A data processing system (DPS) uses platform protection technology (PPT) to protect some or all of the code and data belonging to certain software modules. The PPT may include a virtual machine monitor (VMM) to enable an untrusted application and a trusted application to run on top of a single operating system (OS), while preventing the untrusted application from accessing memory used by the trusted application. The VMM may use a first extended page table (EPT) to translate a guest physical address (GPA) into a first host physical address (HPA) for the untrusted application. The VMM may use a second EPT to translate the GPA into a second HPA for the trusted application. The first and second EPTs may map the same GPA to different HPAs. Other embodiments are described and claimed.

A method includes receiving a memory access request comprising a first memory address and translating the first memory address to a second memory address using a first page table associated with the first virtual machine. The first page table indicates whether the memory of the first virtual machine is encrypted. The method further includes determining that the first virtual machine is nested within a second virtual machine and translating the second memory address to a third memory address using a second page table associated with the second virtual machine. The second page table indicates whether the memory of the second virtual machine is encrypted.

A computing system includes a host and a storage device. The host includes a host memory, and the storage device includes a processor, a semiconductor memory device and a device memory which caches mapping information of the semiconductor memory device. In operation, the processor transmits to the host read data and mapping table entry information of a logical address region corresponding to the read data in response to a read request. The mapping table entry information is transmitted to the host based on features of the logical address region. Additionally, the host may transmit a read buffer request corresponding to the mapping table entry information to the storage device, and the storage device may transmit mapping information corresponding to the read buffer request to the host, which then stores the mapping information in the host memory.

An apparatus and method for managing different page tables for different privilege levels. For example, one embodiment of a processor comprises: a first control register to store a first base address associated with program code executed at a first privilege level; a second control register to store a second base address associated with program code executed at a second privilege level lower than the first privilege level; and address translation circuitry to identify a first base translation table using the first base address responsive to a first address translation request originating from the program code executed at the first privilege level and to identify a second base translation table using the second base address responsive to a second address translation request originating from the program code executed at the second privilege level.

Aspects of the disclosure provide for implementing host address space identifiers for non-uniform memory access (NUMA) locality in virtual machines. A method of the disclosure includes determining, by a virtual machine (VM), that a guest memory page is to be moved from a first virtual NUMA node of the VM to a second virtual NUMA node of the VM. The method also includes updating, one or more designated bits of a guest physical address (GPA) of the memory page to include a host address space identifier (HASID) of the second virtual NUMA node, where the guest page table maps the GPA of the memory page to a corresponding guest virtual address (GVA) of the VM and where the HASID associates the GPA of the memory page with a corresponding virtual NUMA node locality, and accessing by the VM, the updated GPA.

According to one or more embodiments of the present invention, a computer implemented method includes enabling, by a secure interface control of a computer system, a non-secure entity of the computer system to access a page of memory shared between the non-secure entity and a secure domain of the computer system based on the page being marked as non-secure with a secure storage protection indicator of the page being clear. The secure interface control can verify that the secure storage protection indicator of the page is clear prior to allowing the non-secure entity to access the page. The secure interface control can provide a secure entity of the secure domain with access to the page absent a check of the secure storage protection indicator of the page.

There is provided a data processing apparatus and method of data processing. The data processing apparatus comprises storage circuitry to store a hierarchy of page tables comprising an intermediate level page table. Each entry of the intermediate level page table comprises base address information of a next level page table and control information indicating whether an addressing function has been applied to reorder physical storage locations of entries of the next level page table. Address translation circuitry is provided to perform address translations in response to receipt of a virtual address by performing a lookup in a next level page table dependent on the base address information and a page table index from the virtual address. When the control information indicates that the addressing function has been applied, the lookup is performed at a modified storage location generated by applying the addressing function to the page table index.

A controller is provided. The controller creates a page table including page table entries including mapping information for translating a virtual address to a physical address. Each of the page table entries includes: a virtual page number, a physical frame number, valid information, and size information. The virtual page number is included in a virtual address, the physical frame number is included in a physical address, the valid information includes a first predetermined number of bits, and the size information includes a second predetermined number of bits. The first predetermined number of bits represents an address translation range in a page table entry or a number of page table entries to be grouped, and the size information represents a size indicated by each bit of the first predetermined number of bits.

A method of translating a virtual address into a physical memory address in an ARM System Memory Management Unit version 3 (SMMUv3) system includes searching a Configuration Cache memory for a matching tag that matches an associated tag upon receiving the virtual address and the associated tag, and extracting, in a single memory lookup cycle, a matching data field associated with the matching tag when the matching tag is found in the Configuration Cache memory. A matching data field of the Configuration Cache memory includes a matching Stream Table Entry (STE) and a matching Context Descriptor (CD), both associated with the matching tag. The Configuration Cache memory may be configured as a content-addressable memory. The method further includes storing entries associated with a multiple memory lookup cycle virtual address-to-physical address translation into the Configuration Cache memory, each of the entries including a tag, an associated STE and an associated CD.

Translating virtual addresses to second addresses by a memory controller local to one or more memory devices, wherein the memory controller is not local to a processor, a buffer for storing a plurality of Page Table Entries, or a Page Walk Cache for storing a plurality of page directory entries, the method including by the memory controller: receiving a page directory base and a plurality of memory offsets from the processor; reading a first level page directory entry using the page directory base and a first level memory offset; combining the second level offset and the first level page directory entry; reading a second level page directory entry using the first level page directory entry and the second level memory offset; sending to the processor the first level page directory entry or the second level page directory entry; and sending a page table entry to the processor.