A plurality of computing devices are communicatively coupled to each other via a network, and each of the plurality of computing devices is operably coupled to one or more of a plurality of storage devices. One or more of the computing devices and/or the storage devices may be used to rebuild data that may be lost due to a power failure.

An apparatus comprises processing circuitry to issue memory access requests specifying a target address identifying a location to be accessed in a memory system; and a memory protection unit (MRU) comprising permission checking circuitry to check whether a memory access request issued by the processing circuitry satisfies access permissions specified in a memory protection table stored in the memory system. The memory protection table comprises memory protection entries each specifying access permissions for a corresponding address region of variable size within an address space, where the variable size can be a number of bytes other than a power of 2.

According to one embodiment, a key search circuit includes a hit determination circuit that determines whether a key search request hits a content stored in a search result buffer, and an update determination circuit that determines whether to update the content stored in the search result buffer. When the hit determination circuit determines that the key search request hits the search result buffer, the key search circuit outputs the search result stored in the search result buffer to an encryption/decryption circuit. When the update determination circuit determines to update the search result buffer, the key search circuit updates the content stored in the search result buffer with the key search request and a search result obtained from a range table.

The disclosed computer-implemented method may include (1) receiving, from an external host processor via a cache-coherent interconnect, a request to access a host address of a coherent memory space of the external host processor, (2) when the request is to read data from the host address, (a) performing an in-line transformation on the data to generate second data and (b) writing the second data to the physical address of the device-attached physical memory mapped to the host address, and (3) when the request is to read data from the host address, (a) reading the data from the physical address of the device-attached physical memory mapped to the host address, (b) performing a reversing in-line transformation on the data to generate second data, and (c) returning the second data to the external host processor via the cache-coherent interconnect. Various other methods, systems, and computer-readable media are also disclosed.

A computer-implemented method includes the following operations. A transactional lock elision transaction including a critical section is executed. The critical section is processed. After the processing of the critical section and prior to a commit point in the transactional lock elision transaction, a status of a lock is checked. Responsive to a determination that a status of the lock is free, a result of the transactional lock elision transaction is committed.

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for generating signed addresses. One of the methods includes receiving, by a component from a device, a plurality of first requests, each first request for a physical address and including a virtual address, determining, by the component, a first physical address using the virtual address, generating a first signature for the first physical address, and providing, to the device, a response that includes the first signature, receiving, from the device, a plurality of second requests, each second request for access to a second physical address and including a second signature, determining, by the component for each of the plurality of second requests, whether the second physical address is valid using the second signature, and for each second request for which the second physical address is determined to be valid, servicing the corresponding second request.

A method for monitoring memory access behavior of a sample process is provided. A processing unit of a computer device determines a page table of the sample process based on a page directory base address of the sample process, where each entry of the page table includes first information, the first information indicates whether the entry has been assigned a guest physical address, the entry that has been assigned the guest physical address includes second information that is used to indicate an access permission of the assigned guest physical address; determines a target entry from the page table, the target entry has been assigned a guest physical address, and an access permission is execution allowed; determines a target host physical address corresponding to the target guest physical address that is assigned to the target entry; and monitors behavior of accessing memory space indicated by the target host physical address.

Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.

Apparatuses, methods, and programs for performing a translation of a virtual address of a memory access to a physical address associated with a memory location to be accessed are disclosed. A page table descriptor is accessed when performing the translation, which comprises translation parameters for the translation. The descriptor further comprises an integrity check value, wherein the integrity check value is dependent on the translation parameters.

Systems, apparatuses, and methods related to a domain register of a processor in a computer system are described. The computer system has a memory configured to at least store instructions of routines that are classified in multiple predefined, non-hierarchical domains. The processor stores in the domain register an identifier of a current domain of a routine that is being executed in the processor. The processor is configured to perform security operations based on the content of the domain register and the security settings specified respectively for the predefined, non-hierarchical domains.