Memory regions may be protected based on occurrence of an event in a computing device. Subsystems of the computing device may store information in a memory controller identifying memory regions to be erased upon occurrence of an event, such as a system or subsystem crash. The memory controller may control erasing the memory regions in response to an indication associated with the event. A memory dump may be performed after the memory regions have been erased.

Encryption of a BIOS using a programmable logic device (PLD) is described. A PLD may include a static random-access memory area including programmable logic in a Lookup Table to receive a request to authenticate a basic input/output system (BIOS) executing on a processor coupled to the PLD. The PLD may calculate a hash value of a message associated with the BIOS using a Secure Hash Algorithm (SHA). The PLD may also include a random-access memory area including a first embedded random access memory block (EBR) to store a first portion of a 256-bit message digest associated with the message, a fifth portion of the 256-bit message digest, and second, third, fourth, sixth, seventh, and eighth EBRs to store second, third, fourth, sixth, seventh, and eighth portions of the 256-bit message digest, respectively.

In one example in accordance with the present disclosure, a method may include retrieving, at a memory management unit (MMU), encrypted data from a memory via direct memory access and determining, at the MMU, a peripheral that is the intended recipient of the encrypted data. The method may also include accessing an application key used for transmission between an application and the peripheral, wherein the application key originates from the application and decrypting, at the MMU, the encrypted data using the application key and transmitting the decrypted data to the peripheral.

Encrypted memory access using page table attributes is disclosed. One example is a memory system including a memory controller at a memory interface. The memory controller includes an encryptor to control a plurality of memory access keys respectively associated with memory regions, where each memory region is allocated to a respective client, and an access manager to receive an access request from a client, the access request including a client access key to access a memory element. The access manager looks up a memory access key from a page table attribute associated with a physical address of the memory element, and determines if the access request is valid by comparing the client access key with the memory access key associated with the memory region that includes the memory element. Based on the determination and a mode of operation, the access manager provides a response to the access request.

Systems and methods for implementing access control by systems-on-chip (SoCs). An example SoC may comprise an access control unit employed to: receive a message comprising an access control data item; validate the message using a value of a message digest function of contents of the message and a value of a state variable reflecting a state of communications between the access control unit and a programming agent that has initiated the message, wherein the value of the state variable is derived from a previous value of the message digest function calculated within a current communication session between the access control unit and the programming agent; update the state variable using the value of the message digest function of the contents of the message; and control, using the access control data item, access by an initiator device to a target device.

Embodiments are generally directed apparatuses, methods, techniques and so forth to select two or more processing units of the plurality of processing units to process a workload, and configure a circuit switch to link the two or more processing units to process the workload, the two or more processing units each linked to each other via paths of communication and the circuit switch.

Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.

System and techniques for multi-tenant cryptographic memory isolation are described herein. A multiple key total memory encryption (MKTME) circuitry may receive a read request for encrypted memory. Here, the read request may include an encrypted memory address that itself includes a sequence of keyid bits and physical address bits. The MKTME circuitry may retrieve a keyid-nonce from a key table using the keyid bits. The MKTME circuitry may construct a tweak from the keyid-nonce, the keyid bits, and the physical address bits. The MKTME circuitry may then decrypt data specified by the read request using the tweak and a common key.

Devices and techniques are disclosed herein for verifying host generated physical addresses at a memory device during a host-resident FTL mode of operation to ameliorate erroneous or potentially malicious access to the memory device.

A replaceable item for a host device includes a non-volatile memory and logic. The non-volatile memory stores passwords or authentication values, and/or a cryptographic key. The logic permits retrieval of a predetermined maximum number of the passwords from the non-volatile memory to authenticate the replaceable item within the host device. The predetermined maximum number of the passwords is less than the total number of the passwords.