A processor comprises a core, a cache, and a ZCM manager in communication with the core and the cache. In response to an access request from a first software component, wherein the access request involves a memory address within a cache line, the ZCM manager is to (a) compare an OTAG associated with the memory address against a first ITAG for the first software component, (b) if the OTAG matches the first ITAG, complete the access request, and (c) if the OTAG does not match the first ITAG, abort the access request. Also, in response to a send request from the first software component, the ZCM manager is to change the OTAG associated with the memory address to match a second ITAG for a second software component. Other embodiments are described and claimed.

An apparatus to facilitate data cache security is disclosed. The apparatus includes a cache memory to store data; and prefetch hardware to pre-fetch data to be stored in the cache memory, including a cache set monitor hardware to determine critical cache addresses to monitor to determine processes that retrieve data from the cache memory; and pattern monitor hardware to monitor cache access patterns to the critical cache addresses to detect potential side-channel cache attacks on the cache memory by an attacker process.

An access request is received. The access request comprises a physical page address corresponding to a primary memory block of a memory device, an input security key, and a logical page address corresponding to the physical page address. The input security key is provided as input to a (CAM) block that stores a plurality of security keys to verify that the input security key matches a stored security key. A location of the stored security key is checked to verify that it corresponds to the logical page address included in the access request based a predetermined mapping. Based on verifying that the stored security key corresponds to the logical page address included in the access request, the physical page address corresponding to the primary memory block is accessed.

A memory circuit includes: a memory configured to store a data unit and parity bits, the parity bits including data parity bits based on the data unit and write address parity bits based on a write address associated with the stored data unit; a write address port configured to receive the write address for the stored data unit; a first decoding circuit configured to determine when a data error exists based on the stored data unit and the data parity bits; a second decoding circuit configured to generate a decoded write address from a read address and the write address parity bits; and an error detecting circuit configured to determine when an address error exists based on a comparison of the decoded write address to the read address.

A method of encrypting data in a nonvolatile memory device (NVM) includes; programming data in selected memory cells, sensing the selected memory cells at a first time during a develop period to provide random data, sensing the selected memory cells at a second time during the develop period to provide main data, encrypting the main data using the random data to generate encrypted main data, and outputting the encrypted main data to an external circuit, wherein the randomness of the random data is based on a threshold voltage distribution of the selected memory cells.

A method for operating a computing device for a control unit of a motor vehicle. The computing device including a processor core, and is configured to control an exchange of data between a connectivity zone and a security zone. The security zone includes at least one component which is necessary to drive the vehicle and has an elevated relevance with regard to safety. The connectivity zone including at least one component whose operation requires communication outside of the vehicle but is not required to drive the vehicle and does not have an elevated relevance with regard to safety. At least one first program executable by the computing device is assigned to a non-trustworthy zone, and at least one further program is assigned to a trustworthy zone. The component of the connectivity zone is assigned to the non-trustworthy zone, and the component of the security zone being assigned to the trustworthy zone.

In examples there is a computing device comprising a processor, the processor having a memory management unit. The computing device also has a memory that stores instructions that, when executed by the processor, cause the memory management unit to receive a memory access instruction comprising a virtual memory address; translate the virtual memory address to a physical memory address of the memory, and obtain permission information associated with the physical memory address. Responsive to the permission information indicating that metadata is permitted to be associated with the physical memory address, a check is made of a metadata summary table stored in the physical memory to check whether metadata is compatible with the physical memory address. Responsive to the check being unsuccessful, a trap is sent to system software of the computing device in order to trigger dynamic allocation of physical memory for storing metadata associated with the physical memory address.

Systems and methods authenticate storage devices. In one implementation, a computer-implemented method is provided for authenticating a storage device. According to the method, a manifest that identifies a destination is receive. A transfer station reads a digital signature from the storage device. The digital signature is validated and, based on the validation of the digital signature, a transfer of one or more files from the storage device via the transfer station is authorized to the destination identified in the manifest.

Restricting peripheral device protocols in confidential compute architectures, the method including: receiving a first address translation request from a peripheral device supporting a first protocol, wherein the first protocol supports cache coherency between the peripheral device and a processor cache; determining that a confidential compute architecture is enabled; and providing, in response to the first address translation request, a response including an indication to the peripheral device to not use the first protocol.

A plurality of computing devices are communicatively coupled to each other via a network, and each of the plurality of computing devices is operably coupled to one or more of a plurality of storage devices. One or more of the computing devices and/or the storage devices may be used to rebuild data that may be lost due to a power failure.