Abstract: In one embodiment, a processor includes at least one core and an interface circuit to interface the at least one core to additional circuitry of the processor. In response to an in-field self test instruction, at least one core may save state to a low power memory, enter into a diagnostic sleep state and execute an in-field self test in the diagnostic sleep state in which the at least one core appears to be inactive. Other embodiments are described and claimed.

Abstract: Embodiments of an invention for virtualization exceptions are disclosed. In one embodiment, a processor includes instruction hardware, control logic, and execution hardware. The instruction hardware is to receive a plurality of instructions, including an instruction to enter a virtual machine. The control logic is to determine, in response to a privileged event occurring within the virtual machine, whether to generate a virtualization exception. The execution hardware is to generate a virtualization exception in response to the control logic determining to generate a virtualization exception.

Abstract: A processor implementing techniques to supporting fault information delivery is disclosed. In one embodiment, the processor includes a memory controller unit to access an enclave page cache (EPC) and a processor core coupled to the memory controller unit. The processor core to detect a fault associated with accessing the EPC and generate an error code associated with the fault. The error code reflects an EPC-related fault cause. The processor core is further to encode the error code into a data structure associated with the processor core. The data structure is for monitoring a hardware state related to the processor core.

Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.

Abstract: In an embodiment, the present invention includes a processor having an execution logic to execute instructions and a control transfer termination (CTT) logic coupled to the execution logic. This logic is to cause a CTT fault to be raised if a target instruction of a control transfer instruction is not a CTT instruction. Other embodiments are described and claimed.

Abstract: An apparatus and method for sub-page extended page table protection. For example, one embodiment of an apparatus comprises: a page miss handler to perform a page walk using a guest physical address (GPA) and to detect whether a page identified with the GPA is mapped with sub-page permissions; a sub-page control storage to store at least one GPA and other data related to a sub-page; the page miss handler to determine whether the GPA is programmed in the sub-page control storage; and the page miss handler to send a translation to a translation lookaside buffer (TLB) with a sub-page protection indication set to cause a matching of the sub-page control storage when an access matches a TLB entry with sub-page protection indication.

Abstract: Apparatuses for computing are disclosed herein. In embodiments, an apparatus may include one or more processors, a memory, and a compiler to be operated by the one or more processors to compile a computer program. The compiler may include one or more analyzers to parse and analyze source code of the computer program that generates pointers or de-references pointers. The compiler may also include a code generator coupled to the one or more analyzers to generate executable instructions for the source code of the computer program including insertion of additional encryption or decryption executable instructions into the computer program, based at least in part on a result of the analysis, to authenticate memory access operations of the source code.

Abstract: An embodiment of a semiconductor package apparatus may include technology to identify a first encrypted memory alias corresponding to a first portion of memory based on a verification indicator, where the first portion is decryptable and readable by both a privileged component and an unprivileged component, and identify a second encrypted memory alias corresponding to a second portion of memory based on the verification indicator, where the second portion is accessible by only the unprivileged component. Other embodiments are disclosed and claimed.

Abstract: Secure memory repartitioning technologies are described. Embodiments of the disclosure may include a processing device including a processing core and a memory controller coupled between the processor core and a memory device. The memory device includes a memory range including a section of convertible pages that are convertible to secure pages or non-secure pages. The processor core is to receive a non-secure access request to a page in the memory device, responsive to a determination, based on one or more secure state bits in one or more secure state bit arrays, that the page is a secure page, insert an abort page address into a translation lookaside buffer, and responsive to a determination, based on the one or more secure state bits in the one or more secure state bit arrays, that the page is a non-secure page, insert the page into the translation lookaside buffer.

Abstract: A system includes a processor core and main memory. The processor core is to, in response to execution of a patch-load instruction, retrieve, from a predetermined area of the main memory, memory protection metadata and a memory range of reserved memory, wherein the reserved memory is not flexibly convertible to enclave pages. The processor core is further to retrieve a bit from an architectural control register, wherein a value of the bit is to indicate whether an operating system is capable of management of flexibly-convertible enclave pages. The processor core is further to activate, using the memory protection metadata and one of the first information or the second information, a mode of protected memory management for the processor core in response to the value of the bit in the architectural control register.

Abstract: A processor comprises a register to store a first reference to a context data structure specifying a virtual machine context, the context data structure comprising a second reference to a target array and an execution unit comprising a logic circuit to execute a virtual machine (VM) based on the virtual machine context, wherein the VM comprises a guest operating system (OS) associated with a page table comprising a first memory address mapping between a guest virtual address (GVA) space and a guest physical address (GPA) space, receive a request by the guest OS to switch from the first memory address mapping to a second memory address mapping, the request comprising an index value and a first root value, retrieve an entry, identified by the index value, from the target array, the entry comprising a second root value, and responsive to determining that the first root value matches the second root value, cause a switch from the first memory address mapping to the second memory address mapping.

Abstract: Embodiments of an invention for maintaining a secure processing environment across power cycles are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to evict a root version array page entry from a secure cache. The execution unit is to execute the instruction. Execution of the instruction includes generating a blob to contain information to maintain a secure processing environment across a power cycle and storing the blob in a non-volatile memory.

Abstract: A processer is provided that includes on-die memory, a protected memory region, and a memory encryption engine (MEE). The MEE includes logic to: receive a request for data in a particular page in the protected region of memory, and access a pointer in an indirection directory, where the pointer is to point to a particular metadata page stored outside the protected region of memory. The particular metadata page includes a first portion of security metadata for use in securing the data of the particular page. The MEE logic is further to access a second portion of the security metadata associated with the particular page from the protected region of memory, and determine authenticity of the data of the particular page based on the first and second portions of the security metadata.

Abstract: In one embodiment, a processor includes a plurality of cores to execute instructions, a first identification register having a first field to store a feedback indicator to indicate to an operating system (OS) that the processor is to provide hardware feedback information to the OS dynamically and a power controller coupled to the plurality of cores. The power controller may include a feedback control circuit to dynamically determine the hardware feedback information for at least one of the plurality of cores and inform the OS of an update to the hardware feedback information. Other embodiments are described and claimed.

Abstract: Examples include a processor including at least one untrusted extended page table (EPT), circuitry to execute a set of instructions of the instruction set architecture (ISA) of the processor to manage at least one secure extended page table (SEPT), and a physical address translation component to translate a guest physical address of a guest physical memory to a host physical address of a host physical memory using one of the at least one untrusted EPT and the at least one SEPT.

Abstract: Embodiments of processors, methods, and systems for a processor core supporting a heterogenous system instruction set architecture are described. In an embodiment, a processor includes an instruction decoder and an exception generation circuit. The exception generation circuit is to, in response to the instruction decoder receiving an unsupported instruction, generate an exception and report an instruction classification value of the unsupported instruction.

Abstract: Examples include an apparatus which accesses secure pages in a trust domain using secure lookups in first and second sets of page tables. For example, one embodiment of the processor comprises: a decoder to decode a plurality of instructions including instructions related to a trusted domain; execution circuitry to execute a first one or more of the instructions to establish a first trusted domain using a first trusted domain key, the trusted domain key to be used to encrypt memory pages within the first trusted domain; and the execution circuitry to execute a second one or more of the instructions to associate a first process address space identifier (PASID) with the first trusted domain, the first PASID to uniquely identify a first execution context associated with the first trusted domain.

Abstract: Various embodiments are generally directed to techniques for control flow protection with minimal performance overhead, such as by utilizing one or more micro-architectural optimizations to implement a shadow stack (SS) to verify a return address before returning from a function call, for instance. Some embodiments are particularly directed to a computing platform, such as an internet of things (IoT) platform, that overlaps or parallelizes one or more SS access operations with one or more data stack (DS) access operations.

Abstract: Embodiments of an invention for memory management in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction and a second instruction. The execution unit is to execute the first instruction, wherein execution of the first instruction includes allocating a page in an enclave page cache to a secure enclave. The execution unit is also to execute the second instruction, wherein execution of the second instruction includes confirming the allocation of the page.

Abstract: A processing device includes a conflict resolution logic circuit to initiate a tracking phase to track translation look aside buffer (TLB) mappings to an enclave memory cache (EPC) page of a secure enclave. The conflict resolution logic circuit is further to execute a tracking instruction as part of the tracking phase, wherein the tracking instruction takes any page in the secure enclave as an argument parameter to the tracking instruction.