Provided is a control method of controlling locking or unlocking of storage using a blockchain. The control method includes: determining, when first request information indicating a lock/unlock request, that is a lock request or an unlock request, is received from a terminal, whether a keyholder identified by reading keyholder information stored in the blockchain matches an owner of the terminal that has transmitted the first request information, the keyholder information indicating a person having the authority to lock or unlock the storage; performing lock/unlock processing when the keyholder is determined to match the owner, the lock/unlock processing being processing for causing the storage to lock or unlock in accordance with the first request information; and performing first storage processing after the lock/unlock processing is performed, the first storage processing being processing of storing, in the blockchain, transaction data indicating that the lock/unlock processing has been performed.

An apparatus to facilitate security of a shared memory resource is disclosed. The apparatus includes a memory device to store memory data, wherein the memory device comprises a plurality of private memory pages associated with one or more trusted domains and a cryptographic engine to encrypt and decrypt the memory data, including a key encryption table having a key identifier associated with each trusted domain to access a private memory page, wherein a first key identifier is generated to perform direct memory access (DMA) transfers for each of a plurality of input/output (I/O) devices.

TLB poisoning attacks take advantage of security issues of translation lookaside buffer (TLB) management on SEV processors in Secure Encrypted Virtualization (SEV) virtual machines (VMs). In various embodiments, a hypervisor may poison TLB entries between two processes of a SEV VM to compromise the integrity and confidentiality of the SEV VM. Variants of TLB poisoning attacks and end-to-end attacks are shown to be successful on both Advanced Micro Devices (AMD) SEV and SEV-Encrypted State (SEV-ES). Countermeasures for thwarting TLB poisoning attacks include hardware-enforced TLB flush processes and re-exec schemes that, among other things, prevent attackers from manipulating TLB entries and causing a privileged victim process to execute malicious code in an attempt to bypass a password authentication.

Methods and apparatus relating to scalable access control checking for cross-address-space data movement are described. In an embodiment, a memory stores an InterDomain Permissions Table (IDPT) having a plurality of entries. At least one entry of the IDPT provides a relationship between a target address space identifier and a plurality of requester address space identifiers. A hardware accelerator device allows access to a target address space, corresponding to the target address space identifier, by one or more of requesters, corresponding to the plurality of requester address space identifiers, respectively, based at least in part on the relationship provided by the at least one entry of the IDPT. Other embodiments are also disclosed and claimed.

In a controller that operates a control program which executes sequence control or the like together with a data processing program which executes a complex arithmetic operation or the like, I/O resource information is shared with a shared memory, and an access right to the I/O resource information by the data processing program is controlled using read-in prohibited information and write-in permitted information.

According to one or more embodiments of the present invention, a computer implemented method includes enabling, by a secure interface control of a computer system, a non-secure entity of the computer system to access a page of memory shared between the non-secure entity and a secure domain of the computer system based on the page being marked as non-secure with a secure storage protection indicator of the page being clear. The secure interface control can verify that the secure storage protection indicator of the page is clear prior to allowing the non-secure entity to access the page. The secure interface control can provide a secure entity of the secure domain with access to the page absent a check of the secure storage protection indicator of the page.

A storage device including: a bridge board to receive a first command; an authenticator to receive user information; and a memory device to receive the first command from the bridge board, the memory device includes a memory controller which determines a status of the memory device, provides status information including the determined status of the memory device to the bridge board, determines the status of the memory device as an unlocked status or a locked status, the bridge board includes a transceiver which communicates with the host through an interface, a register which stores interface information, and a bridge board controller which generates a first response to the first command in a format corresponding to the interface using the interface information, and provides the first response to a host, the first response includes a status bit which inhibits or allows a write operation with respect to the memory device.

A data storage device includes a nonvolatile memory device, a volatile memory device, a data encryption circuit configured to encrypt data outputted from the nonvolatile memory device, a data decryption circuit configured to decrypt encrypted data output from the data encryption circuit and configured to provide the decrypted data to the volatile memory device, and a processor configured to perform a first process that controls installation of a first in-storage program in the data storage device, a second process configured to manage a mapping table storing a relation between a logical address and a physical address of the nonvolatile memory device, and a third process configured to execute the first in-storage program.

Methods, systems, and devices for access control configurations for inter-processor communications are described to support reconfiguration of a dynamic access control configuration at a device. For example, additional configuration fields may be added to existing access control rules of the device, where these additional fields may be configured by a processor sending information to a receiving processor, via a shared memory resource or region of the device. The additional fields may include a read-only value which may specify a processor which has exclusive write permission for a memory region of the share memory. This value may indicate the sending processor of the memory region, and the value may be set by access control hardware when the additional field is changed. Other processors of the device may be prevented from writing to the memory region.

A method includes receiving, at a controller of a computational storage (CS) device, a request to allocate computational storage to an application of a host device. The request includes a resource set ID associated with the application. The method further includes identifying a memory range within a memory region of the CS device. The method further includes storing, in a data structure associated with the resource set ID, an association between a memory range identifier (ID) of the memory range, the memory region, and an offset within the memory region. The method further includes sending the memory range ID to the host device.