstract: Systems and techniques are provided for identity impersonation in access control systems. For example, a process for identity impersonation in access control systems can include: receiving, at a hardware identity impersonator from a first access domain, a request to make a target region accessible to a second access domain; updating a second access domain identity data structure to include an entry corresponding to the first access domain, the entry comprising an address of the target region and a first access domain identifier; receiving, at the hardware identity impersonator from the second access domain, an access request to access the target region, wherein the access request comprises an address and a second access domain identifier of the second access domain; and transmitting, at the hardware identity impersonator based on the access request, the address and the first access domain identifier to a memory management unit (MMU) of an access control system.

Abstract: Resource access control in a system-on-chip (“SoC”) may employ an agent executing on a processor of the SoC and a trust management engine of the SoC. The agent, such as, for example, a high-level operating system or a hypervisor, may be configured to allocate a resource comprising a memory region to an access domain and to load a software image associated with the access domain into the memory region. The trust management engine may be configured to lock the resource against access by any entity other than the access domain, to authenticate the software image associated with the access domain, and to initiate booting of the access domain in response to a successful authentication of the software image associated with the access domain.

Abstract: Resource access control in a system-on-chip (“SoC”) may employ an agent executing on a processor of the SoC and a trust management engine of the SoC. The agent, such as, for example, a high-level operating system or a hypervisor, may be configured to allocate a resource comprising a memory region to an access domain and to load a software image associated with the access domain into the memory region. The trust management engine may be configured to lock the resource against access by any entity other than the access domain, to authenticate the software image associated with the access domain, and to initiate booting of the access domain in response to a successful authentication of the software image associated with the access domain.

Abstract: A method for external access control to protect system-on-chip (SoC) subsystems and stored subsystem assets is described. The method includes sensing, during a cold boot of an SoC hardware system, a debug fuse vector for access to SoC subsystems of an SoC owner and/or third-party subsystems of an SoC hardware architecture. The method also includes disabling access to each SoC subsystem with a blown fuse in the debug fuse vector. The method further includes re-enabling, by a secure root of trust, access to an SoC subsystem and/or a third-party subsystem for an external debugger when authentication of one or more debug certificates of a third-party owner of the external debugger is successful.

Abstract: Systems, methods, and computer programs are disclosed for optimizing headless virtual memory management in a system on chip (SoC) with global translation lookaside buffer shootdown. The SoC comprises an application processor configured to execute a headful virtual machine and one or more SoC processing devices configured to execute a corresponding headless virtual machine. The method comprises issuing a virtual machine mapping command with a headless virtual machine having a first virtual machine identifier. In response to the virtual machine mapping command, a current value stored in a hardware register in the application processor is saved. The first virtual machine identifier associated with the headless virtual machine is loaded into the hardware register. A translation lookaside buffer (TLB) invalidate command is issued while the first virtual machine identifier is loaded in the hardware register.

Abstract: In an aspect, an apparatus that includes a first security domain and at least a second security domain obtains, at a virtual machine of the first security domain, a stream identifier associated with the second security domain. The apparatus generates, at the virtual machine of the first security domain, a command to map the stream identifier associated with the second security domain to a first address translation context. The apparatus maps, at a hypervisor device, the first address translation context to a second address translation context that is associated with the second security domain of the stream identifier. The apparatus processes a stream of memory access transactions that includes the stream identifier based on at least the first address translation context or the second address translation context.

Abstract: Systems, methods, and computer programs are disclosed for optimizing headless virtual memory management in a system on chip (SoC) with global translation lookaside buffer shootdown. The SoC comprises an application processor configured to execute a headful virtual machine and one or more SoC processing devices configured to execute a corresponding headless virtual machine. The method comprises issuing a virtual machine mapping command with a headless virtual machine having a first virtual machine identifier. In response to the virtual machine mapping command, a current value stored in a hardware register in the application processor is saved. The first virtual machine identifier associated with the headless virtual machine is loaded into the hardware register. A translation lookaside buffer (TLB) invalidate command is issued while the first virtual machine identifier is loaded in the hardware register.

Abstract: Providing hardware-based translation lookaside buffer (TLB) conflict resolution in processor-based systems is disclosed. In this regard, in one aspect, a memory system provides a memory management unit (MMU) and multiple hierarchical page tables, each comprising multiple page table entries comprising corresponding translation preference indicators. The memory system further includes a TLB comprising multiple TLB entries each configured to cache a page table entry. The MMU determines whether a TLB conflict exists between a first TLB entry caching a first page table entry comprising a translation preference indicator that is set and a second TLB entry caching a second page table entry comprising a translation preference indicator that is not set. If so, the MMU selects the first TLB entry for use in a virtual-to-physical address translation operation, based on the translation preference indicator of the first page table entry cached by the first TLB entry being set.

Abstract: Various aspects include computing device methods for managed virtual machine memory access. Various aspects may include receiving a memory access request from a managed virtual machine having a virtual address, retrieving a first physical address for a stage 2 page table for a managing virtual machine, in which the stage 2 page table is stored in a physical memory space allocated to a hypervisor, retrieving a second physical address from an entry of the stage 2 page table for a stage 1 page table for a process executed by the managed virtual machine, in which the second physical address is for a physical memory space allocated to the managing virtual machine and the stage 1 page table is stored in that physical memory space, and retrieving a first intermediate physical address from an entry of the stage 1 page table for a translation of the virtual address.

Abstract: One feature pertains to an apparatus that includes a memory circuit, a system memory-management unit (SMMU), and a processing circuit. The memory circuit stores an executable program associated with a client. The SMMU enforces memory access control policies for the memory circuit, and includes a plurality of micro-translation lookaside buffers (micro-TLBs), macro-TLB, and a page walker circuit. The plurality of micro-TLBs include a first micro-TLB that enforces memory access control policies for the client. The processing circuit loads memory address translations associated with the executable program into the first micro-TLB, and initiates isolation mode for the first micro-TLB causing communications between the first micro-TLB and the macro-TLB and between the first micro-TLB and the page walker circuit to be severed. The first micro-TLB continues to enforce memory access control policies for the client while in isolation mode.

Abstract: Providing hardware-based translation lookaside buffer (TLB) conflict resolution in processor-based systems is disclosed. In this regard, in one aspect, a memory system provides a memory management unit (MMU) and multiple hierarchical page tables, each comprising multiple page table entries comprising corresponding translation preference indicators. The memory system further includes a TLB comprising multiple TLB entries each configured to cache a page table entry. The MMU determines whether a TLB conflict exists between a first TLB entry caching a first page table entry comprising a translation preference indicator that is set and a second TLB entry caching a second page table entry comprising a translation preference indicator that is not set. If so, the MMU selects the first TLB entry for use in a virtual-to-physical address translation operation, based on the translation preference indicator of the first page table entry cached by the first TLB entry being set.

Abstract: In an aspect, an apparatus that includes a first security domain and at least a second security domain obtains, at a virtual machine of the first security domain, a stream identifier associated with the second security domain. The apparatus generates, at the virtual machine of the first security domain, a command to map the stream identifier associated with the second security domain to a first address translation context. The apparatus maps, at a hypervisor device, the first address translation context to a second address translation context that is associated with the second security domain of the stream identifier. The apparatus processes a stream of memory access transactions that includes the stream identifier based on at least the first address translation context or the second address translation context.

Abstract: Aspects include apparatuses and methods for secure, fast and normal virtual interrupt direct assignment managing secure and non-secure, virtual and physical interrupts by processor having a plurality of execution environments, including a trusted (secure) and a non-secure execution environment. An interrupt controller may identify a security group value for an interrupt and direct secure interrupts to the trusted execution environment. The interrupt controller may identify a direct assignment value for the non-secure interrupts indicating whether the non-secure interrupt is owned by a high level operating system (HLOS) Guest or a virtual machine manager (VMM), and whether it is a fast or a normal virtual interrupt. The interrupt controller may direct the HLOS Guest owned interrupt to the HLOS Guest while bypassing the VMM. When the HLOS Guest in unavailable, the interrupt may be directed to the VMM to attempt to pass the interrupt to the HLOS Guest until successful.

Abstract: Disclosed is a method for inheriting a non-secure thread context. In the method, a first secure monitor call associated with a first non-secure thread of a non-secure environment of a processing system is received. A first secure thread is created, in response to the first secure monitor call, that inherits a first interrupt state of the first non-secure thread.

Abstract: Aspects include apparatuses and methods for secure, fast and normal virtual interrupt direct assignment managing secure and non-secure, virtual and physical interrupts by processor having a plurality of execution environments, including a trusted (secure) and a non-secure execution environment. An interrupt controller may identify a security group value for an interrupt and direct secure interrupts to the trusted execution environment. The interrupt controller may identify a direct assignment value for the non-secure interrupts indicating whether the non-secure interrupt is owned by a high level operating system (HLOS) Guest or a virtual machine manager (VMM), and whether it is a fast or a normal virtual interrupt. The interrupt controller may direct the HLOS Guest owned interrupt to the HLOS Guest while bypassing the VMM. When the HLOS Guest in unavailable, the interrupt may be directed to the VMM to attempt to pass the interrupt to the HLOS Guest until successful.

Abstract: Disclosed is a method for inheriting a non-secure thread context. In the method, a first secure monitor call associated with a first non-secure thread of a non-secure environment of a processing system is received. A first secure thread is created, in response to the first secure monitor call, that inherits a first interrupt state of the first non-secure thread.