G06F12/145

Less-secure processors, integrated circuits, wireless communications apparatus, methods for operation thereof, and methods for manufacturing thereof

An integrated circuit (122) includes an on-chip boot ROM (132) holding boot code, a non-volatile security identification element (140) having non-volatile information determining a less secure type or more secure type, and a processor (130). The processor (130) is coupled to the on-chip boot ROM (132) and to the non-volatile security identification element (140) to selectively execute boot code depending on the non-volatile information of the non-volatile security identification element (140). Other technology such as processors, methods of operation, processes of manufacture, wireless communications apparatus, and wireless handsets are also disclosed.

Memory access control
11573911 · 2023-02-07

Apparatus comprises a multi-threaded processing element to execute processing threads as one or more process groups each of one or more processing threads, each process group having a process group identifier unique amongst the one or more process groups and being associated by capability data with a respective memory address range in a virtual memory address space; and memory address translation circuitry to translate a virtual memory address to a physical memory address by a processing thread of one of the process groups; the memory address translation circuitry being configured to associate, with a translation of a given virtual memory address to a corresponding physical memory address, permission data defining one or more process group identifiers representing respective process groups permitted to access the given virtual memory address, and to inhibit access to the given virtual memory address in dependence on the capability data associated with the process group of the processing thread requesting the memory access and a detection of whether the permission data defines the process group identifier of the process group of the processing thread requesting the memory access.

MEMORY ASSISTED INLINE ENCRYPTION/DECRYPTION

Techniques for memory assisted inline encryption/decryption are described. An example includes an encryption data structure engine to provide a key, data, and a tweak to the encryption/decryption engine, wherein the encryption data structure engine is to: read an index value from an encryption data structure lookup data structure entry using an address, the entry to include the index value and a guest page physical address (GPPA); retrieve, based on the index value, an entry from the encryption data structure, the entry to include a logical block address (LBA) base, a key identifier, and at least one GPPA in a sequence of GPPAs; generate an LBA using the position of the GPPA from the encryption data structure lookup data structure entry in the sequence of GPPAs; and retrieve a key based on the key identifier, wherein the encryption engine is to encrypt data using the retrieved key and the generated LBA.

VIRTUALIZATION-BASED PLATFORM PROTECTION TECHNOLOGY

A data processing system (DPS) uses platform protection technology (PPT) to protect some or all of the code and data belonging to certain software modules. The PPT may include a virtual machine monitor (VMM) to enable an untrusted application and a trusted application to run on top of a single operating system (OS), while preventing the untrusted application from accessing memory used by the trusted application. The VMM may use a first extended page table (EPT) to translate a guest physical address (GPA) into a first host physical address (HPA) for the untrusted application. The VMM may use a second EPT to translate the GPA into a second HPA for the trusted application. The first and second EPTs may map the same GPA to different HPAs. Other embodiments are described and claimed.

Storage system and method for performing and authenticating write-protection thereof

In one embodiment, the method includes receiving, at a storage device, a request. The request includes a request message authentication code and write protect information. The write protect information includes at least one of start address information and length information. The start address information indicates a logical block address at which a memory area in a non-volatile memory of the storage device starts, and the length information indicates a length of the memory area. The method also includes generating, at the storage device, a message authentication code based on (1) at least one of the start address information and the length information, and (2) a key stored at the storage device; authenticating, at the storage device, the request based on the generated message authentication code and the request message authentication code; and processing, at the storage device, the request based on a result of the authenticating.

DEVICE AND METHOD OF SECURE DECRYPTION BY VIRTUALIZATION AND TRANSLATION OF PHYSICAL ENCRYPTION KEYS
20220350752 · 2022-11-03

Example implementations include a system of secure decryption by virtualization and translation of physical encryption keys, the system having a key translation memory operable to store at least one physical mapping address corresponding to at least one virtual key address; a physical key memory operable to store at least one physical encryption key at a physical memory address thereof; and a key security engine operable to generate at least one key address translation index, obtain, from the key translation memory, the physical mapping address based on the key address translation index and the virtual key address, and retrieve, from the physical key memory, the physical encryption key stored at the physical memory address.

SAFE EXECUTION OF PROGRAMS THAT MAKE OUT-OF-BOUNDS REFERENCES

A method, system and apparatus for protecting a program from making out-of-bounds memory references, including determining whether an instruction makes out-of-bounds references, where the instruction that loads data from or stores data to a buffer refers to addresses that are outside the bounds of the buffer, and, responsive to determining that the instruction refers to addresses that are partially out of bounds, changing the execution of the load or the store, including modifying the starting address specified in the instruction, the length of data specified in the instruction, or a value for an out-of-bounds reference, so as to load or store data that is within the bounds of the buffer.

Trusted intermediary realm
11481339 · 2022-10-25

Memory access circuitry controls access to memory based on ownership information defining, for a given memory region, an owner realm specified from among two or more realms, each realm corresponding to at least a portion of a software process running on processing circuitry. The owner realm has the right to exclude other realms from accessing data stored within the given memory region. When security configuration parameters for a given realm specify that the given realm is associated with a trusted intermediary realm identified by the security configuration parameters, the trusted intermediary realm may be allowed to perform at least one realm management function for the given realm, e.g. provision of secret keys and/or saving/restoring of security configuration parameters. This can enable use cases where multiple instances of the same realm with common parameters need to be established on the same system at different times or on different systems.

Hardware control system and hardware control method
11481338 · 2022-10-25

A hardware control system and a hardware control method are provided. The hardware control system is for controlling a function circuit, and includes a first transformation circuit, a second transformation circuit and an analysis circuit. The first transformation circuit transforms a command from an operating system to an intermediate address. The second transformation circuit transforms the intermediate address to a permission physical address according to an identifier of the operating system, wherein the permission physical address consists of a hardware physical address and a permission value. The analysis circuit analyzes the permission physical address to generate the hardware physical address and the permission value, and determines a control value corresponding to the hardware physical address according to the permission value. The control value is for permitting the operating system to control the function circuit.