Patent classifications
G06F2212/151
Techniques to decrease a live migration time for a virtual machine
Examples may include techniques to decrease a live migration time for a virtual machine (VM). Examples include selecting data to copy or not copy during a live migration of the VM from a source host server to a destination host server.
APPARATUS AND METHOD FOR EFFICIENT PROCESS-BASED COMPARTMENTALIZATION
An apparatus and method for efficient process-based compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data; memory management circuitry coupled to the execution circuitry, the memory management circuitry to manage access to a system memory by a plurality of related processes using one or more process-specific translation structures and one or more shared translation structures to be shared by the related processes; and one or more control registers to store a process-specific base address pointer associated with a first process of the plurality of related processes and to store a shared base address pointer to identify the shared translation structures; wherein the memory management circuitry is to use the process-specific base address pointer in combination with a first linear address provided by the first process to walk the process-specific translation structures to identify any permissions and/or physical address associated with the first linear address, wherein if permissions are identified, the memory management circuitry is to use the permissions in place of any permissions specified in the shared translation structures.
Process-based multi-key total memory encryption
Systems, methods, and circuitries are disclosed for a per-process memory encryption system. At least one translation lookaside buffer (TLB) is configured to encode key identifiers for keys in one or more bits of either the virtual memory address or the physical address. The process state memory is configured to store a first process key table for a first process that maps key identifiers to unique keys and a second process key table that maps the same key identifiers to different unique keys. The active process key table memory is configured to store an active key table. In response to a request for data corresponding to a virtual memory address, the at least one TLB is configured to provide the key identifier for the data to the active process key table, which returns the unique key mapped to that key identifier.
Faster computer memory access by reducing SLAT fragmentation
To increase the speed with which a Second Layer Address Table (SLAT) is traversed, memory having the same access permissions is contiguously arranged such that one or more hierarchical levels of the SLAT need not be referenced, thereby resulting in more efficient SLAT traversal. “Slabs” of memory are established whose memory range is sufficiently large that reference to a hierarchically lower level table can be skipped and a hierarchically higher level table's entries can directly identify relevant memory addresses. Such slabs are aligned to avoid smaller intermediate memory ranges. The loading of code or data into memory is performed based on a next available memory location within a slab having equivalent access permissions, or, if such a slab is not available, or if an existing slab does not have a sufficient quantity of available memory remaining, a new slab with the proper access permissions is established.
VIRTUALIZATION-BASED PLATFORM PROTECTION TECHNOLOGY
A data processing system (DPS) uses platform protection technology (PPT) to protect some or all of the code and data belonging to certain software modules. The PPT may include a virtual machine monitor (VMM) to enable an untrusted application and a trusted application to run on top of a single operating system (OS), while preventing the untrusted application from accessing memory used by the trusted application. The VMM may use a first extended page table (EPT) to translate a guest physical address (GPA) into a first host physical address (HPA) for the untrusted application. The VMM may use a second EPT to translate the GPA into a second HPA for the trusted application. The first and second EPTs may map the same GPA to different HPAs. Other embodiments are described and claimed.
Address translation data invalidation
A data processing system (2) including one or more translation buffers (16, 18, 20) storing address translation data executes translation buffer invalidation instructions TLBI within respective address translation contexts VMID, ASID, X. Translation buffer invalidation signals generated as a consequence of executing the translation buffer invalidation instructions are broadcast to the respective translation buffers and include signals which specify the address translation context of the translation buffer invalidation instruction that was executed. The address translation context specified within the translation buffer invalidation signals is used to gate whether a receiving translation buffer, being a potential target of the invalidation, is flushed. The address translation context data provided within the translation buffer invalidation signals may also be used to control whether local memory transactions of a local transactional memory access are aborted upon receipt of the translation buffer invalidation signals.
SUPPORT FOR ENCRYPTED MEMORY IN NESTED VIRTUAL MACHINES
A method includes receiving a memory access request comprising a first memory address and translating the first memory address to a second memory address using a first page table associated with a first virtual machine. The first page table indicates whether the memory of the first virtual machine is encrypted. The method further includes determining that the first virtual machine is nested within a second virtual machine and translating the second memory address to a third memory address using a second page table associated with the second virtual machine. The second page table indicates whether the memory of the second virtual machine is encrypted.
HOST ADDRESS SPACE IDENTIFIER FOR NON-UNIFORM MEMORY ACCESS LOCALITY IN VIRTUAL MACHINES
Aspects of the disclosure provide for implementing host address space identifiers for non-uniform memory access (NUMA) locality in virtual machines. A method of the disclosure includes determining, by a virtual machine (VM), that a guest memory page is to be moved from a first virtual NUMA node of the VM to a second virtual NUMA node of the VM. The method also includes updating one or more designated bits of the guest physical address (GPA) of the memory page to include a host address space identifier (HASID) of the second virtual NUMA node, where the guest page table maps the GPA of the memory page to a corresponding guest virtual address (GVA) of the VM and where the HASID associates the GPA of the memory page with a corresponding virtual NUMA node locality, and accessing, by the VM, the updated GPA.
SPARSE MEMORY HANDLING IN POOLED MEMORY
A network processing device identifies a first request to access a line of memory in a remote memory resource and determines, based on the address of the line of memory, that the line of memory is associated with a sparse region in a memory pool. The address is provided as an input to a probabilistic data structure, where the probabilistic data structure is to generate a result to identify whether the line of memory includes a common data pattern. The network processing device returns the common data pattern as a response to the first request if the result of the probabilistic data structure indicates that the first line of memory includes the common data pattern.