Patents by Inventor Vedvyas Shanbhogue

Vedvyas Shanbhogue has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9430384
    Abstract: Instructions and logic provide advanced paging capabilities for secure enclave page caches. Embodiments include multiple hardware threads or processing cores, a cache to store secure data for a shared page address allocated to a secure enclave accessible by the hardware threads. A decode stage decodes a first instruction specifying said shared page address as an operand, and execution units mark an entry corresponding to an enclave page cache mapping for the shared page address to block creation of a new translation for either of said first or second hardware threads to access the shared page. A second instruction is decoded for execution, the second instruction specifying said secure enclave as an operand, and execution units record hardware threads currently accessing secure data in the enclave page cache corresponding to the secure enclave, and decrement the recorded number of hardware threads when any of the hardware threads exits the secure enclave.
    Type: Grant
    Filed: March 31, 2013
    Date of Patent: August 30, 2016
    Assignee: Intel Corporation
    Inventors: Carlos V Rozas, Ilya Alexandrovich, Ittai Anati, Alex Berenzon, Michael A Goldsmith, Barry E Huntley, Anton Ivanov, Simon P Johnson, Rebekah M. Leslie-Hurd, Francis X. McKeen, Gilbert Neiger, Rinat Rappoport, Scott Dion Rodgers, Uday R. Savagaonkar, Vincent R. Scarlata, Vedvyas Shanbhogue, Wesley H Smith, William Colin Wood
  • Publication number: 20160246732
    Abstract: Embodiments of an invention for a guest-physical address translation lookaside buffer are disclosed. In an embodiment, a processor includes an instruction decoder, a control register, and memory address translation hardware. The instruction decoder is to receive an instruction to transfer control of the processor to guest software to execute on a virtual machine. The virtual machine is to have a plurality of resources to be controlled by a virtual machine monitor. The virtual machine monitor is to execute on a host machine having a host-physical memory to be accessed using a plurality of host-physical addresses. The plurality of resources is to include a guest-physical memory. The guest software is to access the guest-physical memory using a plurality of guest-virtual addresses. The control register is to store a pointer to a plurality of virtual address page tables.
    Type: Application
    Filed: February 23, 2015
    Publication date: August 25, 2016
    Inventors: Vedvyas Shanbhogue, Christopher Bryant
  • Publication number: 20160202976
    Abstract: Embodiments of an invention for memory management in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction and a second instruction. The execution unit is to execute the first instruction, wherein execution of the first instruction includes allocating a page in an enclave page cache to a secure enclave. The execution unit is also to execute the second instruction, wherein execution of the second instruction includes confirming the allocation of the page.
    Type: Application
    Filed: March 18, 2016
    Publication date: July 14, 2016
    Applicant: Intel Corporation
    Inventors: Rebekah Leslie-Hurd, Carlos V. Rozas, Vincent R. Scarlata, Simon P. Johnson, Uday R. Savagaonkar, Barry E. Huntley, Vedvyas Shanbhogue, Ittai Anati, Francis X. McKeen, Michael A. Goldsmith, Ilya Alexandrovich, Alex Berenzon, Wesley H. Smith, Gilbert Neiger
  • Publication number: 20160180079
    Abstract: A method comprises filtering branch trap events at a branch event filter, monitoring a branch event filter to capture indirect branch trap events that cause a control flow trap exception, receiving the indirect branch trap events at a handler and the handler processing the indirect branch trap events.
    Type: Application
    Filed: December 19, 2014
    Publication date: June 23, 2016
    Inventors: Ravi L. Sahita, Xiaoning Li, Barry E. Huntley, Ofer Levy, Vedvyas Shanbhogue, Yuriy Bulygin, Ido Ouziel, Michael Lemay, John M. Esper
  • Publication number: 20160179665
    Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for controlled memory view switching. The system may include a memory module comprising a shared address space between a first memory view and a second memory view. The system may also include a virtual machine monitor (VMM) to maintain a list of Controlled View Switch (CVS) descriptors. The system may further include a processor to receive a memory view switch request and to execute an instruction to save processor state information and switch from the first memory view to the second memory view, wherein the second memory view is specified by an extended page table pointer (EPTP) provided by one of the CVS descriptors.
    Type: Application
    Filed: December 23, 2014
    Publication date: June 23, 2016
    Inventors: Michael LeMay, Ravi L. Sahita, Barry E. Huntley, David M. Durham, Vedvyas Shanbhogue
  • Patent number: 9355262
    Abstract: Embodiments of an invention for modifying memory permissions in a secure processing environment are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to modify access permissions for a page in a secure enclave. The execution unit is to execute the instruction. Execution of the instruction includes setting new access permissions in an enclave page cache map entry. Furthermore, the page is immediately accessible from inside the secure enclave according to the new access permissions.
    Type: Grant
    Filed: December 27, 2013
    Date of Patent: May 31, 2016
    Assignee: Intel Corporation
    Inventors: Rebekah Leslie-Hurd, Ilya Alexandrovich, Ittai Anati, Alex Berenzon, Michael Goldsmith, Simon Johnson, Francis McKeen, Carlos Rozas, Uday Savagaonkar, Vincent Scarlata, Vedvyas Shanbhogue, Wesley Smith
  • Publication number: 20160132437
    Abstract: Methods and apparatus relating to processor extensions for execution of secure embedded containers are described. In an embodiment, a scalable solution for manageability function is provided, e.g., for UMPC environments or otherwise where utilizing a dedicated processor or microcontroller for manageability is inappropriate or impractical. For example, in an embodiment, an OS (Operating System) or VMM (Virtual Machine Manager) Independent (generally referred to herein as “OI”) architecture involves creating one or more containers on a processor by dynamically partitioning resources (such as processor cycles, memory, devices) between the HOST OS/VMM and the OI container. Other embodiments are also described and claimed.
    Type: Application
    Filed: January 19, 2016
    Publication date: May 12, 2016
    Inventors: Vedvyas Shanbhogue, Arvind Kumar, Purushottam Goel
  • Patent number: 9335943
    Abstract: An apparatus and method for fine grain memory protection. For example, one embodiment of a method comprises: performing a first lookup operation using a virtual address to identify a physical address of a memory page, the memory page comprising a plurality of sub-pages; determining whether sub-page permissions are enabled for the memory page; if sub-page permissions are enabled, then performing a second lookup operation to determine permissions associated with one or more of the sub-pages of the memory page; and implementing the permissions associated with the one or more sub-pages.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: May 10, 2016
    Assignee: Intel Corporation
    Inventors: Ravi L. Sahita, Vedvyas Shanbhogue, Gilbert Neiger, Jonathan Edwards, Ido Ouziel, Barry E. Huntley, Stanislav Shwartsman, David M. Durham, Andrew V. Anderson, Michael Lemay
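The fine-grain memory protection abstract above describes a two-level lookup: a normal page-table lookup, then, if sub-page permissions are enabled for that page, a second lookup that yields permissions for the individual sub-pages. The following C program is an added software model of that check written for this page; it is not code from the patent or from Intel. The 4 KiB page size, the 128-byte sub-page granule, the table layout and the function names are assumptions made for illustration.

```c
/* Added example: software model of page-level plus sub-page permission
 * checking. Not from the patent or Intel; sizes and layout are assumed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SHIFT   12u
#define PAGE_SIZE    (1u << PAGE_SHIFT)
#define SUBPAGE_SIZE 128u                        /* assumed sub-page granule */
#define SUBPAGES     (PAGE_SIZE / SUBPAGE_SIZE)  /* 32 sub-pages per page */
#define NPAGES       4u                          /* toy address space */

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };

/* First-level entry: translation, page-granular permissions, and a flag
 * saying whether the second-level sub-page table applies to this page. */
struct pte {
    bool     present;
    uint32_t pfn;
    uint8_t  perms;        /* page-level R/W/X */
    bool     spp_enabled;  /* consult the sub-page table as well */
};

enum result { ALLOW, DENY_NOT_PRESENT, DENY_PAGE, DENY_SUBPAGE };

static struct pte page_table[NPAGES];
/* Second-level table: one permission byte per sub-page, indexed by pfn. */
static uint8_t    spp_table[NPAGES][SUBPAGES];

/* Two lookups: page permissions first, then sub-page permissions, which can
 * only restrict further and never grant what the page entry denies. */
enum result check_access(uint32_t va, uint8_t want)
{
    uint32_t vpn = va >> PAGE_SHIFT;
    if (vpn >= NPAGES || !page_table[vpn].present)
        return DENY_NOT_PRESENT;
    const struct pte *e = &page_table[vpn];
    if ((e->perms & want) != want)
        return DENY_PAGE;
    if (!e->spp_enabled)
        return ALLOW;
    uint32_t sub = (va & (PAGE_SIZE - 1)) / SUBPAGE_SIZE;
    if ((spp_table[e->pfn][sub] & want) != want)
        return DENY_SUBPAGE;
    return ALLOW;
}

/* Constructed sample mappings. */
void setup_tables(void)
{
    /* page 0: plain RW page, no sub-page control */
    page_table[0] = (struct pte){ true, 0, PERM_R | PERM_W, false };
    /* page 1: RW at page level, but only sub-pages 0..3 are writable */
    page_table[1] = (struct pte){ true, 1, PERM_R | PERM_W, true };
    for (unsigned s = 0; s < SUBPAGES; s++)
        spp_table[1][s] = (s < 4) ? (PERM_R | PERM_W) : PERM_R;
    /* page 2: read-only at page level; the sub-page table cannot override that */
    page_table[2] = (struct pte){ true, 2, PERM_R, true };
    for (unsigned s = 0; s < SUBPAGES; s++)
        spp_table[2][s] = PERM_R | PERM_W;
    /* page 3 is left not present */
}

int main(void)
{
    setup_tables();
    static const char *names[] = { "ALLOW", "DENY_NOT_PRESENT", "DENY_PAGE", "DENY_SUBPAGE" };
    printf("write 0x0010 -> %s\n", names[check_access(0x0010, PERM_W)]);
    printf("write 0x1180 -> %s\n", names[check_access(0x1000 + 3 * SUBPAGE_SIZE, PERM_W)]);
    printf("write 0x1200 -> %s\n", names[check_access(0x1000 + 4 * SUBPAGE_SIZE, PERM_W)]);
    printf("write 0x2000 -> %s\n", names[check_access(0x2000, PERM_W)]);
    printf("read  0x3000 -> %s\n", names[check_access(0x3000, PERM_R)]);
    return 0;
}
```

The point a practitioner cares about is in the ordering: the second lookup happens only after the page-level check passes, so a permissive sub-page table on page 2 does not make a read-only page writable, while page 1 shows the intended use, a single writable page with most of its sub-pages locked down.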
  • Patent number: 9330020
    Abstract: Detailed herein are systems, apparatuses, and methods for transparent page level instruction translation. Exemplary embodiments include an instruction translation lookaside buffer (iTLB), wherein each iTLB entry includes a linear address of a page in memory, a physical address of the page in memory, and a remapping indicator.
    Type: Grant
    Filed: December 27, 2013
    Date of Patent: May 3, 2016
    Assignee: Intel Corporation
    Inventors: Paul Caprioli, Vedvyas Shanbhogue, Koichi Yamada
  • Publication number: 20160117265
    Abstract: Embodiments of an invention for maintaining a secure processing environment across power cycles are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to evict a root version array page entry from a secure cache. The execution unit is to execute the instruction. Execution of the instruction includes generating a blob to contain information to maintain a secure processing environment across a power cycle and storing the blob in a non-volatile memory.
    Type: Application
    Filed: October 28, 2014
    Publication date: April 28, 2016
    Inventors: Francis X. McKeen, Vincent Scarlata, Carlos Rozas, Ittai Anati, Vedvyas Shanbhogue
  • Patent number: 9323942
    Abstract: Embodiments of an invention for protecting information processing system secrets from debug attacks are disclosed. In one embodiment, a processor includes storage, a debug unit, and a test access port. The debug unit is to receive a policy from a debug aggregator. The policy is based on a value of a first fuse and has a production mode corresponding to a production value of the first fuse and a debug mode corresponding to a debug value of the fuse. The test access port is to provide access to the storage using a debug command in the debug mode and to prevent access to the storage using the debug command in the production mode.
    Type: Grant
    Filed: January 7, 2015
    Date of Patent: April 26, 2016
    Assignee: Intel Corporation
    Inventors: Vedvyas Shanbhogue, Jason W. Brandt, Jeff Wiedemeier
  • Patent number: 9323564
    Abstract: Systems, methods, and computer program products that provide for the use of a type 2 VMM to de-link or isolate underlying processor hardware from an operating system. This may allow the launching of a task that requires direct access to processor hardware, where such access requires the absence of an operating system. Such a task may take the form of a type 1 VMM, such as an information security or integrity VMM, e.g., an anti-malware VMM.
    Type: Grant
    Filed: December 28, 2011
    Date of Patent: April 26, 2016
    Assignee: Intel Corporation
    Inventors: Manohar R. Castelino, Vedvyas Shanbhogue, Sergio Rodriguez
  • Patent number: 9323686
    Abstract: Embodiments of an invention for paging in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction. The execution unit is to execute the first instruction, wherein execution of the first instruction includes evicting a first page from an enclave page cache.
    Type: Grant
    Filed: December 28, 2012
    Date of Patent: April 26, 2016
    Assignee: Intel Corporation
    Inventors: Francis X. McKeen, Michael A. Goldsmith, Barry E. Huntley, Simon P. Johnson, Rebekah Leslie, Carlos V. Rozas, Uday R. Savagaonkar, Vincent R. Scarlata, Vedvyas Shanbhogue, Wesley H. Smith, Ittai Anati, Ilya Alexandrovich, Alex Berenzon, Gilbert Neiger
  • Publication number: 20160110269
    Abstract: In one embodiment, an apparatus includes a control transfer termination (CTT) state machine configured to raise a fault when an indirect control transfer instruction of a process is not terminated by a CTT instruction. A virtual machine monitor (VMM) is configured to selectively enable the CTT state machine for the process. In addition, a binary translation engine is configured to receive fault information associated with a fault raised by the CTT state machine, provide at least some of the fault information to a security agent associated with the process, and responsive to direction from the security agent, to translate a code block of the process to a translated code block including a first CTT instruction associated with the indirect control transfer instruction, such that when the translated code block including the indirect control transfer instruction and the first CTT instruction is to be executed, the CTT state machine will not raise a fault. Other embodiments are described and claimed.
    Type: Application
    Filed: October 20, 2014
    Publication date: April 21, 2016
    Inventors: Ravi L. Sahita, Vedvyas Shanbhogue
  • Publication number: 20160110542
    Abstract: In one embodiment, a processor comprises: a first register to store a first bound value for a stack to be stored in a memory; a second register to store a second bound value for the stack; a checker logic to determine, prior to an exit point at a conclusion of a function to be executed on the processor, whether a value of a stack pointer is within a range between the first bound value and the second bound value; and a logic to prevent a return to a caller of the function if the stack pointer value is not within the range. Other embodiments are described and claimed.
    Type: Application
    Filed: October 20, 2014
    Publication date: April 21, 2016
    Inventors: Vedvyas Shanbhogue, Ravi L. Sahita, Yuriy Bulygin, Xiaoning Li, Jason W. Brandt
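Two of the abstracts above (20160110269 and 20160110542) describe hardware checks on control flow: a CTT state machine that faults when an indirect control transfer does not land on a CTT instruction, and a pair of bound registers against which the stack pointer is checked before a function is allowed to return. The following C program is an added toy interpreter, written for this page and not code from either patent or from Intel, that models both checks over a small instruction set. The opcode names, the stack layout, the bound values and the sample programs are all assumptions made for illustration.

```c
/* Added example: toy CPU modelling (1) the CTT rule that an indirect
 * transfer must land on a CTT marker instruction and (2) a stack-pointer
 * bound check at function exit. Not from the patents or Intel. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum op { NOP, ENDBRANCH, CALL_IND, RET, PUSH, POP, HALT };   /* assumed ISA */
struct insn { enum op op; uint32_t arg; };

enum outcome { OK_HALT, FAULT_CTT, FAULT_STACK, FAULT_BAD_PC, MODEL_LIMIT };

#define STACK_WORDS 64u
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

struct cpu {
    uint32_t pc, sp;
    uint32_t sp_lo, sp_hi;     /* the two bound registers */
    bool     need_endbranch;   /* CTT state: previous insn was an indirect transfer */
    uint32_t stack[STACK_WORDS];
};

enum outcome run(const struct insn *prog, size_t n, uint32_t sp_lo, uint32_t sp_hi)
{
    struct cpu c = { .pc = 0, .sp = STACK_WORDS / 2, .sp_lo = sp_lo, .sp_hi = sp_hi };
    for (unsigned steps = 0; steps < 1000; steps++) {
        if (c.pc >= n)
            return FAULT_BAD_PC;
        const struct insn *i = &prog[c.pc];
        /* CTT check: after an indirect transfer, only ENDBRANCH may execute */
        if (c.need_endbranch && i->op != ENDBRANCH)
            return FAULT_CTT;
        c.need_endbranch = false;
        switch (i->op) {
        case NOP:
        case ENDBRANCH:
            c.pc++;
            break;
        case PUSH:
            if (c.sp == 0) return MODEL_LIMIT;
            c.stack[--c.sp] = i->arg;
            c.pc++;
            break;
        case POP:
            if (c.sp >= STACK_WORDS) return MODEL_LIMIT;
            c.sp++;
            c.pc++;
            break;
        case CALL_IND:                 /* target comes from data, so it can be hijacked */
            if (c.sp == 0) return MODEL_LIMIT;
            c.stack[--c.sp] = c.pc + 1;  /* push return address */
            c.pc = i->arg;
            c.need_endbranch = true;
            break;
        case RET:
            /* bound check at the exit point, before the return address is consumed */
            if (c.sp < c.sp_lo || c.sp > c.sp_hi || c.sp >= STACK_WORDS)
                return FAULT_STACK;
            c.pc = c.stack[c.sp++];
            break;
        case HALT:
            return OK_HALT;
        default:
            return FAULT_BAD_PC;
        }
    }
    return MODEL_LIMIT;
}

/* Constructed programs. Function body starts at the index noted in comments. */
static const struct insn good[] = {                    /* call lands on ENDBRANCH */
    { CALL_IND, 3 }, { HALT, 0 }, { NOP, 0 },
    /* 3: */ { ENDBRANCH, 0 }, { PUSH, 7 }, { POP, 0 }, { RET, 0 },
};
static const struct insn hijack[] = {                  /* pointer redirected past ENDBRANCH */
    { CALL_IND, 4 }, { HALT, 0 }, { NOP, 0 },
    /* 3: */ { ENDBRANCH, 0 }, { PUSH, 7 }, { POP, 0 }, { RET, 0 },
};
static const struct insn pivot[] = {                   /* unbalanced pops move sp out of bounds */
    { CALL_IND, 2 }, { HALT, 0 },
    /* 2: */ { ENDBRANCH, 0 },
    { POP, 0 }, { POP, 0 }, { POP, 0 }, { POP, 0 }, { POP, 0 }, { POP, 0 },
    { POP, 0 }, { POP, 0 }, { POP, 0 }, { POP, 0 }, { POP, 0 }, { POP, 0 },
    { RET, 0 },
};

/* sp starts at 32; the legal window for sp at function exit is [24, 40]. */
enum outcome run_good(void)   { return run(good,   LEN(good),   24, 40); }
enum outcome run_hijack(void) { return run(hijack, LEN(hijack), 24, 40); }
enum outcome run_pivot(void)  { return run(pivot,  LEN(pivot),  24, 40); }

int main(void)
{
    static const char *names[] = { "OK_HALT", "FAULT_CTT", "FAULT_STACK", "FAULT_BAD_PC", "MODEL_LIMIT" };
    printf("good   -> %s\n", names[run_good()]);
    printf("hijack -> %s\n", names[run_hijack()]);
    printf("pivot  -> %s\n", names[run_pivot()]);
    return 0;
}
```

In the hijack program the fault is raised on the very first instruction at the redirected target, before it executes, which is what makes the marker useful against return-oriented and jump-oriented gadgets that start mid-function. In the pivot program the stack pointer has drifted to 43 by the time RET is reached, so the bound check stops the return before a stale word at that position is used as the return address.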
  • Publication number: 20160092371
    Abstract: An apparatus and method are described for translation lookaside buffer (TLB) miss handling. For example, one embodiment of a processor comprises: a translation lookaside buffer (TLB) to store virtual-to-physical address translations; a page miss handler (PMH) to process TLB misses when a desired virtual-to-physical address translation is not present in the TLB; and a compressed page table to be managed by the PMH, the compressed page table to store specified portions of page tables, wherein in response to a TLB miss for a first address translation, the PMH is to check the compressed page table to determine if a page table entry corresponding to the first address translation is stored therein and, if so, to provide the first address translation from the compressed page table.
    Type: Application
    Filed: September 26, 2014
    Publication date: March 31, 2016
    Inventor: Vedvyas Shanbhogue
  • Publication number: 20160094571
    Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identify regions of code to be monitored, probe and lock code pages that include the identified regions of code, and remap the code pages as execute only. The code pages can be remapped as execute only in an alternate extended page table view.
    Type: Application
    Filed: September 26, 2014
    Publication date: March 31, 2016
    Inventors: Ravi Sahita, Lu Deng, Vedvyas Shanbhogue, Lixin Lu, Alexander Shepsen, Igor Tatourian
  • Publication number: 20160078222
    Abstract: In an embodiment, the present invention includes a processor having a decode unit and an execution unit. The decode unit is to decode control transfer instructions and the execution unit is to execute control transfer instructions, the control transfer instructions including a call instruction and a return instruction. The processor is to operate in a first mode in which the processor is to raise a fault if a next instruction to be executed immediately after the return instruction is not the call instruction.
    Type: Application
    Filed: September 12, 2014
    Publication date: March 17, 2016
    Inventors: Baiju Patel, Vedvyas Shanbhogue, Ravi Sahita
  • Patent number: 9276750
    Abstract: Embodiments of an invention for secure processing environment measurement and attestation are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction associated with a build or a rebuild of a secure enclave. The execution unit is to execute the first instruction. Execution of the first instruction, when associated with the build, includes calculation of a first measurement and a second measurement of the secure enclave. Execution of the first instruction, when associated with the rebuild, includes calculation of the second measurement without calculation of the first measurement.
    Type: Grant
    Filed: July 23, 2013
    Date of Patent: March 1, 2016
    Assignee: Intel Corporation
    Inventors: Vincent R. Scarlata, Carlos Rozas, Simon Johnson, Uday Savagaonkar, Rebekah Leslie-Hurd, Barry Huntley, Vedvyas Shanbhogue, Ittai Anati, Francis McKeen, Michael Goldsmith, William Wood, Shay Gueron
  • Patent number: 9268594
    Abstract: Methods and apparatus relating to processor extensions for execution of secure embedded containers are described. In an embodiment, a scalable solution for manageability function is provided, e.g., for UMPC environments or otherwise where utilizing a dedicated processor or microcontroller for manageability is inappropriate or impractical. For example, in an embodiment, an OS (Operating System) or VMM (Virtual Machine Manager) Independent (generally referred to herein as “OI”) architecture involves creating one or more containers on a processor by dynamically partitioning resources (such as processor cycles, memory, devices) between the HOST OS/VMM and the OI container. Other embodiments are also described and claimed.
    Type: Grant
    Filed: June 3, 2015
    Date of Patent: February 23, 2016
    Assignee: Intel Corporation
    Inventors: Vedvyas Shanbhogue, Arvind Kumar, Purushottam Goel