In one embodiment, a processor includes a memory hierarchy and a core coupled to the memory hierarchy. The memory hierarchy stores encrypted data, and the core includes circuitry to access the encrypted data stored in the memory hierarchy, decrypt the encrypted data to yield decrypted data, perform an entropy test on the decrypted data, and update a processor state based on a result of the entropy test. The entropy test may include determining a number of data entities in the decrypted data whose values are equal to one another, determining a number of adjacent data entities in the decrypted data whose values are equal to one another, determining a number of data entities in the decrypted data whose values are equal to at least one special value from a set of special values, or determining a sum of n highest data entity value frequencies.

A processor includes a register to store an encoded pointer to a variable in stack memory. The encoded pointer includes an encrypted portion and a fixed plaintext portion of a memory address corresponding to the variable. The processor further includes circuitry to, in response to a memory access request for associated with the variable, decrypt the encrypted portion of the encoded pointer to obtain first upper address bits of the memory address and a memory allocation size for a variable, decode the encoded pointer to obtain the memory address, verify the memory address is valid based, at least in part on the memory allocation size, and in response to determining that the memory address is valid, allow the memory access request.

Methods, systems, and apparatuses for unlocking a persistent region in memory are disclosed. An information handling apparatus includes a controller, a memory coupled to the controller, the memory having a persistent region that can either be locked or unlocked, and a firmware configured to determine whether the persistent region of the memory is locked, obtain a stored passphrase from a storage device if the persistent region is locked, and use the passphrase to unlock the persistent region of the memory.

A cellular modem processor can include dedicated processing engines that implement specific, complex data processing operations. To implement PDCCH decoding, a cellular modem can include a pipeline having multiple processing engines, with the processing engines including functional units that execute instructions corresponding to different stages in the PDCCH decoding process. Flow control and data synchronization between instructions can be provided using a hybrid of firmware-based flow control and hardware-based data dependency management.

In one example in accordance with the present disclosure, a method may include receiving, by a processor on a system on a chip (SoC), a request to encrypt a subset of data accessed by a process. The method may also include receiving, at a page encryption hardware unit of the SoC, a system call from an operating system on behalf of the process, to generate an encrypted memory page corresponding to the subset of data. The method may also include generating, by the page encryption hardware unit, an encryption/decryption key for the first physical memory address. The encryption/decryption key may not be accessible by the operating system. The method may also include encrypting, by the page encryption hardware unit, the subset of data to the physical memory address using the encryption/decryption key and storing, by the page encryption hardware unit, the encryption/decryption key in a key store.

A system and method of processing instructions may comprise an application processing domain (APD) and a metadata processing domain (MTD). The APD may comprise an application processor executing instructions and providing related information to the MTD. The MTD may comprise a tag processing unit (TPU) having a cache of policy-based rules enforced by the MTD. The TPU may determine, based on policies being enforced and metadata tags and operands associated with the instructions, that the instructions are allowed to execute (i.e., are valid). The TPU may write, if the instructions are valid, the metadata tags to a queue. The queue may (i) receive operation output information from the application processing domain, (ii) receive, from the TPU, the metadata tags, (iii) output, responsive to receiving the metadata tags, resulting information indicative of the operation output information and the metadata tags; and (iv) permit the resulting information to be written to memory.

An apparatus has tag checking circuitry responsive to a target address to: identify a guard tag stored in a memory system in association with a block of one or more memory locations, the block containing a target memory location identified by the target address, perform a tag check based on the guard tag and an address tag associated with the target address, and in response to detecting a mismatch in the tag check, perform an error response action. The apparatus also has tag mapping storage circuitry to store mapping information indicative of a mapping between guard tag values and corresponding address tag values. The tag checking circuitry remaps at least one of the guard tag and the address tag based on the mapping information stored by the tag mapping storage circuitry to generate a remapped tag for use in the tag check.

An apparatus to facilitate data cache security is disclosed. The apparatus includes a cache memory to store data; and prefetch hardware to pre-fetch data to be stored in the cache memory, including a cache set monitor hardware to determine critical cache addresses to monitor to determine processes that retrieve data from the cache memory; and pattern monitor hardware to monitor cache access patterns to the critical cache addresses to detect potential side-channel cache attacks on the cache memory by an attacker process.

An access request is received. The access request comprises a physical page address corresponding to a primary memory block of a memory device, an input security key, and a logical page address corresponding to the physical page address. The input security key is provided as input to a (CAM) block that stores a plurality of security keys to verify that the input security key matches a stored security key. A location of the stored security key is checked to verify that it corresponds to the logical page address included in the access request based a predetermined mapping. Based on verifying that the stored security key corresponds to the logical page address included in the access request, the physical page address corresponding to the primary memory block is accessed.

A processor, a system, a machine readable medium, and a method. The processor comprises first circuitry to: encrypt a first code image using a first code key; load the encrypted first code image into a memory area allocated in memory for the first code image by an operating system miming on the processor; and send to the operating system a substitute key that corresponds to the first code key, wherein the first code key is concealed from the operating system; and an instruction cache including control circuitry; and second circuitry coupled to the instruction cache, the second circuitry to: receive the substitute key from the operating system; in response to a first request from the operating system to execute the first code image to instantiate a first process, perform a first cryptographic function using a hardware key to generate the first code key from the substitute key; and program the control circuitry of the instruction cache with the first code key to enable the first code image to be decrypted using the first code key.