Technologies disclosed herein provide cryptographic computing with cryptographically encoded pointers in multi-tenant environments. An example method comprises executing, by a trusted runtime, first instructions to generate a first address key for a private memory region in the memory and generate a first cryptographically encoded pointer to the private memory region in the memory. Generating the first cryptographically encoded pointer includes storing first context information associated with the private memory region in first bits of the first cryptographically encoded pointer and performing a cryptographic algorithm on a slice of a first linear address of the private memory region based, at least in part, on the first address key and a first tweak, the first tweak including the first context information. The method further includes permitting a first tenant in the multi-tenant environment to access the first address key and the first cryptographically encoded pointer to the private memory region.

Technologies disclosed herein provide cryptographic computing with cryptographically encoded pointers in multi-tenant environments. An example method comprises executing, by a trusted runtime, first instructions to generate a first address key for a private memory region in the memory and generate a first cryptographically encoded pointer to the private memory region in the memory. Generating the first cryptographically encoded pointer includes storing first context information associated with the private memory region in first bits of the first cryptographically encoded pointer and performing a cryptographic algorithm on a slice of a first linear address of the private memory region based, at least in part, on the first address key and a first tweak, the first tweak including the first context information. The method further includes permitting a first tenant in the multi-tenant environment to access the first address key and the first cryptographically encoded pointer to the private memory region.

Methods for centralized access control for cloud relational database management system resources are performed by systems and devices. The methods utilize a central policy storage, managed externally to database servers, which stores external policies for access to internal database resources at up to fine granularity. Database servers in the processing system each receive external access policies that correspond to users of the system by push or pull operations from the central policy storage, and store the external access policies in a cache of the database servers for databases. For resource access, access conditions are determined via policy engines of database servers based on an external access policy in the cache that corresponds to a user, responsive to a resource access request from a device of the user specifying the internal resource. Data associated with the resource is provided to the user based on the access condition being met.

Methods for centralized access control for cloud relational database management system resources are performed by systems and devices. The methods utilize a central policy storage, managed externally to database servers, which stores external policies for access to internal database resources at up to fine granularity. Database servers in the processing system each receive external access policies that correspond to users of the system by push or pull operations from the central policy storage, and store the external access policies in a cache of the database servers for databases. For resource access, access conditions are determined via policy engines of database servers based on an external access policy in the cache that corresponds to a user, responsive to a resource access request from a device of the user specifying the internal resource. Data associated with the resource is provided to the user based on the access condition being met.

An example memory sub-system includes a memory device and a processing device, operatively coupled to the memory device. The processing device is configured to receive a reset signal from a host computer system in communication with the memory system; identify, by decoding the reset signal, a host event specified by the reset signal; and process the identified host event.

An example memory sub-system includes a memory device and a processing device, operatively coupled to the memory device. The processing device is configured to receive a reset signal from a host computer system in communication with the memory system; identify, by decoding the reset signal, a host event specified by the reset signal; and process the identified host event.

A method of verifying authenticity of a speculative load instruction is disclosed which includes receiving a new speculative source-destination pair (PAIR), wherein the source represents a speculative load instruction and the destination represents an associated destination virtual memory location holding data to be loaded onto a register with execution of the source, checking the PAIR against one or more memory tables associated with non-speculative source-destination pairs, if the PAIR exists in the one or more memory tables, then executing the instruction associated with the source of the PAIR, if the PAIR does not exist, then i) waiting until the speculation of the source instruction has cleared as being non-speculative, ii) updating the one or more memory tables, and iii) executing the instruction associated with the source, and if the speculation of the source instruction of the PAIR does not clear as non-speculative, then the source is nullified.

A method of verifying authenticity of a speculative load instruction is disclosed which includes receiving a new speculative source-destination pair (PAIR), wherein the source represents a speculative load instruction and the destination represents an associated destination virtual memory location holding data to be loaded onto a register with execution of the source, checking the PAIR against one or more memory tables associated with non-speculative source-destination pairs, if the PAIR exists in the one or more memory tables, then executing the instruction associated with the source of the PAIR, if the PAIR does not exist, then i) waiting until the speculation of the source instruction has cleared as being non-speculative, ii) updating the one or more memory tables, and iii) executing the instruction associated with the source, and if the speculation of the source instruction of the PAIR does not clear as non-speculative, then the source is nullified.

Systems, apparatuses, and methods related to an adjustable timer component are described. A memory device includes, a memory controller coupled to the memory device comprising an adjustable timer component. The adjustable timer component is configured to receive a timer generation request and, responsive to receiving the request, store in a cache an active timer entry corresponding to a particular first address, generate a timer corresponding to an active timer entry and the particular first address, and monitor the timer to determine when the timer expires. Responsive to the expiration of the timer, dequeue the timer entry and invalidate the timer entry stored in the cache. The memory device can also include command logic configured to, prior to issuing a second command, query the cache of the adjustable timer component to determine if the cache includes an active timer entry corresponding to the particular second address.

The problem to be solved is to seek an alternative to known addressing methods which provides the same or similar effects or is more secure. Solution The problem is solved by a method (40) of addressing memory in a data-processing apparatus (10) comprising, when a central processing unit (11), while performing a task (31, 32, 33, 34) of the apparatus (10), executes an instruction involving a pointer (59) into a segment (s, r, d, h, f, o, i, c) of the memory: decoding the instruction by means of an instruction decoder (12), generating a virtual address (45) within the memory by means of a safe pointer operator (41) operating on the pointer (59), augmenting the virtual address (45) by an identifier (43) of the task (31, 32, 33, 34) and an identifier (44) of the segment (s, r, d, h, f, o, i, c), said identifiers (43, 44) being hardware-controlled (42), and, based on the augmented address (45), dereferencing the pointer (59) via a memory management unit (13).