
September 2, 2014



Patent Application Titled "Instruction Set Architecture with Secure Clear Instructions for Protecting Processing Unit Architected State Information" Published Online

By a News Reporter-Staff News Editor at Information Technology Newsweekly -- According to news reporting originating from Washington, D.C., by VerticalNews journalists, a patent application by the inventors Muff, Adam J. (Issaquah, WA); Schardt, Paul E. (Rochester, MN); Shearer, Robert A. (Woodinville, WA); Tubbs, Matthew R. (Issaquah, WA), filed on March 12, 2013, was made available online on August 21, 2014.

The assignee for this patent application is International Business Machines Corporation.

Reporters obtained the following quote from the background information supplied by the inventors: "Protecting secure data stored or used by the processors of a data processing system is of critical importance in many data processing applications. Encryption algorithms are typically applied to secure data to render it unintelligible without application of a decryption algorithm, and secure data is typically stored in mass storage and other non-volatile storage media in an encrypted format, requiring decryption to be performed before the secure data can be read and/or manipulated by a processor in a data processing system. However, in many instances the decryption of encrypted secure data results in the secure data being stored in an unencrypted form in various types of volatile memory in a data processing system, e.g., within a main memory or within various levels of cache memories that are used to accelerate accesses to frequently-used data. Any time that data is stored in an unsecured form in any memory of a data processing system, however, that data may be subject to unauthorized access, potentially compromising the confidential nature of the data.

"Encrypting and decrypting data, however, typically requires some amount of processing overhead, and as such, even in applications where secure data is being processed, it is also desirable to retain other, non-secure data in a data processing system so that processing of that other data is not subject to the same processing overhead associated with encryption and decryption.

"In addition, as semiconductor technology continues to inch closer to practical limitations in terms of increases in clock speed, architects are increasingly focusing on parallelism in processor architectures to obtain performance improvements. At the chip level, multiple processing cores are often disposed on the same chip, functioning in much the same manner as separate processor chips, or to some extent, as completely separate computers. In addition, even within cores, parallelism is employed through the use of multiple execution units that are specialized to handle certain types of operations. Pipelining is also employed in many instances so that certain operations that may take multiple clock cycles to perform are broken up into stages, enabling other operations to be started prior to completion of earlier operations. Multithreading is also employed to enable multiple instruction streams to be processed in parallel, enabling more overall work to be performed in any given clock cycle.

"Due to this increased parallelism, the challenges of maintaining secure data in a data processing system are more significant than in prior, non-parallel data processing systems. In a data processing system that only includes a single processor with a single thread, for example, secure data may be stored in an encrypted form outside of the processor, and decrypted as necessary by that single thread once the data is loaded into the processor. When additional threads, and even additional processing cores are disposed on the same processor chip, however, it may be necessary to limit access to secure data to only certain threads or processing cores on the chip. Thus, for example, if multiple threads or processing cores share a common cache memory, storing any secure data in an unencrypted form in that cache memory may present a risk that an unauthorized party may obtain access to that data via a thread or processing core other than that which is authorized to access the secure data. Furthermore, as modern system on chip (SOC) processor designs grow to hundreds of processing cores on a processor chip, it becomes increasingly important to protect unencrypted data from even other processes on the same processor chip.

"Furthermore, even from the standpoint of individual threads in a given processor or processing core, a risk may exist that secure data may be compromised as a result of virtualization. Virtualization may be used at different levels of a data processing system to support the concurrent execution of multiple user processes or applications. A processor hosting a single operating system, for example, may support the concurrent execution of multiple processes in a single operating environment, and may perform context switches to switch between the different processes at relatively frequent intervals such that the multiple processes appear to run in parallel. During a context switch, the internal architected state, or 'context,' of a processor when executing one process is stored and a previously-stored state for another process is loaded into the processor so that when the processor begins to execute the other process, the internal architected state of the processor is the same as it was when a context switch was made away from that other process.

"Likewise, when a processor hosts multiple operating systems within multiple virtual machines or operating environments, a hypervisor may transition between these different virtual operating environments using a process that is similar to a context switch, and as such, the term 'context switch' is used hereinafter to include not only context switches performed by an operating system, but also hypervisor-initiated transitions between virtual operating environments, or any other instances where the internal architected state of a processor is temporarily saved and later restored such that program code executing when the internal state of the processor is saved can be resumed when that state is restored as if execution of the program code had never been interrupted.

"When a processor transitions between different contexts or virtual machines, however, a risk exists that some data and portions of the architected state may be left behind from a previous context or virtual machine. For example, where a hypervisor controls a data processing system and manages different operating systems running under virtual machines there may be a danger that one operating system could access data or other state information from the previously-executed virtual machine. Conventional cache invalidate instructions, as just one example, invalidate a cache line in a cache by setting an invalidate bit, and otherwise leave the data in the invalidated cache line intact until a new cache line is loaded into the same physical storage. A subsequent operating system could therefore potentially access debug control registers and access the data left in a cache by a prior operating system.

"While this risk is generally not a particularly great concern for many applications, in some high security applications the risk that data and/or architected state information associated with one context or virtual machine may be accessed after a context switch precludes the use of some virtualization techniques in those applications. In many government applications, for example, virtual machines may not be permitted as a result of this risk, and it is believed that this risk could be even greater in cloud computing applications where processes owned by completely different entities are virtualized to execute on the same physical hardware.

"Therefore, a significant need continues to exist in the art for a manner of securing data and architected state information utilized by multiple processes running on a processor or processing core."

In addition to obtaining background information on this patent application, VerticalNews editors also obtained the inventors' summary information for this patent application: "The invention addresses these and other problems associated with the prior art by providing a method and circuit arrangement that utilize secure clear instructions defined in an instruction set architecture (ISA) for a processing unit to clear, overwrite or otherwise restrict unauthorized access to the internal architected state of the processing unit in association with context switch operations. The secure clear instructions are executable by a hypervisor, operating system, or other supervisory/higher privilege program code in connection with a context switch operation (e.g., from one process, operating system environment or virtual machine to another process, operating system environment or virtual machine), and the processing unit includes security logic that is responsive to such instructions to restrict access by an operating system, process or other lower privilege program code associated with an incoming context to architected state information associated with an operating system or process, or other lower privilege program code associated with an outgoing context.

"Therefore, consistent with one aspect of the invention, access to architected state information in a processing unit is restricted by receiving a secure clear instruction in an instruction stream in connection with performing a context switch from an outgoing context to an incoming context, where the secure clear instruction is defined in an instruction set architecture for the processing unit and targets at least one memory element in the processing unit, and in response to receiving the secure clear instruction, decoding and executing the secure clear instruction to perform at least one secure clear operation that restricts access, by program code associated with the incoming context, to data stored in the at least one memory element during execution of program code associated with the outgoing context.

"Consistent with another aspect of the invention, a context switch is performed from a first virtual machine to a second virtual machine by, in a hypervisor, causing a plurality of instructions in a context switch routine to be executed by a processing unit to perform a context switch from an outgoing context associated with the first virtual machine to an incoming context associated with the second virtual machine, where the plurality of instructions includes a secure clear instruction defined in an instruction set architecture for the processing unit, wherein the secure clear instruction targets at least one address translation data structure in the processing unit, and, in security logic disposed in the processing unit, and in response to the processing unit receiving the secure clear instruction, restricting virtual machine privilege access to each entry in the address translation data structure while retaining hypervisor privilege access to each entry in the address translation data structure indicating hypervisor privilege.

"These and other advantages and features, which characterize the invention, are set forth in the claims annexed hereto and forming a further part hereof. However, for a better understanding of the invention, and of the advantages and objectives attained through its use, reference should be made to the Drawings, and to the accompanying descriptive matter, in which there is described exemplary embodiments of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

"FIG. 1 is a block diagram of exemplary automated computing machinery including an exemplary computer useful in data processing consistent with embodiments of the present invention.

"FIG. 2 is a block diagram of an exemplary NOC implemented in the computer of FIG. 1.

"FIG. 3 is a block diagram illustrating in greater detail an exemplary implementation of a node from the NOC of FIG. 2.

"FIG. 4 is a block diagram illustrating an exemplary implementation of an IP block from the NOC of FIG. 2.

"FIG. 5 is a block diagram of an exemplary data processing system with a processing unit capable of decoding and executing secure clear instructions consistent with the invention.

"FIG. 6 is a block diagram of an exemplary instruction format for a secure clear instruction in the processing unit of FIG. 5.

"FIG. 7 is a block diagram of an exemplary ERAT entry format for the dERAT referenced in FIG. 5.

"FIG. 8 is a flowchart illustrating an exemplary sequence of operations for performing a context switch in the processing unit of FIG. 5.

"FIG. 9 is a flowchart illustrating an exemplary sequence of operations for clearing an ERAT in the processing unit of FIG. 5."
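The residue problem from the background quote (a conventional invalidate only sets a bit and leaves the line's bytes in place) and the translation-structure clear from the summary can be modelled in software. The C below is an added illustration, not code from the patent application or from IBM; the struct layouts, field names and function names are assumptions, and the guest entries are simply wiped as one simplified way of restricting virtual machine access while keeping hypervisor entries.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE_BYTES 16

/* Toy cache line: a valid bit plus the bytes held in physical storage. */
struct cache_line { bool valid; uint8_t data[LINE_BYTES]; };
/* Toy translation entry (hypothetical layout): hv marks hypervisor privilege. */
struct erat_entry { bool valid; bool hv; uint32_t epn; uint32_t rpn; };

/* Conventional invalidate: only the valid bit changes, the bytes remain. */
void invalidate(struct cache_line *l) { l->valid = false; }

/* Secure clear: overwrite the storage as well as dropping the valid bit. */
void secure_clear_line(struct cache_line *l) {
    volatile uint8_t *p = l->data;   /* volatile so the wipe is not optimised away */
    for (size_t i = 0; i < LINE_BYTES; i++) p[i] = 0;
    l->valid = false;
}

/* Bytes of the outgoing context still physically present in the line. */
int residual_bytes(const struct cache_line *l) {
    int n = 0;
    for (size_t i = 0; i < LINE_BYTES; i++) n += (l->data[i] != 0);
    return n;
}

/* Clear every guest translation, keep entries marked hypervisor privilege.
   Returns how many valid guest entries were wiped. */
int secure_clear_erat(struct erat_entry *t, int n) {
    int cleared = 0;
    for (int i = 0; i < n; i++) {
        if (t[i].hv) continue;
        if (t[i].valid) cleared++;
        memset(&t[i], 0, sizeof t[i]);
    }
    return cleared;
}

int main(void) {
    struct cache_line a = { .valid = true }, b;
    memset(a.data, 0xA5, LINE_BYTES);            /* constructed "secret" bytes */
    b = a;
    invalidate(&a);
    secure_clear_line(&b);
    printf("after invalidate:   %d residual bytes\n", residual_bytes(&a));
    printf("after secure clear: %d residual bytes\n", residual_bytes(&b));
    struct erat_entry t[3] = { {true, true, 0x10, 0x900},    /* hypervisor */
                               {true, false, 0x20, 0xA00},   /* guest */
                               {true, false, 0x21, 0xA01} }; /* guest */
    printf("guest entries cleared: %d\n", secure_clear_erat(t, 3));
    return 0;
}
```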

For more information, see this patent application: Muff, Adam J.; Schardt, Paul E.; Shearer, Robert A.; Tubbs, Matthew R. Instruction Set Architecture with Secure Clear Instructions for Protecting Processing Unit Architected State Information. Filed March 12, 2013 and posted August 21, 2014. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=424&p=9&f=G&l=50&d=PG01&S1=20140814.PD.&OS=PD/20140814&RS=PD/20140814

Keywords for this news article include: Information Technology, Information and Data Processing, Information and Data Architecture, International Business Machines Corporation, Information and Data Encoding and Encryption.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC





Source: Information Technology Newsweekly

