Patents by Inventor Steven Jeffrey Wallach

Steven Jeffrey Wallach has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200142832
    Abstract: A computing system, method and apparatus to cache a portion of a data block. A processor can access data using memory addresses in an address space. A first memory can store a block of data at a block of contiguous addresses in the space of memory addresses. A second memory can cache a first portion of the block of data identified by an item selection vector. For example, in response to a request to cache the block of data stored in the first memory, the computing system can communicate the first portion of the block of data from the first memory to the second memory according to the item selection vector without accessing a second portion of the block of data. Thus, different data blocks in the first memory of a same size can be each cached in different cache blocks of different sizes in the second memory.
    Type: Application
    Filed: November 7, 2018
    Publication date: May 7, 2020
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20200133677
    Abstract: A system, method and apparatus to facilitate data exchange via pointers. For example, in a computing system having a first processor and a second processor that is separate and independent from the first processor, the first processor can run a program configured to use a pointer identifying a virtual memory address having an ID of an object and an offset within the object. The first processor can use the virtual memory address to store data at a memory location in the computing system and/or identify a routine at the memory location for execution by the second processor. After the pointer is communicated from the first processor to the second processor, the second processor can access the same memory location identified by the virtual memory address. The second processor may operate on the data stored at the memory location or load the routine from the memory location for execution.
    Type: Application
    Filed: October 25, 2018
    Publication date: April 30, 2020
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20200089625
    Abstract: Systems, apparatuses, and methods related to a computer system having a processor and a main memory storing scrambled data are described. The processor may have a secure zone configured to store keys and an unscrambled zone configured to operate on unscrambled data. The processor can convert the scrambled data into the unscrambled data in the unscrambled zone using the keys retrieved from the secure zone in response to execution of instructions configured to operate on the unscrambled data. Another processor may also be coupled with the memory, but can be prevented from accessing the unscrambled data in the unscrambled zone.
    Type: Application
    Filed: September 18, 2018
    Publication date: March 19, 2020
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20200073694
    Abstract: Systems, apparatuses, and methods related to a virtual machine register in a computer processor are described. For example, a memory coupled to the computer processor can store instructions of routines of predefined, non-hierarchical domains. The computer processor can store, in the virtual machine register, an identifier of a virtual machine for which the processor is currently executing instructions in a current domain in the set of domains. For example, the processor can implement resource restriction/mapping and/or perform address translation for the virtual machine based on the identifier stored in the virtual machine register.
    Type: Application
    Filed: July 23, 2019
    Publication date: March 5, 2020
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20200073821
    Abstract: Systems, apparatuses, and methods related to a computer system having a page table entry containing security settings for calls from predefined domains are described. The page table entry can be used to map a virtual memory address to a physical memory address. In response to a call to execute a routine identified using the virtual memory address, a security setting corresponding to the execution domain from which the call initiates can be extracted from the page table entry to determine whether a security measure is to be used. For example, a shadow stack structure can be used to protect the private stack content of the routine from being accessed by a caller and/or to protect the private stack content of the caller from being accessed by the callee.
    Type: Application
    Filed: July 23, 2019
    Publication date: March 5, 2020
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20200073693
    Abstract: Systems, apparatuses, and methods related to a hypervisor status register in a computer processor are described. For example, a memory coupled to the computer processor can store instructions of routines of predefined, non-hierarchical domains. The computer processor can store a value in the hypervisor status register during a power up process of the computer system. The value stored in the hypervisor status register identifies whether or not an operating hypervisor is present in the computer system. The computer processor can configure its operations (e.g., address translation) based on the value stored in the hypervisor status register.
    Type: Application
    Filed: July 23, 2019
    Publication date: March 5, 2020
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20200074093
    Abstract: Systems, apparatuses, and methods related to a processor having configurable permission data for controlling access to a register of the processor from instructions running in different domains are described. Instructions can be used in predefined execution domains, such as hypervisor, operating system, application, etc. Different permission bits can be set for instructions running in different domains. In response to an instruction executed in the processor generating a request to access the register, the processor is configured to determine whether to accept or reject the request based on a permission bit provided in the permission data corresponding to an execution domain in which the instruction is running.
    Type: Application
    Filed: July 23, 2019
    Publication date: March 5, 2020
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20200074094
    Abstract: Systems, apparatuses, and methods related to securing domain crossing using domain access tables are described. For example, a computer processor can have registers configured to store locations of domain access tables respectively for predefined, non-hierarchical domains. Each respective domain access table can be pre-associated with a respective domain and can have entries configured to identify entry points of the respective domain. The processor is configured to enforce domain crossing in instruction execution using the domain access tables and to prevent arbitrary and/or unauthorized domain crossing.
    Type: Application
    Filed: July 23, 2019
    Publication date: March 5, 2020
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20200073820
    Abstract: Systems, apparatuses, and methods related to a computer system having a page table entry containing permission bits for predefined types of memory accesses made by executions of routines in predefined domains are described. The page table entry can be used to map a virtual memory address to a physical memory address. In response to a routine accessing the virtual memory address, a permission bit corresponding to the execution domain of the routine and a type of the memory access can be extracted from the page table entry to determine whether the memory access is to be rejected.
    Type: Application
    Filed: July 23, 2019
    Publication date: March 5, 2020
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20200073822
    Abstract: Systems, apparatuses, and methods related to securing memory access made using virtual addresses are described. For example, a memory coupled to the computer processor can store instructions of routines of predefined, non-hierarchical domains. The computer processor can store separate tables for the different domains. A virtual address is configured with an object identifier and an offset of a location within the object represented by the object identifier. At least the object identifier of the virtual address is hashed to generate an index into a table of the current domain in which the processor is executing instructions. An entry retrieved from the table using the index provides a security configuration for the object represented by the object identifier. The processor secures memory access according to the security configuration in response to the execution of an instruction that uses the virtual address.
    Type: Application
    Filed: July 23, 2019
    Publication date: March 5, 2020
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20200073827
    Abstract: Systems, apparatuses, and methods related to a domain register of a processor in a computer system are described. The computer system has a memory configured to at least store instructions of routines that are classified in multiple predefined, non-hierarchical domains. The processor stores in the domain register an identifier of a current domain of a routine that is being executed in the processor. The processor is configured to perform security operations based on the content of the domain register and the security settings specified respectively for the predefined, non-hierarchical domains.
    Type: Application
    Filed: July 23, 2019
    Publication date: March 5, 2020
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20200042745
    Abstract: Systems, apparatuses, and methods related to a computer system having a processor and a main memory storing scrambled data are described. The processor may have a cache, a register, an execution unit, and an unscrambler. The processor can load the scrambled data into the cache; and the unscrambler may convert the scrambled data into unscrambled data just in time for the register or the execution unit during instruction execution. The unscrambled data can be an instruction, an address, or an operand of an instruction. Unscrambling can be performed just before loading the data item in a scrambled form from the cache into the register in an unscrambled form, or after the data item leaves the register in the scrambled form as input to the execution unit in the unscrambled form. The unscrambled data and the scrambled data may have the same set of bits arranged in different orders.
    Type: Application
    Filed: August 3, 2018
    Publication date: February 6, 2020
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20190339977
    Abstract: A method performed in a processor, includes: receiving, in the processor, a branch instruction in the processing; determining, by the processor, an address of an instruction after the branch instruction as a candidate for speculative execution, the address including an object identification and an offset; and determining, by the processor, whether or not to perform speculative execution of the instruction after the branch instruction based on the object identification of the address.
    Type: Application
    Filed: July 6, 2018
    Publication date: November 7, 2019
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20190339975
    Abstract: A computing device (e.g., a processor) having a plurality of branch target buffers. A first branch target buffer in the plurality of branch target buffers is used in execution of a set of instructions containing a call to a subroutine. In response to the call to the subroutine, a second branch target buffer is allocated from the plurality of branch target buffers for execution of instructions in the subroutine. The second branch target buffer is cleared before the execution of the instructions in the subroutine. The execution of the instructions in the subroutine is restricted to access the second branch target buffer and blocked from accessing branch target buffers other than the second branch target buffer.
    Type: Application
    Filed: July 6, 2018
    Publication date: November 7, 2019
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20190339974
    Abstract: A computer system having an address system of a first predetermined width in which each address of the first predetermined width in the address system includes a first portion identifying an object and a second portion identifying an offset relative to the object, where a static identifier for the first portion is predetermined to identify an address space having a second predetermined width that is smaller than the first predetermined width, or a space of kernel objects.
    Type: Application
    Filed: July 6, 2018
    Publication date: November 7, 2019
    Inventor: Steven Jeffrey Wallach
  • Publication number: 20190339978
    Abstract: A computing device, having: a processor; memory; a first cache coupled between the memory and the processor; and a second cache coupled between the memory and the processor. During speculative execution of one or more instructions, effects of the speculative execution are contained within the second cache.
    Type: Application
    Filed: July 6, 2018
    Publication date: November 7, 2019
    Inventor: Steven Jeffrey Wallach