WO2018058566A1 - Extended memory for SMM transfer monitor - Google Patents

Extended memory for SMM transfer monitor

Info

Publication number
WO2018058566A1
Authority
WO
WIPO (PCT)
Prior art keywords
page
memory
encrypted
smm
stm
Prior art date
Application number
PCT/CN2016/101183
Other languages
English (en)
Inventor
Jiewen Jacques YAO
Vincent J. Zimmer
Original Assignee
Intel Corporation
Application filed by Intel Corporation
Priority to CN201680088855.1A (CN109937407B)
Priority to DE112016007289.9T (DE112016007289T5)
Priority to PCT/CN2016/101183 (WO2018058566A1)
Publication of WO2018058566A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1408 Protection against unauthorised use of memory or access to memory by using cryptography
    • G06F12/02 Addressing or allocation; Relocation
    • G06F12/08 Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
    • G06F12/0802 Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
    • G06F12/0866 Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches for peripheral storage systems, e.g. disk cache
    • G06F12/0868 Data transfer between cache memory and other subsystems, e.g. storage devices or host systems
    • G06F12/10 Address translation
    • G06F12/1009 Address translation using page tables, e.g. page table structures
    • G06F2212/00 Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/10 Providing a specific technical effect
    • G06F2212/1032 Reliability improvement, data loss prevention, degraded operation etc
    • G06F2212/1052 Security improvement

Definitions

  • Embodiments described herein generally relate to information processing and security, more particularly, to extending the memory available for use by a system management mode (SMM) transfer monitor (STM) of a computer system.
  • SMM system management mode
  • STM SMM transfer monitor
  • system management mode refers to an operating mode of x86-family central processor units (CPUs) in which all normal execution, including the operating system (OS), is suspended based on the occurrence of a system mode interrupt (SMI) and special system software is executed with special privileges (such as access to all system memories).
  • SMM may be used to handle system-wide functions like power management, hardware control, OS validation, cryptography, or proprietary original equipment manufacturer (OEM)-designed code.
  • SMM is generally used only by system firmware, not by generic applications or even general-purpose system software. In this way, the SMM is able to offer an isolated computing environment that operates independently of the operating system, any hypervisors (HVs), or any other application software.
  • HVs hypervisors
  • the SMM may be used as an attack vector for malware, such as rootkits.
  • Although the executable code in the SMM may be firmware-based and error-free, a variety of techniques for tampering with the operation of the SMM have been reported. For instance, data objects (such as variables, parameter values, function calls, etc.) may be passed to the SMM by the OS, and these data objects may be exploited to gain access to the SMM’s special privilege level.
  • SMM operates outside the reach of anti-malware programs that are installed on and under the control of the operating system.
  • VT Virtual Technology
  • VT defines a primary monitor mode wherein a virtual machine monitor (VMM) or HV is able to de-privilege guest OSs.
  • VMM virtual machine monitor
  • SMM may initiate, based on detecting an SMI, with the current state of the processor being saved and all other processes being stopped. High privilege operations may then be performed, such as, for example, debugging, hardware management, security functions, emulation, etc., followed by the computing device resuming operation based on the saved state.
  • the VMM or HV may themselves require monitoring since there is no assurance that these high privilege programs will not be used for nefarious operations.
  • peer monitoring by a program in the normal execution environment may be difficult or even impossible since the VMM or HV maintain a highest privilege in the computing system.
  • SMRAM system management RAM
  • the SMRAM may be used to maintain the STM.
  • the STM is loaded into a portion of the top segment of SMRAM referred to as the monitor segment, or MSEG, which is set aside for use by the STM.
  • FIG. 1 is a high-level block diagram illustrating a basic relationship between operating modes of a central processing unit (CPU) according to embodiments described herein.
  • CPU central processing unit
  • FIG. 2 is a block diagram illustrating a computer system in the example form of a general-purpose machine.
  • FIG. 3 is a diagram illustrating an exemplary hardware and software architecture of a computing device such as the one depicted in FIG. 2, in which various interfaces between hardware components and software components are shown.
  • FIG. 4 is a block diagram illustrating processing devices according to some embodiments.
  • FIG. 5 is a block diagram illustrating an example MSEG portion of SMRAM reserved for the STM according to a standard implementation.
  • FIG. 6 is a block diagram illustrating an MSEG and an EMSEG virtual memory, according to certain embodiments.
  • FIG. 7 is a block diagram illustrating a physical memory page (P-MSEG) in the MSEG, virtual memory pages (V-EMSEG) in the EMSEG and storage memory pages (S-EMSEG) in external storage, according to certain embodiments.
  • P-MSEG physical memory page
  • V-EMSEG virtual memory pages
  • S-EMSEG storage memory pages
  • FIG. 8 is a flow diagram illustrating a method for initializing the EMSEG and allocating a page swap file in the external storage, according to certain embodiments.
  • FIG. 9 is a flow diagram illustrating a method for allocating pages of V-EMSEG to an STM process, according to certain embodiments.
  • FIG. 10 is a flow diagram illustrating a method for extending the memory available for use by the STM, according to certain embodiments.
  • FIG. 11 is a flow diagram illustrating a method for reclaiming the set of virtual memory pages allocated to the STM, according to certain embodiments.
  • FIG. 12 is a block diagram illustrating the P-MSEG page in the MSEG, V-EMSEG pages in EMSEG, S-EMSEG pages in external storage, and a communication buffer between the MSEG and the external storage, according to certain embodiments.
  • FIG. 13 is a flow diagram illustrating a method for extending the memory available for use by an STM with the aid of a VMM, according to certain embodiments.
  • aspects of the embodiments are directed to extending the memory (e.g., MSEG in SMRAM) available for use by a system management mode (SMM) transfer monitor (STM) of a computer system.
  • the computer system may be one physical machine, or may be distributed among multiple physical machines, such as by role or function, or by process thread in the case of a cloud computing distributed model.
  • certain operations may run in virtual machines that in turn are executed on one or more physical machines. It will be understood by persons of skill in the art that features of the invention may be realized by a variety of different suitable machine implementations.
  • the SMRAM that is accessible during the SMM often has size limitations.
  • a typical memory configuration for STM only provides for 2 MB or 3 MB for use as the MSEG. This may be insufficient since the STM needs to construct a full system execution environment, like a stack for each processor, a virtual machine control structure (VMCS) for each processor, an external page table (EPT) for an SMM guest, an extended page table (EPT) for an SMM guest, a page table for itself, an area to record protected resources, an area to record the BIOS resource, the STM kernel itself, etc.
  • VMCS virtual machine control structure
  • EPT external page table
  • EPT extended page table
  • FIG. 1 is a high-level block diagram illustrating a basic relationship between operating modes of a central processing unit (CPU) according to embodiments described herein.
  • there are two operating modes: normal mode 102 and SMM 104. There may be additional operating modes for the CPU, and a practical computer system may support many additional operations, but for the sake of clarity only the two modes of interest are detailed.
  • the CPU executes the code of a hypervisor (e.g., a virtual machine monitor) when the computer system is configured to run virtual machines.
  • the computer system may execute one or more operating systems, including a variety of device and system drivers, and application programs.
  • SMM 104 is reserved for the execution of specialized firmware that may access the secure SMRAM, typically for the purpose of configuring the computer system, checking the integrity of software to be executed in normal mode 102, and various other purposes.
  • SMM 104 may be compromised, and therefore embodiments of a more robust configuration for STM that may provide more memory for use as the MSEG are described herein.
  • the CPU may transition from normal mode 102 to SMM 104.
  • the SMM 104 may be called by a program, such as a system driver, or some other portion of an operating system (e.g., a VMM via a VMCALL), for instance, running in normal mode 102.
  • the CPU may also transition from SMM 104 to normal mode 102 based on a call from an SMM process, such as a system control interrupt (SCI) from the STM.
  • SCI system control interrupt
  • the calls to transition from normal mode 102 to SMM 104 and vice versa may be accompanied by a passing of some data 108, e.g., code, variables, parameters, and the like as described below.
  • FIG. 2 is a block diagram illustrating a computer system in the example form of a general-purpose machine.
  • programming of the computer system 200 according to one or more particular algorithms produces a special-purpose machine upon execution of that programming.
  • the computer system 200 may operate in the capacity of either a server or a client machine in server-client network environments, or it may act as a peer machine in peer-to-peer (or distributed) network environments.
  • the computer system 200 may take any suitable form factor, such as a personal computer (PC) workstation, a server (whether rack-mounted or stand-alone), a mainframe computer, a cluster computing system or the like, a set-top box, or a mobile or portable computing system such as a laptop/notebook PC, an onboard vehicle system, a wearable device, a tablet PC, a hybrid tablet, a personal digital assistant (PDA) or a mobile telephone, or, more generally, any machine capable of executing instructions (sequential or otherwise) that specify actions to be taken by that machine.
  • Example computer system 200 includes at least one processor 202 (e.g., a central processing unit (CPU), a graphics processing unit (GPU) or both, processor cores, compute nodes, etc.), a main memory 204 and a static memory 206, which communicate with each other via a link 208 (e.g., bus).
  • the computer system 200 may further include a video display unit 210, an alphanumeric input device 212 (e.g., a keyboard), and a user interface (UI) navigation device 214 (e.g., a mouse).
  • the video display unit 210, input device 212 and UI navigation device 214 are incorporated into a touch screen display.
  • the computer system 200 may additionally include a storage device 216 (e.g., a drive unit), a signal generation device 218 (e.g., a speaker), a network interface device (NID) 220, and one or more sensors (not shown), such as a global positioning system (GPS) sensor, compass, accelerometer, or other sensor.
  • the storage device 216 includes a machine-readable medium 222 on which is stored one or more sets of data structures and instructions 224 (e.g., software) embodying or utilized by any one or more of the methodologies or functions described herein.
  • the instructions 224 may also reside, completely or at least partially, within the main memory 204, static memory 206, and/or within the processor 202 during execution thereof by the computer system 200, with the main memory 204, static memory 206, and the processor 202 also constituting machine-readable media.
  • While the machine-readable medium 222 is illustrated in an example embodiment to be a single medium, the term “machine-readable medium” may include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more instructions 224.
  • the term “machine-readable medium” shall also be taken to include any tangible medium that is capable of storing, encoding or carrying instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present disclosure or that is capable of storing, encoding or carrying data structures utilized by or associated with such instructions.
  • the term “machine-readable medium” shall accordingly be taken to include, but not be limited to, solid-state memories, and optical and magnetic media.
  • machine-readable media include non-volatile memory, including but not limited to, by way of example, semiconductor memory devices (e.g., electrically programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM)) and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
  • NID 220 may take any suitable form factor.
  • NID 220 is in the form of a network interface card (NIC) that interfaces with processor 202 via link 208.
  • link 208 includes a PCI Express (PCIe) bus, including a slot into which the NIC form-factor may engage.
  • NID 220 is a network interface circuit laid out on a motherboard together with local link circuitry, processor interface circuitry, other input/output circuitry, memory circuitry, storage device and peripheral controller circuitry, and the like.
  • NID 220 is a peripheral that interfaces with link 208 via a peripheral input/output port such as a universal serial bus (USB) port.
  • NID 220 transmits and receives data over transmission medium 226, which may be wired or wireless (e.g., radio frequency, infra-red or visible light spectra, etc.), fiber optics, or the like.
  • FIG. 3 is a diagram illustrating an exemplary hardware and software architecture of a computing device such as the one depicted in FIG. 2, in which various interfaces between hardware components and software components are shown. As indicated by HW, hardware components are represented below the divider line, whereas software components denoted by SW reside above the divider line.
  • processing devices 302, which may include one or more microprocessors, digital signal processors, etc., each having one or more processor cores, are interfaced with memory management device 304 and system interconnect 306.
  • Memory management device 304 provides mappings between virtual memory used by processes being executed, and the physical memory. Memory management device 304 may be an integral part of a central processing unit which also includes the processing devices 302.
  • Interconnect 306 includes a backplane such as memory, data, and control lines, as well as the interface with input/output devices, e.g., PCI, USB, etc.
  • Memory 308 (e.g., dynamic random access memory, DRAM) and non-volatile memory 309 such as flash memory (e.g., electrically-erasable read-only memory (EEPROM), NAND Flash, NOR Flash, etc.) are interfaced with memory management device 304 and interconnect 306 via memory controller 310.
  • This architecture may support direct memory access (DMA) by peripherals in some embodiments.
  • DMA direct memory access
  • I/O devices including video and audio adapters, non-volatile storage, external peripheral links such as USB, Bluetooth, etc., as well as network interface devices such as those communicating via Wi-Fi or LTE-family interfaces, are collectively represented as I/O devices and networking 312, which interface with interconnect 306 via corresponding I/O controllers 314.
  • pre-OS pre-operating system
  • BIOS basic input/output system
  • UEFI unified extensible firmware interface
  • System management mode represents code executed in a special-purpose operating mode of processing devices 302 that is provided for handling system-wide functions like power management, system hardware control, or proprietary OEM designed code.
  • SMM is intended for use by system firmware, not by applications software or general-purpose systems software, though SMM may be called by a system management interrupt (SMI) initiated by the software stack.
  • SMM provides a distinct and isolated processor environment that operates transparently to the operating system or executive and software applications.
  • Processing devices 302 execute the SMM code in a separate address space (e.g. SMRAM) that is inaccessible to other operating modes of the processing devices 302.
  • Operating system (OS) 318 provides a kernel that controls the hardware devices, manages memory access for programs in memory, coordinates tasks and facilitates multi-tasking, organizes data to be stored, assigns memory space and other resources, loads program binary code into memory, initiates execution of the application program which then interacts with the user and with hardware devices, and detects and responds to various defined interrupts. Also, operating system 318 provides device drivers, and a variety of common services such as those that facilitate interfacing with peripherals and networking, that provide abstraction for application programs so that the applications do not need to be responsible for handling the details of such common operations. Operating system 318 additionally provides a graphical user interface (GUI) that facilitates interaction with the user via peripheral devices such as a monitor, keyboard, mouse, microphone, video camera, touchscreen, and the like.
  • GUI graphical user interface
  • Runtime system 320 implements portions of an execution model, including such operations as putting parameters onto the stack before a function call, the behavior of disk input/output (I/O) , and parallel execution-related behaviors. Runtime system 320 may also perform support services such as type checking, debugging, or code generation and optimization.
  • Libraries 322 include collections of program functions that provide further abstraction for application programs. These include shared libraries and dynamic linked libraries (DLLs), for example. Libraries 322 may be integral to the operating system 318, runtime system 320, or may be added-on features, or even remotely-hosted. Libraries 322 define an application program interface (API) through which a variety of function calls may be made by application programs 324 to invoke the services provided by the operating system 318. Application programs 324 are those programs that perform useful tasks for users, beyond the tasks performed by lower-level system programs that coordinate the basic operability of the computing device itself.
  • API application program interface
  • FIG. 4 is a block diagram illustrating an example of processing devices 302 according to some embodiments.
  • CPU 410 may contain one or more processing cores 412. As an illustrative example, CPU 410 may be an x86-type of processor.
  • Processing devices 302 may also include a graphics processing unit (GPU) 414.
  • GPU 414 may be a specialized co-processor that offloads certain computationally-intensive operations, particularly those associated with graphics rendering, from CPU 410.
  • CPU 410 and GPU 414 generally work collaboratively, sharing access to memory resources, I/O channels, etc.
  • Processing devices 302 also include caretaker processor 416.
  • Caretaker processor 416 generally does not participate in the processing work to carry out software code as CPU 410 and GPU 414 do. In some embodiments, caretaker processor 416 does not share memory space with CPU 410 and GPU 414, and is therefore not arranged to execute operating system or application programs. Instead, caretaker processor 416 may execute dedicated firmware that supports the technical workings of CPU 410, GPU 414, and other components of the computer system. In some embodiments, caretaker processor is implemented as a microcontroller device, which may be physically present on the same integrated circuit die as CPU 410, or may be present on a distinct integrated circuit die. Caretaker processor 416 may also include a dedicated set of I/O facilities to enable it to communicate with external entities.
  • caretaker processor 416 is implemented using a manageability engine (ME) or platform security processor (PSP).
  • ME manageability engine
  • PSP platform security processor
  • the hardware, software, and other components illustrated in FIGS. 2-4 may be configured, temporarily or permanently, to perform the operations of the methods described herein.
  • FIG. 5 is a block diagram illustrating an example MSEG 502 portion of SMRAM reserved for the STM according to a standard implementation.
  • the physical address 504 in the MSEG 502 is the only way to allocate memory by the SMM to the STM process since no additional memory is available, virtual or otherwise.
  • the embodiments described herein are provided to remove some of the runtime barriers (e.g., limited amount of memory for MSEG) to having a peer monitor/SMM Transfer Monitor (STM) being used by a system.
  • the STM may have many memory-intensive features, but only a limited amount of SMRAM.
  • the MSEG used by the STM may be exhausted by having too many CPUs.
  • Embodiments described herein relieve such MSEG space pressure by using a virtual memory crypto-paging technique to balloon the memory footprint for the STM while at the same time avoiding disruption by potentially hostile code.
  • the typical SMRAM in an SMM top segment is 8 MB or 16 MB, and this limited amount may be called upon to support a confidential debugger, a BIOS SMI handler and the STM. As noted above, this leaves a typical configuration for STM of only 2 MB or 3 MB.
  • Embodiments described herein provide a way to extend memory usage in STM using a virtual memory concept that includes security considerations. In this way, it is possible for the STM to have access to only 2 or 3 MB of physical MSEG but an arbitrary amount of virtual MSEG (e.g., extended MSEG or EMSEG).
  • FIG. 6 is a block diagram illustrating an MSEG 502 and an EMSEG 602 virtual memory, according to certain embodiments.
  • the extended MSEG (EMSEG 602) provides a virtual memory to support the STM.
  • the solid line indicates the current mapping between virtual address 604 of EMSEG 602 to physical address 504 of MSEG 502.
  • the dotted lines indicate possible mappings between other virtual addresses of EMSEG 602 and MSEG 502. Further details of these mappings will be discussed below.
  • the external storage 606 may include a storage device to hold the data corresponding to the virtual addresses in the EMSEG 602.
  • the external storage 606 may be physical memory, or NV storage such as NVMe/UFS/NAND flash memory.
  • FIG. 7 is a block diagram illustrating a physical memory page (P-MSEG) in a first memory MSEG 502, virtual memory pages (V-EMSEG) in EMSEG 602 and storage memory pages (S-EMSEG) in second memory external storage 606, according to certain embodiments.
  • the EMSEG 602 is an extended MSEG memory space.
  • the P-MSEG is a physical memory page (e.g., “2”), reserved in the traditional MSEG 502, that may be mapped to the virtual memory in EMSEG 602.
  • the V-EMSEG are virtual memory pages in EMSEG 602 for use by STM processes.
  • the STM is able to set up a page table to map a V-EMSEG page (e.g., “1”, “2” or “3”) to a P-MSEG page.
  • the S-EMSEG are the storage pages (e.g., a page swap file) for memory pages of the EMSEG 602.
  • the S-EMSEG storage pages data are stored in external storage 606.
  • the S-EMSEG (e.g., swap file) should match the size of V-EMSEG virtual pages.
  • the EMSEG 602 provides a virtual memory to support the STM. From the point of view of the STM application, only the virtual address pages of V-EMSEG are visible and the STM uses these addresses. The STM application does not need to know the P-MSEG and S-EMSEG addresses since the STM core will handle the virtual memory mapping from V-EMSEG to the P-MSEG and S-EMSEG addresses.
  • FIG. 8 is a flow diagram illustrating a method for initializing the EMSEG and allocating a page swap file in the external storage, according to certain embodiments.
  • the STM core records the range of EMSEG 602 based on the EMSEG base address and the EMSEG size.
  • the STM sets up paging (e.g., empty page table) for the virtual pages (e.g., V-EMSEG) of the EMSEG 602.
  • the STM core sets up the page swap file “PageFile.bin” in the external storage 606.
  • FIG. 9 is a flow diagram illustrating a method 900 for allocating pages of V-EMSEG to an STM process, according to certain embodiments.
  • the STM process calls function VirtAllocatePages() to access the EMSEG 602.
  • the STM core attempts to find a free virtual page among the V-EMSEG virtual pages of EMSEG 602. If there are no free pages of V-EMSEG then, at operation 906, the STM core returns a null (e.g., no free EMSEG memory) result. If there is a free page of V-EMSEG then, at operation 908, the STM core returns the address in V-EMSEG to the STM process.
  • at the allocation stage there is no need to enable mapping from V-EMSEG to P-MSEG. The mapping may be performed when the STM process attempts to access V-EMSEG.
  • FIG. 10 is a flow diagram illustrating a method 1000 for extending the memory available for use by the STM, according to certain embodiments.
  • the STM application attempts to access an allocated virtual memory page in V-EMSEG.
  • the STM application may access the V-EMSEG page at the address of the corresponding P-MSEG page in the MSEG 502.
  • the STM core attempts to find a free page available in the P-MSEG. If the STM core does find a free page in the P-MSEG then, at operation 1014, the STM core specifies the address of the free page in the P-MSEG for the V-EMSEG page in the page table. If the STM core does not find a free page in the P-MSEG then, at operation 1008, the STM core selects a page in the P-MSEG for replacement according to a page replacement policy.
  • the page replacement policy could specify that a page in the P-MSEG is selected based on a time period since the page has been accessed being greater than a threshold value or greater than the time period since being accessed of all other pages in the P-MSEG.
  • the page replacement policy could specify that a page in the P-MSEG is selected based on a time period since the page has been in the P-MSEG being greater than a threshold value or greater than the time period since being in the P-MSEG of all other pages in the P-MSEG.
  • the STM core encrypts the selected page in the P-MSEG.
  • the STM core may generate a code to encrypt the page, the code comprising a key generated using a random number generator.
  • the STM core may store the code in a region of the MSEG 502 that stores data that may not be moved to the external storage 606.
  • the STM core may move the encrypted selected page from the P-MSEG to the S-EMSEG, so that the method may proceed to operation 1014 where the STM core specifies the address of the selected page in the P-MSEG for the V-EMSEG page in the page table.
  • the STM core determines if the page table specifies a corresponding encrypted page in the S-EMSEG for the V-EMSEG page. If the page table does not specify a page then, at operation 1022 the STM application may access the V-EMSEG page at the specified address of the available page in the P-MSEG or of the selected page in the P-MSEG depending on whether the method has progressed from operation 1006 to 1014 or from operation 1012 to 1014.
  • the STM core copies the corresponding encrypted page from the S-EMSEG to the address of the available page in the P-MSEG or of the selected page in the P-MSEG depending on whether the method has progressed from operation 1006 to 1014 or from operation 1012 to 1014.
  • the STM core decrypts the corresponding encrypted page in the P-MSEG (e.g., using the key described above) and proceeds to operation 1022 so that the STM application may access the V-EMSEG page at the specified address of the available page in the P-MSEG or of the selected page in the P-MSEG depending on whether the method has progressed from operation 1006 to 1014 or from operation 1012 to 1014.
  • FIG. 11 is a flow diagram illustrating a method 1100 for reclaiming the set of virtual memory pages allocated to the STM, according to certain embodiments.
  • STM wants to tear down the EMSEG 602
  • STM Core broadcasts teardown message at operation 1102.
  • because the STM application's teardown callback function and any other state stored in the V-EMSEG will disappear, the STM application does its final cleanup work in the V-EMSEG in response to the teardown message.
  • the STM core deletes the page swap file "PageFile.bin" in the external storage device 606.
  • the STM core may also delete the encryption key/code stored in the MSEG 502 at operation 1106.
  • FIG. 12 is a block diagram illustrating the P-MSEG page in MSEG 502, V-EMSEG pages in EMSEG 602, S-EMSEG pages in external storage 606 and a communication buffer 1202 between the MSEG 502 and the external storage 606, according to certain embodiments.
  • the STM may have dedicated storage for firmware usage, for example an NVMe partition. Current UEFI BIOS supports a non-SPI boot path in which all data, code and variables are stored in a separate NVMe partition. Alternatively, the STM may work with a VMM to set up an isolation policy for an NVMe partition; the STM may leverage VMM capabilities in this way, especially if the VMM and STM are both products of the same manufacturer.
  • a communication buffer 1202 may be used to transfer data 1204 between the STM (e.g., MSEG 502) and the external storage device 606. As noted above, this may be accomplished with the help of a VMM as explained with regard to FIG. 13 below.
  • the P-MSEG and S-EMSEG pages may be moved from one physical memory to the other as encrypted data without the VMM having to know any key/code being used to secure the pages.
  • FIG. 13 is a flow diagram illustrating a method 1300 for extending the memory available for use by an STM with the aid of a VMM, according to certain embodiments.
  • when the STM needs to access the external storage 606, at operation 1302, the STM creates a SetJump point (e.g., saving the state of the STM application) and, at operation 1304, sends a request to the communication buffer 1202 pre-allocated between the STM and the VMM.
  • the request may include a page of P-MSEG that is to be moved to the S-EMSEG of external storage 606.
  • the STM signals a system control interrupt (SCI) and ResumeGuest to VMM so that the VMM will check the communication buffer 1202.
  • the VMM receives the SCI and the VMM's SCI handler checks the communication buffer (e.g., and retrieves any pages in the buffer).
  • the VMM accesses the S-EMSEG and obtains any data (e.g., pages) requested by the STM (or copies pages retrieved from the buffer to the S-EMSEG).
  • the VMM knows that the request is from the STM because of the SCI; therefore the VMM may safely copy data from the S-EMSEG to the communication buffer.
  • the VMM only copies the data to and from the buffer; the VMM does not do any encryption or decryption because it does not have access to the key/code generated for encrypting and decrypting the pages.
  • the data in the communication buffer 1202 is therefore still ciphertext, not plaintext, until it is received in the MSEG 502 and decrypted there.
  • the VMM uses VMCALL to signal the STM regarding data copied by the VMM into or out of the communication buffer 1202.
  • the STM finds the FarJump point and resumes executing the STM application based on the state information saved at the earlier SetJump point.
  • the STM copies the data (e.g., pages) from the communication buffer 1202 to the P-MSEG. The STM then decrypts the data in the MSEG 502 as explained above.
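The page-in/page-out path of operations 1006 to 1022 and the STM/VMM buffer exchange of FIG. 13, condensed into one runnable simulation. This is an added example written for this page, not code from the patent or from Intel's STM: it assumes toy sizes (64-byte pages, two P-MSEG frames, eight V-EMSEG pages), replaces the SCI/VMCALL hand-off with a direct call plus setjmp/longjmp, stands in the random key with rand(), and uses a throwaway XOR keystream where a real implementation would use an authenticated cipher. The names emseg_access, stm_transfer, vmm_sci_handler, emseg_fill and the rest are invented for the example.

```c
/* Added example, not code from the patent or from Intel: a user-space simulation
 * of the FIG. 10 page-in/page-out path and the FIG. 13 STM/VMM transport. P-MSEG
 * frames, the S-EMSEG page file and the communication buffer are plain arrays, and
 * the cipher is a toy XOR keystream standing in for a real authenticated cipher. */
#include <setjmp.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE    64   /* bytes per page (toy size) */
#define NVPAGES  8   /* V-EMSEG pages visible to the STM application */
#define NFRAMES  2   /* P-MSEG frames, deliberately few so eviction happens */

enum { OP_NONE, OP_STORE, OP_LOAD };
static struct { int op, slot; uint8_t data[PAGE]; } combuf;  /* STM<->VMM buffer 1202 */
static uint8_t pagefile[NVPAGES][PAGE];   /* S-EMSEG: "PageFile.bin" on external storage */
static struct { int frame, swapped; uint64_t last_use; } pt[NVPAGES];  /* V-EMSEG page table */
static uint8_t  frames[NFRAMES][PAGE];    /* P-MSEG */
static int      frame_owner[NFRAMES];     /* vpage held by each frame, -1 if free */
static uint8_t  key[32];                  /* lives in the non-swappable MSEG region */
static uint64_t tick;  static jmp_buf stm_ctx;   /* access clock; the SetJump point */

/* Toy in-place cipher (placeholder only): key bytes mixed with the page number. */
static void xor_page(uint8_t *p, int vpage) {
  for (int i = 0; i < PAGE; i++) p[i] ^= key[i % sizeof key] ^ (uint8_t)(vpage * 31 + i);
}

/* VMM side of FIG. 13: the SCI handler only copies ciphertext between the buffer
 * and the page file. It never reads key[] and so cannot decrypt. */
static void vmm_sci_handler(void) {
  if (combuf.op == OP_STORE) memcpy(pagefile[combuf.slot], combuf.data, PAGE);
  if (combuf.op == OP_LOAD)  memcpy(combuf.data, pagefile[combuf.slot], PAGE);
  combuf.op = OP_NONE;
  longjmp(stm_ctx, 1);                    /* stands in for the VMCALL back to the STM */
}

/* STM side of FIG. 13: SetJump, post the request, raise the "SCI", then continue at
 * the FarJump point once the VMM is done. Only ciphertext ever crosses the buffer. */
static void stm_transfer(int op, int slot, uint8_t *cipher) {
  if (setjmp(stm_ctx) == 0) {
    combuf.op = op; combuf.slot = slot;
    if (op == OP_STORE) memcpy(combuf.data, cipher, PAGE);
    vmm_sci_handler();                    /* SCI + ResumeGuest in the real design */
  }
  if (op == OP_LOAD) memcpy(cipher, combuf.data, PAGE);
  memset(combuf.data, 0, PAGE);           /* do not leave ciphertext in the shared buffer */
}

/* Replacement policy: the frame whose page has gone longest without an access. */
static int pick_victim(void) {
  int v = 0;
  for (int f = 1; f < NFRAMES; f++)
    if (pt[frame_owner[f]].last_use < pt[frame_owner[v]].last_use) v = f;
  return v;
}

void emseg_init(void) {
  for (size_t i = 0; i < sizeof key; i++) key[i] = (uint8_t)rand();  /* demo RNG only */
  memset(pt, 0, sizeof pt);
  for (int v = 0; v < NVPAGES; v++) pt[v].frame = -1;
  for (int f = 0; f < NFRAMES; f++) frame_owner[f] = -1;
  tick = 0;
}

/* Operations 1002-1022: return the P-MSEG frame that now backs V-EMSEG page vpage. */
uint8_t *emseg_access(int vpage) {
  pt[vpage].last_use = ++tick;
  if (pt[vpage].frame >= 0) return frames[pt[vpage].frame];      /* already resident */
  int f = -1;
  for (int i = 0; i < NFRAMES && f < 0; i++) if (frame_owner[i] < 0) f = i;   /* 1006 */
  if (f < 0) {                                                   /* 1008-1012 */
    f = pick_victim();
    int victim = frame_owner[f];
    xor_page(frames[f], victim);                                 /* encrypt inside MSEG */
    stm_transfer(OP_STORE, victim, frames[f]);                   /* ciphertext leaves MSEG */
    pt[victim].frame = -1; pt[victim].swapped = 1;
  }
  frame_owner[f] = vpage; pt[vpage].frame = f;                   /* 1014: update page table */
  if (pt[vpage].swapped) {                                       /* 1016-1020 */
    stm_transfer(OP_LOAD, vpage, frames[f]);
    xor_page(frames[f], vpage);                                  /* decrypt inside MSEG */
    pt[vpage].swapped = 0;
  } else memset(frames[f], 0, PAGE);
  return frames[f];                                              /* 1022 */
}

void emseg_teardown(void) {               /* FIG. 11: key gone => page file unreadable */
  memset(pagefile, 0, sizeof pagefile); memset(key, 0, sizeof key); /* explicit_bzero in real code */
}

static int all_bytes(const uint8_t *p, uint8_t b) {
  for (int i = 0; i < PAGE; i++) if (p[i] != b) return 0;
  return 1;
}
int  emseg_resident(int vpage)           { return pt[vpage].frame; }
void emseg_fill(int vpage, uint8_t b)    { memset(emseg_access(vpage), b, PAGE); }
int  emseg_page_is(int vpage, uint8_t b) { return all_bytes(emseg_access(vpage), b); }
int  swap_slot_is(int vpage, uint8_t b)  { return all_bytes(pagefile[vpage], b); }
```

Filling more pages with emseg_fill than there are frames forces the eviction path: the victim is encrypted in its frame before stm_transfer copies it out, so the VMM-side pagefile never holds plaintext, and a later emseg_access of the same page pages it back in and decrypts it in the MSEG. Two points the patent text leaves implicit and a real implementation should not: the XOR keystream gives no integrity, so page-in should use an authenticated mode and reject a page whose tag fails, since whatever can write the page file could otherwise hand the STM modified ciphertext; and the slot index the VMM reads from the communication buffer is trusted here, whereas a real handler must bounds-check it before indexing the page file.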
  • Example 1 is a system comprising a processor and a memory coupled to the processor, the memory including instructions which, when executed by the processor, cause the system to: in response to receiving a request from a system management mode (SMM) process to access a virtual memory page allocated to the SMM process in a page table: based on a determination that a page is available in the first memory, specify an address of the available page in the first memory for the virtual memory page in the page table; and based on a determination that a page is not available in the first memory: select a page in the first memory according to a page replacement policy; encrypt the selected page in the first memory; move the encrypted selected page from the first memory to a second memory; and specify an address of the selected page in the first memory for the virtual memory page in the page table.
  • Example 2 the subject matter of Example 1 optionally includes instructions which, when executed by the processor, cause the system to: based on the page table specifying the address of the available page in the first memory and an address of an encrypted page in the second memory for the virtual memory page: move the specified encrypted page from the second memory to the address of the available page in the first memory; and decrypt the specified encrypted page in the first memory; and based on the page table specifying the address of the selected page in the first memory and the address of an encrypted page in the second memory for the virtual memory page: move the specified encrypted page from the second memory to the address of the selected page in the first memory; and decrypt the specified encrypted page in the first memory.
  • Example 3 the subject matter of any one or more of Examples 1–2 optionally include wherein the SMM process comprises a system management mode transfer monitor (STM) and the first memory comprises a monitor segment (MSEG) portion of system management ram (SMRAM) reserved for the STM.
  • Example 4 the subject matter of Example 3 optionally includes wherein: the virtual memory page comprises an extended MSEG reserved for the STM; the second memory comprises a page swap file in a physical storage device; and the page swap file is of a size equal to the size of the extended MSEG.
  • Example 5 the subject matter of Example 4 optionally includes instructions which, when executed by the processor, cause the system to: reclaim the extended MSEG reserved for the STM; and delete the page swap file in the physical storage device.
  • Example 6 the subject matter of any one or more of Examples 1–5 optionally include wherein the page replacement policy specifies that a page in the first memory is selected based on a time period since the page has been accessed being greater than a threshold value.
  • Example 7 the subject matter of any one or more of Examples 1–6 optionally include wherein the page replacement policy specifies that a page in the first memory is selected based on a time period since the page has been in the first memory being greater than a threshold value.
  • Example 8 the subject matter of any one or more of Examples 4–7 optionally include instructions which, when executed by the processor, cause the system to generate a code to encrypt and decrypt the pages, the code comprising a key generated using a random number generator.
  • Example 9 the subject matter of Example 8 optionally includes instructions which, when executed by the processor, cause the system to store the code in a region of the first memory that stores data that cannot be moved to the second memory.
  • Example 10 the subject matter of Example 9 optionally includes instructions which, when executed by the processor, cause the system to: reclaim the extended MSEG reserved for the STM; and delete the code stored in the first memory.
  • Example 11 the subject matter of any one or more of Examples 1–10 optionally include instructions which, when executed by the processor, cause the system to: in order to move the encrypted selected page from the first memory to the second memory: create a jump point in the SMM process; move the encrypted selected page from the first memory to a communication buffer between the SMM process and a virtual machine monitor (VMM); send a system control interrupt (SCI) to the VMM indicating that the SMM process has placed the encrypted selected page in the communication buffer; cause the VMM to move the encrypted selected page from the communication buffer to the second memory; and resume the SMM process from the jump point in the SMM process.
  • Example 12 the subject matter of any one or more of Examples 2–11 optionally include instructions which, when executed by the processor, cause the system to: in order to move the specified encrypted page from the second memory to the first memory: create a jump point in the SMM process; send a request for the specified encrypted page to a communication buffer between the SMM process and a virtual machine monitor (VMM); send a system control interrupt (SCI) to the VMM indicating that the SMM process has placed the request in the communication buffer; cause the VMM to move the specified encrypted page from the second memory to the communication buffer; move the specified encrypted page from the communication buffer to the first memory; decrypt the specified encrypted page in the first memory; and resume the SMM process from the jump point in the SMM process.
  • Example 13 is a method for extending memory available to a system management mode (SMM) process, the method comprising: in response to receiving a request from an SMM process to access a virtual memory page allocated to the SMM process in a page table: based on a determination that a page is available in the first memory, specifying an address of the available page in the first memory for the virtual memory page in the page table; and based on a determination that a page is not available in the first memory: selecting a page in the first memory according to a page replacement policy; encrypting the selected page in the first memory; moving the encrypted selected page from the first memory to a second memory; and specifying an address of the selected page in the first memory for the virtual memory page in the page table.
  • Example 14 the subject matter of Example 13 optionally includes based on the page table specifying the address of the available page in the first memory and an address of an encrypted page in the second memory for the virtual memory page: moving the specified encrypted page from the second memory to the address of the available page in the first memory; and decrypting the specified encrypted page in the first memory; and based on the page table specifying the address of the selected page in the first memory and the address of an encrypted page in the second memory for the virtual memory page: moving the specified encrypted page from the second memory to the address of the selected page in the first memory; and decrypting the specified encrypted page in the first memory.
  • Example 15 the subject matter of any one or more of Examples 13–14 optionally include wherein the SMM process comprises a system management mode transfer monitor (STM) and the first memory comprises a monitor segment (MSEG) portion of system management ram (SMRAM) reserved for the STM.
  • Example 16 the subject matter of Example 15 optionally includes wherein: the virtual memory page comprises an extended MSEG reserved for the STM; the second memory comprises a page swap file in a physical storage device; and the page swap file is of a size equal to the size of the extended MSEG.
  • Example 17 the subject matter of Example 16 optionally includes reclaiming the extended MSEG reserved for the STM; and deleting the page swap file in the physical storage device.
  • Example 18 the subject matter of any one or more of Examples 13–17 optionally include wherein the page replacement policy specifies that a page in the first memory is selected based on a time period since the page has been accessed being greater than a threshold value.
  • Example 19 the subject matter of any one or more of Examples 13–18 optionally include wherein the page replacement policy specifies that a page in the first memory is selected based on a time period since the page has been in the first memory being greater than a threshold value.
  • Example 20 the subject matter of any one or more of Examples 16–19 optionally include generating a code to encrypt and decrypt the pages, the code comprising a key generated using a random number generator.
  • Example 21 the subject matter of Example 20 optionally includes storing the code in a region of the first memory that stores data that cannot be moved to the second memory.
  • Example 22 the subject matter of Example 21 optionally includes reclaiming the extended MSEG reserved for the STM; and deleting the code stored in the first memory.
  • Example 23 the subject matter of any one or more of Examples 13–22 optionally include in order to move the encrypted selected page from the first memory to the second memory: creating a jump point in the SMM process; moving the encrypted selected page from the first memory to a communication buffer between the SMM process and a virtual machine monitor (VMM); sending a system control interrupt (SCI) to the VMM indicating that the SMM process has placed the encrypted selected page in the communication buffer; causing the VMM to move the encrypted selected page from the communication buffer to the second memory; and resuming the SMM process from the jump point in the SMM process.
  • Example 24 the subject matter of any one or more of Examples 14–23 optionally include in order to move the specified encrypted page from the second memory to the first memory: creating a jump point in the SMM process; sending a request for the specified encrypted page to a communication buffer between the SMM process and a virtual machine monitor (VMM); sending a system control interrupt (SCI) to the VMM indicating that the SMM process has placed the request in the communication buffer; causing the VMM to move the specified encrypted page from the second memory to the communication buffer; moving the specified encrypted page from the communication buffer to the first memory; decrypting the specified encrypted page in the first memory; and resuming the SMM process from the jump point in the SMM process.
  • Example 25 is at least one computer-readable storage medium having instructions stored thereon, which when executed by a processor of a machine, cause the machine to: in response to receiving a request from a system management mode (SMM) process to access a virtual memory page allocated to the SMM process in a page table: based on a determination that a page is available in the first memory, specify an address of the available page in the first memory for the virtual memory page in the page table; and based on a determination that a page is not available in the first memory: select a page in the first memory according to a page replacement policy; encrypt the selected page in the first memory; move the encrypted selected page from the first memory to a second memory; and specify an address of the selected page in the first memory for the virtual memory page in the page table.
  • Example 26 the subject matter of Example 25 optionally includes instructions stored thereon which, when executed by the processor, cause the machine to: based on the page table specifying the address of the available page in the first memory and an address of an encrypted page in the second memory for the virtual memory page: move the specified encrypted page from the second memory to the address of the available page in the first memory; and decrypt the specified encrypted page in the first memory; and based on the page table specifying the address of the selected page in the first memory and the address of an encrypted page in the second memory for the virtual memory page: move the specified encrypted page from the second memory to the address of the selected page in the first memory; and decrypt the specified encrypted page in the first memory.
  • Example 27 the subject matter of any one or more of Examples 25–26 optionally include wherein the SMM process comprises a system management mode transfer monitor (STM) and the first memory comprises a monitor segment (MSEG) portion of system management ram (SMRAM) reserved for the STM.
  • Example 28 the subject matter of any one or more of Examples 25–27 optionally include wherein: the virtual memory page comprises an extended MSEG reserved for the STM; the second memory comprises a page swap file in a physical storage device; and the page swap file is of a size equal to the size of the extended MSEG.
  • Example 29 the subject matter of Example 28 optionally includes instructions stored thereon which, when executed by the processor, cause the machine to: reclaim the extended MSEG reserved for the STM; and delete the page swap file in the physical storage device.
  • Example 30 the subject matter of any one or more of Examples 25–29 optionally include wherein the page replacement policy specifies that a page in the first memory is selected based on a time period since the page has been accessed being greater than a threshold value.
  • Example 31 the subject matter of any one or more of Examples 25–30 optionally include wherein the page replacement policy specifies that a page in the first memory is selected based on a time period since the page has been in the first memory being greater than a threshold value.
  • Example 32 the subject matter of any one or more of Examples 28–31 optionally include instructions which, when executed by the processor, cause the machine to generate a code to encrypt and decrypt the pages, the code comprising a key generated using a random number generator.
  • Example 33 the subject matter of Example 32 optionally includes instructions which, when executed by the processor, cause the machine to store the code in a region of the first memory that stores data that cannot be moved to the second memory.
  • Example 34 the subject matter of Example 33 optionally includes instructions which, when executed by the processor, cause the machine to: reclaim the extended MSEG reserved for the STM; and delete the code stored in the first memory.
  • Example 35 the subject matter of any one or more of Examples 25–34 optionally include instructions which, when executed by the processor, cause the machine to: in order to move the encrypted selected page from the first memory to the second memory: create a jump point in the SMM process; move the encrypted selected page from the first memory to a communication buffer between the SMM process and a virtual machine monitor (VMM); send a system control interrupt (SCI) to the VMM indicating that the SMM process has placed the encrypted selected page in the communication buffer; cause the VMM to move the encrypted selected page from the communication buffer to the second memory; and resume the SMM process from the jump point in the SMM process.
  • Example 36 the subject matter of any one or more of Examples 26–35 optionally include instructions which, when executed by the processor, cause the machine to: in order to move the specified encrypted page from the second memory to the first memory: create a jump point in the SMM process; send a request for the specified encrypted page to a communication buffer between the SMM process and a virtual machine monitor (VMM); send a system control interrupt (SCI) to the VMM indicating that the SMM process has placed the request in the communication buffer; cause the VMM to move the specified encrypted page from the second memory to the communication buffer; move the specified encrypted page from the communication buffer to the first memory; decrypt the specified encrypted page in the first memory; and resume the SMM process from the jump point in the SMM process.
  • Example 37 is at least one machine-readable medium including instructions, which when executed by a machine, cause the machine to perform operations of any of the methods of Examples 13-24.
  • Example 38 is an apparatus comprising means for performing any of the methods of Examples 13-24.
  • Example 39 is an apparatus for extending memory available to a system management mode (SMM) process, the apparatus comprising: means for responding to a request from an SMM process to access a virtual memory page allocated to the SMM process in a page table, the means comprising: means for, based on a determination that a page is available in the first memory, specifying an address of the available page in the first memory for the virtual memory page in the page table; and means for, based on a determination that a page is not available in the first memory, using: means for selecting a page in the first memory according to a page replacement policy; means for encrypting the selected page in the first memory; means for moving the encrypted selected page from the first memory to a second memory; and means for specifying an address of the selected page in the first memory for the virtual memory page in the page table.
  • Example 40 the subject matter of Example 39 optionally includes means for, based on the page table specifying the address of the available page in the first memory and an address of an encrypted page in the second memory for the virtual memory page, using: means for moving the specified encrypted page from the second memory to the address of the available page in the first memory; and means for decrypting the specified encrypted page in the first memory; and means for, based on the page table specifying the address of the selected page in the first memory and the address of an encrypted page in the second memory for the virtual memory page, using: means for moving the specified encrypted page from the second memory to the address of the selected page in the first memory; and means for decrypting the specified encrypted page in the first memory.
  • Example 41 the subject matter of any one or more of Examples 39–40 optionally include wherein the SMM process comprises a system management mode transfer monitor (STM) and the first memory comprises a monitor segment (MSEG) portion of system management ram (SMRAM) reserved for the STM.
  • Example 42 the subject matter of Example 41 optionally includes wherein: the virtual memory page comprises an extended MSEG reserved for the STM; the second memory comprises a page swap file in a physical storage device; and the page swap file is of a size equal to the size of the extended MSEG.
  • Example 43 the subject matter of Example 42 optionally includes means for reclaiming the extended MSEG reserved for the STM; and means for deleting the page swap file in the physical storage device.
  • Example 44 the subject matter of any one or more of Examples 39–43 optionally include wherein the page replacement policy specifies that a page in the first memory is selected based on a time period since the page has been accessed being greater than a threshold value.
  • Example 45 the subject matter of any one or more of Examples 39–44 optionally include wherein the page replacement policy specifies that a page in the first memory is selected based on a time period since the page has been in the first memory being greater than a threshold value.
  • Example 46 the subject matter of any one or more of Examples 42–45 optionally include means for generating a code to encrypt and decrypt the pages, the code comprising a key generated using a random number generator.
  • Example 47 the subject matter of Example 46 optionally includes means for storing the code in a region of the first memory that stores data that cannot be moved to the second memory.
  • Example 48 the subject matter of Example 47 optionally includes means for reclaiming the extended MSEG reserved for the STM; and means for deleting the code stored in the first memory.
  • Example 49 the subject matter of any one or more of Examples 39–48 optionally include means for moving the encrypted selected page from the first memory to the second memory, the means comprising: means for creating a jump point in the SMM process; means for moving the encrypted selected page from the first memory to a communication buffer between the SMM process and a virtual machine monitor (VMM); means for sending a system control interrupt (SCI) to the VMM indicating that the SMM process has placed the encrypted selected page in the communication buffer; means for causing the VMM to move the encrypted selected page from the communication buffer to the second memory; and means for resuming the SMM process from the jump point in the SMM process.
  • Example 50 the subject matter of any one or more of Examples 40–49 optionally include means for moving the specified encrypted page from the second memory to the first memory, the means comprising: means for creating a jump point in the SMM process; means for sending a request for the specified encrypted page to a communication buffer between the SMM process and a virtual machine monitor (VMM); means for sending a system control interrupt (SCI) to the VMM indicating that the SMM process has placed the request in the communication buffer; means for causing the VMM to move the specified encrypted page from the second memory to the communication buffer; means for moving the specified encrypted page from the communication buffer to the first memory; means for decrypting the specified encrypted page in the first memory; and means for resuming the SMM process from the jump point in the SMM process.
  • Example 51 is a system for extending memory available to a system management mode (SMM) process, the system comprising: a SMM memory module configured to respond to a request from the SMM process to access a virtual memory page allocated to the SMM process in a page table, by using: a page table module configured to, based on a determination that a page is available in the first memory, specify an address of the available page in the first memory for the virtual memory page in the page table; and a page selection module configured to, based on a determination that a page is not available in the first memory, select a page in the first memory according to a page replacement policy and use: an encryption module configured to encrypt the selected page in the first memory; a page transfer module configured to move the encrypted selected page from the first memory to a second memory; and the page table module configured to specify an address of the selected page in the first memory for the virtual memory page in the page table.
  • Example 52 the subject matter of Example 51 optionally includes the SMM memory module further configured to respond to the request from the SMM process by: based on the page table specifying the address of the available page in the first memory and an address of an encrypted page in the second memory for the virtual memory page, causing: the page transfer module to move the specified encrypted page from the second memory to the address of the available page in the first memory; the encryption module to decrypt the specified encrypted page in the first memory; and based on the page table specifying the address of the selected page in the first memory and the address of an encrypted page in the second memory for the virtual memory page, causing: the page transfer module to move the specified encrypted page from the second memory to the address of the selected page in the first memory; the encryption module to decrypt the specified encrypted page in the first memory.
  • Example 53 the subject matter of any one or more of Examples 51–52 optionally include wherein the SMM process comprises a system management mode transfer monitor (STM) and the first memory comprises a monitor segment (MSEG) portion of system management ram (SMRAM) reserved for the STM.
  • Example 54 the subject matter of any one or more of Examples 51–53 optionally include wherein: the virtual memory page comprises an extended MSEG reserved for the STM; the second memory comprises a page swap file in a physical storage device; and the page swap file is of a size equal to the size of the extended MSEG.
  • Example 55 the subject matter of Example 54 optionally includes a teardown module configured to: reclaim the extended MSEG reserved for the STM; and delete the page swap file in the physical storage device.
  • Example 56 the subject matter of any one or more of Examples 51–55 optionally include wherein the page replacement policy specifies that a page in the first memory is selected based on a time period since the page has been accessed being greater than a threshold value.
  • Example 57 the subject matter of any one or more of Examples 51–56 optionally include wherein the page replacement policy specifies that a page in the first memory is selected based on a time period since the page has been in the first memory being greater than a threshold value.
  • Example 58 the subject matter of any one or more of Examples 52–57 optionally include the encryption module further configured to generate a code to encrypt and decrypt the pages, the code comprising a key generated using a random number generator.
  • Example 59 the subject matter of Example 58 optionally includes the encryption module further configured to store the code in a region of the first memory that stores data that cannot be moved to the second memory.
  • Example 60 the subject matter of Example 59 optionally includes a teardown module configured to: reclaim the extended MSEG reserved for the STM; and delete the code stored in the first memory.
  • Example 61 the subject matter of any one or more of Examples 51–60 optionally include the SMM memory module further configured to move the encrypted selected page from the first memory to the second memory by: creating a jump point in the SMM process; causing the page transfer module to move the encrypted selected page from the first memory to a communication buffer between the SMM process and a virtual machine monitor (VMM) ; sending a system control interrupt (SCI) to the VMM indicating that the SMM process has placed the encrypted selected page in the communication buffer; causing the VMM to move the encrypted selected page from the communication buffer to the second memory; and resuming the SMM process from the jump point in the SMM process.
  • In Example 62, the subject matter of any one or more of Examples 52–61 optionally include the SMM memory module further configured to move the corresponding encrypted page from the second memory to the first memory by: creating a jump point in the SMM process; sending a request for the corresponding encrypted page to a communication buffer between the SMM process and a virtual machine monitor (VMM); sending a system control interrupt (SCI) to the VMM indicating that the SMM process has placed the request in the communication buffer; causing the VMM to move the corresponding encrypted page from the second memory to the communication buffer; causing the page transfer module to move the corresponding encrypted page from the communication buffer to the first memory; causing the encryption module to decrypt the corresponding encrypted page in the first memory; and resuming the SMM process from the jump point in the SMM process.
Although the inventive subject matter has been described with reference to specific example embodiments, various modifications and changes may be made to these embodiments without departing from the broader scope of embodiments of the present disclosure.

The inventive subject matter may be referred to herein, individually or collectively, by the term “invention” merely for convenience and without intending to voluntarily limit the scope of this application to any single disclosure or inventive concept if more than one is, in fact, disclosed.

The term “or” may be construed in either an inclusive or exclusive sense. Moreover, plural instances may be provided for resources, operations, or structures described herein as a single instance. Additionally, boundaries between various resources, operations, modules, engines, and data stores are somewhat arbitrary, and particular operations are illustrated in a context of specific illustrative configurations. Other allocations of functionality are envisioned and may fall within a scope of various embodiments of the present disclosure. In general, structures and functionality presented as separate resources in the example configurations may be implemented as a combined structure or resource. Similarly, structures and functionality presented as a single resource may be implemented as separate resources. These and other variations, modifications, additions, and improvements fall within a scope of embodiments of the present disclosure as represented by the appended claims. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.
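The page-out and page-in exchange of Examples 56–62, as an added simulation that is not the patent's own code: the STM side evicts the least recently used page once its idle time exceeds the threshold, encrypts it under a key drawn from `os.urandom`, hands it to the VMM through a shared communication buffer on a simulated SCI (a direct call; the SMM "jump point" is simply the return from that call), and on page-in verifies the page before decrypting it. The class and method names, the 16-byte toy page, the SHA-256 keystream standing in for a real block cipher, and the HMAC tag plus per-eviction epoch used to reject a tampered or replayed page from the untrusted VMM are all assumptions the patent text does not specify.

```python
import hashlib, hmac, os
PAGE = 16  # constructed toy page size; a real SMM page is 4 KiB

class Vmm:  # untrusted side: owns the second memory and services the SCI
    def __init__(self):
        self.second_memory = {}                    # vpn -> encrypted blob
    def on_sci(self, buf):                         # buf is the shared comm buffer
        if buf["op"] == "store":
            self.second_memory[buf["vpn"]] = buf["data"]
        else:
            buf["data"] = self.second_memory[buf["vpn"]]

class Stm:  # STM side: extended MSEG (first memory), page table, key, policy
    def __init__(self, vmm, slots, idle_threshold):
        self.vmm, self.threshold, self.clock = vmm, idle_threshold, 0
        self.mseg = [bytearray(PAGE) for _ in range(slots)]          # first memory
        self.map, self.owner, self.used = {}, {}, {}   # vpn->slot, slot->vpn, slot->clock
        self.key, self.epoch, self.sealed = os.urandom(32), 0, {}   # never paged out
    def _ks(self, vpn, epoch):  # per-eviction keystream; hash-CTR stand-in for AES
        return hashlib.sha256(self.key + b"%d:%d" % (vpn, epoch)).digest()
    def _page_out(self, vpn, slot):
        self.epoch += 1                                  # fresh nonce per eviction
        ct = bytes(a ^ b for a, b in zip(self.mseg[slot], self._ks(vpn, self.epoch)))
        tag = hmac.new(self.key, b"%d:%d" % (vpn, self.epoch) + ct, "sha256").digest()
        self.sealed[vpn] = self.epoch                    # lets page-in reject a replay
        self.vmm.on_sci({"op": "store", "vpn": vpn, "data": ct + tag})  # SCI to VMM
        self.mseg[slot][:] = bytes(PAGE)                 # scrub plaintext before reuse
        del self.map[vpn]
    def _page_in(self, vpn, slot):
        buf = {"op": "load", "vpn": vpn}                 # request placed in comm buffer
        self.vmm.on_sci(buf)
        ct, tag, epoch = buf["data"][:PAGE], buf["data"][PAGE:], self.sealed.pop(vpn)
        good = hmac.new(self.key, b"%d:%d" % (vpn, epoch) + ct, "sha256").digest()
        if not hmac.compare_digest(tag, good):           # VMM is outside the STM's TCB
            raise ValueError("tampered or replayed page from VMM")
        self.mseg[slot][:] = bytes(a ^ b for a, b in zip(ct, self._ks(vpn, epoch)))
    def access(self, vpn):  # return the first-memory page backing vpn
        self.clock += 1
        if vpn not in self.map:
            slot = next((s for s in range(len(self.mseg)) if s not in self.owner), None)
            if slot is None:                             # replacement policy (Example 56)
                slot = min(self.used, key=self.used.get)   # least recently used page
                if self.clock - self.used[slot] <= self.threshold:
                    raise MemoryError("no page idle longer than the threshold")
                self._page_out(self.owner[slot], slot)
            self.map[vpn], self.owner[slot] = slot, vpn
            if vpn in self.sealed:                       # mapping to encrypted data exists
                self._page_in(vpn, slot)
        self.used[self.map[vpn]] = self.clock
        return self.mseg[self.map[vpn]]
```

The integrity check matters because the second memory and the communication buffer are under VMM control: encryption alone would keep the page confidential but would not stop the VMM from handing back a modified or stale page.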

Abstract

Virtual memory is allocated to a system management mode (SMM) process to extend a secure memory reserved for the SMM. The SMM process requests a page of the virtual memory for which no mapping exists in the secure memory: if a page is available in the secure memory, the virtual memory page is mapped to the available page, and if no page is available, a page in the secure memory is selected to be replaced by the virtual memory page. The selected page is encrypted and moved to an external storage device. The virtual memory page is mapped to the address of the selected page in the first memory. If a mapping exists from the virtual memory page to encrypted data in the external storage device, then that data is moved to the secure memory address mapped to the virtual memory page and decrypted before the virtual memory page is accessed.
PCT/CN2016/101183 2016-09-30 2016-09-30 Extended memory for SMM transfer monitor WO2018058566A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201680088855.1A CN109937407B (zh) 2016-09-30 2016-09-30 Extended memory for SMM transfer monitor
DE112016007289.9T DE112016007289T5 (de) 2016-09-30 2016-09-30 Extended memory for SMM transfer monitor
PCT/CN2016/101183 WO2018058566A1 (fr) 2016-09-30 2016-09-30 Extended memory for SMM transfer monitor

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/101183 WO2018058566A1 (fr) 2016-09-30 2016-09-30 Extended memory for SMM transfer monitor

Publications (1)

Publication Number Publication Date
WO2018058566A1 true WO2018058566A1 (fr) 2018-04-05

Family

ID=61762521

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/101183 WO2018058566A1 (fr) 2016-09-30 2016-09-30 Extended memory for SMM transfer monitor

Country Status (3)

Country Link
CN (1) CN109937407B (fr)
DE (1) DE112016007289T5 (fr)
WO (1) WO2018058566A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020099946A1 (en) * 1998-04-30 2002-07-25 Howard C. Herbert Cryptographically protected paging subsystem
US20050044338A1 (en) * 2003-08-21 2005-02-24 Texas Instruments Incorporated Virtual-to-physical address conversion in a secure system
US20070208954A1 (en) * 2006-02-28 2007-09-06 Red. Hat, Inc. Method and system for designating and handling confidential memory allocations
US20070277160A1 (en) * 2006-05-24 2007-11-29 Noam Camiel System and method for virtual memory and securing memory in programming languages
US20090187769A1 (en) * 2008-01-23 2009-07-23 Noam Camiel System and method for an autonomous software protection device

Also Published As

Publication number Publication date
CN109937407B (zh) 2024-04-30
DE112016007289T5 (de) 2019-06-19
CN109937407A (zh) 2019-06-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 16917316; Country of ref document: EP; Kind code of ref document: A1
122 Ep: pct application non-entry in european phase
    Ref document number: 16917316; Country of ref document: EP; Kind code of ref document: A1