Abstract:
Exemplary features pertain to establishing an Exclusive Execution Environment domain that Trusted Execution Zone components are forbidden to access. In one example, a system-on-a-chip (SoC) is equipped with a Reduced Instruction Set Computing (RISC) processor along with an application DSP (ADSP) and/or Graphics Processing Unit (GPU), where the ADSP and/or GPU is configured to provide and enforce the Exclusive Execution Environment domain. By forbidding access to Trusted Execution Zone components, security can be enhanced, especially within minimally-equipped devices that do not have the resources to implement a full Trusted Execution Environment, such as low-power devices associated with the Internet of Things (IoT). Among other features, the systems and methods described herein allow application clients to build exclusive execution environments and claim exclusive access to buffer objects and hardware resource groups. Method and apparatus examples are provided.
Abstract:
Disclosed is a method for protecting virtual machine data at a peripheral subsystem connected to at least one processor configured to host a plurality of virtual machines. In the method, context information, including a virtual machine identifier (VMID), is received. The VMID is unique to one of the plurality of virtual machines. A storage bank of a plurality of storage banks is selected based on the VMID included in the received context information. Each storage bank of the plurality of storage banks uses a same bus address range. A data bus is connected to the selected storage bank.
Abstract:
Systems, methods, and computer programs are disclosed for providing secure access control to a graphics processing unit (GPU). One system includes a GPU, a plurality of GPU programming interfaces, and a command processor. Each GPU programming interface is dynamically assigned to a different one of a plurality of security zones. Each GPU programming interface is configured to receive work orders issued by one or more applications associated with the corresponding security zone. The work orders comprise instructions to be executed by the GPU. The command processor is in communication with the plurality of GPU programming interfaces. The command processor is configured to control execution of the work orders received by the plurality of GPU programming interfaces using separate secure memory regions. Each secure memory region is allocated to one of the plurality of security zones, so a work order arriving on a given interface may only touch the region of that interface's zone.
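The abstract above describes the enforcement point but not the check itself. The following C model is an added example, not code from the patent or from any GPU vendor: a command processor that binds programming interfaces to zones at run time and accepts a work order only when every buffer it names lies entirely inside the region of the submitting interface's zone. The number of zones and interfaces, the region layout, the work-order shape (a copy of `len` bytes from `src` to `dst`) and the function names are all assumptions made for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_ZONES  3   /* assumed number of security zones */
#define NUM_IFACES 4   /* assumed number of GPU programming interfaces */

typedef struct { uint64_t base, size; } region_t;

/* Constructed memory map: one secure region per zone, non-overlapping (assumption). */
static const region_t zone_region[NUM_ZONES] = {
    { 0x10000000ULL, 0x01000000ULL },   /* zone 0 */
    { 0x20000000ULL, 0x01000000ULL },   /* zone 1 */
    { 0x30000000ULL, 0x01000000ULL },   /* zone 2 */
};

/* Command processor state: dynamic interface-to-zone binding, -1 = unassigned. */
static int iface_zone[NUM_IFACES] = { -1, -1, -1, -1 };

/* A work order as the command processor sees it: copy `len` bytes from src to dst. */
typedef struct { uint64_t src, dst, len; } work_order_t;

typedef enum {
    WO_OK = 0,
    WO_BAD_IFACE,     /* interface index out of range */
    WO_UNASSIGNED,    /* interface not currently bound to any zone */
    WO_BAD_RANGE,     /* zero-length or wrapping address range */
    WO_OUT_OF_ZONE    /* a buffer is not entirely inside the zone's secure region */
} wo_status_t;

/* Rebind an interface to a zone (or to -1 to revoke it). Returns false on bad indices. */
bool cp_assign_iface(int iface, int zone) {
    if (iface < 0 || iface >= NUM_IFACES) return false;
    if (zone < -1 || zone >= NUM_ZONES) return false;
    iface_zone[iface] = zone;
    return true;
}

/* Reject empty ranges and ranges whose end would wrap around the address space. */
static bool range_ok(uint64_t addr, uint64_t len) {
    return len != 0 && addr <= UINT64_MAX - len;
}

/* True when [addr, addr+len) is fully contained in the region (range_ok checked first). */
static bool range_in_region(const region_t *r, uint64_t addr, uint64_t len) {
    return addr >= r->base && addr + len <= r->base + r->size;
}

/* Admission check the command processor runs before queueing a work order. */
wo_status_t cp_submit(int iface, const work_order_t *wo) {
    if (iface < 0 || iface >= NUM_IFACES) return WO_BAD_IFACE;
    int zone = iface_zone[iface];
    if (zone < 0) return WO_UNASSIGNED;
    if (!range_ok(wo->src, wo->len) || !range_ok(wo->dst, wo->len)) return WO_BAD_RANGE;
    const region_t *r = &zone_region[zone];
    if (!range_in_region(r, wo->src, wo->len) || !range_in_region(r, wo->dst, wo->len))
        return WO_OUT_OF_ZONE;
    /* A real command processor would queue the order for execution here. */
    return WO_OK;
}

int main(void) {
    cp_assign_iface(0, 0);
    cp_assign_iface(1, 1);
    work_order_t inside  = { 0x10001000ULL, 0x10002000ULL, 0x1000ULL };
    work_order_t cross   = { 0x10001000ULL, 0x20002000ULL, 0x1000ULL };  /* dst in zone 1 */
    work_order_t straddle = { 0x10FFFF00ULL, 0x10001000ULL, 0x200ULL };  /* src crosses zone end */
    printf("inside:   %d\n", cp_submit(0, &inside));
    printf("cross:    %d\n", cp_submit(0, &cross));
    printf("straddle: %d\n", cp_submit(0, &straddle));
    printf("unbound:  %d\n", cp_submit(2, &inside));
    return 0;
}
```

The two checks that matter for security are the wrap test in `range_ok` (without it, a huge `len` makes `addr + len` wrap below the region end and pass the containment test) and the fact that the zone is looked up from the interface the order arrived on, never from anything inside the work order.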
Abstract:
Aspects include computing devices, systems, and methods for implementing a cache maintenance or status operation for a component cache of a system cache. A computing device may generate a component cache configuration table, assign at least one component cache indicator of a component cache to a master of the component cache, and map at least one control register to the component cache indicator by a centralized control entity. The computing device may store the component cache indicator such that the component cache indicator is accessible by the master of the component cache for discovering a virtualized view of the system cache and issuing a cache maintenance or status command for the component cache, bypassing the centralized control entity. The computing device may then receive the cache maintenance or status command at the control register associated with that command and with the component cache, again bypassing the centralized control entity.
Abstract:
A security apparatus and method are provided for performing a security algorithm that prevents unauthorized access to contents of a physical address (PA) that have been loaded into a storage element of the computer system as a result of performing a prediction algorithm during a hardware table walk that uses a predictor to predict a PA based on a virtual address (VA). When the predictor is enabled, it might be possible for a person with knowledge of the system to configure the predictor to cause contents stored at a PA of a secure portion of the main memory to be loaded into a register in the TLB. In this way, a person who should not have access to contents stored in secure portions of the main memory could indirectly gain unauthorized access to those contents. The apparatus and method prevent such unauthorized access to the contents by masking the contents under certain conditions.
Abstract:
A wireless mobile device includes a graphics processing unit (GPU) that has a system memory management unit (MMU) for saving and restoring system MMU translation contexts. The system MMU is coupled to a memory and the GPU. The system MMU includes a set of hardware resources. The hardware resources may be context banks, with each of the context banks having a set of hardware registers. The system MMU also includes a hardware controller that is configured to restore a hardware resource associated with an access stream of content issued by an execution thread of the GPU. The associated hardware resource may be restored from the memory into a physical hardware resource when the hardware resource associated with the access stream of content is not currently held in one of the physical hardware resources.
Abstract:
Efficient techniques using a multi-port shared non-volatile memory are described that reduce latency in memory accesses from dedicated function specific processors, such as a modem control processor. The modem processor preempts a host processor that is accessing data from a multi-port shared non-volatile memory flash device allowing the modem processor to quickly access data in the flash device. The preemption process uses a doorbell interrupt initiated by a processor that seeks access and interrupts the processor being preempted. After preemption, the host processor may resume or restart the data access. Access control by the processors utilizes a hardware semaphore atomic control mechanism. Power control of the shared non-volatile memory modules includes at least one inactivity timer to indicate when a supply voltage to the shared non-volatile memory modules can be safely reduced or turned off. Power may be restarted by any of the processors sharing the memory, allowing fast access to the data.
Abstract:
A computer system and a method are provided that reduce the amount of time and computing resources that are required to perform a hardware table walk (HWTW) in the event that a translation lookaside buffer (TLB) miss occurs. If a TLB miss occurs when performing a stage 2 (S2) HWTW to find the physical address (PA) at which a stage 1 (S1) page table is stored, the MMU uses the intermediate physical address (IPA) of that page table to predict the corresponding PA, thereby avoiding the need to perform any of the S2 table lookups. This greatly reduces the number of lookups that need to be performed when performing these types of HWTW read transactions, which greatly reduces processing overhead and performance penalties associated with performing these types of transactions.
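The prediction above and the masking rule from the earlier security apparatus abstract (contents of a predicted PA loaded into a TLB register are masked when the requester should not see them) describe two halves of one mechanism, so the following C model, an added example that is not the patents' own logic, shows them together. It assumes a three-level stage-2 walk, a stage-2 mapping that is flat at a fixed offset (which a correctly configured predictor reproduces as PA = IPA + offset), a single secure range, and two constructed memory words; all names, constants and counters are the example's own.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed parameters of the model (not from the patents). */
#define S2_LEVELS    3               /* lookups a full stage-2 walk costs */
#define S2_FLAT_OFF  0x40000000ULL   /* real S2 mapping in this model: PA = IPA + S2_FLAT_OFF */
#define SECURE_BASE  0x80000000ULL   /* secure portion of main memory */
#define SECURE_SIZE  0x10000000ULL

typedef struct {
    bool     predictor_enabled;
    uint64_t pred_offset;    /* software-configured prediction: PA = IPA + pred_offset */
    unsigned s2_lookups;     /* stage-2 table lookups performed so far */
    unsigned masked_loads;   /* loads whose contents the security check masked */
} mmu_t;

typedef struct {
    uint64_t pa;      /* physical address the S1 entry was fetched from */
    uint64_t entry;   /* contents loaded into the TLB register (0 if masked or faulted) */
    bool     masked;  /* security check masked the contents */
    bool     fault;   /* no memory backs pa */
} s1_fetch_t;

/* Constructed physical memory: two 64-bit words. */
typedef struct { uint64_t pa, value; } mem_word_t;
static const mem_word_t phys_mem[] = {
    { 0x40001000ULL, 0x0000000040200003ULL },  /* an S1 page-table entry in normal memory */
    { 0x80001000ULL, 0xDEADBEEFCAFEF00DULL },  /* a secret word in secure memory */
};

static bool mem_read(uint64_t pa, uint64_t *out) {
    for (size_t i = 0; i < sizeof phys_mem / sizeof phys_mem[0]; i++)
        if (phys_mem[i].pa == pa) { *out = phys_mem[i].value; return true; }
    return false;
}

static bool in_secure(uint64_t pa) {
    return pa >= SECURE_BASE && pa - SECURE_BASE < SECURE_SIZE;
}

/* Full stage-2 walk: resolves correctly but costs S2_LEVELS lookups. */
static uint64_t s2_walk(mmu_t *m, uint64_t ipa) {
    m->s2_lookups += S2_LEVELS;
    return ipa + S2_FLAT_OFF;
}

/* Fetch the S1 page-table entry stored at `ipa` on behalf of a secure or non-secure
   requester, using the predictor when enabled and a real S2 walk otherwise. */
s1_fetch_t fetch_s1_entry(mmu_t *m, uint64_t ipa, bool nonsecure) {
    s1_fetch_t r = { 0, 0, false, false };
    r.pa = m->predictor_enabled ? ipa + m->pred_offset : s2_walk(m, ipa);

    uint64_t v;
    if (!mem_read(r.pa, &v)) { r.fault = true; return r; }

    /* Security rule: a non-secure requester whose PA (predicted or not) lands in the
       secure range never gets the contents into the TLB register; they are masked to 0.
       The patents describe the check for predictor-loaded contents; applying it on
       both paths here is a conservative choice of this model. */
    if (nonsecure && in_secure(r.pa)) {
        r.masked = true;
        m->masked_loads++;
        return r;
    }
    r.entry = v;
    return r;
}

int main(void) {
    mmu_t good = { true, S2_FLAT_OFF, 0, 0 };      /* predictor matches the real mapping */
    s1_fetch_t r = fetch_s1_entry(&good, 0x1000ULL, true);
    printf("predicted: pa=%#" PRIx64 " entry=%#" PRIx64 " s2_lookups=%u\n",
           r.pa, r.entry, good.s2_lookups);

    mmu_t walk = { false, 0, 0, 0 };
    r = fetch_s1_entry(&walk, 0x1000ULL, true);
    printf("walked:    pa=%#" PRIx64 " entry=%#" PRIx64 " s2_lookups=%u\n",
           r.pa, r.entry, walk.s2_lookups);

    mmu_t hostile = { true, SECURE_BASE, 0, 0 };   /* predictor steered into secure memory */
    r = fetch_s1_entry(&hostile, 0x1000ULL, true);
    printf("hostile:   pa=%#" PRIx64 " entry=%#" PRIx64 " masked=%d\n",
           r.pa, r.entry, r.masked);
    return 0;
}
```

The counters make the two claims visible: the predicted fetch costs zero stage-2 lookups against three for the walk, and the hostile configuration reaches the secure word's address but the requester only ever sees zero. A real design would also have to validate the prediction later (a mismatch means the TLB entry must be discarded), which this model leaves out.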