Abstract: Systems, apparatuses, and methods related to securing domain crossing using domain access tables are described. For example, a computer processor can have registers configured to store locations of domain access tables respectively for predefined, non-hierarchical domains. Each respective domain access table can be pre-associated with a respective domain and can have entries configured to identify entry points of the respective domain. The processor is configured to enforce domain crossing in instruction execution using the domain access tables and to prevent arbitrary and/or unauthorized domain crossing.

Abstract: Methods, systems, and apparatuses related to adjustable security levels in processors are described. A processor may have functional units and a register configured to control security operations of the functional units. The register configures the functional units to operate in a first mode of security operations when the register contains a first setting; and the register configures the functional units to operate in a second mode of security operations when the register contains a second setting (e.g., to skip/bypassing a set of security operation circuit for enhanced execution speed).

Abstract: Systems, apparatuses, and methods related to a computer system having a page table entry containing permission bits for predefined types of memory accesses made by executions of routines in predefined domains are described. The page table entry can be used to map a virtual memory address to a physical memory address. In response to a routine accessing the virtual memory address, a permission bit corresponding to the execution domain of the routine and a type of the memory access can be extracted from the page table entry to determine whether the memory access is to be rejected.

Abstract: Ghost routing is a network verification technique that uses a portion of a production network itself to verify the impact of potential network changes. Ghost routing logically partitions the production network into a main network and a ghost network. The main network handles live traffic while the ghost network handles traffic generated for diagnostic purposes. The ghost network may have a network topology identical to the production network and may use the same hardware and software as the production network. An operator may implement a network configuration change on the ghost network and then use verification tools to verify that the network configuration change on the ghost network does not result in bugs. Verifying on the ghost network may not affect the main network. If the network operator verifies the network configuration change on the ghost network, the network operator may implement the network configuration change on the main network.

Abstract: A computing system, method and apparatus to cache a portion of a data block. A processor can access data using memory addresses in an address space. A first memory can store a block of data at a block of contiguous addresses in the space of memory address. A second memory can cache a first portion of the block of data identified by an item selection vector. For example, response to a request to cache the block of data stored in the first memory, the computing system can communicate the first portion of the block of data from the first memory to the second memory according to the item selection vector without accessing a second portion of the block of data. Thus, different data blocks in the first memory of a same size can be each cached in different cache blocks of different sizes in the second memory.

Abstract: Systems, apparatuses, and methods related to securing domain crossing using domain access tables are described. For example, a computer processor can have registers configured to store locations of domain access tables respectively for predefined, non-hierarchical domains. Each respective domain access table can be pre-associated with a respective domain and can have entries configured to identify entry points of the respective domain. The processor is configured to enforce domain crossing in instruction execution using the domain access tables and to prevent arbitrary and/or unauthorized domain crossing.

Abstract: Systems, apparatuses, and methods related to a computer system having a page table entry containing permission bits for predefined types of memory accesses made by executions of routines in predefined domains are described. The page table entry can be used to map a virtual memory address to a physical memory address. In response to a routine accessing the virtual memory address, a permission bit corresponding to the execution domain of the routine and a type of the memory access can be extracted from the page table entry to determine whether the memory access is to be rejected.

Abstract: Systems, apparatuses, and methods related to a hypervisor status register in a computer processor are described. For example, a memory coupled to the computer processor can store instructions of routines of predefined, non-hierarchical domains. The computer processor can store a value in the hypervisor status register during a power up process of the computer system. The value stored in the hypervisor status register that identifies whether or not an operating hypervisor is present in the computer system. The computer processor can configure its operations (e.g., address translation) based on the value stored in the hypervisor status register.

Abstract: Ghost routing is a network verification technique that uses a portion of a production network itself to verify the impact of potential network changes. Ghost routing logically partitions the production network into a main network and a ghost network. The main network handles live traffic while the ghost network handles traffic generated for diagnostic purposes. The ghost network may have a network topology identical to the production network and may use the same hardware and software as the production network. An operator may implement a network configuration change on the ghost network and then use verification tools to verify that the network configuration change on the ghost network does not result in bugs. Verifying on the ghost network may not affect the main network. If the network operator verifies the network configuration change on the ghost network, the network operator may implement the network configuration change on the main network.

Abstract: Methods, systems, and apparatuses related to adjustable security levels in processors are described. A processor may have functional units and a register configured to control security operations of the functional units. The register configures the functional units to operate in a first mode of security operations when the register contains a first setting; and the register configures the functional units to operate in a second mode of security operations when the register contains a second setting (e.g., to skip/bypassing a set of security operation circuit for enhanced execution speed).

Abstract: A computing system, method and apparatus to cache a portion of a data block. A processor can access data using memory addresses in an address space. A first memory can store a block of data at a block of contiguous addresses in the space of memory address. A second memory can cache a first portion of the block of data identified by an item selection vector. For example, response to a request to cache the block of data stored in the first memory, the computing system can communicate the first portion of the block of data from the first memory to the second memory according to the item selection vector without accessing a second portion of the block of data. Thus, different data blocks in the first memory of a same size can be each cached in different cache blocks of different sizes in the second memory.

Abstract: Systems, apparatuses, and methods related to a computer system having a page table entry containing security settings for calls from predefined domains are described. The page table entry can be used to map a virtual memory address to a physical memory address. In response to a call to execute a routine identified using the virtual memory address, a security setting corresponding to the execution domain from which the call initiates can be extracted from the page table entry to determine whether a security measure is to be used. For example, a shadow stack structure can be used to protect the private stack content of the routine from being access by a caller and/or to protect the private stack content of the caller from being access by the callee.

Abstract: Systems, apparatuses, and methods related to a hypervisor status register in a computer processor are described. For example, a memory coupled to the computer processor can store instructions of routines of predefined, non-hierarchical domains. The computer processor can store a value in the hypervisor status register during a power up process of the computer system. The value stored in the hypervisor status register that identifies whether or not an operating hypervisor is present in the computer system. The computer processor can configure its operations (e.g., address translation) based on the value stored in the hypervisor status register.

Abstract: A cache system, having: a first cache set; a second cache set; and a logic circuit coupled to a processor to control the caches based on at least respective first and second registers. When a connection to an address bus receives a memory address from the processor, the logic circuit is configured to: generate a set index from at least the address; and determine whether the generated set index matches with a content stored in the first register or with a content stored in the second register. And, the logic circuit is configured to implement a command via the first cache set in response to the generated set index matching with the content stored in the first register and via the second cache set in response to the generated set index matching with the content stored in the second register.

Abstract: A cache system having cache sets, and the cache sets having a first cache set configured to provide a first physical output upon a cache hit and a second cache set configured to provide a second physical output upon a cache hit. The cache system also has a control register and a mapping circuit coupled to the control register to map respective physical outputs of the cache sets to a first logical cache and a second logical cache according to a state of the control register. The first logical cache can be a normal or main cache for non-speculative executions by a processor and the second logical cache can be a shadow cache for speculative executions by the processor.

Abstract: Systems, apparatuses, and methods related to a computer system having a page table entry containing security settings for calls from predefined domains are described. The page table entry can be used to map a virtual memory address to a physical memory address. In response to a call to execute a routine identified using the virtual memory address, a security setting corresponding to the execution domain from which the call initiates can be extracted from the page table entry to determine whether a security measure is to be used. For example, a shadow stack structure can be used to protect the private stack content of the routine from being access by a caller and/or to protect the private stack content of the caller from being access by the callee.

Abstract: Disclosed herein are vector index registers in vector processors that each store multiple addresses for accessing multiple positions in vectors. It is known to use scalar index registers in vector processors to access multiple positions of vectors by changing the scalar index registers in vector operations. By using a vector indexing register for indexing positions of one or more operand vectors, the scalar index register can be replaced and at least the continual changing of the scalar index register can be avoided.

Abstract: A cache system, having: a first cache set; a second cache set; and a logic circuit coupled to a processor to control the caches based on at least respective first and second registers. When a connection to an address bus receives a memory address from the processor, the logic circuit is configured to: generate a set index from at least the address; and determine whether the generated set index matches with a content stored in the first register or with a content stored in the second register. And, the logic circuit is configured to implement a command via the first cache set in response to the generated set index matching with the content stored in the first register and via the second cache set in response to the generated set index matching with the content stored in the second register.

Abstract: A computing device, having: a processor; memory; a first cache coupled between the memory and the processor; and a second cache coupled between the memory and the processor. During speculative execution of one or more instructions, effects of the speculative execution are contained within the second cache.

Abstract: A cache system having cache sets, and the cache sets having a first cache set configured to provide a first physical output upon a cache hit and a second cache set configured to provide a second physical output upon a cache hit. The cache system also has a control register and a mapping circuit coupled to the control register to map respective physical outputs of the cache sets to a first logical cache and a second logical cache according to a state of the control register. The first logical cache can be a normal or main cache for non-speculative executions by a processor and the second logical cache can be a shadow cache for speculative executions by the processor.