G06F2212/151

Access optimization in aggregated and virtualized solid state drives

A solid state drive having a drive aggregator and multiple component solid state drives. Different component solid state drives in the solid state drive are configured with different optimizations of memory/storage operations. An address map in the solid state drive is used by the drive aggregator to host different namespaces in the component solid state drives based on the optimization requirements of the namespaces and on the optimizations of memory operations that have been implemented in the component solid state drives.

System-on-chip performing address translation and operating method thereof

An operating method of a system-on-chip includes outputting a prefetch command in response to an update of mapping information on a first read target address, the update occurring in a first translation lookaside buffer storing first mapping information of a second address with respect to a first address, and storing, in response to the prefetch command, in a second translation lookaside buffer, second mapping information of a third address with respect to at least some second addresses of an address block including a second read target address.

Processors, methods, systems, and instructions to protect shadow stacks

A processor of an aspect includes a decode unit to decode an instruction. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the instruction, is to determine that an attempted change due to the instruction, to a shadow stack pointer of a shadow stack, would cause the shadow stack pointer to exceed an allowed range. The execution unit is also to take an exception in response to determining that the attempted change to the shadow stack pointer would cause the shadow stack pointer to exceed the allowed range. Other processors, methods, systems, and instructions are disclosed.

Virtualization-based platform protection technology

A data processing system (DPS) uses platform protection technology (PPT) to protect some or all of the code and data belonging to certain software modules. The PPT may include a virtual machine monitor (VMM) to enable an untrusted application and a trusted application to run on top of a single operating system (OS), while preventing the untrusted application from accessing memory used by the trusted application. The VMM may use a first extended page table (EPT) to translate a guest physical address (GPA) into a first host physical address (HPA) for the untrusted application. The VMM may use a second EPT to translate the GPA into a second HPA for the trusted application. The first and second EPTs may map the same GPA to different HPAs. Other embodiments are described and claimed.

Method and apparatus for monitoring memory access behavior of sample process
11467977 · 2022-10-11

A method for monitoring memory access behavior of a sample process is provided. A processing unit of a computer device determines a page table of the sample process based on a page directory base address of the sample process, where each entry of the page table includes first information, the first information indicates whether the entry has been assigned a guest physical address, the entry that has been assigned the guest physical address includes second information that is used to indicate an access permission of the assigned guest physical address; determines a target entry from the page table, the target entry has been assigned a guest physical address, and an access permission is execution allowed; determines a target host physical address corresponding to the target guest physical address that is assigned to the target entry; and monitors behavior of accessing memory space indicated by the target host physical address.

Technologies for controlling memory access transactions received from one or more I/O devices

Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.

Memory encryption for virtual machines by hypervisor-controlled firmware
11604673 · 2023-03-14

Systems and methods for encryption support for virtual machines. An example method may comprise initializing, by a firmware module associated with a virtual machine running on a host computer system, an exclusion range register associated with the virtual machine with a value specifying a first portion of guest memory, wherein the first portion of the guest memory comprises an exclusion range marked as reserved; encrypting, by the firmware using an ephemeral encryption key, a second portion of the guest memory; booting, by a hypervisor of the host computer system, the virtual machine; and responsive to intercepting, by the hypervisor, a privileged instruction executed by the virtual machine, performing at least one of: copying data for performing the privileged instruction to the first portion of the guest memory or copying data for performing the privileged instruction from the first portion of the guest memory.

APERTURE ACCESS PROCESSORS, METHODS, SYSTEMS, AND INSTRUCTIONS

A processor of an aspect includes a decode unit to decode an aperture access instruction, and an execution unit coupled with the decode unit. The execution unit, in response to the aperture access instruction, is to read a host physical memory address, which is to be associated with an aperture that is to be in system memory, from an access protected structure, and access data within the aperture at a host physical memory address that is not to be obtained through address translation. Other processors are also disclosed, as are methods, systems, and machine-readable media storing aperture access instructions.

Domain register for instructions being executed in computer processors
11620239 · 2023-04-04

Systems, apparatuses, and methods related to a domain register of a processor in a computer system are described. The computer system has a memory configured to at least store instructions of routines that are classified in multiple predefined, non-hierarchical domains. The processor stores in the domain register an identifier of a current domain of a routine that is being executed in the processor. The processor is configured to perform security operations based on the content of the domain register and the security settings specified respectively for the predefined, non-hierarchical domains.

PROCESSOR SUPPORTING TRANSLATION LOOKASIDE BUFFER (TLB) MODIFICATION INSTRUCTION FOR UPDATING HARDWARE-MANAGED TLB AND RELATED METHODS

A processor supporting a translation lookaside buffer (TLB) modification instruction for updating a hardware-managed TLB is disclosed. A page table (PT) entry (PTE) corresponding to a virtual memory address is identified by a PT walking circuit walking the PT and a corresponding TLB entry is created. An execution circuit in the processor executes a TLB modification instruction to cause the TLB entry corresponding to the virtual memory address to be updated based on an update to the PT mapping information in the PTE corresponding to the virtual memory address. In one example, a portion of the PT mapping information in a PTE corresponding to a virtual memory address is stored in a TLB mapping information in a TLB entry corresponding to the virtual memory address in response to the TLB modification instruction being executed by the execution circuit without invalidating the TLB entry.