Patent classifications
G06F2212/651
TRANSLATION LOOKASIDE BUFFER INVALIDATION
A type of translation lookaside buffer (TLB) invalidation instruction is described which specifically targets a first type of TLB that stores combined stage-1-and-2 entries, which depend on both the stage 1 translation data and the stage 2 translation data, and which is configured to ignore a TLB invalidation command that invalidates based on a first set of one or more invalidation conditions including an address-based invalidation condition depending on matching of an intermediate address. A second type of TLB other than the first type ignores the invalidation command triggered by the first type of TLB invalidation instruction. This approach helps to limit the performance impact of stage 2 invalidations in systems supporting a combined stage-1-and-2 TLB which cannot invalidate by intermediate address.
VIRTUAL MACHINE MEMORY SNAPSHOTS IN PERSISTENT MEMORY
Various embodiments set forth techniques for taking a snapshot of virtual memory of a virtual machine. One technique includes allocating, in a persistent memory, one or more blocks associated with a virtual memory, annotating a first portion of the virtual memory for copying in a first pass, copying the first portion into the one or more blocks in the persistent memory in the first pass, receiving a write request associated with the first portion, and in response to receiving the write request: applying the write request to the first portion and annotating the first portion for copying in a second pass subsequent to the first pass.
Memory array page table walk
An example memory array page table walk can include using an array of memory cells configured to store a page table. The page table walk can include using sensing circuitry coupled to the array. The page table walk can include using a controller coupled to the array. The controller can be configured to operate the sensing circuitry to determine a physical address of a portion of data by accessing the page table in the array of memory cells. The controller can be configured to operate the sensing circuitry to cause storing of the portion of data in a buffer.
System-on-chip performing address translation and operating method thereof
An operating method of a system-on-chip includes outputting a prefetch command in response to an update of mapping information on a first read target address, the update occurring in a first translation lookaside buffer storing first mapping information of a second address with respect to a first address, and storing, in response to the prefetch command, in a second translation lookaside buffer, second mapping information of a third address with respect to at least some second addresses of an address block including a second read target address.
Processors, methods, systems, and instructions to protect shadow stacks
A processor of an aspect includes a decode unit to decode an instruction. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the instruction, is to determine that an attempted change due to the instruction, to a shadow stack pointer of a shadow stack, would cause the shadow stack pointer to exceed an allowed range. The execution unit is also to take an exception in response to determining that the attempted change to the shadow stack pointer would cause the shadow stack pointer to exceed the allowed range. Other processors, methods, systems, and instructions are disclosed.
Virtualization-based platform protection technology
A data processing system (DPS) uses platform protection technology (PPT) to protect some or all of the code and data belonging to certain software modules. The PPT may include a virtual machine monitor (VMM) to enable an untrusted application and a trusted application to run on top of a single operating system (OS), while preventing the untrusted application from accessing memory used by the trusted application. The VMM may use a first extended page table (EPT) to translate a guest physical address (GPA) into a first host physical address (HPA) for the untrusted application. The VMM may use a second EPT to translate the GPA into a second HPA for the trusted application. The first and second EPTs may map the same GPA to different HPAs. Other embodiments are described and claimed.
Technologies for controlling memory access transactions received from one or more I/O devices
Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.
COMPUTER SYSTEM AND METHOD USING A FIRST PAGE TABLE AND A SECOND PAGE TABLE
A computer system includes a physical memory having a first page table and a second page table, and an address translation module. The first page table includes primary page table entries, where each page table entry among the primary page table entries is configured to store a mapping of a virtual memory address to a physical memory address and auxiliary information. The second page table includes secondary page table entries each storing at least one further item of auxiliary information, where each secondary page table entry corresponds to a primary page table entry in the first page table. The address translation module is configured to, in response to receiving a request from a processor, walk through the first page table to identify a primary page table entry and subsequently identify a location of a corresponding secondary page table entry based on a location of the primary page table entry.
Memory encryption for virtual machines by hypervisor-controlled firmware
Systems and methods for encryption support for virtual machines. An example method may comprise initializing, by a firmware module associated with a virtual machine running on a host computer system, an exclusion range register associated with the virtual machine with a value specifying a first portion of guest memory, wherein the first portion of the guest memory comprises an exclusion range marked as reserved; encrypting, by the firmware using an ephemeral encryption key, a second portion of the guest memory; booting, by a hypervisor of the host computer system, the virtual machine; and responsive to intercepting, by the hypervisor, a privileged instruction executed by the virtual machine, performing at least one of: copying data for performing the privileged instruction to the first portion of the guest memory or copying data for performing the privileged instruction from the first portion of the guest memory.
Fine-grained access memory controller
Systems and methods are provided to perform fine-grained memory accesses using a memory controller. The memory controller can access elements stored in memory across multiple dimensions of a matrix. The memory controller can perform accesses to non-contiguous memory locations by skipping zero or more elements across any dimension of the matrix.