METHOD AND APPARATUS TO PROVIDE SECURE APPLICATION
EXECUTION
Field of the Invention
Embodiments of the invention relate generally to the field of information processing and more specifically, to the field of security in computing systems and microprocessors.
Background
Securing execution and integrity of applications and their data within a computer system is of growing importance. Some prior art security techniques fail to adequately secure applications and data in a flexible but reliable manner.
Brief Description of the Drawings
Embodiments of the invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which;
Figure 1 illustrates a block diagram of a microprocessor, in which at least one embodiment of the invention may be used;
Figure 2 illustrates a block diagram of a shared bus computer system, in which at least one embodiment of the invention may be used;
Figure 3 illustrates a block diagram a point-to-point interconnect computer system, in which at least one embodiment of the invention may be used.
Detailed Description
Embodiments of the invention pertain to a technique for providing secure application and data in a flexible but reliable manner. Although there are multiple embodiments of multiple aspects of the invention, the attached document entitled "Secure Enclaves Architecture" is hereby incorporated by referrence as an example of at least one embodiment. However, the incorporated reference is not intended to limit the scope of embodiments of the invention in any way and other embodiments may be used while remaining within the spirit and scope of the invention.
Figure 1 illustrates a microprocessor in which at least one embodiment of the invention may be used. In particular, Figure 1 illustrates microprocessor 100 having one or more processor cores 105 and 110, each having associated therewith a local cache 107 and 113, respectively. Also illustrated in Figure 1 is a shared cache memory 115 which may store versions of at least some of the information stored in each of the local caches
107 and 113. In some embodiments, microprocessor 100 may also include other logic not shown in Figure 1, such as an integrated memory controller, integrated graphics controller, as well as other logic to perform other functions within a computer system, such as I/O control. In one embodiment, each microprocessor in a multi-processor system or each processor core in a multi-core processor may include or otherwise be associated with logic 119 to enable secure enclave techniques, in accordance with at least one embodiment. The logic may include circuits, software (embodied in a tangible medium) or both to enable more efficient resource allocation among a plurality of cores or processors than in some prior art implementations.
Figure 2, for example, illustrates a front-side-bus (FSB) computer system in which one embodiment of the invention may be used. Any processor 201, 205, 210, or 215 may access information from any local level one (LI) cache memory 220, 225, 230, 235, 240, 245, 250, 255 within or otherwise associated with one of the processor cores 223, 227, 233,237, 243, 247, 253, 257. Furthermore, any processor 201, 205, 210, or 215 may access information from any one of the shared level two (L2) caches 203, 207, 213, 217 or from system memory 260 via chipset 265. One or more of the processors in Figure 2 may include or otherwise be associated with logic 219 to enable secure enclave techniques, in accordance with at least one embodiment.
In addition to the FSB computer system illustrated in Figure 2, other system configurations may be used in conjunction with various embodiments of the invention, including point-to-point (P2P) interconnect systems and ring interconnect systems. The P2P system of Figure 3, for example, may include several processors, of which only two, processors 370, 380 are shown by example. Processors 370, 380 may each include a local memory controller hub (MCH) 372, 382 to connect with memory 32, 34. Processors 370, 380 may exchange data via a point-to-point (PtP) interface 350 using PtP interface circuits 378, 388. Processors 370, 380 may each exchange data with a chipset 390 via individual PtP interfaces 352, 354 using point to point interface circuits 376, 394, 386, 398. Chipset 390 may also exchange data with a high-performance graphics circuit 338 via a high-performance graphics interface 339. Embodiments of the invention may be located within any processor having any number of processing cores, or within each of the PtP bus agents of Figure 3. In one embodiment, any processor core may include or otherwise be associated with a local cache memory (not shown). Furthermore, a shared cache (not shown) may be included in either processor outside of both processors, yet connected
with the processors via p2p interconnect, such that either or both processors' local cache information may be stored in the shared cache if a processor is placed into a low power mode. One or more of the processors or cores in Figure 3 may include or otherwise be associated with logic 319 to enable secure enclave techniques, in accordance with at least one embodiment.
One or more aspects of at least one embodiment may be implemented by representative data stored on a machine-readable medium which represents various logic within the processor, which when read by a machine causes the machine to fabricate logic to perform the techniques described herein. Such representations, known as "IP cores" may be stored on a tangible, machine readable medium ("tape") and supplied to various customers or manufacturing facilities to load into the fabrication machines that actually make the logic or processor.
Thus, a method and apparatus for directing micro-architectural memory region accesses has been described. It is to be understood that the above description is intended to be illustrative and not restrictive. Many other embodiments will be apparent to those of skill in the art upon reading and understanding the above description. The scope of the invention should, therefore, be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.

CLAIMS What is claimed is:
1. A processor comprising:
execution logic to perform at least a first instruction to move protected data between an enclave page cache (EPC) and a second storage area.
2. The processor of claim 1, wherein the data is to be moved during a performance of a program to access the protected data.
3. The processor of claim 2, wherein the program is to run in a privileged mode.
4. The processor of claim 1, wherein the at least first instruction includes an instruction to copy data from a memory to the EPC.
5. The processor of claim 1, wherein the at least first instruction includes an instruction to copy data from the EPC to memory.
6. The processor of claim 1, wherein the EPC is to store information that is protected from malicious code.
7. The processor of claim 1, wherein the EPC is to store information that is specific to a user application.
8. The processor of claim 1, wherein the EPC is only accessible using an encrypted key.
9. A machine-readable medium having stored thereon an instruction, which if executed by a machine, causes the machine to perform a method comprising:
moving protected data between an enclave page cache (EPC) and a second storage area.
10. The machine-readable medium of claim 9, wherein the data is to be moved during a performance of a program to access the protected data.
11. The machine-readable medium of claim 10, wherein the program is to run in a privileged mode.
12. The machine-readable medium of claim 9, wherein the at least first instruction includes an instruction to copy data from a memory to the EPC.
13. The machine-readable medium of claim 9, wherein the at least first instruction includes an instruction to copy data from the EPC to memory.
14. The machine-readable medium of claim 9, wherein the EPC is to store information that is protected from malicious code.
15. The machine-readable medium of claim 9, wherein the EPC is to store information that is specific to a user application.
16. The machine-readable medium of claim 9, wherein the EPC is only accessible using an encrypted key.
17. A system comprising:
a storage area to store a first instruction;
a processor to fetch the first instruction from the storage area, wherein the
first
instruction is to copy protected data between an enclave page cache
(EPC)
and a second storage area.
18. The system of claim 17, wherein the data is to be moved during a performance of a program to access the protected data.
19. The system of claim 18, wherein the program is to run in a privileged mode.
20. The system of claim 17, wherein the at least first instruction includes an instruction to copy data from a memory to the EPC.
21. The system of claim 17, wherein the at least first instruction includes an instruction to copy data from the EPC to memory.
22. The system of claim 17, wherein the EPC is to store information that is protected from malicious code.
23. The system of claim 17, wherein the EPC is to store information that is specific to a user application.
24. The system of claim 17, wherein the EPC is only accessible using an encrypted key.
25. A method comprising:
moving information between an enclave page cache (EPC) and a storage area in response to performing a first instruction, wherein the first instruction is a special EPC access instruction, and wherein the data is to be moved during a performance of a program to access the protected data, and wherein the program is to run in a privileged mode.
26. The method of claim 25, wherein the at least first instruction includes an
instruction to copy data from a memory to the EPC.
27. The method of claim 26, wherein the at least first instruction includes an
instruction to copy data from the EPC to memory.
28. The method of claim 27, wherein the EPC is to store information that is protected
from malicious code.
29. The method of claim 28, wherein the EPC is to store information that is specific to a user application.
30. The method of claim 29, wherein the EPC is only accessible using an encrypted key.