Patents by Inventor Sergiu Ghetie

Sergiu Ghetie has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12265613
    Abstract: Aspects of the present disclosure involve systems, methods, apparatus, and computer-readable media for mitigating laser-based fault injection attacks against one or more processing devices. Techniques may include generating a corresponding representation of at least one of data or a component of a processing device, locating the corresponding representation on a die of the processing device adjacent to a location on the die of at least one of the data or the component, and executing, based on a determination that the corresponding representation is different than at least one of the data or the component of the processing device, a mitigation procedure. One example may include hashing, using a secure hashing function, security data to generate integrity data corresponding to the security data and storing the security data and the integrity data in adjacent memory locations in a memory device.
    Type: Grant
    Filed: May 26, 2022
    Date of Patent: April 1, 2025
    Assignee: SDG Logic Inc.
    Inventor: Sergiu Ghetie
  • Patent number: 12244732
    Abstract: Systems, apparatuses, methods, and computer-readable media for implementing confidential computing of one or more computing systems and/or devices using component authentication and data encryption with integrity and anti-replay mechanisms are disclosed. In some examples, the systems, apparatuses, methods, and computer-readable media described herein can perform various techniques, including one or more secure boot processes, component and data authentication, and data encryption with integrity and anti-replay, among other secure techniques. One implementation may include executing a secure boot process based on authentication of a device identifier stored in a secure physical object of a processing device. Another implementation may include encrypting and storing a counter value corresponding to a cache line and generating an integrity tag value, replacing error correction code bits associated with the cache line with the generated cache line tag value.
    Type: Grant
    Filed: July 2, 2021
    Date of Patent: March 4, 2025
    Assignee: SDG Logic Inc.
    Inventor: Sergiu Ghetie
  • Patent number: 12236243
    Abstract: Methods and apparatuses relating to mitigations for speculative execution side channels are described. Speculative execution hardware and environments that utilize the mitigations are also described. For example, three indirect branch control mechanisms and their associated hardware are discussed herein: (i) indirect branch restricted speculation (IBRS) to restrict speculation of indirect branches, (ii) single thread indirect branch predictors (STIBP) to prevent indirect branch predictions from being controlled by a sibling thread, and (iii) indirect branch predictor barrier (IBPB) to prevent indirect branch predictions after the barrier from being controlled by software executed before the barrier.
    Type: Grant
    Filed: April 24, 2023
    Date of Patent: February 25, 2025
    Assignee: Intel Corporation
    Inventors: Jason W. Brandt, Deepak K. Gupta, Rodrigo Branco, Joseph Nuzman, Robert S. Chappell, Sergiu Ghetie, Wojciech Powiertowski, Jared W. Stark, IV, Ariel Sabba, Scott J. Cape, Hisham Shafi, Lihu Rappoport, Yair Berger, Scott P. Bobholz, Gilad Holzstein, Sagar V. Dalvi, Yogesh Bijlani
  • Publication number: 20240296051
    Abstract: Methods and apparatuses relating to mitigations for speculative execution side channels are described. Speculative execution hardware and environments that utilize the mitigations are also described. For example, three indirect branch control mechanisms and their associated hardware are discussed herein: (i) indirect branch restricted speculation (IBRS) to restrict speculation of indirect branches, (ii) single thread indirect branch predictors (STIBP) to prevent indirect branch predictions from being controlled by a sibling thread, and (iii) indirect branch predictor barrier (IBPB) to prevent indirect branch predictions after the barrier from being controlled by software executed before the barrier.
    Type: Application
    Filed: May 10, 2024
    Publication date: September 5, 2024
    Inventors: Jason W. Brandt, Deepak K. Gupta, Rodrigo Branco, Joseph Nuzman, Robert S. Chappell, Sergiu Ghetie, Wojciech Powiertowski, Jared W. Stark, IV, Ariel Sabba, Scott J. Cape, Hisham Shafi, Lihu Rappoport, Yair Berger, Scott P. Bobholz, Gilad Holzstein, Sagar V. Dalvi, Yogesh Bijlani
  • Publication number: 20240265110
    Abstract: Techniques are described herein for security hardened processing devices. For example, a method can include performing a secure boot of a processing device of a computer system. The processing device is configured as a root of trust for a secure boot process. The computer system can include the processing device and a non-volatile memory storing a basic input/output system (BIOS) for the secure boot process. The method can include identifying a set of programmable fuses of the processing device, deriving an encryption key using a value encoded by the set of programmable fuses in the processing device, and authenticating the BIOS to perform the secure boot process using a key derivation algorithm based on the encryption key.
    Type: Application
    Filed: September 12, 2023
    Publication date: August 8, 2024
    Applicant: SDG Logic Inc.
    Inventor: Sergiu Ghetie
  • Patent number: 11803644
    Abstract: Techniques are described herein for security hardened processing devices. For example, a method can include performing a secure boot of a processing device of a computer system. The processing device is configured as a root of trust for a secure boot process. The computer system can include the processing device and a non-volatile memory storing a basic input/output system (BIOS) for the secure boot process. The method can include identifying a set of programmable fuses of the processing device, deriving an encryption key using a value encoded by the set of programmable fuses in the processing device, and authenticating the BIOS to perform the secure boot process using a key derivation algorithm based on the encryption key.
    Type: Grant
    Filed: July 21, 2020
    Date of Patent: October 31, 2023
    Assignee: SDG Logic Inc.
    Inventor: Sergiu Ghetie
  • Publication number: 20230342156
    Abstract: Methods and apparatuses relating to mitigations for speculative execution side channels are described. Speculative execution hardware and environments that utilize the mitigations are also described. For example, three indirect branch control mechanisms and their associated hardware are discussed herein: (i) indirect branch restricted speculation (IBRS) to restrict speculation of indirect branches, (ii) single thread indirect branch predictors (STIBP) to prevent indirect branch predictions from being controlled by a sibling thread, and (iii) indirect branch predictor barrier (IBPB) to prevent indirect branch predictions after the barrier from being controlled by software executed before the barrier.
    Type: Application
    Filed: April 24, 2023
    Publication date: October 26, 2023
    Inventors: Jason W. Brandt, Deepak K. Gupta, Rodrigo Branco, Joseph Nuzman, Robert S. Chappell, Sergiu Ghetie, Wojciech Powiertowski, Jared W. Stark, IV, Ariel Sabba, Scott J. Cape, Hisham Shafi, Lihu Rappoport, Yair Berger, Scott P. Bobholz, Gilad Holzstein, Sagar V. Dalvi, Yogesh Bijlani
  • Publication number: 20230129830
    Abstract: Aspects of the present disclosure involve systems, methods, apparatus, and computer-readable media for mitigating laser-based fault injection attacks against one or more processing devices. Techniques may include generating a corresponding representation of at least one of data or a component of a processing device, locating the corresponding representation on a die of the processing device adjacent to a location on the die of at least one of the data or the component, and executing, based on a determination that the corresponding representation is different than at least one of the data or the component of the processing device, a mitigation procedure. One example may include hashing, using a secure hashing function, security data to generate integrity data corresponding to the security data and storing the security data and the integrity data in adjacent memory locations in a memory device.
    Type: Application
    Filed: May 26, 2022
    Publication date: April 27, 2023
    Applicant: SDG Logic Inc.
    Inventor: Sergiu Ghetie
  • Publication number: 20220391235
    Abstract: A system is disclosed for Input/Output (I/O) device emulation that allows a service provider to configure and enforce a policy for software access to some or all I/O resources in a platform. I/O device emulation enables service providers to protect their platforms from malicious guest software that may be executed on associated platforms and that has direct access to I/O resources in the case of bare-metal servers, escalates the privilege level from guest to host in the case of hosted-Virtual Machine servers, or escalates the privilege level from guest to System Management Mode in the case of either bare-metal servers or hosted-Virtual Machine servers. The technology enables service providers to protect their platforms from malicious guest software running on their platforms that has direct access to either legacy I/O or memory-mapped I/O resources. In one illustrative example, the platform may include a microprocessor.
    Type: Application
    Filed: May 26, 2022
    Publication date: December 8, 2022
    Applicant: SDG Logic Inc.
    Inventor: Sergiu Ghetie
  • Publication number: 20220006653
    Abstract: Systems, apparatuses, methods, and computer-readable media for implementing confidential computing of one or more computing systems and/or devices using component authentication and data encryption with integrity and anti-replay mechanisms are disclosed. In some examples, the systems, apparatuses, methods, and computer-readable media described herein can perform various techniques, including one or more secure boot processes, component and data authentication, and data encryption with integrity and anti-replay, among other secure techniques. One implementation may include executing a secure boot process based on authentication of a device identifier stored in a secure physical object of a processing device. Another implementation may include encrypting and storing a counter value corresponding to a cache line and generating an integrity tag value, replacing error correction code bits associated with the cache line with the generated cache line tag value.
    Type: Application
    Filed: July 2, 2021
    Publication date: January 6, 2022
    Applicant: SDG Logic Inc.
    Inventor: Sergiu Ghetie
  • Patent number: 11068339
    Abstract: A processor of an aspect includes a decode unit to decode a read from memory instruction. The read from memory instruction is to indicate a source memory operand and a destination storage location. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the read from memory instruction, is to read data from the source memory operand, store an indication of defective data in an architecturally visible storage location, when the data is defective, and complete execution of the read from memory instruction without causing an exceptional condition, when the data is defective. Other processors, methods, systems, and instructions are disclosed.
    Type: Grant
    Filed: May 20, 2019
    Date of Patent: July 20, 2021
    Assignee: Intel Corporation
    Inventors: Ashok Raj, Ron Gabor, Hisham Shafi, Sergiu Ghetie, Mohan J. Kumar, Theodros Yigzaw, Sarathy Jayakumar, Neeraj S. Upasani
  • Publication number: 20210026966
    Abstract: Techniques are described herein for security hardened processing devices. For example, a method can include performing a secure boot of a processing device of a computer system. The processing device is configured as a root of trust for a secure boot process. The computer system can include the processing device and a non-volatile memory storing a basic input/output system (BIOS) for the secure boot process. The method can include identifying a set of programmable fuses of the processing device, deriving an encryption key using a value encoded by the set of programmable fuses in the processing device, and authenticating the BIOS to perform the secure boot process using a key derivation algorithm based on the encryption key.
    Type: Application
    Filed: July 21, 2020
    Publication date: January 28, 2021
    Applicant: SDG Logic Inc.
    Inventor: Sergiu Ghetie
  • Publication number: 20200341921
    Abstract: Embodiments of processors, methods, and systems for virtualizing interrupt prioritization and delivery are disclosed. In one embodiment, a processor includes instruction hardware and execution hardware. The instruction hardware is to receive a plurality of instructions, including a first instruction to transfer the processor from a root mode to a non-root mode for executing guest software in a virtual machine, wherein the processor is to return to the root mode upon the detection of any of a plurality of virtual machine exit events. The execution hardware is to execute the first instruction, execution of the first instruction to include determining a first virtual processor-priority value and storing the first virtual processor-priority value in a virtual copy of a processor-priority field, where the virtual copy of the processor-priority field is a virtual resource corresponding to a physical resource associated with an interrupt controller.
    Type: Application
    Filed: May 14, 2020
    Publication date: October 29, 2020
    Applicant: Intel Corporation
    Inventors: Gilbert Neiger, Rajesh Sankaran, Gideon Gerzon, Richard Uhlig, Sergiu Ghetie, Michael Neve de Mevergnies, Adil Karrar
  • Publication number: 20200133679
    Abstract: Methods and apparatuses relating to mitigations for speculative execution side channels are described. Speculative execution hardware and environments that utilize the mitigations are also described. For example, three indirect branch control mechanisms and their associated hardware are discussed herein: (i) indirect branch restricted speculation (IBRS) to restrict speculation of indirect branches, (ii) single thread indirect branch predictors (STIBP) to prevent indirect branch predictions from being controlled by a sibling thread, and (iii) indirect branch predictor barrier (IBPB) to prevent indirect branch predictions after the barrier from being controlled by software executed before the barrier.
    Type: Application
    Filed: October 31, 2018
    Publication date: April 30, 2020
    Inventors: Jason W. Brandt, Deepak K. Gupta, Rodrigo Branco, Joseph Nuzman, Robert S. Chappell, Sergiu Ghetie, Wojciech Powiertowski, Jared W. Stark, IV, Ariel Sabba, Scott J. Cape, Hisham Shafi, Lihu Rappoport, Yair Berger, Scott P. Bobholz, Gilad Holzstein, Sagar V. Dalvi, Yogesh Bijlani
  • Publication number: 20190272214
    Abstract: A processor of an aspect includes a decode unit to decode a read from memory instruction. The read from memory instruction is to indicate a source memory operand and a destination storage location. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the read from memory instruction, is to read data from the source memory operand, store an indication of defective data in an architecturally visible storage location, when the data is defective, and complete execution of the read from memory instruction without causing an exceptional condition, when the data is defective. Other processors, methods, systems, and instructions are disclosed.
    Type: Application
    Filed: May 20, 2019
    Publication date: September 5, 2019
    Inventors: Ashok Raj, Ron Gabor, Hisham Shafi, Sergiu Ghetie, Mohan J. Kumar, Theodros Yigzaw, Sarathy Jayakumar, Neeraj S. Upasani
  • Patent number: 10296416
    Abstract: A processor of an aspect includes a decode unit to decode a read from memory instruction. The read from memory instruction is to indicate a source memory operand and a destination storage location. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the read from memory instruction, is to read data from the source memory operand, store an indication of defective data in an architecturally visible storage location, when the data is defective, and complete execution of the read from memory instruction without causing an exceptional condition, when the data is defective. Other processors, methods, systems, and instructions are disclosed.
    Type: Grant
    Filed: July 2, 2016
    Date of Patent: May 21, 2019
    Assignee: Intel Corporation
    Inventors: Ashok Raj, Ron Gabor, Hisham Shafi, Sergiu Ghetie, Mohan J. Kumar, Theodros Yigzaw, Sarathy Jayakumar, Neeraj S. Upasani
  • Publication number: 20180129619
    Abstract: Embodiments of processors, methods, and systems for virtualizing interrupt prioritization and delivery are disclosed. In one embodiment, a processor includes instruction hardware and execution hardware. The instruction hardware is to receive a plurality of instructions, including a first instruction to transfer the processor from a root mode to a non-root mode for executing guest software in a virtual machine, wherein the processor is to return to the root mode upon the detection of any of a plurality of virtual machine exit events. The execution hardware is to execute the first instruction, execution of the first instruction to include determining a first virtual processor-priority value and storing the first virtual processor-priority value in a virtual copy of a processor-priority field, where the virtual copy of the processor-priority field is a virtual resource corresponding to a physical resource associated with an interrupt controller.
    Type: Application
    Filed: January 9, 2018
    Publication date: May 10, 2018
    Inventors: Gilbert Neiger, Rajesh Sankaran, Gideon Gerzon, Richard Uhlig, Sergiu Ghetie, Michael Neve de Mevergnies, Adil Karrar
  • Publication number: 20180004595
    Abstract: A processor of an aspect includes a decode unit to decode a read from memory instruction. The read from memory instruction is to indicate a source memory operand and a destination storage location. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the read from memory instruction, is to read data from the source memory operand, store an indication of defective data in an architecturally visible storage location, when the data is defective, and complete execution of the read from memory instruction without causing an exceptional condition, when the data is defective. Other processors, methods, systems, and instructions are disclosed.
    Type: Application
    Filed: July 2, 2016
    Publication date: January 4, 2018
    Applicant: Intel Corporation
    Inventors: Ashok Raj, Ron Gabor, Hisham Shafi, Sergiu Ghetie, Mohan J. Kumar, Theodros Yigzaw, Sarathy Jayakumar, Neeraj S. Upasani
  • Publication number: 20090089564
    Abstract: Embodiments of an invention to protect a branch instruction from side channel vulnerabilities are described. In one embodiment, a method includes receiving a request to modify the operation of a processor to protect against side channel attacks, and modifying branch prediction operation in response to the request.
    Type: Application
    Filed: December 6, 2007
    Publication date: April 2, 2009
    Inventors: Ernie F. Brickell, Sergiu Ghetie, Shay Gueron, Adil Karrar, Francis X. McKeen