Co-existence of trust domain architecture with multi-key total memory encryption technology in servers

Assignee

• Intel Corporation · US

Inventors

• Ido Ouziel · Atlit, IL
• Arie Aharon · Haifa, IL
• Dror Caspi · Kiryat Yam, IL
• Baruch Chaikin · Kiryat Shmona, IL
• Jacob Doweck · Haifa, IL
• Gideon Gerzon · Jerusalem, IL
• Barry E. Huntley · Hillsboro, US
• Francis X. McKeen · Portland, US
• Gilbert Neiger · Hillsboro, US
• Carlos V. Rozas · Portland, US
• Ravi L. Sahita · Portland, US
• Vedvyas Shanbhogue · Austin, US
• Assaf Zaltsman · Haifa, IL
• Hormuzd M. Khosravi · Hillsboro, US

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06F2212/7202
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

Implementations described provide hardware support for the co-existence of restricted and non-restricted encryption keys on a computing system. Such hardware support may comprise a processor having a core, a hardware register to store a bit range to identify a number of bits, of physical memory addresses, that define key identifiers (IDs) and a partition key ID identifying a boundary between non-restricted and restricted key IDs. The core may allocate at least one of the non-restricted key IDs to a software program, such as a hypervisor. The core may further allocate a restricted key ID to a trust domain whose trust computing base does not comprise the software program. A memory controller coupled to the core may allocate a physical page of a memory to the trust domain, wherein data of the physical page of the memory is to be encrypted with an encryption key associated with the restricted key ID.