Search Images Maps Play YouTube News Gmail Drive More »
Sign in
Screen reader users: click this link for accessible mode. Accessible mode has the same essential features but works better with your reader.

Patents

  1. Advanced Patent Search
Publication numberUS20030229794 A1
Publication typeApplication
Application numberUS 10/165,597
Publication dateDec 11, 2003
Filing dateJun 7, 2002
Priority dateJun 7, 2002
Also published asCN1675623A, CN100377092C, EP1512074A2, US7581219, US20060015869, WO2003104981A2, WO2003104981A3
Publication number10165597, 165597, US 2003/0229794 A1, US 2003/229794 A1, US 20030229794 A1, US 20030229794A1, US 2003229794 A1, US 2003229794A1, US-A1-20030229794, US-A1-2003229794, US2003/0229794A1, US2003/229794A1, US20030229794 A1, US20030229794A1, US2003229794 A1, US2003229794A1
InventorsJames Sutton, David Grawrock, Richard Uhlig, David Poisner, Andrew Glew, Clifford Hall, Lawrence Smith, Gilbert Neiger, Michael Kozuch, Robert George, Bradley Burgess
Original AssigneeSutton James A., Grawrock David W., Uhlig Richard A., Poisner David I., Glew Andrew F., Hall Clifford D., Smith Lawrence O., Gilbert Neiger, Kozuch Michael A., George Robert T., Burgess Bradley G.
Export CitationBiBTeX, EndNote, RefMan
External Links: USPTO, USPTO Assignment, Espacenet
System and method for protection against untrusted system management code by redirecting a system management interrupt and creating a virtual machine container
US 20030229794 A1
Abstract
A system and method for permitting the execution of system management mode (SMM) code during secure operations in a microprocessor system is described. In one embodiment, the system management interrupt (SMI) may be first directed to a handler in a secured virtual machine monitor (SVMM). The SMI may then be re-directed to SMM code located in a virtual machine (VM) that is under the security control of the SVMM. This redirection may be accomplished by allowing the SVMM to read and write the system management (SM) base register in the processor.
Images(8)
Previous page
Next page
Claims(43)
What is claimed is:
1. A system, comprising:
a processor to operate in a user mode, a supervisor mode, and a sub operating system mode, to receive a sub operating system mode interrupt;
a first code to be contained within a first virtual machine; and
a first handler to be contained within a trusted code in a second virtual machine to redirect said sub operating system mode interrupt to said first code.
2. The system of claim 1, wherein said trusted code is to write an interrupt service register in said processor.
3. The system of claim 2, wherein said interrupt service register is a system management base register, and wherein said sub operating system mode interrupt is a system management interrupt.
4. The system of claim 1, wherein said first code is to execute in page mode.
5. The system of claim 4, wherein said first code is a system management mode code.
6. The system of claim 1, further comprising a second handler within said trusted code to be invoked upon access attempts to locked pages of a memory.
7. The system of claim 6, wherein said second handler determines if access is allowable to said locked pages of said memory.
8. The system of claim 6, wherein said second handler initiates an exit from said first code by issuing a modified resume instruction.
9. The system of claim 8, wherein said modified resume instruction is capable of execution in page mode.
10. The system of claim 1, wherein said first handler establishes a space within locked pages of a memory to store state data.
11. The system of claim 1, wherein said first code is located in unlocked pages of memory.
12. The system of claim 1, wherein said system comprises a single processor system.
13. The system of claim 1, wherein said trusted code is to disable an interrupt service register in said processor.
14. The system of claim 13, wherein said interrupt service register is a system management base register, and wherein said first interrupt is a system management interrupt.
15. The system of claim 1, wherein said first handler within said trusted code to be invoked upon access attempts to locked pages of a memory.
16. The system of claim 15, wherein said first handler determines if access is allowable to said locked pages of said memory.
17. The system of claim 15, wherein said first handler initiates an exit from said first code by issuing a modified resume instruction.
18. The system of claim 1, wherein said modified resume instruction is capable of execution in page mode.
19. A method, comprising:
directing a sub operating system mode interrupt to a first handler in a trusted code within a second virtual machine;
storing a state in a locked page in memory; and
entering a first code in a first virtual machine.
20. The method of claim 19, further comprising invoking a second handler in said trusted code from said first code.
21. The method of claim 20, wherein said invoking is subsequent to said first code accessing said locked page in memory.
22. The method of claim 19, wherein said first code is system management mode code.
23. The method of claim 19, further comprising invoking a second handler in said trusted code from said first code.
24. The method of claim 23, wherein said invoking is subsequent to said first code accessing said locked page in memory.
25. The method of claim 19, further comprising executing a modified resume instruction from a page mode.
26. The method of claim 19, further comprising determining whether said first code may access said locked page in memory.
27. The method of claim 19, wherein said directing includes writing a memory location within said trusted code to an interrupt service register.
28. The method of claim 27, wherein said interrupt service register is a system management base register.
29. The method of claim 19, wherein said sub operating system mode interrupt is a system management interrupt.
30. The method of claim 19, further comprising invoking said first handler in said trusted code from said first code.
31. The method of claim 30, wherein said invoking is subsequent to said first code accessing said locked page in memory.
32. A processor, comprising
a first logic to execute a modified resume instruction; and
an interrupt service register capable of being written subsequent to execution of a secure enter instruction.
33. The processor of claim 32, wherein said modified resume instruction returns said processor to previous program execution subsequent to execution of a first code.
34. The processor of claim 33, wherein said modified resume instruction may be executed from within page mode.
35. The processor of claim 33, wherein said execution of said first code occurs within a sub operating system mode.
36. The processor of claim 35, wherein said sub operating system mode is a system management mode.
37. The processor of claim 32, wherein said interrupt service register is a system management base register.
38. A processor, comprising
a first logic to execute a modified resume instruction; and
an interrupt service register capable of being disabled subsequent to execution of a monitor initialization instruction.
39. The processor of claim 38, wherein said modified resume instruction returns said processor to previous program execution subsequent to execution of a first code.
40. The processor of claim 39, wherein said modified resume instruction may be executed from within page mode.
41. The processor of claim 39, wherein said execution of said first code occurs within a sub operating system mode.
42. The processor of claim 41, wherein said sub operating system mode is a system management mode.
43. The processor of claim 38, wherein said interrupt service register is a system management base register.
Description
    FIELD
  • [0001]
    The present disclosure relates generally to microprocessor systems, and more specifically to microprocessor systems that may operate in a trusted or secured environment.
  • BACKGROUND
  • [0002]
    Processors may operate in several processor operating modes depending upon the immediate requirements of system operation. Generally processors may have a supervisor mode, a user mode, and sometimes other special-purpose modes. Supervisor mode may support the execution of the operating system, and may enable the execution of most instructions, including privileged instructions. Access may be given in supervisor mode to a different address space and peripheral devices. User mode may be restricted to non-privileged instructions when compared with supervisor mode, so that user code may not disrupt system functionality.
  • [0003]
    It is often the case that commercially released software is not a perfect fit on a particular original equipment manufacturer's (OEM) hardware suite. Due to specification misunderstandings or implementation errors, there may be situations where the software attempts to access hardware in a manner not anticipated or supported by the hardware. A simple example could be where a software program expects to place a value in a register at address x whereas the actual register in the hardware is at address x+y. This could cause a system exception.
  • [0004]
    In order to deal with such situations, processors may be designed to support an operating mode having the ability to operate in operating system transparent or quasi-transparent manner, or in a privilege-level independent manner, for the purpose of executing low-level patches. For the purpose of the present application such a mode may be defined as a “sub operating system mode”. One such mode is the system management mode (SMM) of the Intel® Pentium® processor family and compatible processors. (See Chapter 14 of the Pentium® 4 Processor Software Developer's Manual, Vol. III, 2001 edition, order number 245472, available from Intel Corporation of Santa Clara, Calif.) Other sub operating system modes may exist in a MIPS Technologies® MIPS32™ or MIPS64™ architecture processor, in an IBM® PowerPC™ architecture processor, in a SPARC International® SPARC® architecture processor, or in many other processors. The existence of a sub operating system mode may have additional system benefits, such as supporting transitions into a power-down mode. In order to deal with software and hardware mismatches as outlined above, existing sub operating system mode implementations may have no privilege restrictions or address mapping restrictions. Sub operating system modes may be invoked by a dedicated sub operating system mode interrupt, sometimes generated by system firmware or system hardware. This dedicated sub operating system mode interrupt is usually designed to be non-maskable in order to respond to the exigencies that required the entry into the mode.
  • [0005]
    A sub operating system mode may generally have the following major mechanisms. The only way to enter the mode is by means of a special sub operating system mode interrupt. In the case of SMM, the dedicated sub operating system mode interrupt is called a system management interrupt (SMI). The processor may execute the mode's code in a separate address space. For example, when the mode is SMM, the separate address space allows access to system management random-access memory (SMRAM), which may be made inaccessible to the other operating modes. When entering the mode, the processor saves the context of the interrupted program or task within the separate address space. For example, in SMM the context is saved into SMRAM. During the execution within the mode, normal interrupts may be disabled. Finally, the mode may be exited by means of a resume instruction that may only be executed while executing within the mode.
  • [0006]
    The increasing number of financial and personal transactions being performed on local or remote microcomputers has given impetus for the establishment of “trusted” or “secured” microprocessor environments. The problem these environments try to solve is that of loss of privacy, or data being corrupted or abused. Users do not want their private data made public. They also do not want their data altered or used in inappropriate transactions. Examples of these include unintentional release of medical records or electronic theft of funds from an on-line bank or other depository. Similarly, content providers seek to protect digital content (for example, music, other audio, video, or other types of data in general) from being copied without authorization.
  • [0007]
    The existence of a sub operating system mode, such as SMM, is a design challenge for designers of secure or trusted systems. The fact that such a sub operating system mode may have no privilege restrictions or address mapping restrictions is incompatible with secure or trusted system architecture. And this lack of privilege restrictions or address mapping restrictions often cannot be avoided by attempting to mask such a mode's dedicated interrupts, because these are usually designed to be non-maskable.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • [0008]
    The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:
  • [0009]
    [0009]FIG. 1 is a memory mapping of system management mode code in system management RAM in an existing implementation.
  • [0010]
    [0010]FIG. 2 is a diagram of an exemplary software environment having trusted and untrusted areas, according to one embodiment.
  • [0011]
    [0011]FIG. 3 is a schematic diagram of an exemplary microprocessor system adapted to support the software environment of FIG. 2, according to one embodiment of the present invention.
  • [0012]
    [0012]FIG. 4 is a diagram showing a system management code operating in a virtual machine container, according to one embodiment of the present invention.
  • [0013]
    [0013]FIG. 5 is diagram showing system management interrupt redirection, according to one embodiment of the present invention.
  • [0014]
    [0014]FIG. 6 is a schematic diagram of an exemplary microprocessor system adapted to support the software environment of FIG. 2, according to another embodiment of the present invention.
  • [0015]
    [0015]FIG. 7 is diagram showing system management interrupt redirection, according to another embodiment of the present invention.
  • DETAILED DESCRIPTION
  • [0016]
    The following description describes techniques for permitting the execution of certain system management mode code in a trusted or secured environment in a microprocessor system. In the following description, numerous specific details such as logic implementations, software module allocation, encryption techniques, bus signaling techniques, and details of operation are set forth in order to provide a more thorough understanding of the present invention. It will be appreciated, however, by one skilled in the art that the invention may be practiced without such specific details. In other instances, control structures, gate level circuits and full software instruction sequences have not been shown in detail in order not to obscure the invention. Those of ordinary skill in the art, with the included descriptions, will be able to implement appropriate functionality without undue experimentation. The invention is disclosed in the form of a microprocessor system. However, the invention may be practiced in other forms of processor such as a digital signal processor, a minicomputer, or a mainframe computer.
  • [0017]
    In order to permit limited sub operating system mode code execution within a secure or trusted environment, the sub operating system mode interrupt may be first directed to a handler in a trusted code that controls virtual machine access to system resources. This direction to the handler may be accomplished by allowing the trusted code to read and write to the interrupt service register in the processor containing the location of the code required to service such a sub operating system mode interrupt. (An interrupt service register may generally be defined as a register that is used to determine that code that should be executed on receipt of an interrupt.) The sub operating system mode interrupt will then be re-directed to sub operating system mode code, located in another virtual machine that is under the security control of the above trusted code, for interrupt servicing. Alternatively, a microprocessor's virtualization architecture may be such that, when trusted code has been established, the sub operating system mode interrupt will no longer use the normal interrupt service register but will instead cause a transition to the trusted code consistent with the virtualization architecture.
  • [0018]
    In an exemplary case where the sub operating system mode is the system management mode (SMM), the SMM code execution within a secure or trusted environment may begin by having the system management interrupt (SMI) first be directed to a handler in a secured virtual machine monitor (SVMM). This direction to the handler may be accomplished by allowing the SVMM to read and write a system management base (SMBASE) register in the processor (PSMBASE). The SMI will then be re-directed to SMM code located in a virtual machine (VM) that is under the security control of the SVMM. Alternatively, the processor's virtualization architecture may disable use of the PSMBASE register and cause redirection of all SMIs to the SVMM directly.
  • [0019]
    In one embodiment, the SMM code may be granted access to all system resources except the protected pages in memory, and the associated system controls that maintain this protection. In order to accomplish this, after the initialization of secured operations the SMIs may be directed to a handler within SVMM first. This handler may establish a suitable virtual machine (VM) container for the SMM code, and re-direct the SMI to that code. By executing the SMM code within the VM container, the SMM code may be prevented from accessing various system resources, such as memory, that the SVMM has deemed protected. In one embodiment, the SMM code may now be written to conform to VM requirements. One such conforming change may be that the SMM code be written in either flat protected mode or in some other page memory access mode.
  • [0020]
    Referring now to FIG. 1, a memory mapping of system management mode (SMM) code in system management random-access memory (SMRAM) is shown in one embodiment. During normal system initialization, a section of system random-access memory (RAM) 110 may be set aside for exclusive use by SMM code. This set aside section is called system management RAM (SMRAM). Specific memory locations within SMRAM may be pointed to by interrupt service registers within the chipset or processor, which in one embodiment are called system management base (SMBASE) registers.
  • [0021]
    The chipset SMBASE register's content CSMBASE may define the boundaries of SMRAM. For example, the SMRAM may occupy the space between CSMBASE 120 and CSMBASE+FFFF hex 132. In other embodiments, in order to support two or more processors executing SMM code at the same time, each processor may have its own dedicated SMRAM space. The processors' SMBASE register content PSMBASE may define code-entry points and state save locations within SMRAM. For example, within SMRAM a standard code-entry point may be located at CSMBASE+8000 hex 124. The value of CSMBASE may be written at system initialization to each processor's SMBASE register, thereby allowing each processor to go to the SMM code-entry point upon receipt of an SMI. Prior to entry into SMM code, the processor may in one embodiment store state data in a state save area between an address PSMBASE+FE00 hex 128 and the end of SMRAM at location SMBASE+FFFF hex 132. In other embodiments, in order to support two or more processors executing SMM code at the same time, each processor's SMBASE register may contain a different value of PSMBASE, permitting differing code-entry points and locations for storing state data.
  • [0022]
    The state data may include the values of control registers, flags, an auto halt restart field, an input/output (I/O) instruction restart field, and an SMM revision identifier. Some of the locations within SMRAM may be modified by an SMI handler. Upon completion of SMM code execution, the original program may be re-entered when the processor executes a resume (RSM) instruction. This existing RSM instruction may only be issued within SMM, and it restores the state values previously stored within SMRAM. The use of this existing SMM design is well-known in the art.
  • [0023]
    Referring now to FIG. 2, a diagram of an exemplary trusted or secured software environment is shown, according to one embodiment of the present invention. In the FIG. 2 embodiment, trusted and untrusted software may be loaded simultaneously and may execute simultaneously on a single computer system. A SVMM 250 selectively permits or prevents direct access to hardware resources 280 from untrusted operating system 240 (or, if multiple untrusted virtual machines are implemented, multiple operating systems) and untrusted applications 210 through 230. In this context, “untrusted” does not necessarily mean that the operating system or applications are deliberately misbehaving, but that the size and variety of interacting code makes it impractical to reliably assert that the software is behaving as desired, and that there are no viruses or other foreign code interfering with its execution. In a typical embodiment, the untrusted code might consist of the normal operating system and applications found on today's personal computers.
  • [0024]
    SVMM 250 also selectively permits or prevents direct access to hardware resources 280 from one or more trusted or secure kernels 260 and one or more trusted applications 270. Such a trusted or secure kernel 260 and trusted applications 270 may be limited in size and functionality to aid in the ability to perform trust analysis upon it. The trusted application 270 may be any software code, program, routine, or set of routines which is executable in a secure environment. Thus, the trusted application 270 may be a variety of applications, or code sequences, or may be a relatively small application such as a Java applet.
  • [0025]
    Instructions or operations normally performed by operating system 240 or kernel 260 that could alter system resource protections or privileges may be trapped by SVMM 250, and selectively permitted, partially permitted, or rejected. As an example, in a typical embodiment, instructions that change the processor's page table that would normally be performed by operating system 240 or kernel 260 would instead be trapped by SVMM 250, which would ensure that the request was not attempting to change page privileges outside the domain of its virtual machine. One way of viewing this system is that operating system 240, kernel 260, and SVMM 250 are all virtual machines, with operating system 240 virtual machine and kernel 260 virtual machine executing within the SVMM 250 virtual machine. Thus a hierarchy of virtual machines is created. Here in one embodiment a virtual machine may be defined as any multi-user shared-resource operating system that gives each user the appearance of having sole control of all the resources of the system, or virtual machine may also be defined as an operating system that is in turn managed by an underlying control program.
  • [0026]
    Referring now to FIG. 3, one embodiment of a microprocessor system 300 adapted to support the secured software environment of FIG. 2 is shown. CPU A 310, CPU B 314, CPU C 318, and CPU D 322 may be configured with additional microcode or logic circuitry to support the execution of special instructions. In one embodiment, the processors may be Intel® Pentium® class microprocessors with certain special modifications in accordance with an embodiment of the present invention. These special instructions may support the issuance of special bus messages on system bus 320 that may enable the proper synchronization of SVMM 250 operation in the processors. Similarly chipset 330 may support the above-mentioned special cycles on system bus 320. The number of physical processors may vary upon the implementation of a particular embodiment.
  • [0027]
    In the FIG. 3 embodiment, the four processors CPU A 310, CPU B 314, CPU C 318, and CPU D 322 are shown as four separate hardware entities. In other embodiments, the number of processors may differ. Indeed, the processors may be replaced by separate threads, each running on one of the physical processors. In the latter case these threads possess many of the attributes of additional physical processors. In order to have a generic expression to discuss using any mixture of multiple physical processors and multiple threads upon processors, the expression “logical processor” may be used to describe either a physical processor or a thread operating in one of the physical processors. Thus, one single-threaded processor may be considered a logical processor, and multi-threaded or multi-core processors may be considered multiple logical processors.
  • [0028]
    Modifications to processors may include, in one embodiment, changes to the behavior of registers and new or modified instructions. For example, in one embodiment CPU C 318 may include a new instruction secure enter (SENTER) 324. The SENTER 324 instruction, upon execution, may enable the initiation of secure or trusted operations as shown in FIG. 2 above. SENTER 324 may enable multiple logical processors to synchronize their entry into secure or trusted operations. In one embodiment, SENTER 324 may also permit writing to the PSMBASE register 316 of CPU C 318 in certain circumstances to support secure or trusted SMM operations.
  • [0029]
    In one embodiment CPU C 318 may also include a modified resume (RSM) 326 instruction. The modified RSM 326 may permit a return from SMM that supports secure or trusted operations. Ordinarily RSM instructions may only be executed from within SMM. The modified RSM 326 may be executed from within normal page mode. When invoked with VM extensions enabled, the modified RSM 326 instruction may perform a special system call, called a VMexit, back to an SVMM handler for SMI.
  • [0030]
    The chipset 330 may service read and write requests carried from the CPUs on the system bus 320, and may then perform the physical read and write operations on physical memory 334. Allocation of SMRAM within memory 334 may be facilitated by a chipset SMBASE register 331 containing the value of CSMBASE. The chipset 330 additionally may connect to specialized input/output (I/O) channels, such as an advanced graphics port (AGP) 336. Chipset 330 may control access to pages of memory within physical memory 334 from processors CPU A 310, CPU B 314, CPU C 318 and CPU D 322, and additionally from I/O devices. Such devices may include mass storage devices such as fixed media 344 or removable media 348. The fixed media 344 or removable media 348 may be magnetic disks, magnetic tape, magnetic diskettes, magneto-optical drives, CD-ROM, DVD-ROM, Flash memory cards, or many other forms of mass storage. Fixed media 344 or removable media 348 may be connected to chipset 330 via peripheral component interconnect (PCI) bus 346, or, alternately, via a universal serial bus (USB) 342, an integrated controller electronics (IDE) bus (not shown), or a small computer systems interconnect (SCSI) bus (not shown).
  • [0031]
    The SVMM 364 may permit or deny the access of a VM to specific pages within memory 334. The pages of memory that the VM are denied access to may be called “locked” pages, whereas the pages that the VM are permitted access to may be called “unlocked” pages. Within locked memory pages 360 may be located SVMM 364 and modules within SVMM 364 to support secure SMM operation. In one embodiment, such modules may include an SVMM SMM handler 366 and a virtual machine exit (VMexit)/virtual machine call (VMcall) handler 368. In other embodiments the functions of the SVMM SMM handler 366 and the VMexit/VMcall handler 368 may be combined or may be distributed among other modules. Other pages of memory may remain unlocked, such as unlocked memory pages 362. Within unlocked memory pages 362 may be located standard operating systems 372. Also within unlocked memory pages 362 may be a SMM virtual machine (SMM VM) 370. SMM VM 370 may include software code similar to standard SMM code but modified to operate in a virtual machine container. Such modifications in SMM VM 370 may include code prepared for execution in page mode rather than normal SMM.
  • [0032]
    The memory controller and I/O device controller functions of chipset 330 are shown in the FIG. 3 embodiment as being implemented on a single separate integrated circuit. In alternate embodiments, a separate memory controller integrated circuit may generally implement the memory, controller functions described above for chipset 330. Similarly, a separate I/O device controller integrated circuit may generally implement the I/O device controller functions described above for chipset 330. In further embodiments, the memory controller functions of chipset 330 may be implemented in circuitry on the CPU integrated circuits, permitting several CPUs to each have direct access to certain amounts of physical memory. In such an embodiment, the memory controller functions of chipset 330 may be divided among the several CPU integrated circuits, or for multiple processors may be included on a single die.
  • [0033]
    Referring now to FIG. 4, a diagram of a system management code (SMM) operating in a virtual machine (VM) container is shown, according to one embodiment of the present invention. In the FIG. 4 embodiment, SVMM 450 has two additional modules to support secure or trusted SMM operations. The SVMM SMM handler 452 establishes the SMM code in a SMM VM 490 in response to the execution of an SENTER instruction. The VMexit/VMcall handler 454 handles entry into and exit from the SMM VM 490 due to the intentional lower privilege level of SMM VM 490 within its VM container. In some embodiments, the SVMM SMM handler 452 and the VMexit/VMcall handler 454 may be the same software module.
  • [0034]
    The SVMM SMM handler 452 may perform several functions. During the transition into secure or trusted operations, following the execution of an SENTER command by a processor, the SVMM SMM handler 452 loads and initiates the SMM VM 490 code in a virtual machine container. In some embodiments, SVMM SMM handler 452 would then write an entry location within itself into the modified SMBASE register of each processor in the system. This entry location permits an SMI to be directed first to the SVMM SMM handler 452. This may not be necessary for other embodiments that invoke the VMexit/VMcall handler 454 directly in response system-management interrupts; for these embodiments, the SVMM SMM handler 452 and VMexit/VMcall handler 454 would be combined into one software module. The SVMM SMM handler 452 also establishes a space within the locked memory pages to store the state data that needs to be saved upon entry into SMM operations. Examples of this state data are discussed above in connection with FIG. 1. Placing this state data within locked memory pages prevents unauthorized disclosure or manipulation of the state data.
  • [0035]
    The VMexit/VMcall handler 454 may perform several functions. VMexit/VMcall handler 454 may handle entries into and exits from SMM VM 490 subsequent to the initial entry. VMexit/VMcall handler 454 may also handle exceptions raised when SMM VM 490 attempts to read from or write to locked memory pages. Portions of VMexit/VMcall handler 454 may determine whether certain of these reads from or writes to locked memory pages should be allowed to proceed depending upon circumstances. In one embodiment, reads from or writes to locked memory pages may be permitted if VMexit/VMcall handler 454 determines that the location targeted within the locked memory pages does not contain trusted data.
  • [0036]
    The SMM VM 490 contains the desired SMM code, modified from SMM mode format to now execute in a page memory access mode. In general the SMM code in the SMM VM 490 executes as written, with the exceptional case of those instructions to create memory reads and writes to the locked memory pages. In those cases, the SMM code may invoke VMexit/VMcall handler 454. SMM code may make an explicit call to the VMexit/VMcall handler 454, or may make an indirect call by allowing an exception to trap to VMexit/VMcall handler 454. In either case VMexit/VMcall handler 454 handles these circumstances.
  • [0037]
    Referring now to FIG. 5, a diagram of a system management interrupt redirection is shown, according to one embodiment of the present invention. Consider an SMI producing event in hardware 480 subsequent to the initiation of secure or trusted operations. The processor examines its SMBASE register. Since the SVMM SMM handler 452 upon initialization wrote an internal memory location into modified SMBASE register within the processor, the processor begins execution of SVMM SMM handler 452. SVMM SMM handler 452 stores state data within a locked memory page, and then issues a virtual mode enter (VMenter) call to the actual SMM code within SMM VM 490. In another embodiment, the SMI may cause invocation of the SVMM's VMexit handler.
  • [0038]
    The SMM code within SMM VM 490 executes until it attempts to read from or write to a memory location within a locked memory page. Then either by an explicit call, or by an exception causing a trap, a VMexit/VMcall 524 may be made to invoke VMexit/VMcall handler 454. The VMexit/VMcall handler 454 performs those memory accesses that it deems permissible, and then returns to SMM VM 490 by another VMenter 522. This process may repeat several times until the desired SMM code within SMM VM 490 is finished. At this time the SMM code exits via a final VMexit/VMcall 524 to VMexit/VMcall handler 454. For some embodiments, the VMexit/VMcall handler 454 would then exit to the SVMM SMM handler 452 through the execution of a modified resume instruction SMM VM code RSM 526. This causes the SVMM SMM handler 452 to restore the (potentially modified by VMexit/VMcall handler 454) state data stored in locked memory pages. For other embodiments, the SVMM SMM handler 452 and the VMexit/VMcall handler 454 might be combined, and these operations might be carried out in software. Upon the restoration of the state data, the processor resumes its original operation.
  • [0039]
    Referring now to FIG. 6, a schematic diagram of an exemplary microprocessor system adapted to support the software environment of FIG. 2 is shown, according to another embodiment of the present invention. CPU A 610, CPU B 614, CPU C 618, and CPU D 622 may be configured with additional microcode or logic circuitry to support the execution of special instructions. Modifications to the processors may include, in one embodiment, changes to the behavior of registers and new or modified instructions. For example, in one embodiment CPU C 618 may include a new instruction “virtual machine monitor initialization” (VMMINIT) 624. The VMMINIT 624 instruction, upon execution, may enable the initiation of secure or trusted operations as shown in FIG. 2 above. In one embodiment, VMMINIT 624 may also disable normal operations of the PSMBASE register 616 of CPU C 618 in certain circumstances to support secure or trusted SMM operations. In such an embodiment, CPU C 618 may then redirect an SMI to a code entry point and state save area within VMexit/VMcall handler 668 prearranged by the security environment rules.
  • [0040]
    In one embodiment CPU C 618 may also include a modified resume (RSM) 626 instruction. The modified RSM 626 may permit a return from SMM that supports secure or trusted operations. Ordinarily RSM instructions may only be executed from within SMM. The modified RSM 626 may be executed from within normal page mode. When invoked with VM extensions enabled, the modified RSM 626 instruction may perform a special system call, called a VMexit, back to invoke VMexit/VMcall handler 668.
  • [0041]
    The chipset 630 may service read and write requests carried from the CPUs on the system bus 620, and may then perform the physical read and write operations on physical memory 634. Allocation of SMRAM within memory 634 may be facilitated by a chipset SMBASE register 631 containing the value of CSMBASE.
  • [0042]
    The SVMM 664 may permit or deny the access of a VM to specific pages within memory 634. The pages of memory that the VM are denied access to may be called “locked” pages, whereas the pages that the VM are permitted access to may be called “unlocked” pages. Within locked memory pages 660 may be located SVMM 664 and a module within SVMM 664 to support secure SMM operation. In one embodiment, the module may be VMexit/VMcall handler 668. In other embodiments the functions of the VMexit/VMcall handler 668 may be combined or may be distributed among other modules. Other pages of memory may remain unlocked, such as unlocked memory pages 662. Within unlocked memory pages 662 may be located standard operating systems 672. Also within unlocked memory pages 662 may be a SMM VM 670. SMM VM 670 may include software code similar to standard SMM code but modified to operate in a virtual machine container. Such modifications in SMM VM 670 may include code prepared for execution in page mode rather than normal SMM.
  • [0043]
    Referring now to FIG. 7, a diagram of system management interrupt redirection is shown, according to another embodiment of the present invention. In the FIG. 7 embodiment, SVMM 750 has two additional modules to support secure or trusted SMM operations. In one embodiment the VMexit/VMcall handler 754 establishes the SMM code in a SMM VM 790 in response to the execution of an VMMINIT instruction, and additionally handles entry into and exit from the SMM VM 790 due to the intentional lower privilege level of SMM VM 790 within its VM container.
  • [0044]
    The VMexit/VMcall handler 754 may perform several functions. During the transition into secure or trusted operations, following the execution of a VMMINIT command by a processor, the VMexit/VMcall handler 754 loads and initiates the SMM VM 790 code in a virtual machine container. The VMexit/VMcall handler 754 also establishes a space within the locked memory pages to store the state data that needs to be saved upon entry into SMM operations.
  • [0045]
    The VMexit/VMcall handler 754 may perform several additional functions. VMexit/VMcall handler 754 may handle entries into and exits from SMM VM 790. VMexit/VMcall handler 754 may also handle exceptions raised when SMM VM 790 attempts to read from or write to locked memory pages. Portions of VMexit/VMcall handler 754 may determine whether certain of these reads from or writes to locked memory pages should be allowed to proceed depending upon circumstances. In one embodiment, reads from or writes to locked memory pages may be permitted if VMexit/VMcall handler 754 determines that the location targeted within the locked memory pages does not contain trusted data.
  • [0046]
    The SMM VM 790 contains the desired SMM code, modified in one embodiment from SMM mode format to now execute in a page memory access mode. In general the SMM code in the SMM VM 790 executes as written, with the exceptional case of those instructions to create memory reads and writes to the locked memory pages. In those cases, the SMM code may invoke VMexit/VMcall handler 754. The SMM code may make an explicit call to the VMexit/VMcall handler 754, or may make an indirect call by allowing an exception to trap to VMexit/VMcall handler 754. In either case VMexit/VMcall handler 754 handles these circumstances.
  • [0047]
    Consider an SMI producing event in hardware 780 subsequent to the initiation of secure or trusted operations. The processor examines its SMBASE register. Since the execution of VMMINIT disabled the normal operation of modified SMBASE register within the processor, the processor begins execution of VMexit/VMcall handler 754 from a code entry point prearranged by the security environment rules. VMexit/VMcall handler 754 stores state data within a locked memory page, and then issues a VMenter call 722 to the actual SMM code within SMM VM 790.
  • [0048]
    The SMM code within SMM VM 790 executes until it attempts to read from or write to a memory location within a locked memory page. Then either by an explicit call, or by an exception causing a trap, a VMexit/VMcall 724 may be made to invoke VMexit/VMcall handler 754. The VMexit/VMcall handler 754 performs those memory accesses that it deems permissible, and then returns to SMM VM 790 by another VMenter 722. This process may repeat several times until the desired SMM code within SMM VM 790 is finished. At this time the SMM code exits via a final VMexit/VMcall 724 to VMexit/VMcall handler 754. For some embodiments, the VMexit/VMcall handler 454 would then exit to normal SVMM 750 operations by first executing a modified resume instruction. This causes the VMexit/VMcall handler 754 to restore the (potentially modified by VMexit/VMcall handler 754) state data stored in locked memory pages. Upon the restoration of the state data, the processor resumes its original operation.
  • [0049]
    While various embodiments disclosed include two or more processors (either logical or physical processors), it should be understood that such multi-processor and/or multi-threaded systems are described in more detail to explain the added complexity associated with securing a system with multiple logical or physical processors. An embodiment also likely to be advantageous in less complex system may use only one processor. In some cases, the one physical processor may be multi-threading and therefore may include multiple logical processors. In other cases, however, a single-processor, single-threaded system may be used, and still utilize disclosed secure processing techniques. In such cases, the secure processing techniques still operate to reduce the likelihood that data can be stolen or manipulated in an unauthorized manner.
  • [0050]
    In the foregoing specification, the invention has been described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention as set forth in the appended claims. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.
Patent Citations
Cited PatentFiling datePublication dateApplicantTitle
US3699532 *Apr 27, 1970Oct 17, 1972Singer CoMultiprogramming control for a data handling system
US3996449 *Aug 25, 1975Dec 7, 1976International Business Machines CorporationOperating system authenticator
US4162536 *Jan 30, 1978Jul 24, 1979Gould Inc., Modicon Div.Digital input/output system and method
US4207609 *May 8, 1978Jun 10, 1980International Business Machines CorporationMethod and means for path independent device reservation and reconnection in a multi-CPU and shared device access system
US4247905 *Aug 26, 1977Jan 27, 1981Sharp Kabushiki KaishaMemory clear system
US4276594 *Jun 16, 1978Jun 30, 1981Gould Inc. Modicon DivisionDigital computer with multi-processor capability utilizing intelligent composite memory and input/output modules and method for performing the same
US4278837 *Jun 4, 1979Jul 14, 1981Best Robert MCrypto microprocessor for executing enciphered programs
US4307214 *Sep 3, 1980Dec 22, 1981Phillips Petroleum CompanySC2 activation of supported chromium oxide catalysts
US4307447 *Jun 19, 1979Dec 22, 1981Gould Inc.Programmable controller
US4319233 *Nov 28, 1979Mar 9, 1982Kokusan Denki Co., Ltd.Device for electrically detecting a liquid level
US4319323 *Apr 4, 1980Mar 9, 1982Digital Equipment CorporationCommunications device for data processing system
US4347565 *Nov 30, 1979Aug 31, 1982Fujitsu LimitedAddress control system for software simulation
US4366537 *May 23, 1980Dec 28, 1982International Business Machines Corp.Authorization mechanism for transfer of program control or data between different address spaces having different storage protect keys
US4403283 *Jul 28, 1980Sep 6, 1983Ncr CorporationExtended memory system and method
US4419724 *Apr 14, 1980Dec 6, 1983Sperry CorporationMain bus interface package
US4430709 *Jul 7, 1981Feb 7, 1984Robert Bosch GmbhApparatus for safeguarding data entered into a microprocessor
US4521852 *Jun 30, 1982Jun 4, 1985Texas Instruments IncorporatedData processing device formed on a single semiconductor substrate having secure memory
US4571672 *Dec 19, 1983Feb 18, 1986Hitachi, Ltd.Access control method for multiprocessor systems
US4759064 *Oct 7, 1985Jul 19, 1988Chaum David LBlind unanticipated signature systems
US4795893 *Jul 10, 1987Jan 3, 1989Bull, Cp8Security device prohibiting the function of an electronic data processing unit after a first cutoff of its electrical power
US4802084 *Feb 10, 1986Jan 31, 1989Hitachi, Ltd.Address translator
US4825052 *Dec 30, 1986Apr 25, 1989Bull Cp8Method and apparatus for certifying services obtained using a portable carrier such as a memory card
US4907270 *Jul 9, 1987Mar 6, 1990Bull Cp8Method for certifying the authenticity of a datum exchanged between two devices connected locally or remotely by a transmission line
US4907272 *Jul 9, 1987Mar 6, 1990Bull Cp8Method for authenticating an external authorizing datum by a portable object, such as a memory card
US4910774 *Jul 8, 1988Mar 20, 1990Schlumberger IndustriesMethod and system for suthenticating electronic memory cards
US4975836 *Dec 16, 1985Dec 4, 1990Hitachi, Ltd.Virtual computer system
US5007082 *Feb 26, 1990Apr 9, 1991Kelly Services, Inc.Computer software encryption apparatus
US5022077 *Aug 25, 1989Jun 4, 1991International Business Machines Corp.Apparatus and method for preventing unauthorized access to BIOS in a personal computer system
US5075842 *Dec 22, 1989Dec 24, 1991Intel CorporationDisabling tag bit recognition and allowing privileged operations to occur in an object-oriented memory protection mechanism
US5079737 *Oct 25, 1988Jan 7, 1992United Technologies CorporationMemory management unit for the MIL-STD 1750 bus
US5139760 *Feb 26, 1990Aug 18, 1992Mizusawa Industrial Chemicals, Ltd.Amorphous silica-alumina spherical particles and process for preparation thereof
US5187802 *Dec 18, 1989Feb 16, 1993Hitachi, Ltd.Virtual machine system with vitual machine resetting store indicating that virtual machine processed interrupt without virtual machine control program intervention
US5230069 *Oct 2, 1990Jul 20, 1993International Business Machines CorporationApparatus and method for providing private and shared access to host address and data spaces by guest programs in a virtual machine computer system
US5237616 *Sep 21, 1992Aug 17, 1993International Business Machines CorporationSecure computer system having privileged and unprivileged memories
US5255379 *Dec 28, 1990Oct 19, 1993Sun Microsystems, Inc.Method for automatically transitioning from V86 mode to protected mode in a computer system using an Intel 80386 or 80486 processor
US5287363 *Jul 1, 1991Feb 15, 1994Disk Technician CorporationSystem for locating and anticipating data storage media failures
US5293424 *Oct 14, 1992Mar 8, 1994Bull Hn Information Systems Inc.Secure memory card
US5295251 *Sep 21, 1990Mar 15, 1994Hitachi, Ltd.Method of accessing multiple virtual address spaces and computer system
US5317705 *Aug 26, 1993May 31, 1994International Business Machines CorporationApparatus and method for TLB purge reduction in a multi-level machine system
US5319760 *Jun 28, 1991Jun 7, 1994Digital Equipment CorporationTranslation buffer for virtual machines with address space match
US5355490 *Jun 14, 1991Oct 11, 1994Toshiba America Information Systems, Inc.System and method for saving the state for advanced microprocessor operating modes
US5361375 *May 24, 1993Nov 1, 1994Fujitsu LimitedVirtual computer system having input/output interrupt control of virtual machines
US5386552 *Jul 18, 1994Jan 31, 1995Intel CorporationPreservation of a computer system processing state in a mass storage device
US5421006 *Apr 20, 1994May 30, 1995Compaq Computer Corp.Method and apparatus for assessing integrity of computer system software
US5434999 *Apr 8, 1993Jul 18, 1995Bull Cp8Safeguarded remote loading of service programs by authorizing loading in protected memory zones in a terminal
US5437033 *Nov 4, 1991Jul 25, 1995Hitachi, Ltd.System for recovery from a virtual machine monitor failure with a continuous guest dispatched to a nonguest mode
US5442645 *Oct 24, 1994Aug 15, 1995Bull Cp8Method for checking the integrity of a program or data, and apparatus for implementing this method
US5455909 *Apr 22, 1992Oct 3, 1995Chips And Technologies Inc.Microprocessor with operation capture facility
US5459867 *Sep 30, 1993Oct 17, 1995Iomega CorporationKernels, description tables, and device drivers
US5459869 *Feb 17, 1994Oct 17, 1995Spilo; Michael L.Method for providing protected mode services for device drivers and other resident software
US5469557 *Mar 5, 1993Nov 21, 1995Microchip Technology IncorporatedCode protection in microcontroller with EEPROM fuses
US5473692 *Sep 7, 1994Dec 5, 1995Intel CorporationRoving software license for a hardware agent
US5479509 *Apr 6, 1994Dec 26, 1995Bull Cp8Method for signature of an information processing file, and apparatus for implementing it
US5504922 *Sep 6, 1994Apr 2, 1996Hitachi, Ltd.Virtual machine with hardware display controllers for base and target machines
US5506975 *Dec 14, 1993Apr 9, 1996Hitachi, Ltd.Virtual machine I/O interrupt control method compares number of pending I/O interrupt conditions for non-running virtual machines with predetermined number
US5511217 *Nov 30, 1993Apr 23, 1996Hitachi, Ltd.Computer system of virtual machines sharing a vector processor
US5522075 *Mar 22, 1994May 28, 1996Digital Equipment CorporationProtection ring extension for computers having distinct virtual machine monitor and virtual machine address spaces
US5528231 *Jun 7, 1994Jun 18, 1996Bull Cp8Method for the authentication of a portable object by an offline terminal, and apparatus for implementing the process
US5533126 *Apr 21, 1994Jul 2, 1996Bull Cp8Key protection device for smart cards
US5555385 *Oct 27, 1993Sep 10, 1996International Business Machines CorporationAllocation of address spaces within virtual machine compute system
US5555414 *Dec 14, 1994Sep 10, 1996International Business Machines CorporationMultiprocessing system including gating of host I/O and external enablement to guest enablement at polling intervals
US5560013 *Dec 6, 1994Sep 24, 1996International Business Machines CorporationMethod of using a target processor to execute programs of a source architecture that uses multiple address spaces
US5564040 *Nov 8, 1994Oct 8, 1996International Business Machines CorporationMethod and apparatus for providing a server function in a logically partitioned hardware machine
US5566323 *Oct 24, 1994Oct 15, 1996Bull Cp8Data processing system including programming voltage inhibitor for an electrically erasable reprogrammable nonvolatile memory
US5568552 *Jun 7, 1995Oct 22, 1996Intel CorporationMethod for providing a roving software license from one node to another node
US5574936 *Jan 25, 1995Nov 12, 1996Amdahl CorporationAccess control mechanism controlling access to and logical purging of access register translation lookaside buffer (ALB) in a computer system
US5582717 *Sep 11, 1991Dec 10, 1996Di Santo; Dennis E.Water dispenser with side by side filling-stations
US5603499 *Jul 26, 1995Feb 18, 1997Doris G. JagoszBlackjack play option response indicator
US5604805 *Feb 9, 1996Feb 18, 1997Brands; Stefanus A.Privacy-protected transfer of electronic information
US5606617 *Oct 14, 1994Feb 25, 1997Brands; Stefanus A.Secret-key certificates
US5615263 *Jan 6, 1995Mar 25, 1997Vlsi Technology, Inc.Dual purpose security architecture with protected internal operating system
US5628022 *Jun 1, 1994May 6, 1997Hitachi, Ltd.Microcomputer with programmable ROM
US5633929 *Sep 15, 1995May 27, 1997Rsa Data Security, IncCryptographic key escrow system having reduced vulnerability to harvesting attacks
US5657445 *Jan 26, 1996Aug 12, 1997Dell Usa, L.P.Apparatus and method for limiting access to mass storage devices in a computer system
US5668971 *Feb 27, 1996Sep 16, 1997Compaq Computer CorporationPosted disk read operations performed by signalling a disk read complete to the system prior to completion of data transfer
US5684948 *Sep 1, 1995Nov 4, 1997National Semiconductor CorporationMemory management circuit which provides simulated privilege levels
US5706469 *Sep 11, 1995Jan 6, 1998Mitsubishi Denki Kabushiki KaishaData processing system controlling bus access to an arbitrary sized memory area
US5708818 *Feb 23, 1995Jan 13, 1998Munz; HeinrichMethod and apparatus for real-time operation of a processor
US5717903 *May 15, 1995Feb 10, 1998Compaq Computer CorporationMethod and appartus for emulating a peripheral device to allow device driver development before availability of the peripheral device
US5720609 *Dec 11, 1996Feb 24, 1998Pfefferle; William CharlesCatalytic method
US5721222 *Aug 25, 1995Feb 24, 1998Zeneca LimitedHeterocyclic ketones
US5729760 *Jun 21, 1996Mar 17, 1998Intel CorporationSystem for providing first type access to register if processor in first mode and second type access to register if processor not in first mode
US5737604 *Sep 30, 1996Apr 7, 1998Compaq Computer CorporationMethod and apparatus for independently resetting processors and cache controllers in multiple processor systems
US5740178 *Aug 29, 1996Apr 14, 1998Lucent Technologies Inc.Software for controlling a reliable backup memory
US5752046 *Dec 18, 1996May 12, 1998Apple Computer, Inc.Power management system for computer device interconnection bus
US5757919 *Dec 12, 1996May 26, 1998Intel CorporationCryptographically protected paging subsystem
US5764969 *Feb 10, 1995Jun 9, 1998International Business Machines CorporationMethod and system for enhanced management operation utilizing intermixed user level and supervisory level instructions with partial concept synchronization
US5854913 *Jun 10, 1997Dec 29, 1998International Business Machines CorporationMicroprocessor with an architecture mode control capable of supporting extensions of two distinct instruction-set architectures
US5987604 *Oct 7, 1997Nov 16, 1999Phoenix Technologies, Ltd.Method and apparatus for providing execution of system management mode services in virtual mode
US6075938 *Jun 10, 1998Jun 13, 2000The Board Of Trustees Of The Leland Stanford Junior UniversityVirtual machine monitors for scalable multiprocessors
US6182089 *Sep 23, 1997Jan 30, 2001Silicon Graphics, Inc.Method, system and computer program product for dynamically allocating large memory pages of different sizes
US6272637 *Apr 14, 1997Aug 7, 2001Dallas Semiconductor CorporationSystems and methods for protecting access to encrypted information
US6282650 *Jan 25, 1999Aug 28, 2001Intel CorporationSecure public digital watermark
US6314409 *Oct 26, 1998Nov 6, 2001Veridian Information SolutionsSystem for controlling access and distribution of digital property
US6374317 *Oct 7, 1999Apr 16, 2002Intel CorporationMethod and apparatus for initializing a computer interface
US6397242 *Oct 26, 1998May 28, 2002Vmware, Inc.Virtualization system including a virtual machine monitor for a computer with a segmented architecture
US6961941 *Jun 8, 2001Nov 1, 2005Vmware, Inc.Computer configuration for resource management in systems including a virtual machine
US20020099753 *Jan 20, 2001Jul 25, 2002Hardin David S.System and method for concurrently supporting multiple independent virtual machines
US20030037089 *Aug 15, 2001Feb 20, 2003Erik Cota-RoblesTracking operating system process and thread execution and virtual machine execution in hardware or in a virtual machine monitor
Referenced by
Citing PatentFiling datePublication dateApplicantTitle
US7480908Jun 24, 2005Jan 20, 2009Azul Systems, Inc.Segmented virtual machine transport mechanism
US7487222Mar 29, 2005Feb 3, 2009International Business Machines CorporationSystem management architecture for multi-node computer system
US7496958 *Oct 29, 2003Feb 24, 2009Qualcomm IncorporatedSystem for selectively enabling operating modes of a device
US7536688 *Feb 28, 2003May 19, 2009Azul SystemsSegmented virtual machine
US7620953 *Nov 17, 2009Azul Systems, Inc.System and method for allocating resources of a core space among a plurality of core virtual machines
US7644258Aug 29, 2005Jan 5, 2010Searete, LlcHybrid branch predictor using component predictors each having confidence and override signals
US7748037Sep 22, 2005Jun 29, 2010Intel CorporationValidating a memory type modification attempt
US7752436 *Jul 6, 2010Intel CorporationExclusive access for secure audio program
US7908653 *Mar 15, 2011Intel CorporationMethod of improving computer security through sandboxing
US7934076Apr 26, 2011Intel CorporationSystem and method for limiting exposure of hardware failure information for a secured execution environment
US7971057 *Apr 2, 2010Jun 28, 2011Intel CorporationExclusive access for secure audio program
US8028152Oct 31, 2007Sep 27, 2011The Invention Science Fund I, LlcHierarchical multi-threading processor for executing virtual threads in a time-multiplexed fashion
US8037288Oct 31, 2007Oct 11, 2011The Invention Science Fund I, LlcHybrid branch predictor having negative ovedrride signals
US8099718Nov 13, 2007Jan 17, 2012Intel CorporationMethod and system for whitelisting software components
US8145903 *May 25, 2007Mar 27, 2012Red Hat, Inc.Method and system for a kernel lock validator
US8250273 *Aug 21, 2012International Business Machines CorporationSecure handling and routing of message-signaled interrupts
US8266412Sep 11, 2012The Invention Science Fund I, LlcHierarchical store buffer having segmented partitions
US8275976Sep 25, 2012The Invention Science Fund I, LlcHierarchical instruction scheduler facilitating instruction replay
US8276138Dec 5, 2008Sep 25, 2012Azul Systems, Inc.Segmented virtual machine transport mechanism
US8296550Oct 23, 2012The Invention Science Fund I, LlcHierarchical register file with operand capture ports
US8316414Dec 29, 2006Nov 20, 2012Intel CorporationReconfiguring a secure system
US8327353 *Aug 30, 2005Dec 4, 2012Microsoft CorporationHierarchical virtualization with a multi-level virtualization mechanism
US8336048Dec 5, 2008Dec 18, 2012Azul Systems, Inc.Reducing latency in a segmented virtual machine
US8356297Mar 21, 2007Jan 15, 2013Azul Systems, Inc.External data source redirection in segmented virtual machine
US8364601Dec 31, 2008Jan 29, 2013Intel CorporationMethods and systems to directly render an image and correlate corresponding user input in a secure memory domain
US8473945 *Dec 31, 2007Jun 25, 2013Intel CorporationEnabling system management mode in a secure system
US8495750Aug 31, 2010Jul 23, 2013International Business Machines CorporationFilesystem management and security system
US8499151Mar 5, 2012Jul 30, 2013Intel CorporationSecure platform voucher service for software components within an execution environment
US8601273May 27, 2011Dec 3, 2013Intel CorporationSigned manifest for run-time verification of software program identity and integrity
US8607299Apr 27, 2004Dec 10, 2013Microsoft CorporationMethod and system for enforcing a security policy via a security virtual machine
US8612755 *Mar 29, 2004Dec 17, 2013Hewlett-Packard Development Company, L.P.Security policy in trusted computing systems
US8683191Oct 31, 2012Mar 25, 2014Intel CorporationReconfiguring a secure system
US8813227Mar 29, 2011Aug 19, 2014Mcafee, Inc.System and method for below-operating system regulation and control of self-modifying code
US8839450Aug 2, 2007Sep 16, 2014Intel CorporationSecure vault service for software components within an execution environment
US8843742 *Aug 26, 2008Sep 23, 2014Hewlett-Packard CompanyHypervisor security using SMM
US8850601 *May 18, 2009Sep 30, 2014Hewlett-Packard Development Company, L.P.Systems and methods of determining a trust level from system management mode
US8863283 *Mar 31, 2011Oct 14, 2014Mcafee, Inc.System and method for securing access to system calls
US8925089Mar 29, 2011Dec 30, 2014Mcafee, Inc.System and method for below-operating system modification of malicious code on an electronic device
US8959638Mar 29, 2011Feb 17, 2015Mcafee, Inc.System and method for below-operating system trapping and securing of interdriver communication
US8966624Mar 31, 2011Feb 24, 2015Mcafee, Inc.System and method for securing an input/output path of an application against malware with a below-operating system security agent
US8966629Mar 31, 2011Feb 24, 2015Mcafee, Inc.System and method for below-operating system trapping of driver loading and unloading
US9032525Mar 29, 2011May 12, 2015Mcafee, Inc.System and method for below-operating system trapping of driver filter attachment
US9038176Mar 31, 2011May 19, 2015Mcafee, Inc.System and method for below-operating system trapping and securing loading of code into memory
US9058183Dec 29, 2009Jun 16, 2015Advanced Micro Devices, Inc.Hypervisor isolation of processor cores to enable computing accelerator cores
US9087199Mar 31, 2011Jul 21, 2015Mcafee, Inc.System and method for providing a secured operating system execution environment
US9176741Oct 31, 2007Nov 3, 2015Invention Science Fund I, LlcMethod and apparatus for segmented sequential storage
US9223963May 20, 2013Dec 29, 2015Mcafee, Inc.Systems and methods for behavioral sandboxing
US9245141Dec 1, 2014Jan 26, 2016Intel CorporationSecure vault service for software components within an execution environment
US9262246Mar 31, 2011Feb 16, 2016Mcafee, Inc.System and method for securing memory and storage of an electronic device with a below-operating system security agent
US9311138Mar 13, 2013Apr 12, 2016Intel CorporationSystem management interrupt handling for multi-core processors
US9317304Mar 18, 2014Apr 19, 2016Stmicroelectronics (Grenoble 2) SasLaunching multiple applications in a processor
US9317690Mar 28, 2011Apr 19, 2016Mcafee, Inc.System and method for firmware based anti-malware security
US20040172629 *Feb 28, 2003Sep 2, 2004Azul SystemsSegmented virtual machine
US20040250110 *Mar 29, 2004Dec 9, 2004Wray Michael JohnSecurity policy in trusted computing systems
US20040268332 *Apr 22, 2004Dec 30, 2004Masato MitsumoriMemory access control method and processing system with memory access check function
US20050097345 *Oct 29, 2003May 5, 2005Kelley Brian H.System for selectively enabling operating modes of a device
US20050257243 *Apr 27, 2004Nov 17, 2005Microsoft CorporationMethod and system for enforcing a security policy via a security virtual machine
US20050289311 *Jun 29, 2004Dec 29, 2005David DurhamSystem and method for secure inter-platform and intra-platform communications
US20060021029 *Jun 29, 2004Jan 26, 2006Brickell Ernie FMethod of improving computer security through sandboxing
US20060075312 *Sep 30, 2004Apr 6, 2006Fischer Stephen ASystem and method for limiting exposure of hardware failure information for a secured execution environment
US20060224685 *Mar 29, 2005Oct 5, 2006International Business Machines CorporationSystem management architecture for multi-node computer system
US20070038997 *Aug 9, 2005Feb 15, 2007Steven GrobmanExclusive access for secure audio program
US20070050764 *Aug 30, 2005Mar 1, 2007Microsoft CorporationHierarchical virtualization with a multi-level virtualization mechanism
US20070067590 *Sep 22, 2005Mar 22, 2007Uday SavagaonkarProviding protected access to critical memory regions
US20070083739 *Aug 29, 2005Apr 12, 2007Glew Andrew FProcessor with branch predictor
US20080133883 *Oct 31, 2007Jun 5, 2008Centaurus Data LlcHierarchical store buffer
US20080133885 *Oct 31, 2007Jun 5, 2008Centaurus Data LlcHierarchical multi-threading processor
US20080133889 *Oct 31, 2007Jun 5, 2008Centaurus Data LlcHierarchical instruction scheduler
US20080133893 *Oct 31, 2007Jun 5, 2008Centaurus Data LlcHierarchical register file
US20080163331 *Dec 29, 2006Jul 3, 2008Datta Sham MReconfiguring a secure system
US20080216096 *Mar 24, 2006Sep 4, 2008Lenovo (Beijing) LimitedVirtual Computer System Supporting Trusted Computing and Method for Implementing Trusted Computation Thereon
US20080263679 *Apr 23, 2007Oct 23, 2008Microsoft CorporationStoring information in closed computing devices
US20080294892 *May 25, 2007Nov 27, 2008Ingo MolnarMethod and system for a kernel lock validator
US20090038017 *Aug 2, 2007Feb 5, 2009David DurhamSecure vault service for software components within an execution environment
US20090172385 *Dec 31, 2007Jul 2, 2009Datta Sham MEnabling system management mode in a secure system
US20090172665 *Dec 5, 2008Jul 2, 2009Azul Systems, Inc.Reducing latency in a segmented virtual machine
US20090178039 *Dec 5, 2008Jul 9, 2009Azul Systems, Inc.Segmented virtual machine transport mechanism
US20100057982 *Aug 26, 2008Mar 4, 2010Phoenix Technologies LtdHypervisor security using SMM
US20100169666 *Dec 31, 2008Jul 1, 2010Prashant DewanMethods and systems to direclty render an image and correlate corresponding user input in a secuire memory domain
US20100192150 *Apr 2, 2010Jul 29, 2010Steven GrobmanExclusive access for secure audio program
US20110066783 *Sep 14, 2009Mar 17, 2011International Business Machines CorporationSecure Handling and Routing of Message-Signaled Interrupts
US20110231668 *Sep 22, 2011Travis SchluesslerSigned Manifest for Run-Time Verification of Software Program Identity and Integrity
US20120017285 *May 18, 2009Jan 19, 2012Mark A PiwonkaSystems and methods of determining a trust level from system management mode
US20120255004 *Mar 31, 2011Oct 4, 2012Mcafee, Inc.System and method for securing access to system calls
US20130326288 *Dec 31, 2011Dec 5, 2013Shamanna M. DattaProcessor that detects when system management mode attempts to reach program code outside of protected space
CN100533334CJun 21, 2005Aug 26, 2009英特尔公司Method of improving computer security through sandboxing
EP2691908A2 *Mar 27, 2012Feb 5, 2014McAfee, Inc.System and method for virtual machine monitor based anti-malware security
EP2782007A1 *Mar 19, 2013Sep 24, 2014STMicroelectronics (Grenoble 2) SASLaunching multiple applications in containers on a processor
EP2782038A1 *Mar 19, 2013Sep 24, 2014STMicroelectronics (Grenoble 2) SASResource management in a processor for trusted and untrusted applications
WO2006012197A2Jun 21, 2005Feb 2, 2006Intel CorporationMethod of improving computer security through sandboxing
WO2006012197A3 *Jun 21, 2005Apr 6, 2006Ernie F BrickellMethod of improving computer security through sandboxing
WO2006012341A1Jun 24, 2005Feb 2, 2006Intel CorporationSystem and method for secure inter-platform and intra-platform communications
WO2014158603A1 *Feb 26, 2014Oct 2, 2014Intel CorporationSystem management interrupt handling for multi-core processors
Classifications
U.S. Classification713/189, 711/E12.097, 713/164
International ClassificationG06F9/46, G06F12/14, G06F21/00, G06F1/00
Cooperative ClassificationG06F2221/2105, G06F12/1491, G06F21/53, G06F21/57
European ClassificationG06F21/57, G06F21/53, G06F12/14D3
Legal Events
DateCodeEventDescription
Jun 7, 2002ASAssignment
Owner name: INTEL CORPORATION, CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:GLEW, ANDY;REEL/FRAME:012995/0740
Effective date: 20020603
Oct 15, 2002ASAssignment
Owner name: INTEL CORPORATION, CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SUTTON, JAMES A. II;GRAWROCK, DAVID W.;UHLIG, RICHARD A.;AND OTHERS;REEL/FRAME:013389/0650;SIGNING DATES FROM 20020813 TO 20021004