Patent classifications
G06F12/1441
Memory chip having security verification function and memory device
A memory chip comprises a first memory controller, a first data storage zone, a security unit and an address configuration unit. The first data storage zone is coupled to the first memory controller and is represented by a first physical address range. The security unit is coupled to the first memory controller. The address configuration unit is coupled to the first memory controller. The memory chip is configured to be coupled between a host controller and another memory chip. The other memory chip comprises a second data storage zone represented by a second physical address range. The address configuration unit records one or more relationships between a logical address range and the first physical address range and the second physical address range. The security unit is configured to encrypt and decrypt data in the first data storage zone and the second data storage zone.
Semiconductor device with secure access key and associated methods and systems
Memory devices, systems including memory devices, and methods of operating memory devices are described, in which security measures may be implemented to control access to a fuse array (or other secure features) of the memory devices based on a secure access key. In some cases, a customer may define and store a user-defined access key in the fuse array. In other cases, a manufacturer of the memory device may define a manufacturer-defined access key (e.g., an access key based on fuse identification (FID), a secret access key), where a host device coupled with the memory device may obtain the manufacturer-defined access key according to certain protocols. The memory device may compare an access key included in a command directed to the memory device with either the user-defined access key or the manufacturer-defined access key to determine whether to permit or prohibit execution of the command based on the comparison.
Memory based encryption using an encryption key based on a physical address
Embodiments herein describe a memory controller that has an encryption path and a bypass path. Using an indicator (e.g., a dedicated address range), an outside entity can inform the memory controller whether to use the encryption path or the bypass path. For example, using the encryption path when performing a write request means the memory controller encrypts the data before it is stored, while using the bypass path means the data is written into memory without being encrypted. Similarly, using the encryption path when performing a read request means the controller decrypts the data before it is delivered to the requesting entity, while using the bypass path means the data is delivered without being decrypted.
RESET DYNAMIC ADDRESS TRANSLATION PROTECTION INSTRUCTION
An instruction is provided to perform a reset address translation protection operation when executed. Executing the instruction includes determining, by a processor, that an address translation protection bit in a specified translation table entry associated with a storage block is to be reset. Based on determining that the address translation protection bit is to be reset, executing the instruction includes resetting the address translation protection bit to deactivate write protection for the storage block. The resetting is performed without waiting for an action by one or more other processors of the computing environment.
MANAGING VIRTUAL SERVICES IN AN INFORMATION HANDLING SYSTEM
In one embodiment, a method for managing a virtual service in an information handling system includes: identifying, by a virtual image of a plurality of virtual images of the virtual service, a device setting to be modified, the device setting being associated with a device of the information handling system, each of the plurality of virtual images having respective device settings; accessing, by a host service, a protected namespace of a plurality of protected namespaces, the protected namespace being associated with the virtual image; identifying, by the host service, a device index stored in the protected namespace, the device index pointing to a device-specific function associated with the device, the device-specific function being stored in a translation table; accessing, by the host service, the device-specific function stored in the translation table based on the device index; and causing, by the host service, the device-specific function to modify the device setting.
CONFIDENTIAL COMPUTING MECHANISM
According to a first aspect, execution logic is configured to perform a linear capability transfer operation which transfers a physical capability from a partition of a first software module to a partition of a second software module without retaining it in the partition of the first. According to a second, alternative or additional aspect, the execution logic is configured to perform a sharding operation whereby a physical capability is divided into at least two instances, which may later be combined.
VIRTUALIZED SYSTEM AND METHOD OF PREVENTING MEMORY CRASH OF SAME
A virtualized system is provided. The virtualized system includes: a memory device; a processor configured to provide a virtualization environment; a direct memory access device configured to perform a function of direct memory access to the memory device; and a memory management circuit configured to manage a core access of the processor to the memory device and a direct access of the direct memory access device to the memory device. The processor is further configured to provide: a plurality of guest operating systems that run independently from each other on a plurality of virtual machines of the virtualization environment; and a hypervisor configured to control the plurality of virtual machines in the virtualization environment and to control the memory management circuit to block the direct access when a target guest operating system, among the plurality of guest operating systems, that controls the direct memory access device is rebooted.
Method of secure memory addressing
The problem to be solved is to seek an alternative to known addressing methods which provides the same or similar effects or is more secure. Solution: the problem is solved by a method (40) of addressing memory in a data-processing apparatus (10) comprising, when a central processing unit (11), while performing a task (31, 32, 33, 34) of the apparatus (10), executes an instruction involving a pointer (59) into a segment (s, r, d, h, f, o, i, c) of the memory: decoding the instruction by means of an instruction decoder (12); generating a virtual address (45) within the memory by means of a safe pointer operator (41) operating on the pointer (59); augmenting the virtual address (45) by an identifier (43) of the task (31, 32, 33, 34) and an identifier (44) of the segment (s, r, d, h, f, o, i, c), said identifiers (43, 44) being hardware-controlled (42); and, based on the augmented address (45), dereferencing the pointer (59) via a memory management unit (13).
Apparatus and method for controlling use of bounded pointers
Memory allocation circuitry allocates a memory region in memory, and bounded pointer generation circuitry generates bounded pointers, including a revocable bounded pointer that provides a pointer value and range information identifying an address range of the memory region. The memory allocation circuitry provides, at a header location in the memory, a header for the memory region with a first token field which is initialized to a first token value associated with the memory region. The memory allocation circuitry is responsive to the deallocation of the memory region to modify the stored value in the first token field of the header. In response to a request to generate a memory address using the revocable bounded pointer, a use authentication check prevents generation of the memory address when it is determined that the stored value in the first token field has been changed.
AN APPARATUS AND METHOD FOR CONTROLLING ACCESS TO A SET OF MEMORY MAPPED CONTROL REGISTERS
A technique for controlling access to a set of memory mapped control registers. The apparatus has processing circuitry for executing program code to perform data processing operations, and a set of memory mapped control registers for storing control information used to control operation of the processing circuitry. Further, a lockdown register is used to store a lockdown value. The processing circuitry is arranged to execute store instructions to perform write operations to a memory address space. The processing circuitry is arranged to prevent a write operation being performed to change the control information in the memory mapped control registers. This significantly reduces the prospect of an attacker seeking to exploit a software vulnerability to change the control information in the memory mapped control registers.