G06F12/1441

ZERO-REDUNDANCY TAG STORAGE FOR BUCKETED ALLOCATORS
20220413715 · 2022-12-29

Methods and apparatus relating to zero-redundancy tag storage for bucketed allocators are described. In some embodiments, memory stores a memory page. The memory page includes a metadata page and a plurality of slots. The metadata page includes information corresponding to the plurality of slots. Decode circuitry decodes an instruction that includes a source operand. Execution circuitry executes the decoded instruction according to the source operand to load a first tag for a first slot of the plurality of slots in response to a memory access request directed at the first slot of the plurality of slots. The memory access request is allowed to proceed in response to a match between the first tag and a second tag of a pointer of the memory access request. The memory page stores a separate tag in proximity to each of the plurality of slots. Other embodiments are also disclosed and claimed.

APPARATUS, SYSTEM, AND METHOD FOR SECURE MEMORY ACCESS CONTROL

In an embodiment, an apparatus includes a memory access controller to be coupled to a memory and a memory management unit (MMU) coupled to the memory access controller. The MMU is to receive a memory transaction comprising an original transaction security attribute from a first device; responsive to the memory transaction comprising a first physical address of the memory, transmit the memory transaction to the memory access controller; and responsive to the memory transaction comprising a virtual address, generate a translated memory transaction comprising a translated physical address of the memory based on the virtual address and a translated transaction security attribute and transmit the translated memory transaction to the memory access controller, the translated physical address and the translated transaction security attribute associated with an operating system (OS) memory region of the memory associated with an OS. Other embodiments are described and claimed.

Determining a tag value for use in a tag-guarded memory

An apparatus is provided for determining, for use in a tag-guarded memory, a selected tag value from a plurality of tag values. The apparatus comprises ordered list generation circuitry to receive an excluded tag vector comprising a plurality of fields, where each field is associated with a tag value and identifies whether the associated tag value is excluded from use. The ordered list generation circuitry is arranged to generate, from the excluded tag vector, an ordered list of non-excluded tag values. The apparatus further comprises count determination circuitry to determine, using the excluded tag vector and an identified start tag value, a count value indicative of a number of non-excluded tag values occurring in a region of the excluded tag vector bounded by an initial field and a field corresponding to the start tag value. The apparatus also comprises tag selection circuitry to determine the selected tag value from the ordered list based on the count value and an identified offset which indicates a required number of non-excluded tag values between the start tag value and the selected tag value.

System and Method for Managing Secure Files in Memory
20220405431 · 2022-12-22

A data access manager is provided on a computing device to manage access to secure files stored in memory. The data access manager intercepts function calls from applications to the memory management unit and determines whether an application is allowed to access secure data stored in the memory of the computing device. When an initial request to map the data is received, the data access manager maps both secure data and clear data, obtaining pointers to both secure and clear data. When an application has permission to access the requested data, the data access manager returns the pointer to the clear data. When an application does not have permission to access the requested data, the data access manager returns the pointer to the secure data.

Trusted local memory management in a virtualized GPU

Embodiments are directed to trusted local memory management in a virtualized GPU. An embodiment of an apparatus includes one or more processors including a trusted execution environment (TEE); a GPU including a trusted agent; and a memory, the memory including GPU local memory, the trusted agent to ensure proper allocation/deallocation of the local memory and verify translations between graphics physical addresses (PAs) and PAs for the apparatus, wherein the local memory is partitioned into protection regions including a protected region and an unprotected region, and wherein the protected region is to store a memory permission table maintained by the trusted agent, the memory permission table to include any virtual function assigned to a trusted domain, a per-process graphics translation table to translate graphics virtual addresses (VAs) to graphics guest PAs (GPAs), and a local memory translation table to translate between graphics GPAs and PAs for the local memory.

SYSTEM ON CHIP INCLUDING SECURE PROCESSOR AND SEMICONDUCTOR SYSTEM INCLUDING THE SAME

A secure processor and a semiconductor system including the same are provided. Provided is a system on chip comprising a secure processor, wherein the secure processor includes: a random access memory (RAM) including a RAM cache area storing a page and a timestamp table storing a timestamp, an encryption/decryption engine configured to encrypt the page by using the timestamp, and a direct memory access (DMA) module configured to transmit the encrypted page to a swap area of a first memory disposed outside the system on chip, wherein the first memory includes a tag table area storing a tag generated by the encryption/decryption engine encrypting the page and a timestamp backup area backing up the timestamp, and the swap area, the tag table area, and the timestamp backup area are backed up in a second memory disposed outside the system on chip.

Securing address information in a memory controller

Methods and systems for enabling secure memory transactions in a memory controller are disclosed. Responsive to determining that an incoming request is for a secure memory transaction, the incoming request is placed in a secure request container. The memory controller then enters a state where re-ordering between requests for secure memory transactions placed in the secure request container and requests for non-secure memory transactions from other containers is prevented in a scheduling queue.

Secure address translation services using bundle access control

Embodiments are directed to providing a secure address translation service. An embodiment of a system includes a memory device to store memory data in a plurality of physical pages shared by a plurality of devices, a first table to map each page of memory to an associated bundle identifier (ID) that identifies one or more devices having access to a page of memory, a second table to map each bundle ID to page access permissions that define access to one or more pages associated with a bundle ID and a translation agent to receive requests from the plurality of devices to perform memory operations on the memory and determine page access permissions for requests received from the plurality of devices using the first table and the second table.

CONFIDENTIAL COMPUTING MECHANISM

According to a first aspect, execution logic is configured to perform a linear capability transfer operation which transfers a physical capability from a partition of a first software module to a partition of a second software module without retaining it in the partition of the first. According to a second, alternative or additional aspect, the execution logic is configured to perform a sharding operation whereby a physical capability is divided into at least two instances, which may later be combined.

Secure public cloud using extended paging and memory integrity

A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, using VMPageIn and VMPageOut instructions, can build virtual machines in key domains and page VM pages in and out of key domains.