-
Publication number: US20180189190A1
Publication date: 2018-07-05
Application number: US15907593
Filing date: 2018-02-28
Applicant: Advanced Micro Devices, Inc.
Inventor: David A. Kaplan , Jeremy W. Powell , Thomas R. Woller
IPC: G06F12/1009 , G06F9/455
CPC classification number: G06F12/1009 , G06F9/45545 , G06F9/45558 , G06F12/1018 , G06F12/109 , G06F2009/45583 , G06F2212/1044 , G06F2212/151 , G06F2212/152 , G06F2212/657
Abstract: A computing device that handles address translations is described. The computing device includes a hardware table walker and a memory that stores a reverse map table and a plurality of pages of memory. The table walker is configured to use validated indicators in entries in the reverse map table to determine if page accesses are made to pages for which entries are validated. The table walker is further configured to use virtual machine permissions levels information in entries in the reverse map table to determine if page accesses for specified operation types are permitted.
-
Publication number: US20240289151A1
Publication date: 2024-08-29
Application number: US18113912
Filing date: 2023-02-24
Applicant: ATI Technologies ULC , Advanced Micro Devices, Inc.
Inventor: Philip Ng , Nippon Raval , Jeremy W. Powell , Donald Matthews, JR. , David Kaplan
IPC: G06F9/455
CPC classification number: G06F9/45558 , G06F2009/45579 , G06F2009/45583 , G06F2009/45587
Abstract: A processor configured to execute one or more virtual machines (VMs) includes an input-output memory management unit (IOMMU) configured to handle memory-mapped input-output (MMIO) requests and direct memory access (DMA) requests from a processor core of the processor or one or more input/output (I/O) devices. In response to receiving an MMIO or DMA request, the IOMMU is configured to determine a VM associated with the request. The IOMMU then checks a security indicator field of an address space identifier (ASID) mask table to determine if the VM was previously the target of an attack by a malicious entity. In response to the VM previously being a target of an attack, the IOMMU denies the received MMIO or DMA request.
-
Publication number: US20240220296A1
Publication date: 2024-07-04
Application number: US18090605
Filing date: 2022-12-29
Applicant: ATI TECHNOLOGIES ULC , ADVANCED MICRO DEVICES, INC.
Inventor: Philip Ng , Nippon Raval , Jeremy W. Powell , Donald Matthews, JR. , David Kaplan
IPC: G06F9/455 , G06F12/1081
CPC classification number: G06F9/45558 , G06F12/1081 , G06F2009/45587
Abstract: A processor manages memory-mapped input/output (MMIO) accesses, in secure fashion, at an input/output memory management unit (IOMMU). The processor is configured to ensure that, for a given MMIO request issued by a processor core and associated with a particular executing VM, the request is targeted to a MMIO address that has been assigned to the VM by a security module (e.g., a security co-processor). The processor thus prevents a malicious entity from accessing confidential information of a VM via MMIO requests.
-
Publication number: US10671422B2
Publication date: 2020-06-02
Application number: US15685861
Filing date: 2017-08-24
Applicant: Advanced Micro Devices, Inc.
Inventor: David Kaplan , Jeremy W. Powell , Richard Relph
IPC: G06F9/455
Abstract: A security module in a memory access path of a processor of a processing system protects secure information by verifying the contents of memory pages as they transition between one or more virtual machines (VMs) executing at the processor and a hypervisor that provides an interface between the VMs and the processing system's hardware. The security module of the processor is employed to monitor memory pages as they transition between one or more VMs and a hypervisor so that memory pages that have been altered by a hypervisor or other VM cannot be returned to the VM from which they were transitioned.
-
Publication number: US20240289150A1
Publication date: 2024-08-29
Application number: US18113655
Filing date: 2023-02-24
Applicant: ATI TECHNOLOGIES ULC , ADVANCED MICRO DEVICES, INC.
Inventor: Philip Ng , Nippon Raval , Jeremy W. Powell , Donald Matthews, JR. , David Kaplan
CPC classification number: G06F9/45558 , G06F13/4221 , G06F2009/45579 , G06F2213/0026
Abstract: A processor includes a security processor and an input-output memory management unit (IOMMU). The security processor is configured to maintain device control information in a secure data structure and prevent a hypervisor from accessing the secure data structure. The IOMMU is configured to process at least one device request targeting a virtual machine from an input/output device based on the secure data structure.
-
Publication number: US10169244B2
Publication date: 2019-01-01
Application number: US15224302
Filing date: 2016-07-29
Applicant: Advanced Micro Devices, Inc.
Inventor: David A. Kaplan , Jeremy W. Powell , Thomas R. Woller
IPC: G06F12/10 , G06F12/1027 , G06F12/1009 , G06F9/455
Abstract: The described embodiments perform a method for handling memory accesses by virtual machines in a computing device. The described embodiments include a reverse map table (RMT) and a separate guest accessed pages table (GAPT) for each virtual machine. The RMT has a plurality of entries, each entry including information for identifying a virtual machine that is permitted to access an associated page of data in a memory. Each GAPT has a record of pages being accessed by a corresponding virtual machine. During operation, a table walker receives a request from a given virtual machine to translate a guest physical address to a system physical address. The table walker checks at least one of the RMT and a corresponding GAPT to determine whether the given virtual machine has access to a corresponding page. If not, the table walker terminates the translating. Otherwise, the table walker completes the translating.
-
Publication number: US20170277898A1
Publication date: 2017-09-28
Application number: US15081126
Filing date: 2016-03-25
Applicant: Advanced Micro Devices, Inc.
Inventor: Jeremy W. Powell , David A. Kaplan , Jesse D. Larrew , Thomas R. Woller , Joshua Schiffman
CPC classification number: G06F21/602 , G06F21/53 , G06F21/6209 , G06F21/6218
Abstract: A processor employs a security module to manage authentication and encryption keys for the processor. The security module can authenticate itself to other processing systems, such as processing systems providing software to be executed at the processor, can generate keys for encrypting address spaces for the provided software, and can securely import and export information at the encrypted address spaces to and from the processing system. By using a security module that is separate from the processor cores of the processor to perform these security operations, the processing system allows software executing on the processor cores to manage operations based on the authentication and encryption keys without being able to read the keys themselves, thereby preventing unauthorized access by malicious software to the keys.
-
Publication number: US20240220298A1
Publication date: 2024-07-04
Application number: US18090790
Filing date: 2022-12-29
Applicant: ADVANCED MICRO DEVICES, INC
Inventor: Jeremy W. Powell , David Kaplan
CPC classification number: G06F9/45558 , G06F21/64 , G06F2009/45579 , G06F2009/45583 , G06F2009/45587
Abstract: A security module of a processor manages the lifecycle of device interfaces of input/output (I/O) devices within a virtualization environment in a secure and trusted manner. For example, the security module is configured to bind a device interface of an I/O device interface to a virtual machine (VM). Responsive to the device interface being bound, the security module is configured to attest at least one of the device interface and the I/O device. Responsive to the at least one of the device interface or the I/O device being attested, the security module is configured to configure an input-output memory management unit (IOMMU) and memory resources associated with the VM.
-
Publication number: US20240176638A1
Publication date: 2024-05-30
Application number: US18071049
Filing date: 2022-11-29
Applicant: ADVANCED MICRO DEVICES, INC.
Inventor: David Kaplan , Jelena Ilic , Jeremy W. Powell
CPC classification number: G06F9/45558 , G06F21/602 , G06F2009/45583 , G06F2009/45587
Abstract: A processing system executing a virtual machine (VM) in a confidential computing environment selectively randomizes the values of registers before the register values are encrypted to ciphertext and written to a secure region of memory upon the VM exiting execution at a processor of the processing system. When the VM later resumes executing at the processor, the processor de-randomizes the register values. By randomizing the register values, the processor obfuscates the register values from a hypervisor or physical attack, thereby protecting against side channel attacks on the encrypted ciphertext.
-
Publication number: US10585805B2
Publication date: 2020-03-10
Application number: US15907593
Filing date: 2018-02-28
Applicant: Advanced Micro Devices, Inc.
Inventor: David A. Kaplan , Jeremy W. Powell , Thomas R. Woller
IPC: G06F12/10 , G06F12/1009 , G06F9/455
Abstract: A computing device that handles address translations is described. The computing device includes a hardware table walker and a memory that stores a reverse map table and a plurality of pages of memory. The table walker is configured to use validated indicators in entries in the reverse map table to determine if page accesses are made to pages for which entries are validated. The table walker is further configured to use virtual machine permissions levels information in entries in the reverse map table to determine if page accesses for specified operation types are permitted.