CN116415309A - Method for operating computer system, processor, electronic device, and storage medium

Info

Publication number: CN116415309A
Application number: CN202310442557.XA
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 谢俊
Current assignee: Beijing Eswin Computing Technology Co Ltd
Original assignee: Beijing Eswin Computing Technology Co Ltd

Links

Images

Classifications (CPC)

    • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information, operating in dual or compartmented mode, i.e. at least one secure mode
    • G06F12/1441 Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights, the protection being physical, e.g. cell, word, block, for a range
    • G06F12/1483 Protection against unauthorised use of memory or access to memory by checking the subject access rights using an access-table, e.g. matrix or list
    • G06F12/1491 Protection against unauthorised use of memory or access to memory by checking the subject access rights in a hierarchical protection system, e.g. privilege levels, memory rings
    • G06F21/44 Program or device authentication
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/79 Protecting specific internal or peripheral components to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • G06F2212/1052 Security improvement
    • G06F2221/2105 Dual mode as a secondary aspect
    • G06F2221/2113 Multi-level security, e.g. mandatory access control
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

A method of operating a computer system, a processor, an electronic device, and a storage medium. The operating method comprises the following steps: allowing a plurality of execution contexts to run in the machine mode of the computer system; and configuring the machine mode to set different permissions for the memory used by the plurality of execution contexts at run time, so as to achieve memory isolation. Compared with the conventional (previous) machine mode, the operating method further extends the memory protection mechanism (such as PMP) in the machine mode of the RISC-V architecture, provides a hardware mechanism that guarantees isolation of different execution contexts in physical memory, can avoid or reduce the security vulnerabilities caused by a plurality of execution contexts interfering with one another, and improves the security of the system.

Description

Method for operating computer system, processor, electronic device, and storage medium
Technical Field
Embodiments of the invention relate to a method of operating a computer system, a processor, an electronic device, and a storage medium.
Background
The RISC-V architecture is a modular instruction set architecture that defines several optional standard extensions, which can provide highly customizable features. RISC-V supports different privilege levels and privilege modes. The privileged modes of RISC-V generally include User Mode, Supervisor Mode, and Machine Mode. In applications such as MCUs and AIoT devices, machine mode alone or a combination of machine mode and user mode is typically used, and typically only one execution context, such as a real-time operating system (RTOS), needs to run in machine mode. In products with higher security requirements, however, one or more other execution contexts may additionally need to run in machine mode, yet the existing RISC-V standards provide no isolation mechanism between multiple execution contexts in machine mode, so security vulnerabilities exist in which the contexts interfere with one another.
Disclosure of Invention
At least one embodiment of the present disclosure provides a method of operating a computer system, the operating method comprising: allowing a plurality of execution contexts to run in the machine mode of the computer system; and configuring the machine mode to set different permissions for the memory used by the plurality of execution contexts at run time, so as to achieve memory isolation.
For example, in a method of operating a computer system provided by at least one embodiment of the present disclosure, the machine mode includes a plurality of sub-modes having different privileges, at least one of the plurality of execution contexts is run in at least one of the plurality of sub-modes, and at least another of the plurality of execution contexts is run in at least another one of the plurality of sub-modes.
For example, in a method of operating a computer system provided by at least one embodiment of the present disclosure, configuring the machine mode to set different permissions for the memory used by the plurality of execution contexts at run time, so as to achieve memory isolation, includes: dividing the entries corresponding to the machine mode among the physical memory protection entries into a plurality of entry groups, the plurality of entry groups being respectively assigned to the plurality of sub-modes having different privileges.
For example, in a method of operating a computer system provided by at least one embodiment of the present disclosure, the machine mode includes a first sub-mode and a second sub-mode having a higher privilege level than the first sub-mode, and dividing the physical memory protection entries into a plurality of entry groups respectively assigned to the plurality of sub-modes having different privileges includes: dividing the physical memory protection entries into a first entry group and a second entry group, the first entry group and the second entry group being respectively assigned to the first sub-mode and the second sub-mode.
For example, in the method of operating a computer system provided in at least one embodiment of the present disclosure, the physical memory protection entries include N entries with index numbers 0 to N-1, and the operating method further includes: setting a parameter X, configuring the first entry group to comprise entries 0 to X, and configuring the second entry group to comprise entries X+1 to N-1, where 0 ≤ X ≤ N-1, and the matching priority of the address ranges corresponding to index numbers 0 to N-1 decreases as the index number increases from 0 to N-1.
For example, in an operating method of a computer system provided in at least one embodiment of the present disclosure, the operating method further includes: when the computer system is in the first sub-mode, allowing read-write operations on the registers corresponding to both the first entry group and the second entry group; and when the computer system is in the second sub-mode, allowing or not allowing read-write operations on the registers corresponding to the second entry group, and not allowing read-write operations on the registers corresponding to the first entry group.
For example, in an operating method of a computer system provided in at least one embodiment of the present disclosure, the operating method further includes: when the computer system is in the first sub-mode, determining according to the permissions set in the first entry group whether the memory corresponding to the first entry group has read-write permission and execute permission, and determining according to the permissions set in the second entry group whether the memory corresponding to the second entry group has read-write permission, while that memory has no execute permission; when the computer system is in the second sub-mode, granting neither read-write permission nor execute permission to the memory corresponding to the first entry group, and determining according to the permissions set in the second entry group whether the memory corresponding to the second entry group has read-write permission and execute permission.
For example, in an operating method of a computer system provided in at least one embodiment of the present disclosure, the operating method further includes: when the computer system is in the first sub-mode, processing the rules of the first entry group according to the actual current locking mechanism of the computer system, and treating the second entry group as unlocked, so that the rules in the second entry group may be modified freely; when the computer system is in the second sub-mode, treating the first entry group as locked, so that the rules in the first entry group cannot be modified, and processing the rules in the second entry group according to the actual current locking mechanism of the computer system.
For example, in an operating method of a computer system provided in at least one embodiment of the present disclosure, the operating method further includes: in response to the current execution context accessing an address that matches no address range in the physical memory protection entries, handling the access by a blacklist mechanism or a whitelist mechanism regardless of the mode the current execution context is in, where under the blacklist mechanism an execution context running in the first sub-mode can access the address space not covered by the physical memory protection entries, and under the whitelist mechanism an execution context running in the first sub-mode cannot access the address space not covered by the physical memory protection entries.
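A software model of the entry grouping and per-sub-mode rules set out in the preceding paragraphs (register writes, lock state, memory permissions, and unmatched addresses), added here as an illustration; it is not the patent's code, the class and method names and the sample entries are constructed, and denying the second sub-mode access to unmatched addresses is the model's own assumption where the disclosure is silent:

```python
# Added illustration, not the patent's own code: a software model of the
# machine-mode PMP entries split into two entry groups at index X, with the
# per-sub-mode register-write, lock, memory-permission and unmatched-address
# rules described in the disclosure. Sample values below are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class SubMode(Enum):
    FIRST = 1    # sub-mode that may program both entry groups
    SECOND = 2   # sub-mode confined to the second entry group


@dataclass
class PmpEntry:
    base: int    # first protected address (inclusive)
    limit: int   # end of the protected range (exclusive)
    r: bool
    w: bool
    x: bool
    lock: bool   # the entry's real lock bit


class GroupedPmp:
    def __init__(self, entries: List[PmpEntry], x: int, whitelist: bool = True):
        if not 0 <= x <= len(entries) - 1:
            raise ValueError("X must satisfy 0 <= X <= N-1")
        self.entries = entries
        self.x = x                  # entries 0..X form group 1, X+1..N-1 group 2
        self.whitelist = whitelist  # how an address matching no entry is treated

    def group_of(self, idx: int) -> int:
        return 1 if idx <= self.x else 2

    def may_write_register(self, mode: SubMode, idx: int,
                           second_group_writable: bool = True) -> bool:
        """The first sub-mode may program both groups; the second sub-mode never
        touches group 1 and touches group 2 only if the implementation allows it."""
        if mode is SubMode.FIRST:
            return True
        return self.group_of(idx) == 2 and second_group_writable

    def is_locked(self, mode: SubMode, idx: int) -> bool:
        """Lock state of an entry as seen from each sub-mode."""
        real_lock = self.entries[idx].lock
        if mode is SubMode.FIRST:
            # group 1 follows its real lock bit; group 2 is always seen as unlocked
            return real_lock if self.group_of(idx) == 1 else False
        # second sub-mode: group 1 is always locked; group 2 follows its real lock bit
        return True if self.group_of(idx) == 1 else real_lock

    def may_modify(self, mode: SubMode, idx: int,
                   second_group_writable: bool = True) -> bool:
        """A rule can be rewritten only if the register is writable and not locked."""
        return (self.may_write_register(mode, idx, second_group_writable)
                and not self.is_locked(mode, idx))

    def match(self, addr: int) -> Optional[int]:
        """Lowest index wins: matching priority decreases from entry 0 to N-1."""
        for idx, e in enumerate(self.entries):
            if e.base <= addr < e.limit:
                return idx
        return None

    def permissions(self, mode: SubMode, addr: int) -> Tuple[bool, bool, bool]:
        """(read, write, execute) for an access from `mode` to `addr`."""
        idx = self.match(addr)
        if idx is None:
            # Blacklist: a first-sub-mode context may use uncovered space; whitelist:
            # it may not. The disclosure is silent on the second sub-mode here, so
            # denying it is an assumption of this model.
            if mode is SubMode.FIRST and not self.whitelist:
                return (True, True, True)
            return (False, False, False)
        e = self.entries[idx]
        if mode is SubMode.FIRST:
            # group 1 as configured; group 2 read/write as configured, never execute
            return (e.r, e.w, e.x) if self.group_of(idx) == 1 else (e.r, e.w, False)
        # second sub-mode: no access to group-1 memory at all; group 2 as configured
        return (False, False, False) if self.group_of(idx) == 1 else (e.r, e.w, e.x)


def sample_system(whitelist: bool = True) -> GroupedPmp:
    """Constructed sample: N=4, X=1, so entries 0-1 are group 1 and 2-3 group 2."""
    return GroupedPmp([
        PmpEntry(0x1000, 0x2000, r=True, w=True, x=True, lock=True),      # group 1
        PmpEntry(0x2000, 0x3000, r=True, w=True, x=False, lock=False),    # group 1
        PmpEntry(0x8000, 0x9000, r=True, w=True, x=True, lock=False),     # group 2
        PmpEntry(0x0000, 0x10000, r=True, w=False, x=False, lock=True),   # group 2, low-priority catch-all
    ], x=1, whitelist=whitelist)
```

Note that in the sample the catch-all entry 3 also covers 0x1000, yet entry 0 decides that access because the lower index has priority.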
For example, in a method of operating a computer system provided by at least one embodiment of the present disclosure, the computer system is based on a RISC-V instruction set.
At least one embodiment of the present disclosure also provides a processor comprising: a processor core; and an isolation unit configured to allow a plurality of execution contexts to run in the machine mode of a computer system, and to configure the machine mode to set different permissions for the memory used by the plurality of execution contexts at run time, so as to achieve memory isolation.
At least one embodiment of the present disclosure also provides an electronic device including: a memory configured to store computer-executable instructions; and a processor configured to execute the computer-executable instructions, wherein the computer-executable instructions, when executed by the processor, implement the method as in any of the embodiments above.
At least one embodiment of the present disclosure also provides a non-transitory storage medium that non-transitory stores computer-executable instructions, wherein the computer-executable instructions, when executed by a processor, implement the method of any of the embodiments above.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings of the embodiments will be briefly described below, and it is apparent that the drawings in the following description relate only to some embodiments of the present disclosure, not to limit the present disclosure.
Fig. 1 is a flowchart of a method of operating a computer system according to some embodiments of the present disclosure.
Fig. 2 is a schematic diagram of a trusted execution environment provided in some embodiments of the present disclosure.
Fig. 3 is a schematic diagram of another trusted execution environment provided by some embodiments of the present disclosure.
Fig. 4 is a schematic view of authority of a physical memory protection entry in a secure supervision mode according to some embodiments of the present disclosure.
Fig. 5 is a schematic view of authority of a physical memory protection entry in a managed machine mode according to some embodiments of the present disclosure.
Fig. 6 is a diagram of permissions for physical memory protection entries provided by some embodiments of the present disclosure.
Fig. 7 is a diagram illustrating rule changes to physical memory protection entries provided in some embodiments of the present disclosure.
Fig. 8 is a schematic diagram of a processor provided in some embodiments of the present disclosure.
Fig. 9 is a schematic diagram of an electronic device according to some embodiments of the present disclosure.
Fig. 10 is a schematic diagram of a non-transitory storage medium provided by some embodiments of the present disclosure.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present disclosure. It will be apparent that the described embodiments are some, but not all, of the embodiments of the present disclosure. All other embodiments, which can be made by one of ordinary skill in the art without the need for inventive faculty, are within the scope of the present disclosure, based on the described embodiments of the present disclosure.
Unless defined otherwise, technical or scientific terms used in this disclosure should be given the ordinary meaning as understood by one of ordinary skill in the art to which this disclosure belongs. The terms "first," "second," and the like, as used in this disclosure, do not denote any order, quantity, or importance, but rather are used to distinguish one element from another. The words "comprising" or "comprises", and the like, mean that the elements or items preceding the word include the elements or items listed after the word, and equivalents thereof, without excluding other elements or items. The term "connected" and the like is not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "Upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may change when the absolute position of the object described changes.
In order to keep the following description of the embodiments of the present disclosure clear and concise, the present disclosure omits a detailed description of some known functions and known components.
The RISC-V architecture is an open-source instruction set architecture (Instruction Set Architecture, ISA) that aims to provide a standardized instruction set that can be implemented on a variety of chips and hardware platforms. The design of the RISC-V instruction set is intended to be kept as simple as possible, minimizing the number and complexity of instructions, to facilitate hardware implementation and compiler optimization. The RISC-V design has expandability, and can be subjected to custom expansion according to different application requirements, such as adding custom instructions, adding new hardware characteristics and the like. Due to its scalability, RISC-V can be easily implemented on a variety of different hardware platforms, and can be portable among different operating systems and programming languages.
At the same time, as described above, the RISC-V architecture is also a modular instruction set architecture defining several optional standard extensions that can provide highly customizable features. RISC-V supports different privilege levels and privilege modes. The privileged modes of RISC-V generally include User Mode (User Mode), supervisor Mode (Supervisor Mode), and Machine Mode (Machine Mode).
The user mode is the most basic privilege mode; programs (or execution contexts) in the user mode can access user-level registers, memory, and device resources, but cannot directly access any privileged registers or resources. The supervisor mode has a higher privilege level than the user mode; programs in the supervisor mode have access to user-level and supervisor-level registers, memory, and device resources, but cannot directly access any machine-level registers or resources. The supervisor mode may be used to implement the operating system kernel for low-level system management operations. The machine mode is the highest privilege level; programs in machine mode have access to all registers and resources, including machine-level registers, memory, and device resources. Machine mode is typically used by a boot program or operating system kernel to configure and manage the entire system.
In addition to the above three modes, a fourth privilege mode may be defined in the RISC-V architecture, such as a Hypervisor Mode, which has a privilege level different from those of the three modes. For example, the privilege level of the hypervisor mode is greater than or equal to that of the supervisor mode and less than that of the machine mode.
In MCU and AIoT applications, machine mode alone or a combination of machine mode and user mode is typically employed. Typically, only one execution context, the real-time operating system, needs to run in machine mode, but in products with higher security requirements, multiple execution contexts may need to run in machine mode in addition. Because different execution contexts have different access requirements to physical memory at run time, a mechanism is needed to ensure that they do not interfere with one another.
The existing standards of current computer systems (e.g., computer systems based on the RISC-V architecture) provide memory protection mechanism extensions (e.g., extended Physical Memory Protection, ePMP) that isolate physical memory between machine mode and non-machine modes, but they provide no hardware protection mechanism for scenarios in which physical memory isolation must be guaranteed between multiple execution contexts in machine mode, so security vulnerabilities exist in which the contexts interfere with one another.
At least one embodiment of the present disclosure provides a method of operating a computer system, the method of operating comprising: allowing a plurality of execution contexts to run in a machine mode of a computer system; and configuring a machine mode to set different authorities for memories used in running the plurality of execution contexts to perform memory isolation.
In the above embodiments of the disclosure, the memory protection mechanism (for example, PMP) is further extended in the machine mode of the RISC-V architecture relative to the conventional (previous) machine mode, and the provision of the hardware mechanism ensures isolation of different execution contexts from the physical memory, so that security vulnerabilities of the multiple execution contexts interfering with each other can be avoided or reduced, and security of the system is improved.
Various embodiments of the present disclosure will be described below in connection with specific examples.
Fig. 1 is a flowchart of a method of operating a computer system according to some embodiments of the present disclosure. As shown in FIG. 1, the method of operating the computer system includes the following steps S101-S102.
In step S101, a plurality of execution contexts are allowed to run in a machine mode of a computer system.
In step S102, the machine mode is configured to set different permissions for the memory used by the plurality of execution contexts at run time, so as to achieve memory isolation.
For example, in one embodiment of the present disclosure, a computer system includes a processor and an operating system, application programs, etc., that are executed by the processor, e.g., the processor may include a processor core, one or more levels of cache, etc. The computer system includes a user mode, a supervisor mode, and a machine mode, and the computer system extends the machine mode to a plurality of sub-modes having different privilege levels. For example, a machine mode includes multiple sub-modes with different privileges.
For example, in one embodiment of the present disclosure, a computer system may be implemented based on a different instruction set architecture. For example, a computer system may select a different instruction set architecture implementation according to different requirements and application scenarios. For example, the computer system may be based on the RISC-V, X86, Arm, or another instruction set architecture, supporting the RISC-V, X86, Arm, or other instruction set accordingly; embodiments of the present disclosure are not limited in this regard.
For example, in at least one example, a hardware extension may be added to the processor accordingly, such as by adding a new register in the processor, for extending the machine mode of the computer system to multiple sub-modes with different privilege levels. For example, the newly added register may be a control and status register (Control and Status Register, CSR) which may be a dedicated register independently used to extend the machine mode of the computer system to multiple sub-modes with different privilege levels. For another example, in at least one example, an existing register in a processor may be multiplexed for expanding a machine mode of a computer system into multiple sub-modes with different privilege levels, so long as the original functionality of the multiplexed register itself is not affected.
For example, in one embodiment of the present disclosure, a new CSR may be added that stores a value indicating whether a computer system (e.g., a processor in a computer system) is currently operating in one of the multiple sub-privileged modes extended from machine mode and, if so, in which sub-privileged mode extended from machine mode.
For example, the mode parameter stored in the newly added CSR may be used to indicate whether the computer system is currently operating in one of two sub-privileged modes that extend machine mode. For example, machine mode is extended to two sub-privileged modes: a managed machine mode and a secure supervisory mode. The value of the mode parameter stored in the CSR may be denoted SM. For example, in one embodiment of the present disclosure, SM=1 means that the computer system is currently operating in the secure supervisory mode, and SM=0 means that the computer system is currently operating in the managed machine mode; SM=0 may also mean that the computer system is currently operating in another privileged mode (e.g., user mode) that is not the secure supervisory mode. The present disclosure is not limited in this regard; for example, any distinguishable parameter may be used to represent the privilege mode in which the computer system is currently running.
In the above embodiment, the machine mode is extended to two privilege modes, a secure supervisory mode and a managed machine mode, the privilege level of the secure supervisory mode being greater than the privilege level of the managed machine mode. For example, the secure supervisor mode has the highest privilege level and programs in the secure supervisor mode have access to, for example, all registers and resources, including machine-level registers, memory, and device resources.
For example, the secure supervisory mode may have the same privilege level and authority as the normal machine mode (i.e., the machine mode before the extension is made). The managed machine mode, on the other hand, has a privilege level second only to that of the secure supervisory mode. For example, the privilege level of the managed machine mode is greater than that of every privilege mode except the secure supervisory mode, and less than that of the secure supervisory mode. For example, a program in managed machine mode may access user-level and supervisor-level registers, memory, and device resources, but may not directly access any registers or resources of the secure supervisory mode level. For example, a program in managed machine mode cannot directly access any machine-level registers or resources.
For example, in one embodiment of the present disclosure, a plurality of execution contexts are allowed to run in a plurality of sub-modes of a computer system having different privilege levels extended by a machine mode, at least one of the plurality of execution contexts running in at least one of the plurality of sub-modes, at least another of the plurality of execution contexts running in at least another one of the plurality of sub-modes. For example, for the two new privileged mode scenario described above, multiple execution contexts may be allowed to run in the secure supervisory mode and the managed machine mode. For example, at least one of the plurality of execution contexts is run in a secure supervisory mode, and at least another one of the plurality of execution contexts is run in a managed machine mode.
For example, in one embodiment of the present disclosure, the plurality of execution contexts includes a first execution context and a second execution context, and the above-described operation method further includes: the first execution context is run in a secure supervisory mode and the second execution context is run in a managed machine mode.
For example, in one embodiment of the present disclosure, the first execution context may be a secure supervisory execution context (or referred to as a secure supervisory context) and the second execution context may be a real-time operating system execution context (or referred to as a real-time operating system context). For example, the method of operation of the computer system of the present disclosure further comprises: running a secure supervisory execution context in secure supervisory mode and running a real-time operating system execution context in managed machine mode. Embodiments of the present disclosure are not limited to the above examples, and the first execution context and the second execution context may be any suitable execution context, respectively, so long as the first execution context and the second execution context need to operate in different privilege modes, and each may be adapted to the technical solutions of the present disclosure, so as to meet the security requirements of the corresponding products.
For example, in one embodiment of the present disclosure, the plurality of execution contexts also includes one or more other execution contexts. For example, in one embodiment of the present disclosure, the one or more other execution contexts may include a secure operating system execution context (or referred to as a secure operating system context), secure firmware, and the like. Embodiments of the present disclosure are not limited to this example, and the one or more other execution contexts may each be any other suitable execution context.
For example, in one embodiment of the present disclosure, the real-time operating system may be any computer operating system capable of meeting real-time requirements. For example, real-time operating system execution contexts may include, but are not limited to, VxWorks, QNX, FreeRTOS, etc. By way of example, the secure operating system (Security Operating System, SecOS) execution context may be any operating system used to secure computer systems and data. For example, secure operating system execution contexts may include, but are not limited to, SELinux, Trusted Solaris, OpenBSD, Qubes OS, and the like. As an example, the secure firmware (Security Firmware) may be any embedded system software for securing computer hardware devices and protecting computer systems from malicious attacks. For example, the secure firmware may include, but is not limited to, Intel Boot Guard, AMD Secure Boot, HP Sure Start, and the like. As an example, a secure supervisory execution context may be used to manage other execution contexts. For example, the secure supervisory execution context may be used to manage the real-time operating system execution context, the secure firmware, and the like.
Fig. 2 is a schematic diagram of a trusted execution environment provided in some embodiments of the present disclosure.
The trusted execution environment may be a security protection mechanism for protecting software and data in a computer system from malware or unauthorized access. In a trusted execution environment, all components such as hardware, an operating system, an application program and the like must pass verification and are authorized to be executed, so that the attack surface can be reduced, and the security of the system is improved.
In the embodiment shown in FIG. 2, the machine mode is extended to two sub-privileged modes: the managed machine mode and the secure supervisory mode, for example, the method of operating the computer system of the present embodiment further includes: at least one of the one or more other execution contexts is run in at least one of a secure supervisory mode and a managed machine mode.
For example, as shown in FIG. 2, the secure supervisory execution context is run in secure supervisory mode, the real-time operating system execution context, the secure operating system execution context, and the secure firmware are run in managed machine mode. For example, the secure supervisory execution context may be used to control or manage the real-time operating system execution context, the secure operating system execution context, and the secure firmware. In other embodiments of the present disclosure, for example, at least one of the secure operating system execution context and the secure firmware may also operate in a secure supervisory mode with the secure supervisory execution context.
It should be noted that, although fig. 2 illustrates only the secure supervisory execution context running in the secure supervisory mode, with the real-time operating system execution context, the secure operating system execution context, and the secure firmware running in the managed machine mode, embodiments of the present disclosure are not limited thereto. For example, any suitable number and type of execution contexts may be run in the secure supervisory mode, the number and type of execution contexts run in the secure supervisory mode depending entirely on the particular product and its security and/or cost requirements. Likewise, any suitable number and type of execution contexts may be run in the managed machine mode, the number and type of execution contexts run in the managed machine mode depending entirely on the particular product and its security requirements.
For example, in one embodiment of the present disclosure, a secure supervisory execution context may be used to enable isolation of resources used between execution contexts controlled or managed by it. For example, a secure supervisory execution context may enable memory isolation used between execution contexts controlled or managed by it by a logical configuration of memory protection mechanisms. For example, the memory protection mechanism may include MPU (Memory Protection Unit), MMU (Memory Management Unit), physical memory protection (Physical Memory Protection, PMP), and the like. As shown in fig. 2, for example, the secure supervisory execution context may be used to control or manage the real-time operating system execution context, the secure operating system execution context, and the secure firmware, and the secure supervisory execution context may enable memory isolation used between the real-time operating system execution context, the secure operating system execution context, and the secure firmware, etc. by reasonably configuring the memory protection mechanism.
For example, the memory protection mechanism may be a hardware mechanism in the processor for protecting physical memory from modification or reading by unauthorized software or access. For example, memory protection mechanisms are implemented by dividing a memory address space into multiple regions, each of which may have different access rights. The processor compares each memory access request with the region and decides whether to allow access based on the permissions of the region. If the access request does not agree with the region rights, the processor will trigger an exception and block the access. Memory protection mechanisms may be used to protect operating system kernels from user applications, or to protect sensitive data structures from access by malware.
For example, in RISC-V based processors, PMP may be implemented as a hardware mechanism and used to provide protection and access control for memory regions at physical memory addresses. In addition, PMP provides a programmable memory protection mechanism, so that software can restrict access rights to a specific memory region, thereby improving the security and stability of the system.
It should be noted that, a horizontal dashed line between the secure supervisory mode and the managed machine mode shown in fig. 2 indicates that the machine mode is extended or divided, and a vertical dashed line between two execution contexts indicates that different execution contexts running in the managed machine mode are resource-isolated.
FIG. 3 is a schematic diagram of another trusted execution environment provided by some embodiments of the present disclosure. The horizontal and vertical dashed lines in fig. 3 have a meaning similar to that in fig. 2.
In the embodiment shown in FIG. 3, as such, the machine mode is extended to two sub-privileged modes: the managed machine mode and the secure supervisory mode, for example, the method of operation of the present embodiment further includes: a user mode is provided in the computer system, wherein the user mode has a privilege level that is less than a privilege level of the machine mode, the user mode allowing for running of at least one application that is executable in at least one of the plurality of execution contexts.
The embodiment shown in FIG. 3 differs from the embodiment shown in FIG. 2 in that the computer system in FIG. 3 provides a user mode in addition to providing multiple sub-modes with different privilege levels in the machine mode of the computer system and allowing at least one of the multiple execution contexts to be run in each of the multiple sub-modes. For example, the privilege level of the user mode is less than the privilege level of the machine mode, the user mode allowing for running at least one application that is executable in at least one of a real-time operating system execution context, a secure operating system execution context, and secure firmware.
For example, in one embodiment of the present disclosure, one or more applications may be run in a real-time operating system execution context (which may also be referred to as a sub-execution context). For example, as shown in FIG. 3, task 1 and task 2 may be run in a real-time operating system execution context, and task 1 and task 2 may be any executable application (e.g., a process or thread). For example, in the case of running the execution context in only machine mode (including managed machine mode and secure supervisory mode), task 1 and task 2 may run in managed machine mode; in the case of running the execution context in a combination of machine mode (including managed machine mode and secure supervisory mode) and user mode, task 1 and task 2 are not run in the managed machine mode, but only task 1 and task 2 are allowed to run in the user mode with lower privilege level, which can further effectively reduce the attack surface and improve the security of the system.
It should be noted that, although an example in which only two applications (i.e., task 1 and task 2) are running in the real-time operating system execution context is illustrated in fig. 3 of the present disclosure, the present disclosure does not impose any limitation on the number of applications that can be run in the real-time operating system execution context. For example, any other number of applications may be run in the real-time operating system execution context, or there may be no applications running in the real-time operating system execution context.
For example, in one embodiment of the present disclosure, any number of applications (which may also be referred to as sub-execution contexts) may be run in a secure operating system execution context. For example, the applications run in the secure operating system execution context may be service 1 and service 2, where service 1 and service 2 may be any executable program (e.g., an application program or a system program). For example, in the case of running the execution context in only machine mode (including managed machine mode and secure supervisory mode), service 1 and service 2 may run in managed machine mode; in the case of running the execution context in a combination of machine mode (including managed machine mode and secure supervisory mode) and user mode, service 1 and service 2 are not run in the managed machine mode but are only allowed to run in the user mode with the lower privilege level, which further reduces the attack surface and improves the security of the system.
It should be noted that, although the embodiment of the disclosure is illustrated in fig. 3 with only two applications or system programs (i.e., service 1 and service 2) running in the secure operating system execution context as an example, the disclosure does not impose any limitation on the number of applications that may run in the secure operating system execution context. For example, any other number of applications may or may not be running in the secure operating system execution context.
For example, in one embodiment of the present disclosure, any number of programs may be run in the secure firmware. For example, service 3 and service 4 (which may also be referred to as sub-execution contexts) may be running in secure firmware. For example, in the case of running the execution context in only machine mode (including managed machine mode and secure supervisory mode), service 3 and service 4 may run in managed machine mode; in the case of running the execution context in a combination of machine mode (including managed machine mode and secure supervisory mode) and user mode, service 3 and service 4 are not run in the managed machine mode, but service 3 and service 4 are only allowed to run in the user mode with a lower privilege level, which can further effectively reduce the attack surface and improve the security of the system.
It should be noted that, although the embodiment shown in fig. 3 of the present disclosure uses only two programs (i.e., service 3 and service 4) running in the secure firmware as an example, the present disclosure does not limit the number of applications that can run in the secure firmware. For example, any other number of applications may or may not be running in the secure firmware.
For example, in one embodiment of the present disclosure, transitioning a computer system between different privilege modes includes the steps of: in response to an exception or interrupt occurring to an object execution context operating in object mode, processing the exception or interrupt in secure supervisory mode; returning to the previous object mode after the exception or interrupt is handled.
Herein, an "object execution context" refers to an execution context that is currently running, and an "object mode" refers to a privilege mode in which an execution context that is currently running runs before an exception or interrupt occurs (or before the running is interrupted).
For example, referring again to fig. 2, in the case where the execution context is run in only the machine mode (the machine mode includes the managed machine mode and the secure supervisory mode), the object execution context may be any one of the secure supervisory execution context, the real-time operating system execution context, the secure operating system execution context, and the secure firmware shown in fig. 2, and the object mode may be any one of the secure supervisory mode and the managed machine mode. For example, where the execution context is run in only machine mode (including managed machine mode and secure supervisory mode), the object mode may also be referred to as an object sub-mode.
For example, referring again to fig. 3, in the case of running an execution context in a combination of a machine mode (including a managed machine mode and a secure supervisory mode) and a user mode, the object execution context may be any one of the secure supervisory execution context, the real-time operating system execution context, the secure firmware, and the sub-execution context shown in fig. 3 (e.g., task 1, task 2, service 1, service 2, service 3, or service 4 in fig. 3), and the object mode may be any one of the secure supervisory mode, the managed machine mode, and the user mode.
For example, when an interrupt or exception occurs to the currently running object execution context, the processor automatically saves the current privilege mode to a register called MSTATUS. The MSTATUS register is a privileged mode register that may include status bits associated with the current privileged mode and other privileged modes. For example, in the MSTATUS register, the MPP field stores the privilege mode before an interrupt or exception occurs.
For example, MPP (Machine Previous Privilege) can be a 2-bit register field, with the primary purpose of the MPP field being to be used during exception or interrupt handling. When an exception or interrupt occurs, the processor needs to switch to the appropriate privilege level to handle the exception or interrupt, while the previous privilege level needs to be saved in order to revert to the privilege level before the exception or interrupt occurred after handling the exception or interrupt.
For example, the MPP field can take four values: 00, 01, 10, and 11. When the MPP field is 00 (also written MPP=0), the previous privilege level was user mode; when it is 01 (MPP=1), the previous privilege level was supervisor mode; 10 (MPP=2) indicates that the previous privilege level was hypervisor mode, and 11 (MPP=3) indicates that it was machine mode. The present disclosure is not limited thereto; for example, when the MPP field is 01 (MPP=1), whether the previous privilege level was supervisor mode or the hypervisor extension's virtual supervisor mode may be indicated in combination with the value of another parameter, for example another field (e.g., the MPV field) in the MSTATUS register.
For example, where the computer system is running the execution context in only machine mode (e.g., including managed machine mode and secure supervisory mode), the value of the MPP is equal to 3.
For example, in one embodiment of the present disclosure, a new CSR may be added to indicate whether the computer system (e.g., a processor in the computer system) was operating in one of the two privilege modes extended from the machine mode before an interrupt or exception occurred, and if so in which of them. For example, the parameter MPSM stored in the newly added CSR can serve this purpose. For example, in one embodiment of the present disclosure, MPSM=1 means that the computer system was operating in the secure supervisory mode before the interrupt or exception occurred, and MPSM=0 means that it was operating in the managed machine mode before the interrupt or exception occurred; MPSM=0 may also mean that the computer system was operating in another privilege mode that is not the secure supervisory mode (e.g., user mode) before the interrupt or exception occurred. Embodiments of the present disclosure are not limited to the above examples; for example, any distinguishable parameter may be used to represent the privilege mode in which the computer system was running before the interrupt or exception occurred.
For example, in one embodiment of the present disclosure, when the computer system is powered on, the computer system defaults to operating in a secure supervisory mode; for another example, when the computer system is reset or restarted, the computer system defaults to operating in a secure supervisory mode.
For example, in one embodiment of the present disclosure, the secure supervisory mode is entered to handle an interrupt or exception, and afterwards execution returns to the object mode that was active before the interrupt or exception. For example, when an interrupt or exception occurs to an object execution context running in the computer system, so that the object execution context is interrupted, the current privilege mode is first saved into the extended added register, such that the value of MPSM indicates the privilege mode before the interrupt or exception occurred; thereafter, SM is rewritten to 1 by hardware (for example, a secure supervision unit to be described below), the processor switches to the secure supervisory mode, handles the exception or interrupt in the secure supervisory mode, and returns to the previous object mode after the exception or interrupt is handled.
For example, when an exception or interrupt occurs in an object mode among a plurality of sub-modes, resulting in the execution of the currently executed object execution context being interrupted, the execution returns to the previous object mode after the exception or interrupt is handled.
For example, in the case of running an execution context in only machine mode (e.g., including managed machine mode and secure supervisory mode), the value of the first parameter is used to represent a previous object mode for returning to the previous object mode according to the value of the first parameter after an exception or interrupt is handled. As an example, the first parameter is MPSM. For example, after processing the exception or interrupt, the MRET instruction may be returned to the location where the object execution context was interrupted from running.
For example, in the case of running an execution context in a combination of a machine mode (e.g., including a managed machine mode and a secure supervisory mode) and a user mode, at least one of a value of a first parameter and a value of a second parameter is used to collectively represent a previous object mode to return to the previous object mode according to at least one of the value of the first parameter and the value of the second parameter after an exception or interrupt is handled. As an example, the first parameter is MPSM and the second parameter is MPP. For example, after processing the exception or interrupt, the MRET instruction may be returned to the location where the object execution context was interrupted from running.
For example, the MRET instruction may be an instruction in a processor (e.g., a processor based on a RISC-V architecture) instruction set for returning from machine mode to a previously run privilege level (e.g., which may be user mode or supervisor mode). For example, prior to using an MRET instruction, execution in a machine mode or debug mode of the processor is required, and it is ensured that the previous privilege mode state has been saved prior to executing the MRET instruction.
For example, if a program generates a debug request, the debug mode may be used to debug and troubleshoot the program, and after the debug request is processed, the program may be switched back to the privilege mode that was previously running by means of the DRET instruction. For example, before using a DRET instruction, it is necessary to ensure that the previous privilege mode state has been saved. For example, dcsr.prv in the RISC-V architecture is a field of the debug control and status register (Debug Control and Status Register) whose value represents the privilege level of the processor before the debug request was processed. The dcsr.prv field takes values in the range 0-3; specifically, dcsr.prv=0 is user mode and dcsr.prv=3 is machine mode. For example, a field dcsr.sm may be used to store the sub-mode before entering debug mode, with dcsr.sm=0 representing the managed machine mode and dcsr.sm=1 representing the secure supervisory mode.
For example, after processing the debug request in debug mode, the processor switches back to the privilege mode in which the program was running before the debug request, according to the value of at least one of dcsr.prv and dcsr.sm. For example, the user mode is returned to when dcsr.prv=0, the secure supervisory mode is returned to when dcsr.prv=3 and dcsr.sm=0, and the managed machine mode is returned to when dcsr.prv=3 and dcsr.sm=1.
For example, in one embodiment of the present disclosure, where the execution context is run in only machine mode (e.g., including managed machine mode and secure supervisory mode), when an interrupt or exception occurs in the managed machine mode, the running object execution context is interrupted, and the value of SM indicating the current managed machine mode is first saved into the extended added register, so that the value of MPSM indicates the privilege mode before the interrupt or exception occurred, i.e., the MPSM saved in the extended added register at this time is equal to 0 (the saved value of SM for the current managed machine mode); SM is then rewritten by hardware to 1, the processor switches to the secure supervisory mode and handles the exception or interrupt there, and after the exception or interrupt is handled it executes the MRET instruction and returns to the previous managed machine mode based on MPSM=0.
For example, in one embodiment of the present disclosure, when an interrupt or exception occurs in the secure supervisory mode, the interrupt or exception is still handled in the secure supervisory mode. For example, when an interrupt or exception occurs in the secure supervisory mode, the running object execution context is interrupted, and the value of SM indicating the current secure supervisory mode is first saved into the extended added register, so that the value of MPSM indicates the privilege mode before the interrupt or exception occurred, i.e., the value of MPSM saved in the extended added register at this time is equal to 1 (the value of MPSM equals the saved value of SM for the current secure supervisory mode); SM is then rewritten by hardware to 1, the processor remains in the secure supervisory mode and handles the exception or interrupt there, and after the exception or interrupt is handled it executes the MRET instruction and returns to the previous secure supervisory mode based on MPSM=1.
For example, in one embodiment of the present disclosure, where the execution context is run in a combination of machine mode (e.g., including managed machine mode and secure supervisory mode) and user mode, when the value of the second parameter corresponds to the user mode, the user mode is returned after the exception or interrupt is handled; returning to the secure supervisory mode after the exception or interrupt is handled when the value of the second parameter corresponds to the machine mode and the value of the first parameter corresponds to the secure supervisory mode; or returning to the managed machine mode after the exception or interrupt is handled when the value of the second parameter corresponds to the machine mode and the value of the first parameter corresponds to the managed machine mode.
For example, when an interrupt or exception occurs in user mode, the running object execution context is interrupted, and the value of SM indicating the current user mode is first saved into the extended added register, so that the value of MPSM indicates the privilege mode before the interrupt or exception occurred, i.e., the MPSM saved in the extended added register at this time is equal to 0 (the saved value of SM for the current user mode), and the value of MPP is also equal to 0; SM is then rewritten by hardware to 1, the processor switches to the secure supervisory mode and handles the exception or interrupt there, and after the exception or interrupt is handled it executes the MRET instruction and returns to the previous user mode based on MPP=0. That is, when MPP=0, the processor returns to user mode regardless of the value of MPSM.
For example, when an interrupt or exception occurs in user mode and particular code needs to run in the SM=0 machine mode (i.e., the managed machine mode), for instance when an ECALL instruction issuing a system call request is executed in user mode, the processor may first switch to the secure supervisory mode and then switch to the managed machine mode to handle the interrupt or exception; after the exception or interrupt is handled it may execute the MRET instruction and return directly from the managed machine mode to the previous user mode based on MPP=0.
For example, when an interrupt or exception occurs in the managed machine mode, the running object execution context is interrupted, and the value of SM indicating the current managed machine mode is first saved into the extended added register, so that the value of MPSM indicates the privilege mode before the interrupt or exception occurred, i.e., the MPSM saved in the extended added register at this time is equal to 0 (the saved value of SM for the current managed machine mode), and the value of MPP is equal to 3; SM is then rewritten by hardware to 1, the processor switches to the secure supervisory mode and handles the exception or interrupt there, and after the exception or interrupt is handled it executes the MRET instruction and returns to the previous managed machine mode based on MPP=3 and MPSM=0. That is, MPP=3 indicates that the privilege mode before the interrupt was the machine mode, and MPSM=0 further determines that it was the managed machine mode extended from the machine mode. The processor is thus able to return to the managed machine mode based on MPP=3 and MPSM=0.
For example, when an interrupt or exception occurs in the secure supervisory mode, the interrupt or exception is still handled in the secure supervisory mode. For example, when an interrupt or exception occurs in the secure supervisory mode, the running object execution context is interrupted, and the value of SM indicating the current secure supervisory mode is first saved into the extended added register, so that the value of MPSM indicates the privilege mode before the interrupt or exception occurred, i.e., the MPSM saved in the extended added register at this time is equal to 1 (the saved value of SM for the current secure supervisory mode), and the value of MPP is equal to 3; SM is then rewritten by hardware to 1, the processor remains in the secure supervisory mode and handles the exception or interrupt there, and after the exception or interrupt is handled it executes the MRET instruction and returns to the previous secure supervisory mode based on MPP=3 and MPSM=1. That is, MPP=3 indicates that the privilege mode before the interrupt was the machine mode, and MPSM=1 further determines that it was the secure supervisory mode extended from the machine mode. The processor can therefore return to the secure supervisory mode based on MPP=3 and MPSM=1.
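The trap-entry and MRET rules described above (SM, MPSM and MPP, the power-on default, and the ECALL hand-off from the secure supervisory mode to the managed machine mode) can be summarised as a small state machine. The following C model is an added example and not code from the patent or from the assignee; the field names SM, MPSM and MPP follow the text, but the struct layout, the function names, and the way the secure supervisory handler lowers SM to delegate to the managed machine mode (a direct clear of SM) are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Privilege modes of the extended core: machine mode is split into a secure
 * supervisory (SS) sub-mode and a managed machine (MM) sub-mode, with user
 * mode below both. MPP encodings 1 and 2 are not modelled here. */
typedef enum { MODE_USER, MODE_MANAGED_MACHINE, MODE_SECURE_SUPERVISORY } priv_mode_t;

/* CSR state the scheme relies on. Field names follow the page (SM, MPSM,
 * mstatus.MPP); this struct layout is an assumption of the model. */
typedef struct {
    unsigned sm;    /* current sub-mode: 1 = SS, 0 = MM (also 0 while in U-mode) */
    unsigned mpsm;  /* first parameter: value of SM saved at trap entry */
    unsigned mpp;   /* second parameter: mstatus.MPP, 0 = U-mode, 3 = M-mode */
    bool in_user;   /* true while the hart executes in U-mode */
} hart_t;

/* Power-on, reset or restart: the core defaults to secure supervisory mode. */
void hart_reset(hart_t *h) { h->sm = 1; h->mpsm = 1; h->mpp = 3; h->in_user = false; }

priv_mode_t hart_mode(const hart_t *h) {
    if (h->in_user) return MODE_USER;
    return h->sm ? MODE_SECURE_SUPERVISORY : MODE_MANAGED_MACHINE;
}

const char *mode_name(priv_mode_t m) {
    switch (m) {
    case MODE_USER:            return "user";
    case MODE_MANAGED_MACHINE: return "managed machine";
    default:                   return "secure supervisory";
    }
}

/* Trap entry: record the interrupted mode in MPP/MPSM, then hardware forces
 * SM = 1 so the handler always starts in secure supervisory mode. */
void hart_trap(hart_t *h) {
    h->mpsm = h->in_user ? 0 : h->sm;  /* U-mode is recorded as SM = 0 */
    h->mpp  = h->in_user ? 0 : 3;      /* M-mode (either sub-mode) is MPP = 3 */
    h->in_user = false;
    h->sm = 1;
}

/* MRET: MPP = 0 returns to U-mode regardless of MPSM; MPP = 3 returns to the
 * sub-mode recorded in MPSM. In a machine-mode-only configuration MPP is
 * always 3, so MPSM alone decides (the "first parameter" case). */
priv_mode_t hart_mret(hart_t *h) {
    if (h->mpp == 0) { h->in_user = true;  h->sm = 0; }
    else             { h->in_user = false; h->sm = h->mpsm; }
    return hart_mode(h);
}

/* A secure supervisory handler hands an ECALL down to managed machine mode.
 * The page does not say how SS lowers SM; a direct clear is assumed here. */
bool hart_switch_to_managed(hart_t *h) {
    if (hart_mode(h) != MODE_SECURE_SUPERVISORY) return false;
    h->sm = 0;
    return true;
}

/* Usual RISC-V way for machine-level code to start a user task: set MPP = 0
 * and execute MRET. */
priv_mode_t hart_start_user_task(hart_t *h) {
    h->mpp = 0;
    return hart_mret(h);
}

int main(void) {
    hart_t h;
    hart_reset(&h);
    printf("after reset: %s\n", mode_name(hart_mode(&h)));
    hart_start_user_task(&h);
    printf("user task running: %s\n", mode_name(hart_mode(&h)));
    hart_trap(&h);                 /* e.g. ECALL from the user task */
    printf("trap taken in: %s (MPP=%u MPSM=%u)\n", mode_name(hart_mode(&h)), h.mpp, h.mpsm);
    hart_switch_to_managed(&h);    /* delegate the system call to the RTOS in MM */
    printf("handled in: %s\n", mode_name(hart_mode(&h)));
    printf("after MRET: %s\n", mode_name(hart_mret(&h)));
    return 0;
}
```

The property worth checking against such a model is that no path returns to a sub-mode other than the one recorded at trap entry, and that a trap from user mode never resumes in the secure supervisory mode just because MPSM happened to be 1 from an earlier trap: hart_mret consults MPSM only when MPP is 3.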
In at least some embodiments of the present disclosure, extensions are made in the machine mode of the RISC-V architecture, including hardware extensions, for example, to extend the original machine mode into multiple sub-modes with different privilege levels to provide a trusted execution environment, and to provide an isolation mechanism between execution contexts, so as to avoid or reduce security vulnerabilities that interfere with each other, thereby effectively reducing the attack surface and improving the security of the system.
Fig. 4 is a schematic view of authority of a physical memory protection entry in a secure supervision mode according to some embodiments of the present disclosure. Fig. 5 is a schematic view of authority of a physical memory protection entry in a managed machine mode according to some embodiments of the present disclosure.
For example, in RISC-V, PMP (Physical Memory Protection) is used to protect memory of a particular physical address range from modification or reading by unauthorized access. For example, the PMP mechanism may be implemented in a processor and the PMP may be configured by programming in PMP entries. For example, in order to configure a machine mode to set different permissions for memory used in a plurality of execution context operations for memory isolation, an entry corresponding to the machine mode among physical memory protection entries (or referred to as PMP entries) is divided into a plurality of entry groups, which are respectively configured to a plurality of sub-modes having different privileges. For example, in the case where the machine mode includes a secure supervisory mode and a managed machine mode, the entries corresponding to the machine mode among the physical memory protection entries are divided into two entry groups respectively configured to the secure supervisory mode and the managed machine mode having different privileges.
For example, as shown in fig. 4 and 5, a PMP entry is made up of a corresponding pmpcfg register, which configures the mode of operation of the entry in the PMP, and a pmpaddr register, which specifies the protected physical address range. The pmpcfg register may configure the mode of operation of each PMP entry, for example its access rights (read, write and execute rights), its lock bit (denoted L or pmpcfg.L), its address range type, and the like. Whether the current PMP entry is locked is determined by the value of the lock bit L: the current PMP entry cannot be modified when it is locked and may be modified when it is not locked. The address range type may indicate to which privilege mode (e.g., secure supervisor mode or managed machine mode) the address range protected by the current PMP entry applies. In RISC-V, the pmpcfg register may be written using a csrw instruction (e.g., csrw pmpcfg0, value), where value is the value used to configure the pmpcfg register.
For example, the pmpaddr register is used to specify the physical address range of each PMP entry; each pmpaddr register specifies the physical address range of one PMP entry. The pmpaddr register may be written by a csrw instruction (e.g., csrw pmpaddr0, value), where value is the value used to configure the pmpaddr register. The number and bit width of the PMP registers may be set or configured as desired and are not limited by the present disclosure.
For example, where the machine mode includes a first sub-mode (e.g., a secure supervisory mode) and a second sub-mode (e.g., a managed machine mode) that is higher in privilege level than the first sub-mode, the physical memory protection entries are divided into a first entry group and a second entry group, and the first entry group and the second entry group are configured to the first sub-mode and the second sub-mode, respectively.
For example, in at least one example of the present disclosure, a hardware extension may be added to the processor accordingly, e.g., by adding a new register in the processor for storing an entry group boundary value SMB that divides an entry corresponding to the machine mode from among the physical memory protection entries (or PMP entries) into a plurality of entry groups.
For example, as shown in FIGS. 4 and 5, the physical memory protection entries include N entries with index numbers 0 to N-1, and entries 0 to N-1 include the register fields pmpcfg0 to pmpcfgN-1 and pmpaddr0 to pmpaddrN-1, respectively. If the parameter value (or entry group boundary value) SMB stored or set in the newly added register is X, the first entry group is configured to include entries 0 to X, and the second entry group is configured to include entries X+1 to N-1. For example, 0 ≤ X ≤ N-1, and a written or set X value is considered invalid when it is not within this configured numerical range. For example, in some embodiments, the reset value of SMB is N-1. As another example, in at least one example, an existing register in the processor (e.g., the mseccfg register introduced by the ePMP extension in RISC-V) may be reused in place of the newly added register to achieve the same purpose, so long as the original function of the reused register itself is not affected.
For example, as shown in fig. 4 and 5, after the value of SMB is configured, the index number of the accessed entry is compared with the value of SMB to judge which entry group (for example, the first entry group or the second entry group) the currently accessed entry belongs to, and the entry group to which each PMP entry corresponds may be recorded in an additional newly added register or a multiplexed register. For example, the newly added or multiplexed register stores one SML field for each PMP entry, with SML=1 indicating that the entry belongs to the first entry group and SML=0 indicating that the entry belongs to the second entry group.
For example, the newly added register may be a control and status register (Control and Status Register, CSR), that is, a dedicated register used solely to divide the physical memory protection entries of the computer system into multiple entry groups having different access privilege levels. For another example, in at least one example, an existing register in the processor may be multiplexed as the register that divides the physical memory protection entries of the computer system into multiple entry groups having different access privilege levels, so long as the original functionality of the multiplexed register itself is not affected. For example, in at least one example, the ePMP (Extended Physical Memory Protection) extension of RISC-V may be multiplexed: the mseccfg register introduced by the ePMP extension may be given an added SMB field that stores the entry group boundary value, and the value of the SMB field represents the entry group boundary value X.
For example, in at least one example of the present disclosure, a new register may also be added, or an existing register (e.g., the mseccfg register) may be multiplexed, to record whether the SMB field is valid. For simplicity of description, the following takes as an example multiplexing the MML field of the mseccfg register to record whether the SMB field is valid. When the value of MML is equal to 1, the SMB field representing the entry group boundary value defined in the present disclosure is valid and not modifiable; when the value of MML is equal to 0, the SMB field is invalid and changeable, and the entries corresponding to the machine mode among the PMP entries are not divided. For example, SMB can be modified arbitrarily when MML=0 and its value has no effect; once the value of SMB has been set, changing MML to 1 makes the SMB field valid and unchangeable, that is, in the case of MML=1 the entries corresponding to the machine mode in the physical memory protection entries (or PMP entries) may be divided into a plurality of entry groups (for example, a first entry group and a second entry group) according to the value of the SMB field.
It should be noted that, although values of a plurality of parameters are represented by 0 or 1 in the present disclosure to represent different states, the present disclosure is not limited thereto, and parameter values may be set in any size or form as long as different states can be distinguished.
For example, in RISC-V based processors, the PMP (Physical Memory Protection) mechanism specifies how the processor protects memory from unauthorized access. In the PMP mechanism, multiple PMP entries may be set to define different memory regions, and each entry may specify different access rights. In RISC-V, PMP entries are matched in order of increasing index number, with priority decreasing as the index number increases; if a memory access matches a plurality of PMP entries, the processor uses the PMP entry with the smallest index number to determine the access rights.
For example, the matching priority of the address sections corresponding to index numbers 0 to N-1 decreases as the index number increases from 0 to N-1. As shown in fig. 4 and 5, because the group boundary mechanism is set and the PMP entry group dedicated to the secure supervision mode always lies above (at smaller index numbers than) the entry group dedicated to the managed machine mode, the PMP entry group dedicated to the secure supervision mode is guaranteed to always have the higher priority. When different entries are configured for the same address and an access command matches that address, the PMP mechanism specifies that the matching priority of the address intervals decreases with increasing index number, so the PMP entry with the smallest index number has the highest priority; thus when the address to be accessed by an access command matches a plurality of PMP entries corresponding to the same address (e.g., PMP entries corresponding to different privilege levels), the access command is governed by the PMP entry with the highest priority. With this priority configuration, an execution context running in the low privilege mode can be prevented from accessing the dedicated memory of an execution context in the high privilege mode by configuring a dedicated PMP entry covering the same memory space as the dedicated memory of the high privilege mode, thereby improving the safety and reliability of the system.
For example, in at least one example of the present disclosure, when the computer system is in the first sub-mode (secure supervisor mode), read and write operations are allowed on the registers corresponding to the first entry group (dedicated to the secure supervisor mode) and the second entry group (dedicated to the managed machine mode); when the computer system is in the second sub-mode (managed machine mode), read and write operations on the registers corresponding to the second entry group are allowed or not allowed, and read and write operations on the registers corresponding to the first entry group are not allowed.
For example, as shown in fig. 4, when SM=1 the computer system is in the secure supervision mode, in which case read-write operations are allowed on the registers corresponding to the first entry group (SML=1) and the second entry group (SML=0); when SM=0, as shown in fig. 5, the computer system is in the managed machine mode, in which case read-write operations may be allowed on the registers corresponding to the second entry group and are not allowed on the registers corresponding to the first entry group. For another example, in some embodiments of the present disclosure, when SM=0 and the computer system is in the managed machine mode, read-write operations may also be disallowed on the registers corresponding to the second entry group. For example, a new or multiplexed register storing an MMMC field (shown in fig. 6, described below) may be added to control whether the PMP registers with SM=0 and SML=0 can be read and written: when MMMC=0, read-write operations on the SML=0 registers are not allowed in the case of SM=0; when MMMC=1, read and write operations on the SML=0 registers are allowed in the case of SM=0.
For example, in some embodiments of the present disclosure, when the computer system is in the first sub-mode (SM=1), there is no execute permission for the memory corresponding to the second entry group (SML=0); whether there are read-write and execute permissions for the memory corresponding to the first entry group (SML=1) is determined according to the permissions set in the first entry group, and whether there is read-write permission for the memory corresponding to the second entry group (SML=0) is determined according to the permissions set in the second entry group. When the computer system is in the second sub-mode, the memory corresponding to the first entry group has neither read-write nor execute permission, and whether the memory corresponding to the second entry group has read-write and execute permissions is determined according to the permissions set in the second entry group.
For example, when the computer system is in the first sub-mode (SM=1): if entry A in the first entry group sets the memory corresponding to entry A to be readable and writable only by a certain execution context (or a specific set of execution contexts), the other execution contexts have no read/write permission for the memory corresponding to entry A; if entry A sets that memory to be executable only by a certain execution context (or a specific set of execution contexts), the other execution contexts have no execute permission for it; and if entry A sets that memory to be both readable/writable and executable only by a certain execution context (or a specific set of execution contexts), the other execution contexts have neither read/write nor execute permission for it. Likewise, when the computer system is in the first sub-mode (SM=1), if entry B in the second entry group sets the memory corresponding to entry B to be readable and writable only by a certain execution context (or a specific set of execution contexts), the other execution contexts have no read/write permission for the memory corresponding to entry B.
For example, when the computer system is in the second sub-mode: if entry B in the second entry group sets the memory corresponding to entry B to be readable and writable only by a certain execution context (or a specific set of execution contexts), the other execution contexts have no read/write permission for the memory corresponding to entry B; if entry B sets that memory to be executable only by a certain execution context (or a specific set of execution contexts), the other execution contexts have no execute permission for it; and if entry B sets that memory to be both readable/writable and executable only by a certain execution context (or a specific set of execution contexts), the other execution contexts have neither read/write nor execute permission for it.
Fig. 6 is a diagram of permissions for physical memory protection entries provided by some embodiments of the present disclosure.
For example, as shown in fig. 6, when SM=0 and the computer system is in the managed machine mode, if SML=0 (i.e., the accessed physical memory protection entry is an entry dedicated to the managed machine mode) and MMMC=0, the computer system cannot read or write the pmpaddr register and the pmpcfg register of that PMP entry: a read or write of the pmpaddr register by an instruction is regarded as illegal, a read of the pmpcfg register by an instruction always returns 0, and a write of the pmpcfg register by an instruction is always ignored. For another example, when SM=0 and the computer system is in the managed machine mode, if SML=0 (i.e., the accessed physical memory protection entry is an entry dedicated to the managed machine mode) and MMMC=1, the computer system may read and write the pmpaddr register and the pmpcfg register of that PMP entry.
For example, as shown in fig. 6, when SM=0 and the computer system is in the managed machine mode, if SML=1 (i.e., the accessed physical memory protection entry is an entry dedicated to the secure supervision mode), the computer system cannot read or write the pmpaddr register and the pmpcfg register of that PMP entry: a read or write of the pmpaddr register by an instruction is regarded as illegal, a read of the pmpcfg register by an instruction always returns 0, and a write of the pmpcfg register by an instruction is always ignored.
For example, as shown in fig. 6, when SM=1 the computer system is in the secure supervisor mode, and the computer system can read and write the pmpaddr register and the pmpcfg register of the PMP entry whether SML=0 (i.e., the accessed physical memory protection entry is dedicated to the managed machine mode) or SML=1 (i.e., the accessed physical memory protection entry is dedicated to the secure supervisor mode).
Fig. 7 is a diagram illustrating rule changes to physical memory protection entries provided in some embodiments of the present disclosure.
As shown in fig. 7, when the value of MML is equal to 1, the SMB field of the entry packet boundary value is valid and cannot be changed.
For example, in some embodiments of the present disclosure, the value of L corresponding to each entry in the pmpcfg register is handled as follows. When the computer system is in the first sub-mode, the rules of the first entry group are processed according to the current actual locking mechanism of the computer system, that is, each entry in the first entry group is in the locked or unlocked state that the true meaning of its L value indicates: L=1 in the current entry indicates that the entry is locked and cannot be modified, and L=0 indicates that the entry is not locked and can be modified. Also when the computer system is in the first sub-mode, the second entry group is regarded as unlocked regardless of the value of L, the rules in the second entry group can be modified at will, whether read-write operations on the memory addresses corresponding to the second entry group are permitted is determined according to the permissions set in the second entry group (that is, the original read-write permission is retained, denoted "RW enhanced"), and execute operations on the memory addresses corresponding to the second entry group are not permitted (denoted "X modified"). When the computer system is in the second sub-mode, the first entry group is regarded as locked regardless of the value of L, and the rules in the first entry group are not modified (neither read-write operations nor execute operations are performed on the first entry group). Also when the computer system is in the second sub-mode, the rules in the second entry group are processed according to the current actual locking mechanism of the computer system, that is, the entry is locked and cannot be modified when L=1 in the current entry, and the entry is not locked and can be modified when L=0 in the current entry.
For example, as shown in fig. 7, when the value of MML is equal to 0, the SMB field holding the entry group boundary value is invalid and can be changed at will; at this time the value of SMB does not act on the PMP entries, and although the value of SMB can be set, the entries corresponding to the machine mode among the PMP entries are not actually divided according to it. For example, the execution context running in the machine mode may first set the value of SMB with MML=0, so that the dedicated entry groups are configured but the set SMB value is not yet in effect, and then change the value of MML to 1 so that the set SMB value takes effect and can no longer be changed; at that point the entries corresponding to the machine mode in the physical memory protection entries (or PMP entries) may be divided into a plurality of entry groups (e.g., a first entry group and a second entry group) according to the value of SMB. For example, when MML=0, the lock state (i.e., the value of L) of each PMP entry corresponding to the machine mode is processed according to the current actual locking mechanism of the computer system, that is, the entry is locked and not modifiable when L=1 in the current entry, and is not locked and modifiable when L=0 in the current entry.
For example, in some embodiments of the present disclosure, processing is performed by a blacklist mechanism or a whitelist mechanism in response to address intervals for which the current execution context does not match in the physical memory protection entry, regardless of the mode in which the current execution context is in. For example, under a blacklist mechanism, an execution context running in a first sub-mode may access an address space that is not covered by a physical memory protection entry; under the whitelist mechanism, the execution context running in the first sub-mode may not access the address space not covered by the physical memory protection entry.
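A software model of the PMP entry grouping, the CSR access rules of fig. 6, the lock handling of fig. 7, the lowest-index matching priority and the blacklist/whitelist fallback described from fig. 4 onward, added here as an illustration and not part of the patent or of any RISC-V implementation; the struct layout, the function names, the direct [lo, hi) range representation in place of the pmpaddr encodings, and the sample entries are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define N_ENTRIES 8u           /* constructed: N PMP entries with indices 0..N-1 */

/* pmpcfg permission and lock bits, laid out as in the RISC-V privileged spec. */
#define PMP_R 0x01u
#define PMP_W 0x02u
#define PMP_X 0x04u
#define PMP_L 0x80u

/* The protected range is kept directly as [lo, hi); the real pmpaddr/A-field
 * encodings (TOR, NA4, NAPOT) are abstracted away in this model. */
struct pmp_entry { uint8_t cfg; uint64_t lo, hi; };

struct machine {
    int sm;          /* SM: 1 = secure supervisory mode, 0 = managed machine mode */
    int mml;         /* MML: 1 = SMB valid and frozen, grouping in effect */
    int mmmc;        /* MMMC: 1 = managed mode may access its own group's PMP CSRs */
    int whitelist;   /* 1 = addresses covered by no entry are denied */
    unsigned smb;    /* SMB: boundary X, entries 0..X form the first group */
    struct pmp_entry pmp[N_ENTRIES];
};

/* SML of an entry: 1 = first group (secure supervisory), 0 = second group (managed). */
static int pmp_sml(const struct machine *m, unsigned idx) {
    return idx <= m->smb ? 1 : 0;
}

/* Writing SMB is rejected while MML=1 (frozen) or when X lies outside 0..N-1. */
static bool set_smb(struct machine *m, unsigned x) {
    if (m->mml || x > N_ENTRIES - 1) return false;
    m->smb = x;
    return true;
}

/* Fig. 6: may the current sub-mode read/write the CSRs of entry idx?
 * Assumption: with MML=0 no grouping exists, so machine mode is unrestricted. */
static bool csr_access_allowed(const struct machine *m, unsigned idx) {
    if (!m->mml || m->sm == 1) return true;
    return pmp_sml(m, idx) == 0 && m->mmmc == 1;
}

/* Fig. 7: effective lock state. SM=1 treats the second group as unlocked, SM=0
 * treats the first group as locked; otherwise (and when MML=0) the L bit decides. */
static bool entry_locked(const struct machine *m, unsigned idx) {
    bool l_bit = (m->pmp[idx].cfg & PMP_L) != 0;
    if (!m->mml) return l_bit;
    if (m->sm == 1) return pmp_sml(m, idx) == 1 ? l_bit : false;
    return pmp_sml(m, idx) == 1 ? true : l_bit;
}

/* Reading pmpcfg returns 0 when the CSR is inaccessible from the current sub-mode. */
static uint8_t pmpcfg_read(const struct machine *m, unsigned idx) {
    return csr_access_allowed(m, idx) ? m->pmp[idx].cfg : 0;
}

/* Writing pmpcfg is ignored (returns false) when inaccessible or effectively locked. */
static bool pmpcfg_write(struct machine *m, unsigned idx, uint8_t val) {
    if (!csr_access_allowed(m, idx) || entry_locked(m, idx)) return false;
    m->pmp[idx].cfg = val;
    return true;
}

/* Effective R/W/X permission of the memory behind entry idx in the current sub-mode:
 * SM=1: first group per cfg, second group R/W per cfg but never X;
 * SM=0: first group nothing, second group per cfg; MML=0: per cfg. */
static uint8_t effective_perm(const struct machine *m, unsigned idx) {
    uint8_t p = m->pmp[idx].cfg & (PMP_R | PMP_W | PMP_X);
    if (!m->mml) return p;
    if (m->sm == 1) return pmp_sml(m, idx) == 1 ? p : (uint8_t)(p & ~PMP_X);
    return pmp_sml(m, idx) == 1 ? 0 : p;
}

/* Access check: the lowest-index matching entry decides; an address matched by no
 * entry falls through to the blacklist/whitelist policy. want is a PMP_R/W/X mask. */
static bool pmp_check(const struct machine *m, uint64_t addr, uint8_t want) {
    for (unsigned i = 0; i < N_ENTRIES; i++) {
        const struct pmp_entry *e = &m->pmp[i];
        if (e->hi == 0) continue;                  /* unused entry in this model */
        if (addr >= e->lo && addr < e->hi)
            return (effective_perm(m, i) & want) == want;
    }
    return !m->whitelist;
}

/* Constructed scenario: SMB=3 splits entries 0..3 / 4..7. The secure supervisor
 * locks 64 KiB for itself in entry 0; entry 4 gives managed mode a wider range
 * that overlaps it, which entry 0 shadows because it has the smaller index. */
static struct machine demo_machine(void) {
    struct machine m;
    memset(&m, 0, sizeof m);
    m.whitelist = 1;
    set_smb(&m, 3);
    m.mml = 1;                                     /* freeze the boundary */
    m.pmp[0] = (struct pmp_entry){ PMP_R | PMP_W | PMP_X | PMP_L, 0x80000000u, 0x80010000u };
    m.pmp[4] = (struct pmp_entry){ PMP_R | PMP_W | PMP_X, 0x80000000u, 0x90000000u };
    return m;
}
```

In the scenario, managed mode is denied access inside the 64 KiB window even though its own entry 4 covers it, because entry 0 matches first and grants managed mode nothing.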
In the above embodiment of the present disclosure, a memory protection mechanism (for example, PMP) is further extended in a machine mode of RISC-V architecture, and a hardware mechanism is provided to ensure isolation of different execution contexts from physical memory, so as to avoid or reduce security vulnerabilities that mutually interfere with each other, and improve security of a system.
As shown in fig. 8, some embodiments of the present disclosure also provide a processor 100, the processor 100 including a processor core 110 and an isolation unit 120.
For example, in one embodiment of the present disclosure, the processor core 110 of the processor 100 may be based on an instruction set architecture such as RISC-V, X86 or Arm, correspondingly supporting the RISC-V instruction set, the X86 instruction set, the Arm instruction set, etc.; the present disclosure does not particularly limit which architecture the processor 100 is based on, and the computer system runs on the processor 100. For the computer system running on the processor core 110, the isolation unit 120 is configured to: allow a plurality of execution contexts to run in the machine mode of the computer system; and configure the machine mode to set different permissions for the memory used in running the plurality of execution contexts, so as to perform memory isolation.
In at least one embodiment of the present disclosure, the processor core 110 may be a single-threaded processor or a multi-threaded processor, a scalar processor or a superscalar processor, etc.; the processor 100 may also include one or more levels of cache and may further include a memory management unit or the like. Embodiments of the present disclosure are not limited as to the other components or composition of the processor.
For example, the functions and method steps that may be implemented by the processor 100 may be referred to any of the functions and method steps described above with reference to fig. 1 to 7, which are not described in detail herein.
The above embodiments of the present disclosure provide a processor, which further expands a memory protection mechanism (e.g., PMP) in a machine mode of a RISC-V architecture, and provides a hardware mechanism to ensure isolation of physical memory by different execution contexts, thereby avoiding or reducing security vulnerabilities that mutually interfere with each other, and improving security of a system.
Some embodiments of the present disclosure also provide an electronic device. Fig. 9 is a schematic diagram of an electronic device provided in some embodiments of the present disclosure.
As shown in fig. 9, an electronic device 500 according to an embodiment of the present disclosure includes a processor 501 and a memory 502, the processor 501 and the memory 502 being interconnected by a bus 503. For example, the processor 501 shown in fig. 9 may be the processor 100 shown in fig. 8.
The processor 501 may perform various actions and processes in accordance with programs or code stored in the memory 502. In particular, the processor 501 may be an integrated circuit chip with signal processing capabilities. For example, the processor 501 may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or perform the various methods and steps disclosed in embodiments of the present disclosure. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like, and may be of the X86 architecture or the ARM architecture or the like.
Memory 502 is used for non-transitory storage of computer-executable instructions and processor 501 is used for execution of computer-executable instructions. The computer-executable instructions, when executed by the processor 501, implement the method of operation provided by at least one embodiment of the present disclosure.
For example, the memory 502 may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. Volatile memory can be random access memory (RAM), which acts as external cache memory. By way of example, and not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM), and direct memory bus random access memory (DRRAM). It should be noted that the memory of the methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
Embodiments of the present disclosure also provide a non-transitory storage medium, which may be a non-transitory computer-readable storage medium. The non-transitory storage medium is used to non-transitory store computer-executable instructions that, when executed by a computer, implement the methods of operation provided by at least some embodiments of the present disclosure.
Fig. 10 is a schematic diagram of a non-transitory storage medium provided by some embodiments of the present disclosure. As shown in fig. 10, the non-transitory storage medium 600 may non-transitory store computer-executable instructions 610, which when executed by a computer, the computer-executable instructions 610 implement the methods of operation provided by any of the embodiments of the present disclosure.
Similarly, the non-transitory storage medium in embodiments of the present disclosure may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. It should be noted that the memory of the methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
Embodiments of the present disclosure also provide a computer program product or computer program comprising computer instructions stored in a non-transitory storage medium. A processor of a computer device reads the computer instructions from a non-transitory storage medium, the processor executing the computer instructions, causing the computer device to perform a method of operation provided in accordance with at least one embodiment of the present disclosure.
The technical effects of the electronic device and the non-transitory storage medium are the same as those of the operation method, and are not described here again.
It is noted that the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises at least one executable instruction for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In general, the various example embodiments of the disclosure may be implemented in hardware or special purpose circuits, software, firmware, logic, or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While aspects of the embodiments of the present disclosure are illustrated or described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that the blocks, apparatus, systems, techniques or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
For the purposes of this disclosure, the following points are also noted:
(1) The drawings of the embodiments of the present disclosure relate only to the structures related to the embodiments of the present disclosure, and other structures may refer to the general design.
(2) In the drawings for describing embodiments of the present disclosure, thicknesses and dimensions of layers or structures are exaggerated for clarity. It will be understood that when an element such as a layer, film, region or substrate is referred to as being "on" or "under" another element, it can be "directly on" or "under" the other element or intervening elements may be present.
(3) The embodiments of the present disclosure and features in the embodiments may be combined with each other to arrive at a new embodiment without conflict.
The foregoing is merely a specific embodiment of the disclosure, but the scope of the disclosure is not limited thereto and should be determined by the scope of the claims.

Claims (13)

1. A method of operation of a computer system, comprising:
allowing a plurality of execution contexts to run in a machine mode of the computer system; and
the machine mode is configured to set different permissions for memory used in running the plurality of execution contexts for memory isolation.
2. The method of operation of claim 1, wherein the machine mode comprises a plurality of sub-modes having different privileges, at least one of the plurality of execution contexts operating in at least one of the plurality of sub-modes, at least another of the plurality of execution contexts operating in at least another of the plurality of sub-modes.
3. The method of operation of claim 2, wherein configuring the machine mode to set different permissions for memory used in running the plurality of execution contexts for memory isolation comprises:
dividing the entries corresponding to the machine mode among the physical memory protection entries into a plurality of entry groups, the plurality of entry groups being respectively configured for the plurality of sub-modes having different privileges.
4. The method of operation of claim 3 wherein the machine mode comprises a first sub-mode and a second sub-mode having a higher privilege level than the first sub-mode,
dividing the physical memory protection entries into a plurality of entry groups, the plurality of entry groups being respectively configured for a plurality of sub-modes having different privileges, comprises:
dividing the physical memory protection entries into a first entry group and a second entry group, the first entry group and the second entry group being respectively configured for the first sub-mode and the second sub-mode.
5. The method of operation of claim 4, wherein the physical memory protection entries comprise N entries having index numbers 0 to N-1, the method of operation further comprising:
setting a parameter X, configuring the first entry group to comprise entries 0 to X, and configuring the second entry group to comprise entries X+1 to N-1,
wherein 0 ≤ X ≤ N-1, and the matching priority of the address intervals corresponding to index numbers 0 to N-1 decreases in order of increasing index number.
6. The method of operation of claim 4, further comprising:
allowing read-write operations to be performed on the registers corresponding to the first entry group and the second entry group when the computer system is in the first sub-mode; and
when the computer system is in the second sub-mode, allowing or disallowing read-write operations on the registers corresponding to the second entry group, and disallowing read-write operations on the registers corresponding to the first entry group.
7. The method of operation of claim 4, further comprising:
when the computer system is in the first sub-mode, determining whether the memory corresponding to the first entry group has read-write permission and execution permission according to the permissions set in the first entry group, and determining whether the memory corresponding to the second entry group has read-write permission according to the permissions set in the second entry group; and
when the computer system is in the second sub-mode, granting neither read-write permission nor execution permission to the memory corresponding to the first entry group, and determining whether the memory corresponding to the second entry group has read-write permission and execution permission according to the permissions set in the second entry group.
8. The method of operation of claim 4, further comprising:
when the computer system is in the first sub-mode, processing the rules of the first entry group according to the current actual locking mechanism of the computer system;
when the computer system is in the first sub-mode, treating the second entry group as unlocked, so that the rules in the second entry group may be modified arbitrarily;
when the computer system is in the second sub-mode, treating the first entry group as locked, so that the rules in the first entry group cannot be modified; and
when the computer system is in the second sub-mode, processing the rules of the second entry group according to the current actual locking mechanism of the computer system.
9. The method of operation of claim 4, further comprising:
in response to the address accessed by the current execution context matching no address interval in the physical memory protection entries, regardless of the sub-mode the current execution context is in, handling the access by either a blacklist mechanism or a whitelist mechanism,
wherein under the blacklist mechanism, an execution context running in the first sub-mode may access address space not covered by the physical memory protection entries, and under the whitelist mechanism, an execution context running in the first sub-mode may not access address space not covered by the physical memory protection entries.
10. The method of operation of any of claims 1-9, wherein the computer system is based on a RISC-V instruction set.
11. A processor, comprising:
a processor core;
an isolation unit configured to: allow a plurality of execution contexts to run in a machine mode of a computer system, and configure the machine mode to set different permissions for memory used in running the plurality of execution contexts for memory isolation.
12. An electronic device, comprising:
a memory configured to store computer-executable instructions; and
a processor configured to execute the computer-executable instructions,
wherein the computer-executable instructions, when executed by the processor, implement the method according to any one of claims 1-10.
13. A non-transitory storage medium storing non-transitory computer-executable instructions, wherein the computer-executable instructions, when executed by a processor, implement the method of any one of claims 1-10.
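The access-check and register-write rules of claims 5 to 9, as an added reference model that is not part of the patent and not the applicant's code. `PmpEntry`, `PartitionedPmp`, the sub-mode constants `FIRST`/`SECOND` and the sample entries are hypothetical; the model follows the claims as written (first sub-mode may touch both entry groups, second sub-mode only the second group), and the one point the claims leave open, execute permission on second-group memory from the first sub-mode, is modelled as denied and marked as such.

```python
from dataclasses import dataclass
from typing import List, Optional
FIRST, SECOND = 1, 2  # the two machine-mode sub-modes of claim 4 (hypothetical names)

@dataclass
class PmpEntry:           # hypothetical model of one physical memory protection entry
    lo: int               # inclusive start of the address interval
    hi: int               # exclusive end of the address interval
    r: bool
    w: bool
    x: bool
    locked: bool = False  # the entry's lock bit (the "actual locking mechanism" of claim 8)

class PartitionedPmp:
    def __init__(self, entries: List[PmpEntry], x: int, whitelist: bool):
        assert 0 <= x <= len(entries) - 1, "claim 5 requires 0 <= X <= N-1"
        self.entries, self.x, self.whitelist = entries, x, whitelist

    def group_of(self, idx: int) -> int:
        # claim 5: entries 0..X form the first group, X+1..N-1 the second
        return FIRST if idx <= self.x else SECOND

    def match(self, addr: int) -> Optional[int]:
        # claim 5: priority decreases with index, so the first hit in ascending order wins
        for i, e in enumerate(self.entries):
            if e.lo <= addr < e.hi:
                return i
        return None

    def access_ok(self, mode: int, addr: int, kind: str) -> bool:
        # kind is "r", "w" or "x"; returns whether the access is permitted
        i = self.match(addr)
        if i is None:
            # claim 9: no matching interval -> blacklist allows, whitelist denies
            return not self.whitelist
        e, grp = self.entries[i], self.group_of(i)
        if mode == FIRST:
            if grp == FIRST:  # claim 7: R/W/X taken from the entry's own bits
                return {"r": e.r, "w": e.w, "x": e.x}[kind]
            # claim 7 grants only R/W here; execute modelled as denied (assumption)
            return {"r": e.r, "w": e.w, "x": False}[kind]
        if grp == FIRST:      # claim 7: the second sub-mode gets no permission at all
            return False
        return {"r": e.r, "w": e.w, "x": e.x}[kind]

    def csr_writable(self, mode: int, idx: int) -> bool:
        # claims 6 and 8: which entry registers the current sub-mode may modify
        e, grp = self.entries[idx], self.group_of(idx)
        if mode == FIRST:
            return (not e.locked) if grp == FIRST else True  # second group treated as unlocked
        return False if grp == FIRST else not e.locked       # first group treated as locked
```

With X = 0 the first group is entry 0 alone and the remaining entries form the second group; overlapping intervals resolve to the lowest index, as the priority rule of claim 5 requires.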

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310442557.XA CN116415309A (en) 2023-04-23 2023-04-23 Method for operating computer system, processor, electronic device, and storage medium
Publications (1)

Publication Number Publication Date
CN116415309A true CN116415309A (en) 2023-07-11

Family

ID=87049448
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination