Abstract: In a computer system operable at more than one privilege level, confidential code is securely customized to use secret data to establish a code protection domain without disclosing the secret data to a managing operating system. In operation, a security module executes at a higher privilege level than both the managing operating system and the confidential code. After the managing operating system loads the executable of the confidential code, the security module injects the secret data directly into an authorization instruction and a verification instruction included in the confidential code and then sets both the authorization instruction and the verification instruction as executable-only. As the confidential code executes at the assigned privilege level, the authorization instruction and the verification instruction use the secret data to distinguish between unauthorized and authorized execution of the confidential code.

Abstract: A low overhead way for insuring that only routines of sufficient privilege can execute on a secured page of memory in an hierarchial computer system, and for raising the privilege level of a low privilege process in an orderly and secure way is presented. This is done through the execution of a single "gateway" branch instruction standing between a procedure call by a lower privileged routine, such as a user program, and an operating system itself.