Controlling access to multiple memory zones in an isolated execution environment
원문보기
IPC분류정보
국가/구분
United States(US) Patent
등록
국제특허분류(IPC7판)
G06F-012/06
G06F-012/14
출원번호
US-0618489
(2000-07-18)
발명자
/ 주소
Ellison, Carl M.
Golliver, Roger A.
Herbert, Howard C.
Lin, Derrick C.
McKeen, Francis X.
Neiger, Gilbert
Reneris, Ken
Sutton, James A.
Thakkar, Shreekant S.
Mittal, Millind
출원인 / 주소
Intel Corporation
대리인 / 주소
Blakely, Sokoloff, Taylor & Zafman LLP
인용정보
피인용 횟수 :
156인용 특허 :
51
초록▼
A processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that stores configuration settings. The configuration settings include a plurality of subsystem memory range settings defining
A processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that stores configuration settings. The configuration settings include a plurality of subsystem memory range settings defining memory zones. The access transaction also includes access information. A multi-memory zone access checking circuit, coupled to the configuration storage, checks the access transaction using at least one of the configuration settings and the access information. The multi-memory zone access checking circuit generates an access grant signal if the access transaction is valid.
대표청구항▼
A processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that stores configuration settings. The configuration settings include a plurality of subsystem memory range settings defining
A processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that stores configuration settings. The configuration settings include a plurality of subsystem memory range settings defining memory zones. The access transaction also includes access information. A multi-memory zone access checking circuit, coupled to the configuration storage, checks the access transaction using at least one of the configuration settings and the access information. The multi-memory zone access checking circuit generates an access grant signal if the access transaction is valid. types of data from said buffers in the write process. 3. A buffer apparatus according to claim 2, wherein said buffers are configures as FIFO memories when said transmission medium handles one line for which the data is to be inserted, wherein said buffer apparatus further comprises a data insertion control buffer memory common to the individual FIFO memories for storing the write process order, in which the data have been stored in said FIFO memories, to thereby generate said link data. 4. A buffer apparatus according to claim 1, wherein, if said transmission medium handles a plurality of lines for which the data are to be inserted, said buffers are able to respectively hold data for the individual lines, and wherein said data insertion controller controls the insertion order for each of said plurality of lines. 5. A buffer apparatus according to claim 4, wherein said data insertion control monitors a total amount of data accumulated in said plurality of buffers for each said line, and inhibits an additional write process of data to said buffer for the line in which the total amount of accumulated data exceeds a predetermined value. 6. A buffer apparatus according to claim 1, wherein said at least one type of data to be inserted in the predetermined allowable insertion delay time is a performance monitoring (PM) cell which is to be inserted into said idle slot of the user data in accordance with a predetermined amount of the user data. 7. A data insertion control method comprising the steps of: administering the storage order in which different types of data each of which is to be inserted into an idle slot of a user data stream on a predetermined transmission medium and which are equal in insertion priority and at least one type of which is to be inserted in a predetermined allowable insertion delay time are accumulated in a buffer; and controlling the data insertion order in which the different types of data are to be inserted into said idle slot of the user data stream according to the administered storage order so as to keep said allowable insertion delay time for said at least one types data. 8. A data insertion control method according to claim 7, wherein said at least one type of data to be inserted in the predetermined allowable insertion delay time is a performance monitoring (PM) cell which is to be inserted into said idle slot of the user data in accordance with a predetermined amount of the user data. 9. A data insertion apparatus with a data insertion control function, comprising: a plurality of buffers for holding different types of operation, administration and management (OAM) data, each of which is to be inserted into an idle slot of a user data stream on a predetermined transmission medium and which are equal in insertion priority and at least one type of which is to be inserted in a predetermined allowable insertion delay time; a common data inserting section shared by said plurality of buffers for receiving the OAM data in said buffers, and inserting the OAM data into said idle slot of the user data stream; and a data insertion controller for controlling the data output order in which the OAM data are to be output to said common data inserting section so as to insert the OAM data into said idle slot while keeping said allowable insertion delay time for said at least one type data by controlling a read process order in which the different types of the OAM data are to be read from said plurality of buffers, based on a write process order in which the different types of the OAM data have been stored in said plurality of buffers. 10. A data insertion control method according to claim 9, wherein said at least one type of OAM data to be inserted in the predetermined allowable insertion delay time is a performance monitoring (PM) cell which is to be inserted into said idle slot of the user data in accordance with a predetermined amount of the user data. 11. A buffer apparatus with a data insertion control function, comprising: a plurality of buffers for holding different types of data each of which is to be inserted into an idle slot of a user data stream on a predetermined transmission medium and which are equal in insertion priority; a data insertion controller for controlling a data insertion order in which the different types of data are to be inserted into said idle slot of the user data stream so as to insert the different types of data into said idle slot by controlling a read process order in which the different types of data are to be read from said plurality of buffers based on a write process order in which the different types of data have been stored in said plurality of buffers; and a plurality of first link memories corresponding one to each of said plurality of buffers and each having the same address configuration as that of the corresponding buffer, wherein said data insertion controller generates link data about the write process order during a write process, and performs a read process of the different types of data according to said link data, to thereby read the different types of data from said buffers in the write process and said data insertion controller stores a type of the data which has currently been written, in said first link memory at the same address as that of the corresponding buffer at which the previous write process was performed, to thereby generate said link data. 12. A buffer apparatus according to claim 11, further comprising a plurality of second link memories corresponding one to each of said plurality of buffers, each of second link memories having the same address configuration as that of the corresponding buffer for storage of link data about the write process order in which the data are stored in the same buffer, said first and second link memories corresponding to each said buffer constituting a unitary shared memory, wherein, if said transmission medium handles a plurality of lines for which the data is to be inserted, said buffers are able to respectively hold data for the individual lines. 13. A buffer apparatus according to claim 11, wherein each said first link memory and the corresponding buffer constitutes a unitary shared memory. 14. A buffer apparatus according to claim 13, wherein each said first link memory and the corresponding buffer are configured as a composite memory of FIFO type when said transmission medium handles one line for which the data is to be inserted. 15. A buffer apparatus with a data insertion control function, comprising: a plurality of buffers for holding different types of data each of which is to be inserted into an idle slot of a user data stream on a predetermined transmission medium and which are equal in insertion priority; a data insertion controller for controlling a data insertion order in which the different types of data are to be inserted into said idle slot of the user data stream so as to insert the different types of data into said idle slot by controlling a read process order in which the different types of data are to be read from said plurality of buffers based on a write process order in which the different types of data have been stored in said plurality of buffers; and a plurality of third link memories corresponding one to each of said plurality of buffers, each of said third link memories having the same address configuration as that of the corresponding buffer, wherein said data insertion controller generates link data about the write process order during a write process, and performs a read process of the different types of data according to said link data, to thereby read the different types of data from said buffers in the write process and inherent global addresses are assigned one to each of said plurality of buffers, and said data insertion controller stores said inherent global address of each said buffer at which a current write process has been performed in said third link memory at the same address as that of said buffer at which the previous write process was performed, to thereby generate said link data. 16. A buffer apparatus according to claim 15, wherein said inherent global address includes a set of data type information and an address inherent in each said buffer. 17. A buffer apparatus with a data insertion control function, comprising: a plurality of buffers for holding different types of data each of which is to be inserted into an idle slot of a user data stream on a predetermined transmission medium and which are equal in insertion priority; a data insertion controller for controlling a data insertion order in which the different types of data are to be inserted into said idle slot of the user data stream so as to insert the different types of data into said idle slot by controlling a read process order in which the different types of data are to be read from said plurality of buffers based on a write process order in which the different types of data have been stored in said plurality of buffers, wherein said plurality of buffers are configured as a composite buffer having an address configuration on the basis of the greatest common divisor of amounts of the different types of data, and wherein said data insertion controller generates link data about the write process order in which the different types of data are to be stored in said composite buffer to read the different types of data according to said link data, to thereby read the different types of data in said composite buffer in the write process order. 18. A buffer apparatus according to claim 17, wherein said data insertion controller monitors an amount of data stored in said composite buffer for each of the different types of data, and inhibits an additional write process of data of the type in which the amount of accumulated data exceeds a predetermined value. t access to the logical device associated with the input logical number if there is a logical device associated with the input logical number. 4. The method of claim 1, further comprising: updating the host map for each host that is assigned to the input cluster group to indicate that a logical number assigned to the input logical device is included in the input cluster group if the input logical device is accessible to all hosts. 5. The method of claim 1, wherein a logical device is a member of a set of storage spaces comprising one of multiple direct access storage devices and a portion of a RAID array. 6. The method of claim 1, wherein logical numbers used in different cluster groups are capable of being assigned to different logical devices. 7. A method for restricting host access to at least one logical device, wherein each logical device comprises a section of physical storage space that is non-overlapping with the physical storage space associated with other logical devices, comprising: for each cluster group, assigning at least one logical device and at least one host to the cluster group, wherein hosts that are not in the cluster group cannot access the logical devices that are assigned to the cluster group; for each cluster group, assigning a logical number to each logical device in the cluster group such that no host member of that cluster group uses the assigned logical number to access another logical device, wherein hosts in the cluster group use the logical number to access the logical device to which the logical number is assigned in the cluster group; providing a host list indicating all available hosts, wherein all hosts in the host list can access a logical device assigned one logical number and not assigned to a cluster group, and wherein for each host in the host list there is a host map indicating each logical number accessible to the host; receiving a request, including as parameters one input logical device and input cluster group, to add the input logical device to the input cluster group; determining whether the input logical device is not assigned one logical number; if the input logical device is not assigned one logical number, further performing: (i) determining one logical number that is not used by any host assigned to the input cluster group to access one logical device by determining a lowest logical number that is not used by any host assigned to the input cluster group to access one logical device; (ii) assigning the determined logical number to the input logical device; and (iii) updating the host map for each host that is assigned to the input cluster group to indicate that the determined logical number is assigned to the input logical device, wherein after the host maps are updated, each host in the input cluster group can use the determined logical number to access the input logical device. 8. A method for restricting host access to at least one logical device, wherein each logical device comprises a section of physical storage space that is non-overlapping with the physical storage space associated with other logical devices, comprising: for each cluster group, assigning at least one logical device and at least one host to the cluster group, wherein hosts that are not in the cluster group cannot access the logical devices that are assigned to the cluster group; for each cluster group, assigning a logical number to each logical device in the cluster group such that no host member of that cluster group uses the assigned logical number to access another logical device, wherein hosts in the cluster group use the logical number to access the logical device to which the logical number is assigned in the cluster group; providing a host list indicating all available hosts, wherein all hosts in the host list can access a logical device assigned one logical number and not assigned to a cluster group, wherein for each host in the host list there is a host map indicating each logical number accessible to the host; receiving a request including as a parameter one input logical device to make accessible to all hosts in the host list; determining one cluster group including the input logical device; determining the logical number for the input logical device; determining whether any host that is not in the determined cluster group including the input logical device uses the determined logical number for the input logical device to access one logical device other than the input logical device; and updating the host map for each host in the host list to indicate that the determined logical number is assigned to the input logical device if no other host that is not in the determined cluster group uses the determined logical number, wherein after updating the host map for each host in the host list, all the hosts in the host list can use the determined logical number to access the input logical device. 9. The method of claim 8, wherein if at least one host that is not in the determined cluster group uses the determined logical number, then further performing: determining one unused logical number that is not used by any host in the host list to access one logical device; and updating the host map for each host in the host list to indicate that the determined unused logical number is assigned to the input logical device, wherein all the hosts in the host list can use the determined unused logical number to access the input logical device. 10. A system for restricting host access to at least one logical device, wherein each logical device comprises a section of physical storage space that is non-overlapping with the physical storage space associated with other logical devices, comprising: means for assigning at least one logical device and at least one host to at least one cluster group, wherein hosts that are not assigned to one cluster group cannot access the logical devices that are assigned to the cluster group, and wherein multiple hosts are capable of being assigned to one cluster group; means for assigning a logical number to at least one logical device in the at least one cluster group such that the at least one host assigned to one cluster group does not use the assigned logical number to access another logical device, wherein the at least one host assigned to one cluster group uses the logical number to access the logical device to which the logical number is assigned in the cluster group, wherein a host list indicates all available hosts and wherein all hosts in the host list can access a logical device assigned one logical number and not assigned to a cluster group and wherein for each host in the host list there is a host map indicating each logical number accessible to the host; means for receiving a request, including as parameters one input logical device and input cluster group, to add the input logical device to the input cluster group; means for determining whether the input logical device is accessible to all hosts; and means for updating the host map for each host in one host list that is not assigned to the input cluster group to indicate that the input logical device is not accessible if the input logical device is accessible to all hosts. 11. The system of claim 10, wherein a logical device is only capable of being a member assigned to one cluster group. 12. The system of claim 10, further comprising: means for receiving an access request including as parameters one input logical number from one host; means for determining whether the host is capable of accessing one logical device associated with the input logical number; and means for permitting the host access to the logical device associated with the input logical number if there is a logical device associated with the input logical number. 13. The system of claim 10, further comprising: means for updating the host map for each host that is assigned to the input cluster group to indicate that
연구과제 타임라인
LOADING...
LOADING...
LOADING...
LOADING...
LOADING...
이 특허에 인용된 특허 (51)
Davis Derek L., Apparatus and method for a vetted field upgrade.
Bealkowski Richard (Delray Beach FL) Blackledge ; Jr. John W. (Boca Raton FL) Cronk Doyle S. (Boca Raton FL) Dayan Richard A. (Boca Raton FL) Dixon Jerry D. (Boca Raton FL) Kinnear Scott G. (Boca Rat, Apparatus and method for preventing unauthorized access to BIOS in a personal computer system.
Barnett Philip C.,GBX, Memory management method and apparatus for partitioning homogeneous memory and restricting access of installed applications to predetermined memory ranges.
Harold L. McFarland ; David R. Stiles ; Korbin S. Van Dyke ; Shrenik Mehta ; John Gregory Favor ; Dale R. Greenley ; Robert A. Cargnoni, Method and apparatus for debugging an integrated circuit.
Kahle James Allan ; Loper Albert J. ; Mallick Soummya ; Ogden Aubrey Deene ; Sell John Victor, Method and system for enhanced management operation utilizing intermixed user level and supervisory level instructions w.
Melo Michael D. (Billerica MA), Method for automatically transitioning from V86 mode to protected mode in a computer system using an Intel 80386 or 8048.
Eugene Feng ; Gary Phillips, Microcontroller system having allocation circuitry to selectively allocate and/or hide portions of a program memory address space.
Grimmer ; Jr. George G. ; Rhoades Michael W., Microcontroller with security logic circuit which prevents reading of internal memory by external program.
Browne Hendrik A., Secure computer system and method of providing secure access to a computer system including a stand alone switch operable to inhibit data corruption on a storage device.
Hudson Jerome D. ; Champagne Jean-Paul,FRX ; Galindo Mary A. ; Hickerson Cynthia M. K. ; Hickman Donna R. ; Lockhart Robert P. ; Saddler Nancy B. ; Stange Patricia A., System and method for accessing enterprise-wide resources by presenting to the resource a temporary credential.
Nardone Joseph M. ; Mangold Richard P. ; Pfotenhauer Jody L. ; Shippy Keith L. ; Aucsmith David W. ; Maliszewski Richard L. ; Graunke Gary L., Tamper resistant methods and apparatus.
Nardone Joseph M. ; Mangold Richard T. ; Pfotenhauer Jody L. ; Shippy Keith L. ; Aucsmith David W. ; Maliszewski Richard L. ; Graunke Gary L., Tamper resistant methods and apparatus.
Nardone Joseph M. ; Mangold Richard P. ; Pfotenhauer Jody L. ; Shippy Keith L. ; Aucsmith David W. ; Maliszewski Richard L. ; Graunke Gary L., Tamper resistant player for scrambled contents.
Robinson, Scott H.; Espinosa, Gustavo P.; Bennett, Steven M., Accessing private data about the state of a data processing machine from storage that is publicly accessible.
Robinson, Scott H.; Espinosa, Gustavo P.; Bennett, Steven M., Accessing private data about the state of a data processing machine from storage that is publicly accessible.
Robinson, Scott H.; Espinosa, Gustavo P.; Bennett, Steven M., Accessing private data about the state of a data processing machine from storage that is publicly accessible.
Johnson, Richard C.; Morgan, Andrew; Anvin, H. Peter; Torvalds, Linus, Architecture, system, and method for operating on encrypted and/or hidden information.
Johnson, Richard C.; Morgan, Andrew; Anvin, H. Peter; Torvalds, Linus, Architecture, system, and method for operating on encrypted and/or hidden information.
Jeyasingh,Stalinselvaraj; Anderson,Andrew V.; Bennett,Steven M.; Cota Robles,Erik; Kagi,Alain; Neiger,Gilbert; Uhlig,Richard, Chipset support for managing hardware interrupts in a virtual machine system.
Jeyasingh,Stalinselvaraj; Anderson,Andrew V.; Bennett,Steven M.; Cota Robles,Erik; Kagi,Alain; Neiger,Gilbert; Uhlig,Richard, Chipset support for managing hardware interrupts in a virtual machine system.
Bennett,Steve; Anderson,Andrew V.; Jeyasingh,Stalinselvaraj; Kagi,Alain; Neiger,Gilbert; Uhlig,Richard; Zou,Xiang; Kozuch,Michael A., Control over faults occurring during the operation of guest software in the virtual-machine architecture.
Ellison, Carl M.; Golliver, Roger A.; Herbert, Howard C.; Lin, Derrick C.; McKeen, Francis X.; Neiger, Gilbert; Reneris, Ken; Sutton, James A.; Thakkar, Shreekant S.; Mittal, Millind, Controlling access to multiple memory zones in an isolated execution environment.
Ellison, Carl M.; Golliver, Roger A.; Herbert, Howard C.; Lin, Derrick C.; McKeen, Francis X.; Neiger, Gilbert; Reneris, Ken; Sutton, James A.; Thakkar, Shreekant S.; Mittal, Millind, Generating a key hieararchy for use in an isolated execution environment.
Ellison, Carl M.; Golliver, Roger A.; Herbert, Howard C.; Lin, Derrick C.; McKeen, Francis X.; Neiger, Gilbert; Reneris, Ken; Sutton, James A.; Thakkar, Shreekant S.; Mittal, Milland, Managing a secure platform using a hierarchical executive architecture in isolated execution mode.
Bennett,Steven M.; Cota Robles,Erik; Jeyasingh,Stalinselvaraj; Neiger,Gilbert; Uhlig,Richard, Mechanism to control hardware interrupt acknowledgement in a virtual machine system.
McKeen, Francis X.; Smith, Lawrence O.; Chaffin, Benjamin Crawford; Cornaby, Michael P.; Bigbee, Bryant, Mechanism to handle events in a machine with isolated execution.
McKeen, Francis X.; Smith, Lawrence O.; Chaffin, Benjamin Crawford; Cornaby, Michael P.; Bigbee, Bryant, Mechanism to handle events in a machine with isolated execution.
McKeen, Francis X.; Smith, Lawrence O.; Chaffin, Benjamin Crawford; Cornaby, Michael P.; Bigbee, Bryant, Mechanism to handle events in a machine with isolated execution.
Brickell, Ernest; Graunke, Gary; Stevens, William A.; Vembu, Balaji, Method and apparatus for authenticated, recoverable key distribution with no database secrets.
Bennett, Steven M.; Anderson, Andrew V.; Cota Robles, Erik; Jeyasingh, Stalinselvaraj; Kagi, Alain; Neiger, Gilbert; Uhlig, Richard, Method and apparatus for facilitating recognition of an open event window during operation of guest software in a virtual machine environment.
Bennett, Steven M.; Anderson, Andrew V.; Cota-Robles, Erik; Jeyasingh, Stalinselvaraj; Kagi, Alain; Neiger, Gilbert; Uhlig, Richard, Method and apparatus for facilitating recognition of an open event window during operation of guest software in a virtual machine environment.
Zeng, Thomas; Touzni, Azzedine; Tzeng, Tzung Ren; Bostley, Phil J., Method and apparatus for preventing unauthorized access to contents of a register under certain conditions when performing a hardware table walk (HWTW).
Ellison, Carl M.; Golliver, Roger A.; Herbert, Howard C.; Lin, Derrick C.; McKeen, Francis X.; Neiger, Gilbert; Reneris, Ken; Sutton, James A.; Thakkar, Shreekant S.; Mittal, Millind, Method and system for scrubbing an isolated area of memory after reset of a processor operating in isolated execution mode if a cleanup flag is set.
Neiger,Gilbert; Chou,Stephen; Cota Robles,Erik; Jevasingh,Stalinselvaraj; Kagi,Alain; Kozuch,Michael; Uhlig,Richard; Schoenberg,Sebastian, Method for resolving address space conflicts between a virtual machine monitor and a guest operating system.
Neiger,Gilbert; Chou,Stephen; Cota Robles,Erik; Jeyasingh,Stalinselvaraj; Kagi,Alain; Kozuch,Michael; Uhlig,Richard; Schoenberg,Sebastian, Method for resolving address space conflicts between a virtual machine monitor and a guest operating system.
Neiger, Gilbert; Chou, Stephen; Cota-Robles, Erik; Jeyasingh, Stalinselvaraj; Kagi, Alain; Kozuch, Michael; Uhlig, Richard, Processor mode for limiting the operation of guest software running on a virtual machine supported by a virtual machine monitor.
Bennett,Steven M.; Anderson,Andrew V.; Cota Robles,Erik; Jeyasingh,Stalinselvaraj; K��gi,Alain; Neiger,Gilbert; Uhlig,Richard; Mondal,Sanjoy K.; Brandt,Jason, Providing support for single stepping a virtual machine in a virtual machine environment.
Uhlig,Richard; Neiger,Gilbert; Cota Robles,Erik; Jeyasingh,Stalinselvaraj; Kagi,Alain; Kozuch,Michael; Bennett,Steven M, Reclaiming existing fields in address translation data structures to extend control over memory accesses.
Ellison, Carl M.; Golliver, Roger A.; Herbert, Howard C.; Lin, Derrick C.; McKeen, Francis X.; Neiger, Gilbert; Sutton, James A.; Thakkar, Shreekant S.; Mittal, Millind; Reneris, Ken, Resetting a processor in an isolated execution environment.
Neiger,Gilbert; Anderson,Andrew V.; Bennett,Steven M.; Brandt,Jason; Cota Robles,Erik; Jeyasingh,Stalinselvaraj; K채gi,Alain; Mondal,Sanjoy K.; Parthasarathy,Rajesh; Rodgers,Dion; Smith,Lawrence O.; Uhlig,Richard A., Support for nested fault in a virtual machine environment.
Cota Robles,Erik C.; Campbell,Randolph L.; Hall,Clifford D.; Neiger,Gilbert; Uhlig,Richard A., System and method for binding virtual machines to hardware contexts.
Neiger, Gilbert; Bennett, Steven M.; Cota-Robles, Erik; Schoenberg, Sebastian; Hall, Clifford D.; Rodgers, Dion; Smith, Lawrence O.; Anderson, Andrew V.; Uhlig, Richard A.; Kozuch, Michael; Glew, Andy, System and method for controlling switching between VMM and VM using enabling value of VMM timer indicator and VMM timer value having a specified time.
Cota Robles,Erik; Schoenberg,Sebastian; Jeyasingh,Stalinselvaraj; Kagi,Alain; Kozuch,Michael; Neiger,Gilbert; Uhlig,Richard, Tracking operating system process and thread execution and virtual machine execution in hardware or in a virtual machine monitor.
Bennett,Steven M.; Anderson,Andrew V.; Jeyasingh,Stalinselvaraj; Kagi,Alain; Neiger,Gilbert; Uhlig,Richard; Kozuch,Michael; Smith,Lawrence; Rodgers,Scott, Vectoring an interrupt or exception upon resuming operation of a virtual machine.
※ AI-Helper는 부적절한 답변을 할 수 있습니다.