Embodiments of techniques and systems for increasing efficiencies in computing systems using virtual memory are described. In embodiments, instructions which are located in two memory pages in a virtual memory system, such that one of the pages does not permit execution of the instructions located therein, are identified and then executed under temporary permissions that permit execution of the identified instructions. In various embodiments, the temporary permissions may come from modified virtual memory page tables, temporary virtual memory page tables which allow for execution, and/or emulators which have root access. In embodiments, per-core virtual memory page tables may be provided to allow two cores of a computer processor to operate in accordance with different memory access permissions. In embodiments, a physical page permission table may be utilized to provide for maintenance and tracking of per-physical-page memory access permissions. Other embodiments may be described and claimed.

In an example embodiment, a hardware mechanism for protecting user-level software from privileged system software is leveraged to protect in-memory databases in container implementations in a cloud. This hardware mechanism takes the form of an enclave. An enclave is a portion of a CPU that shields application code and data from accesses by other software, including higher-privileged software. Memory pages belonging to an enclave reside in the enclave page cache (EPC), which cannot be accessed by code outside of the enclave. This helps ensure that (1) applications built on top of in-memory database are securely trusted, (2) and a trusted path architecture is provided for enclaves allowing in-memory databases to run securely on top of untrusted cloud platform.

Address translation circuitry (16) translates a virtual address specified by a memory access request issued by requester circuitry into a target physical address (PA). Requester-side filtering circuitry (20) performs a granule protection lookup based on the target PA and a selected physical address space (PAS) associated with the memory access request, to determine whether to allow the memory access request to be passed to a cache or interconnect. In the granule protection lookup, the requester-side filtering circuitry obtains granule protection information corresponding to a target granule of physical addresses including the target PA, which indicates at least one allowed PAS associated with the target granule, and blocks the memory access request when the granule protection information indicates that the selected PAS is not an allowed PAS.

Techniques for providing secure erase of data stored on a storage device may be provided. For example, a storage device comprising a first layer of firmware that is configured to receive access requests for data stored on a storage device may be in communication with a second layer of firmware. The second layer of firmware may be configured to receive, from the first layer of firmware, a request to erase a portion of the data stored on the storage device and verify the first layer of firmware before processing the erase request. In an embodiment, upon verifying the first layer of firmware, the second layer of firmware may block subsequent read requests for one or more physical blocks of the storage device that correspond to the portion of the data indicated in the erase request.

A management system for managing a cache memory including a randomization module configured for generating a random value for each process of accessing the cache memory, and for transforming addresses of the cache memory with said random value into randomized addresses, a history table configured to store therein on each line an identification pair associating a random value corresponding to an access process, with an identifier of the corresponding access process, so forming identification pairs that are operative to dynamically partition the cache memory while registering the access to the cache memory, and a state machine configured to manage each process of accessing the cache memory according to the identification pairs stored in the history table.

Embodiments are provided for protecting boot block space in a memory device. Such a memory device may include a memory array having a protected portion and a serial interface controller. The memory device may have a register that enables or disables access to the portion when data indicating whether to enable or disable access to the portion is written into the register via a serial data in (SI) input.

A realm management unit (RMU) maintains an ownership table specifying ownership entries for corresponding memory regions defining ownership attributes specifying, from among a plurality of realms, an owner realm of the corresponding region. Each realm corresponds to at least a portion of at least one software process. The owner realm has a right to exclude other realms from accessing data stored in the corresponding region. Memory access is controlled based on the ownership table. In response to a region fuse command specifying a fuse target address indicative contiguous regions of memory to be fused into a fused group of regions, a region fuse operation updates the ownership table to indicate that the ownership attributes for the fused group of regions are represented by a single ownership entry. This provides architectural support for enabling improvement of TLB performance.

Provided is a method for optimising memory writing in a device implementing a cryptography module and a client module calling functions implemented by the cryptography module. The device includes a random access memory including a first memory zone that is secured and dedicated to the cryptography module and a second memory zone dedicated to the client module. When the client module calls a series of functions implemented by the cryptography module including a first function and at least one second function, with each second function executed following the first function or from a further second function and providing a runtime result added to a runtime result of the preceding series function, each runtime result is added to a value contained in a buffer memory allocated in the first memory. The buffer memory value is copied to the second memory zone following the execution of the last function of the series.

Methods, systems, and devices for error correction management are described. A system may include a memory device that supports internal detection and correction of corrupted data, and whether such detection and correction functionality is operating properly may be evaluated. A known error may be included (e.g., intentionally introduced) into either data stored at the memory device or an associated error correction codeword, among other options, and data or other indications subsequently generated by the memory device may be evaluated for correctness in view of the error. Thus, either the memory device or a host device coupled with the memory device, among other devices, may determine whether error detection and correction functionality internal to the memory device is operating properly.

Requester circuitry 4 issues an access request specifying a target physical address (PA) and a target physical address space (PAS) identifier identifying a target PAS. Prior to a point of physical aliasing (PoPA), a pre-PoPA memory system component 24, 8 treats aliasing PAs from different PASs which actually correspond to the same memory system resource as if they correspond to different memory system resources. A post-PoPA memory system component 6 treats the aliasing PAs as referring to the same memory system resource. When the target PA and target PAS of a read-if-hit-pre-PoPA request hit in a pre-PoPA cache 24, a data response is returned to the requester circuitry 4. If the read-if-hit-pre-PoPA request misses in the pre-PoPA cache 24, a no-data response is returned. The read-if-hit-pre-PoPA request is safe to issue speculatively while waiting for security checks to be performed, improving performance.