Abstract: In one embodiment, an apparatus comprises a cache to store a plurality of instructions and data associated with a trusted execution environment; instruction processing circuitry to execute the plurality of instructions and process the data, the plurality of instructions including one or more instructions with memory operands, wherein responsive to an interrupt or an exception, the instruction processing circuitry is to pause processing the plurality of instructions and execute a handler; and decode circuitry to partially decode a next instruction of the plurality of instructions to be processed following execution of the handler to determine if the next instruction indicates a memory access and, if so, to calculate at least one corresponding memory address, wherein the partial decode is performed in accordance with one or more constant time programming restrictions.

Abstract: An apparatus and method for securely reserving resources for trusted execution.

Abstract: In one embodiment, an apparatus comprises a processing circuitry to detect an occurrence of at least one of a single-stepping event or a zero-stepping event in an execution thread on an architecturally protected enclave and in response to the occurrence, implement at least one mitigation process to inhibit further occurrences of the at least one of a single-stepping event or a zero-stepping event in the architecturally protected enclave.

Abstract: Systems, apparatus, methods, and articles of manufacture to validate the accuracy of artificial intelligence models are disclosed. An example apparatus includes machine-readable instructions; and at least one processor circuit to be programmed by the machine-readable instructions to: compute accuracy statistics of an artificial intelligence model using software applied by a trusted third party and an input data set; determine a signed artifact based on (1) the accuracy statistics indicative of the accuracy of the artificial intelligence model, (2) the software applied by the trusted third party, and (3) the input data set; and communicate the signed artifact to a user of the artificial intelligence model.

Abstract: Systems, apparatuses and methods provide for technology that determines that first data associated with a first security domain is to be stored in a first permutated cache set, where the first permuted cache set is identified based on a permutation function that permutes at least one of a plurality of first cache indexes. The technology further determines that second data associated with a second security domain is to be stored in a second permutated cache set, where the second permuted cache set is identified based on the permutation function. The second permutated cache set may intersect the first permutated cache set at one data cache line to cause an eviction of first data associated with the first security domain from the one data cache line and bypass eviction of data associated with the first security domain from at least one other data cache line of the first permuted cache set.

Abstract: Techniques and mechanisms for a processor core to execute an instruction for a hardware (HW) thread to have access to a trusted execution environment (TEE). In an embodiment, execution of the instruction includes determining whether any sibling HW thread, which is currently active, is also currently approved to access the TEE. TEE access by the HW thread is conditioned upon a requirement that any sibling HW thread is either currently inactive, is currently in the same TEE, or is currently approved to enter the TEE. In another embodiment, execution of another instruction, for the HW thread to exit the TEE, includes or otherwise results in system software being conditionally notified of an opportunity to wake up one or more sibling HW threads.

Abstract: The technology includes allocating an object in a memory and setting an ownership identifier (ID) in the allocated object, the allocated object being associated with a first variable in a program and setting a matching ownership ID in a pointer to the allocated object. When the allocated object is accessed during execution of the program by a processor, an exception is generated when the ownership ID in the allocated object does not match the ownership ID in the pointer, and execution of the program is continued when the ownership ID in the allocated object does match the ownership ID in the pointer.

Abstract: Techniques and mechanisms for a victim cache to operate in conjunction with a skewed cache to help mitigate the risk of a side-channel attack. In an embodiment, a first line is evicted from a skewed cache, and moved to a victim cache, based on a message indicating that a second line is to be stored to the skewed cache. Subsequently, a request to access the first line results in a search of both the victim cache and sets of the skewed cache which have been mapped to an address corresponding to the first line. Based on the search, the first line is evicted from the victim cache, and reinserted in the skewed cache. In another embodiment, reinsertion of the first line in the skewed cache includes the first line and a third line being swapped between the skewed cache and the victim cache.

Abstract: Techniques for improving exception-based invocation of instrumentation handler programs include executing, by a processor, an interrupt instruction of an instrumented program, the interrupt instruction having an interrupt number; searching for the interrupt number in an interrupt table; and in response to the interrupt number being found in the interrupt table, saving an address of a next instruction of the instrumented program after the interrupt instruction as a return address, determining a destination address, in an interrupt destination table, of a beginning of an instrumentation handler program associated with the interrupt number and transferring control of the instrumented program to the instrumentation handler program at the destination address.

Abstract: Techniques for an instruction for a Runtime Call operation are described. An example apparatus comprises decoder circuitry to decode a single instruction, the single instruction to include a field for an identifier of an opcode, the opcode to indicate execution circuitry is to execute a no operation when a runtime call destination equals a predetermined value; and execute an indirect call with the runtime call destination as a destination address when the runtime call destination does not equal the predetermined value. Other examples are described and claimed.

Abstract: Detailed herein are examples of determining when to allow access to a trusted execution environment (TEE). For example, using TEE logic associated with software to at least in part: determine that a TEE feature is supported based at least on a value of a bit position in a data structure; and not allow a TEE entry instruction to access to a TEE when the bit position of the data structure is reserved.

Abstract: Techniques and mechanisms for a victim cache to operate in conjunction with another cache to help mitigate the risk of a side-channel attack. In an embodiment, a first line is evicted from a primary cache, and moved to a victim cache, based on a message indicating that a second line is to be stored to the primary cache. The victim cache is accessed using an independently randomized mapping. Subsequently, a request to access the first line results in a search of the victim cache and the primary cache. Based on the search, the first line is evicted from the victim cache, and reinserted in the primary cache. In another embodiment, reinsertion of the first line in the primary cache includes the first line and a third line being swapped between the primary cache and the victim cache.

Abstract: Systems, methods, and apparatuses relating efficient exception handling in trusted execution environments are described. In an embodiment, a hardware processor includes a register, a decoder, and execution circuitry. The register has a field to be set to enable an architecturally protected execution environment at one of a plurality of contexts for code in an architecturally protected enclave in memory. The decoder is to decode an instruction having a format including a field for an opcode, the opcode to indicate that the execution circuitry is to perform a context change. The execution circuitry is to perform one or more operations corresponding to the instruction, the one or more operations including changing, within the architecturally protected enclave, from a first context to a second context.

Abstract: Techniques for ratchet pointers in computing hardware are described. The technology includes a memory to store an object referenced by a ratchet pointer, and a processor to provide access to a slice of the object by decrypting a base address and a limit of the ratchet pointer, generating a cryptographic address in an encrypted format bound to an identity of the object and not the slice; and performing effective address generation for the cryptographic address based at least in part on the base address and the limit.

Abstract: Embodiments for dynamically mitigating speculation vulnerabilities are disclosed. In an embodiment, an apparatus includes decode circuitry and execution circuitry coupled to the decode circuitry. The decode circuitry is to decode a single instruction to mitigate vulnerability to a speculative execution attack. The execution circuitry is to be hardened in response to the single instruction.

Abstract: Embodiments for dynamically mitigating speculation vulnerabilities are disclosed. In an embodiment, an apparatus includes decode circuitry and execution circuitry coupled to the decode circuitry. The decode circuitry is to decode a register hardening instruction to mitigate vulnerability to a speculative execution attack. The execution circuitry is to be hardened in response to the register hardening instruction.

Abstract: Embodiments for dynamically mitigating speculation vulnerabilities are disclosed. In an embodiment, an apparatus includes a hybrid key generator and memory protection hardware. The hybrid key generator is to generate a hybrid key based on a public key and multiple process identifiers. Each of the process identifiers corresponds to one or more memory spaces in a memory. The memory protection hardware is to use the first hybrid key to protect to the memory spaces.

Abstract: Techniques for borrow checking in hardware are described. The technology includes allocating an object in a memory and setting an ownership identifier (ID) in the allocated object, the allocated object being associated with a first variable in a program and setting a matching ownership ID in a pointer to the allocated object. When the allocated object is accessed during execution of the program by a processor, an exception is generated when the ownership ID in the allocated object does not match the ownership ID in the pointer, and execution of the program is continued when the ownership ID in the allocated object does match the ownership ID in the pointer.

Abstract: Embodiments for dynamically mitigating speculation vulnerabilities are disclosed. In an embodiment, an apparatus includes a decode circuitry and store circuitry coupled to the decode circuitry. The decode circuitry is to decode a store hardening instruction to mitigate vulnerability to a speculative execution attack. The store circuitry is to be hardened in response to the store hardening instruction.

Abstract: Embodiments for dynamically mitigating speculation vulnerabilities are disclosed. In an embodiment, an apparatus includes decode circuitry and branch circuitry coupled to the decode circuitry. The decode circuitry is to decode a branch hardening instruction to mitigate vulnerability to a speculative execution attack. The branch circuitry is to be hardened in response to the branch hardening instruction.