Abstract: Embodiments of an invention for virtualization exceptions are disclosed. In one embodiment, a processor includes instruction hardware, control logic, and execution hardware. The instruction hardware is to receive a plurality of instructions, including an instruction to enter a virtual machine. The control logic is to determine, in response to a privileged event occurring within the virtual machine, whether to generate a virtualization exception. The execution hardware is to generate a virtualization exception in response to the control logic determining to generate a virtualization exception.

Abstract: In one embodiment, an apparatus includes a control transfer termination (CTT) state machine configured to raise a fault when an indirect control transfer instruction of a process is not terminated by a CTT instruction. A virtual machine monitor (VMM) is configured to selectively enable the CTT state machine for the process. In addition, a binary translation engine is configured to receive fault information associated with a fault raised by the CTT state machine, provide at least some of the fault information to a security agent associated with the process, and responsive to direction from the security agent, to translate a code block of the process to a translated code block including a first CTT instruction associated with the indirect control transfer instruction, such that when the translated code block including the indirect control transfer instruction and the first CTT instruction is to be executed, the CTT state machine will not raise a fault. Other embodiments are described and claimed.

Abstract: In one embodiment, a processor includes an access logic to determine whether an access request from a virtual machine is to a device access page associated with a device of the processor and if so, to re-map the access request to a virtual device page in a system memory associated with the VM, based at least in part on information stored in a control register of the processor. Other embodiments are described and claimed.

Abstract: In an embodiment, a processor includes at least one core, a power management unit having a first test register including a first field to store a test patch identifier associated with a test patch and a second field to store a test mode indicator to request a core functionality test, and a microcode storage to store microcode to be executed by the at least one core. Responsive to the test patch identifier, the microcode may access a firmware interface table and obtain the test patch from a non-volatile storage according to an address obtained from the firmware interface table. Other embodiments are described and claimed.

Abstract: Embodiments of an invention for loading and virtualizing cryptographic keys are disclosed. In one embodiment, a processor includes a local key storage location, a backup key storage location, and execution hardware. Neither the local key storage location nor the backup key storage location is readable by software. The execution hardware is to perform a first operation and a second operation. The first operation includes loading a cryptographic key into the local key storage location. The second operation includes copying the cryptographic key from the local key storage location to the backup key storage location.

Abstract: Embodiments of an invention for virtualization exceptions are disclosed. In one embodiment, a processor includes instruction hardware, control logic, and execution hardware. The instruction hardware is to receive a plurality of instructions, including an instruction to enter a virtual machine. The control logic is to determine, in response to a privileged event occurring within the virtual machine, whether to generate a virtualization exception. The execution hardware is to generate a virtualization exception in response to the control logic determining to generate a virtualization exception.

Abstract: Embodiments of an invention for paging in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction. The execution unit is to execute the first instruction, wherein execution of the first instruction includes evicting a first page from an enclave page cache.

Abstract: Embodiments of an invention for a return address overflow buffer are disclosed. In one embodiment, a processor includes a stack pointer to store a reference to a first return address stored on a stack, an obscured address stack pointer to store a reference to an encrypted second return address stored in a memory, hardware to decrypt the encrypted second return address to generate a decrypted second return address, and a return address verification logic, responsive to receiving a return instruction, to compare the first return address to the decrypted second return address.

Abstract: A processor of an aspect includes at least one translation lookaside buffer (TLB) and a memory management unit (MMU). Each TLB is to store translations of logical addresses to corresponding physical addresses. The MMU, in response to a miss in the at least one TLB for a translation of a first logical address to a corresponding physical address, is to check for a multi-page protected container page versus regular page (P/R) check hint. If the multi-page P/R check hint is found, then the MMU is to check a P/R indication. If the multi-page P/R check hint is not found, then the MMU does not check the P/R indication. Other processors, methods, and systems are also disclosed.

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for protecting confidential data with transactional processing in execute-only memory. The system may include a memory module configured to store an execute-only code page. The system may also include a transaction processor configured to enforce a transaction region associated with at least a portion of the code page. The system may further include a processor configured to execute a load instruction fetched from the code page, the load instruction configured to load at least a portion of the confidential data from an immediate operand of the load instruction if a transaction mode of the transaction region is enabled.

Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.

Abstract: A processor implementing techniques to supporting fault information delivery is disclosed. In one embodiment, the processor includes a memory controller unit to access an enclave page cache (EPC) and a processor core coupled to the memory controller unit. The processor core to detect a fault associated with accessing the EPC and generate an error code associated with the fault. The error code reflects an EPC-related fault cause. The processor core is further to encode the error code into a data structure associated with the processor core. The data structure is for monitoring a hardware state related to the processor core.

Abstract: A processor of an aspect includes a decode unit to decode an instruction. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the instruction, is to determine that an attempted change due to the instruction, to a shadow stack pointer of a shadow stack, would cause the shadow stack pointer to exceed an allowed range. The execution unit is also to take an exception in response to determining that the attempted change to the shadow stack pointer would cause the shadow stack pointer to exceed the allowed range. Other processors, methods, systems, and instructions are disclosed.

Abstract: Instructions and logic provide advanced paging capabilities for secure enclave page caches. Embodiments include multiple hardware threads or processing cores, a cache to store secure data for a shared page address allocated to a secure enclave accessible by the hardware threads. A decode stage decodes a first instruction specifying said shared page address as an operand, and execution units mark an entry corresponding to an enclave page cache mapping for the shared page address to block creation of a new translation for either of said first or second hardware threads to access the shared page. A second instruction is decoded for execution, the second instruction specifying said secure enclave as an operand, and execution units record hardware threads currently accessing secure data in the enclave page cache corresponding to the secure enclave, and decrement the recorded number of hardware threads when any of the hardware threads exits the secure enclave.

Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.

Abstract: In an embodiment, a processor includes at least one core, a power management unit having a first test register including a first field to store a test patch identifier associated with a test patch and a second field to store a test mode indicator to request a core functionality test, and a microcode storage to store microcode to be executed by the at least one core. Responsive to the test patch identifier, the microcode may access a firmware interface table and obtain the test patch from a non-volatile storage according to an address obtained from the firmware interface table. Other embodiments are described and claimed.

Abstract: In an embodiment, the present invention includes a processor having a decode unit and an execution unit. The decode unit is to decode control transfer instructions and the execution unit is to execute control transfer instructions, the control transfer instructions including a call instruction and a return instruction. The processor is to operate in a first mode in which the processor is to raise a fault if a next instruction to be executed immediately after the return instruction is not the call instruction.

Abstract: Methods and apparatus relating to processor extensions for execution of secure embedded containers are described. In an embodiment, a scalable solution for manageability function is provided, e.g., for UMPC environments or otherwise where utilizing a dedicated processor or microcontroller for manageability is inappropriate or impractical. For example, in an embodiment, an OS (Operating System) or VMM (Virtual Machine Manager) Independent (generally referred to herein as “OI”) architecture involves creating one or more containers on a processor by dynamically partitioning resources (such as processor cycles, memory, devices) between the HOST OS/VMM and the OI container. Other embodiments are also described and claimed.

Abstract: In one embodiment, software executing on a data processing system that is capable of performing dynamic operational mode transitions can realize performance improvements by predicting transitions between modes and/or predicting aspects of a new operational mode. Such prediction can allow the processor to begin an early transition into the target mode. The mode transition prediction principles can be applied for various processor mode transitions including 64-bit to 32-bit mode transitions, interrupts, exceptions, traps, virtualization mode transfers, system management mode transfers, and/or secure execution mode transfers.

Abstract: Instructions and logic provide advanced paging capabilities for secure enclave page caches. Embodiments include multiple hardware threads or processing cores, a cache to store secure data for a shared page address allocated to a secure enclave accessible by the hardware threads. A decode stage decodes a first instruction specifying said shared page address as an operand, and execution units mark an entry corresponding to an enclave page cache mapping for the shared page address to block creation of a new translation for either of said first or second hardware threads to access the shared page. A second instruction is decoded for execution, the second instruction specifying said secure enclave as an operand, and execution units record hardware threads currently accessing secure data in the enclave page cache corresponding to the secure enclave, and decrement the recorded number of hardware threads when any of the hardware threads exits the secure enclave.