U.S. patent application number 14/228994 was filed with the patent office on 2015-10-01 for virtualization based intra-block workload isolation.
This patent application is currently assigned to Intel Corporation. The applicant listed for this patent is Intel Corporation. Invention is credited to SIDDHARTHA CHHABRA, PRASHANT DEWAN, DAVID M. DURHAM, XIAOZHU KANG, ALPA T. NARENDRA TRIVEDI, UDAY R. SAVAGAONKAR, UTTAM K. SENGUPTA.
Application Number | 20150278512 14/228994 |
Family ID | 54190795 |
Filed Date | 2015-10-01 |
United States Patent Application | 20150278512 |
Kind Code | A1 |
DEWAN; PRASHANT; et al. | October 1, 2015 |
VIRTUALIZATION BASED INTRA-BLOCK WORKLOAD ISOLATION
Abstract
Generally, this disclosure provides systems, devices, methods
and computer readable media for virtualization-based intra-block
workload isolation. The system may include a virtual machine
manager (VMM) module to create a secure virtualization environment
or sandbox. The system may also include a processor block to load
data into a first region of the sandbox and to generate a workload
package based on the data. The workload package is stored in a
second region of the sandbox. The system may further include an
operational block to fetch and execute instructions from the
workload package.
Inventors: |
DEWAN; PRASHANT; (Hillsboro, OR)
SENGUPTA; UTTAM K.; (Portland, OR)
CHHABRA; SIDDHARTHA; (Hillsboro, OR)
DURHAM; DAVID M.; (Beaverton, OR)
KANG; XIAOZHU; (Freemont, CA)
SAVAGAONKAR; UDAY R.; (Portland, OR)
NARENDRA TRIVEDI; ALPA T.; (Hillsboro, OR)
Applicant: |
Name | City | State | Country | Type |
Intel Corporation | Santa Clara | CA | US | |
Assignee: | Intel Corporation, Santa Clara, CA |
Family ID: | 54190795 |
Appl. No.: | 14/228994 |
Filed: | March 28, 2014 |
Current U.S. Class: | 713/176; 718/1; 726/17 |
Current CPC Class: | G06F 21/554 20130101; G06F 2009/45587 20130101;
G06F 9/5011 20130101; G06F 9/45504 20130101; H04L 9/3247 20130101;
G06F 9/45558 20130101; G06F 2213/0038 20130101; G06F 9/5072 20130101;
G06F 21/84 20130101; G06F 21/53 20130101 |
International Class: | G06F 21/53 20060101 G06F021/53;
H04L 9/32 20060101 H04L009/32; G06F 9/455 20060101 G06F009/455 |
Claims
1. A system for intra-block workload isolation, said system
comprising: a virtual machine manager (VMM) module to create a
secure virtualization environment (sandbox); a processor block to
load data into a first region of said sandbox; said processor block
further to generate a workload package, associated with said
workload, said workload package based on said data and stored in a
second region of said sandbox; and an operational block to fetch
and execute instructions from said workload package.
2. The system of claim 1, wherein said VMM is further to set access
controls of said second region of said sandbox to provide
intra-block isolation of code, data and state information
associated with said workload.
3. The system of claim 1, wherein said VMM is further to set access
controls of said second region of said sandbox to a non-executable
mode.
4. The system of claim 3, wherein said VMM is further to set access
controls of said second region of said sandbox to an executable
mode for said operational block during a selected period of
execution of said workload package.
5. The system of claim 1, wherein said operational block is further
to write results to a third region of said sandbox, said results
based on execution of said workload package.
6. The system of claim 1, wherein said processor block is further
to cryptographically authenticate said data.
7. The system of claim 1, wherein said VMM is further to provide
page table based translation between virtual and physical addresses
associated with said sandbox and further to provide
read/write/execute access control associated with said
addresses.
8. The system of claim 1, wherein said operational block is
selected from the group consisting of a graphics processing unit, a
device controller, a wireless communications interface, a digital
signal processor and an audio processor.
9. The system of claim 1, wherein said system is a
system-on-a-chip.
10. The system of claim 1, wherein said system is a smart phone, a
laptop computing device, a smart TV or a smart tablet.
11. The system of claim 1, further comprising a user interface,
wherein said user interface is a touch screen.
12. A method for intra-block workload isolation, said method
comprising: creating a secure virtualization environment (sandbox)
associated with a processor block of a system, said sandbox managed
by a virtual machine manager (VMM); loading data into said sandbox;
authenticating said data; generating a workload package, associated
with said workload, said workload package based on said data and
stored in a non-executable region of memory in said sandbox; and
submitting said workload package to an operational block of said
system for execution from said sandbox.
13. The method of claim 12, further comprising setting access
controls on said sandbox to provide intra-block isolation of code,
data and state information associated with said workload.
14. The method of claim 12, wherein said submitting further
comprises requesting said VMM to enable said operational block to
fetch and execute instructions from said workload package.
15. The method of claim 12, further comprising receiving results
from said operational block, said results based on said
execution.
16. The method of claim 15, wherein said receiving further
comprises requesting said VMM to enable said operational block to
write to a region of memory in said sandbox.
17. The method of claim 12, wherein said operational block is
selected from the group consisting of a graphics processing unit, a
device controller, a wireless communications interface, a digital
signal processor and an audio processor.
18. The method of claim 12, wherein said authenticating further
comprises verifying an encryption signature.
19. The method of claim 12, wherein said VMM provides page table
based translation between virtual and physical addresses associated
with said sandbox and further provides read/write/execute access
control associated with said addresses.
20. At least one computer-readable storage medium having
instructions stored thereon which when executed by a processor
result in the following operations for intra-block workload
isolation, said operations comprising: creating a secure
virtualization environment (sandbox) associated with a processor
block of a system, said sandbox managed by a virtual machine
manager (VMM); loading data into said sandbox; authenticating said
data; generating a workload package, associated with said workload,
said workload package based on said data and stored in a
non-executable region of memory in said sandbox; and submitting
said workload package to an operational block of said system for
execution from said sandbox.
21. The computer-readable storage medium of claim 20, further
comprising the operation of setting access controls on said sandbox
to provide intra-block isolation of code, data and state
information associated with said workload.
22. The computer-readable storage medium of claim 20, wherein said
submitting further comprises the operation of requesting said VMM
to enable said operational block to fetch and execute instructions
from said workload package.
23. The computer-readable storage medium of claim 20, further
comprising the operation of receiving results from said operational
block, said results based on said execution.
24. The computer-readable storage medium of claim 23, wherein said
receiving further comprises the operation of requesting said VMM to
enable said operational block to write to a region of memory in
said sandbox.
25. The computer-readable storage medium of claim 18, wherein said
authenticating further comprises the operation of verifying an
encryption signature.
26. The computer-readable storage medium of claim 18, wherein said
VMM provides page table based translation between virtual and
physical addresses associated with said sandbox and further
provides read/write/execute access control associated with said
addresses.
Description
FIELD
[0001] The present disclosure relates to intra-block workload
isolation, for example on component blocks of a system-on-a-chip
(SoC), and more particularly, to intra-block workload isolation
employing a security engine or virtual machine manager (VMM).
BACKGROUND
[0002] Computing systems, such as, for example a system-on-a-chip
(SoC) or other types of platforms, typically have one or more
processors or cores as well as other operational blocks or
components which may include device controllers, graphics
processors, audio processors, communication modules, etc. These
operational blocks are often capable of executing multiple
workloads in a manner similar to that in which a processor may
execute multiple threads. Security issues can arise in this
situation. An untrusted workload executing on an operational block
can inadvertently or maliciously interfere with the execution of
another workload on that same operational block (i.e., intra-block
interference). For example, different workloads executing on a
media engine (graphics, imaging, video, etc.) may potentially
interfere with each other (whether maliciously or inadvertently),
thereby disrupting the normal flow or desired operation of the
workloads.
[0003] Although access control mechanisms may be available for
inter-block transactions and/or block-to-memory transactions, these
techniques do not address the problem of intra-block interference
which is becoming increasingly important as the industry moves
further towards heterogeneous computing and parallel workload
execution.
BRIEF DESCRIPTION OF THE DRAWINGS
[0004] Features and advantages of embodiments of the claimed
subject matter will become apparent as the following Detailed
Description proceeds, and upon reference to the Drawings, wherein
like numerals depict like parts, and in which:
[0005] FIG. 1 illustrates a top level system diagram of one example
embodiment consistent with the present disclosure;
[0006] FIG. 2 illustrates a block diagram of one example embodiment
consistent with the present disclosure;
[0007] FIG. 3 illustrates a flowchart of operations of one example
embodiment consistent with the present disclosure;
[0008] FIG. 4 illustrates a block diagram of another example
embodiment consistent with the present disclosure;
[0009] FIG. 5 illustrates a flowchart of operations of another
example embodiment consistent with the present disclosure; and
[0010] FIG. 6 illustrates a system diagram of a platform of another
example embodiment consistent with the present disclosure.
[0011] Although the following Detailed Description will proceed
with reference being made to illustrative embodiments, many
alternatives, modifications, and variations thereof will be
apparent to those skilled in the art.
DETAILED DESCRIPTION
[0012] Generally, this disclosure provides systems, devices,
methods and computer readable media for virtualization-based
intra-block workload isolation. A system, for example a
system-on-a-chip (SoC), may include a processing block (core or
CPU), memory and one or more other operational blocks or components
such as, for example, a device controller, graphics processor
(GPU), audio processor, imaging device, communication module, etc.
Each operational block may be configured to execute multiple
workloads. The workloads may be generated by the CPU and submitted
as a workload package to the operational block for execution. The
workload may be generated and securely stored in memory, for
example using virtualization and page-table based access, to
contain the workload in a sandbox. A virtual machine manager (VMM),
or other type of security engine, may be configured to allow the
operational block to execute the workload from the sandbox in a
particular context such that any other code executing on that
operational block, including other workloads in other sandboxes,
may not access that sandbox. Virtualization may therefore be used
to provide workload isolation within an operational block,
including isolation of code, data (memory or register contents) and
state information associated with the workload, as will be
described in greater detail below. The VMM may also be configured
to allow the operational block to securely write back results into
the sandbox, based on the workload execution.
[0013] FIG. 1 illustrates a top level system diagram 100 of one
example embodiment consistent with the present disclosure. A system
102, which may be a system-on-a-chip (SoC) or other type of
computing or communication platform, fixed or mobile, is shown to
include a number of blocks or components including a processor 104,
memory 106, a VMM 108 and one or more operational blocks 110-1, . . .
110-n configured for workload isolation.
[0014] In some embodiments, a third party entity (not shown), for
example an internet service vendor, may send requests to system
102. To fulfill these requests, processor 104 may generate and
submit a workload to one of the operational blocks 110 for
execution along with other workloads. The results of the execution
may be returned to the third party entity and the processor 104 may
attest to the security or integrity of the results due to the
workload isolation capabilities of the system, as will be described
in greater detail below.
[0015] FIG. 2 illustrates a block diagram 200 of one example
embodiment consistent with the present disclosure. Processor 104
may be configured to execute one or more processes (or threads),
for example process A 202, process B 204 and process C 206. These
processes may include an operating system (OS), applications or any
other system or user software components. One or more of these
processes 202, 204, 206 may be in communication with external or
third party entities, for example internet service vendors, that
make requests of the processes. These requests may eventually be
tasked to one or more of the operational blocks 110 in the form of
generated workloads, as described below.
[0016] Operational blocks 110 are shown to include a block engine
214 which may be a processor or circuit configured to execute one
or more workloads, for example workload A 216, workload B 218 and
workload C 220. The workloads may be associated with (e.g.,
generated by or on behalf of) the processes. For example, workload
A 216 may be associated with process A 202, etc., although this
need not be the case. The workloads may be isolated from each
other, for example through virtualization hardware support or other
suitable mechanisms, to provide security and prevent unintentional
or malicious interference between workloads on a given operational
block.
[0017] A CPU virtualization 208 is generated by VMM 108 as an
interface between the processor 104, processes 202, 204, 206,
memory 106 and the operational blocks 110. Page tables may be used
as part of this virtualization to translate between physical and
virtual addresses and to maintain access controls (e.g.,
read/write/execute) to the protected regions or pages 210 of memory
106 which are associated with the sandbox. Similarly, a device
virtualization 212 is generated by VMM 108 as an interface between
the operational blocks 110 and processor 104 and memory 106 based
on page tables and access controls.
[0018] The VMM is configured to provide virtualization environments
that act as secure containers or sandboxes for the workloads. The
sandbox is protected from the process that is hosting it and is
protected from the OS and other processes on processor 104, so that
malware on the platform cannot interfere with the generation of the
workload. The sandbox is also protected from other workloads and
software components executing on the operational block. In some
embodiments, the VMM may set the access controls, for the region of
the sandbox containing the workload package, to be non-executable
for all entities other than the code inside the sandbox. The
sandbox thus provides workload isolation within an operational
block, including isolation of code, data (memory or register
contents) and state information associated with the workload.
[0019] In some embodiments, the operational blocks may include a
memory access controller configured to monitor the context of the
workloads and enforce access control policies (e.g.,
read/write/execute permissions).
[0020] FIG. 3 illustrates a flowchart of operations 300 of one
example embodiment consistent with the present disclosure. The
interaction between operations of processor 104, on the left side
of the figure, and the operations of block 110, on the right side
of the figure, is shown in greater detail. At operation 302, the
processor receives a request, for example from a third party or
other entity. The request may include code and/or data in any
suitable format. The processor, at operation 304, creates a secure
virtualization environment (e.g., sandbox) using VMM 108 or any
other type of security engine. At operation 306, the processor
loads the code/data into a region (or pages) of the sandbox and, at
operation 308, authenticates it, for example using cryptographic
techniques or any other suitable verification mechanism. At
operation 310, the processor generates a workload package based on
the provided code/data or based on additional information obtained
from another source or created locally. The workload package is
also stored in the sandbox, for example in a second region that may
or may not overlap to any extent with the first region. The
workload package may be generated from the provided code/data
through any suitable type of translation, conversion, unpacking
and/or decryption process. The generated workload package may
include instructions suitable for execution by an engine of the
operational block.
[0021] At operation 312, the processor requests the VMM to set up
device virtualization, including page tables, through which the
operational block may access the workload package. At operation
314, the workload package is submitted to the operational
block.
[0022] At operation 320, the operational block sets the block
engine to a secure or protected mode, which may be a hardware mode
of the block engine or a state identifier maintained by the VMM. In
this secure mode, the engine may only fetch and execute
instructions from the sandbox designated by the VMM. At operations
322 and 324, the operational block collects and executes the
workload package by fetching instructions (and data) from the
sandbox. Results of the execution may be written back, at operation
326, to a third region of the sandbox, which may or may not overlap
to any extent with the other regions. At operation 316, the
processor collects these results and may return them to the third
party requesting entity. The processor may also attest to the
security or integrity of the results based on the workload
isolation.
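The FIG. 3 flow (operations 304 to 326) as a small executable model, added here as an illustration and not part of the patent text or any Intel code. A default-deny permission table stands in for the VMM's page-table access controls and HMAC-SHA256 stands in for the unspecified authentication mechanism; the principal names, region names and the `open_window`/`close_window` helpers are assumptions.

```python
import hashlib
import hmac
from enum import Flag, auto


class Perm(Flag):
    NONE = 0
    R = auto()
    W = auto()
    X = auto()


class AccessDenied(Exception):
    pass


REGIONS = ("input", "package", "results")  # first, second and third region


class VMM:
    """Toy stand-in for the VMM's page-table access controls (default deny)."""

    def __init__(self):
        self.acl = {}  # (sandbox, region, principal) -> Perm
        self.mem = {}  # (sandbox, region) -> bytes

    def create_sandbox(self, sandbox, owner):
        # Operation 304: only the sandbox's own code gets access, and only R/W,
        # so the package region starts out non-executable for every principal.
        for region in REGIONS:
            self.mem[(sandbox, region)] = b""
            self.acl[(sandbox, region, owner)] = Perm.R | Perm.W

    def open_window(self, sandbox, block_ctx):
        # Operation 312: device virtualization for one block context only.
        self.acl[(sandbox, "package", block_ctx)] = Perm.R | Perm.X
        self.acl[(sandbox, "results", block_ctx)] = Perm.W

    def close_window(self, sandbox, block_ctx):
        # End of the selected execution period: back to default deny.
        for region in REGIONS:
            self.acl.pop((sandbox, region, block_ctx), None)

    def access(self, principal, sandbox, region, want, data=None):
        have = self.acl.get((sandbox, region, principal), Perm.NONE)
        if want not in have:
            raise AccessDenied(f"{principal} lacks {want.name} on {sandbox}/{region}")
        if want is Perm.W:
            self.mem[(sandbox, region)] = data
            return None
        return self.mem[(sandbox, region)]


def build_workload(vmm, sandbox, owner, request, tag, key):
    vmm.access(owner, sandbox, "input", Perm.W, request)        # operation 306
    loaded = vmm.access(owner, sandbox, "input", Perm.R)
    expected = hmac.new(key, loaded, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):                  # operation 308
        raise AccessDenied("request failed authentication")
    # Operation 310: stand-in for translation/unpacking into block instructions.
    vmm.access(owner, sandbox, "package", Perm.W, b"PKG:" + loaded)


def run_on_block(vmm, sandbox, block_ctx):
    # Operations 320-326: fetch only from the designated sandbox, write results back.
    package = vmm.access(block_ctx, sandbox, "package", Perm.X)
    vmm.access(block_ctx, sandbox, "results", Perm.W, package.upper())


def attempt(vmm, principal, sandbox, region, want, data=b""):
    try:
        vmm.access(principal, sandbox, region, want, data)
        return "allowed"
    except AccessDenied:
        return "denied"


def scenario():
    key = b"constructed-demo-key"                 # constructed sample values
    request = b"render constructed sample frame"
    tag = hmac.new(key, request, hashlib.sha256).digest()
    owner, ctx_a, ctx_b = "cpu:sandbox-A", "gpu:ctx-A", "gpu:ctx-B"
    vmm = VMM()
    vmm.create_sandbox("A", owner)
    build_workload(vmm, "A", owner, request, tag, key)
    out = {"fetch_before_window": attempt(vmm, ctx_a, "A", "package", Perm.X)}
    vmm.open_window("A", ctx_a)
    out["other_workload_fetch"] = attempt(vmm, ctx_b, "A", "package", Perm.X)
    out["other_workload_write"] = attempt(vmm, ctx_b, "A", "results", Perm.W, b"x")
    out["host_os_read"] = attempt(vmm, "cpu:os", "A", "package", Perm.R)
    out["block_overwrites_package"] = attempt(vmm, ctx_a, "A", "package", Perm.W, b"x")
    run_on_block(vmm, "A", ctx_a)
    vmm.close_window("A", ctx_a)
    out["fetch_after_window"] = attempt(vmm, ctx_a, "A", "package", Perm.X)
    out["results"] = vmm.access(owner, "A", "results", Perm.R)
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Every probe other than the authorized block context inside its window is denied, which is the intra-block property the disclosure claims: a second workload on the same block, the host OS, and the block itself outside the execution period all fail the permission check.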
[0023] In some embodiments, the workload package may be generated
by an embedded security engine such as, for example, a converged
security engine (CSE) or a converged security manageability engine
(CSME). The CSE may be configured to spawn a process to create the
workload package in response to an application request. The CSE
spawned process is isolated from other CPU software, processes and
applications to provide protection from interference or
attacks.
[0024] In some embodiments, the CSE may be configured to encrypt the
code/data as a Binary Large Object (BLOB) and cryptographically
bind it to the operational block using the VMM. Only an authorized
operational block may be configured to decrypt the code/data to
obtain the workload package. The VMM may identify the authorized
operational block and provide the credentials needed for
decryption. This embodiment may be particularly useful for
relatively "dumb" devices, such as for example a display element,
that do not execute code and/or may not share an address space with
the processor.
[0025] FIG. 4 illustrates a block diagram 400 of another example
embodiment consistent with the present disclosure. A simplified
example is shown that includes just two operational blocks: a
graphics processing unit (GPU) 110-1 and a display engine 110-2.
The GPU 110-1 is generally configured to generate a display surface
(e.g., a bitmap to be displayed) while the display engine 110-2 is
generally configured to provide the driving signals to a display
element to cause the display surface to be displayed.
[0026] In this example, a third party 402 may submit a request to
the system to display an image of some sort. The request may
specify the image at any level of abstractness (for example,
ranging from a general description down to individual pixels) and
may include data, code, pseudo-code and/or algorithms that may be
used to generate the image. Process 404, on processor 104, may
receive this code/data and load it into a virtualization and
page-table based container or sandbox where it will be protected
from other processes 202, 204, 206 including the OS. Process 404
may be configured to verify the authenticity of the code/data and
use it to generate a workload package for the GPU 110-1. The
workload package may include GPU understandable machine code.
Access controls for the memory region (pages) of the sandbox that
holds the generated workload package may be set, for example by the
VMM 108, to non-executable status to prevent unintended execution
by any other unauthorized processes or processing blocks.
[0027] The VMM 108 may further be requested to allow the GPU, for
example through block engine 214, to fetch and execute instructions
from the workload package in the sandbox. The execution of these
instructions forms the basis for display generating workload 406
which may be configured to generate a display surface that
corresponds to the request from third party 402. The generated
display surface may be stored in a region of the sandbox dedicated
to workload results. The VMM may be configured to allow the display
engine 110-2 to access this results region of the sandbox. In some
embodiments, however, the results may be transmitted directly from
the GPU 110-1 to the display engine 110-2, in which case the
results may be encrypted and a key (for decryption) may be provided
to the display engine in a secure manner through the VMM.
[0028] The VMM 108 may also be configured to arbitrate between
requests for display resources from multiple sandboxes, each
sandbox executing a display generating workload. For example, if
there are multiple requests for Z-order priority (an image plane or
surface from one sandbox overlapping an image plane from another
sandbox), the VMM may decide the priority and determine which
portions of the images are displayed. The VMM can provide the
cryptographic resources needed by the display engine 110-2 to
display surfaces on behalf of multiple sandboxes. The display
engine may be configured to keep track of which surfaces belong to
which sandbox and to prevent workload requests from any sandbox to
read a surface that does not belong to it. Similarly, the display
engine 110-2 may be configured to enforce the Z-order, as requested
by the workload of the sandbox. The display engine may also be
configured to generate a snapshot of the configuration of display
surfaces and send it to the sandbox as proof of visibility of the
surface. The display engine may further notify the sandbox whenever
the configuration of display surfaces does not conform to the
configuration requested by the sandbox.
[0029] FIG. 5 illustrates a flowchart of operations 500 of another
example embodiment consistent with the present disclosure. The
operations provide a method for virtualization-based intra-block
workload isolation. At operation 510, a secure virtualization
environment (sandbox) is created. The sandbox is associated with a
processor block of a system and managed by a virtual machine
manager (VMM). At operation 520, data is loaded into the sandbox.
The data loading may be performed by the processor block. At
operation 530, the data is authenticated. At operation 540, a
workload package is generated based on the data. The workload
package, which is associated with the workload, is stored in a
non-executable region of memory in the sandbox. At operation 550,
the workload package is submitted to an operational block of the
system for execution from the sandbox.
[0030] FIG. 6 illustrates a system diagram 600 of one example
embodiment consistent with the present disclosure. The system 600
may be a mobile platform 610 or computing device such as, for
example, a smart phone, smart tablet, personal digital assistant
(PDA), mobile Internet device (MID), convertible tablet, notebook
or laptop computer, desktop computer, server, smart television or
any other device whether fixed or mobile. The device may generally
present various interfaces to a user via a display element 670 such
as, for example, a touch screen, liquid crystal display (LCD) or
any other suitable display type.
[0031] The system 600 is shown to include a processor 104. In some
embodiments, processor 104 may be implemented as any number of
processor cores. The processor (or processor cores) may be any type
of processor, such as, for example, a micro-processor, an embedded
processor, a digital signal processor (DSP), a network processor, a
field programmable gate array or other device configured to execute
code. Processor 104 may be a single-threaded core or a
multithreaded core in that it may include more than one hardware
thread context (or "logical processor") per core. System 600 is
also shown to include a memory 106 coupled to the processor 104.
The memory 106 may be any of a wide variety of memories (including
various layers of memory hierarchy and/or memory caches) as are
known or otherwise available to those of skill in the art. System
600 is also shown to include a VMM module 108, or other suitable
security engine, as described previously.
[0032] System 600 is also shown to include any number of
operational blocks 110 which may include an input/output (IO)
system or controller 650 which may be configured to enable or
manage data communication between processor 104 and other elements
of system 600 or other elements (not shown) external to system 600.
Operational blocks 110 may also include a wireless communication
interface 620 configured to enable wireless communication between
system 600 and any external entity, for example, through a wireless
communication transceiver 660. The wireless communications may
conform to or otherwise be compatible with any existing or yet to
be developed communication standards including mobile phone
communication standards. Operational blocks 110 may also include a
graphics processor (or GPU) 630 and a display engine 640 configured
to drive display element 670. Operational blocks 110 may be
configured to provide intra-block workload isolation, as described
herein, employing the security capabilities of VMM module 108.
[0033] It will be appreciated that in some embodiments, the various
components of the system 600 may be combined in a system-on-a-chip
(SoC) architecture. In some embodiments, the components may be
hardware components, firmware components, software components or
any suitable combination of hardware, firmware or software.
[0034] Embodiments of the methods described herein may be
implemented in a system that includes one or more storage mediums
having stored thereon, individually or in combination, instructions
that when executed by one or more processors perform the methods.
Here, the processor may include, for example, a system CPU (e.g.,
core processor) and/or programmable circuitry. Thus, it is intended
that operations according to the methods described herein may be
distributed across a plurality of physical devices, such as
processing structures at several different physical locations.
Also, it is intended that the method operations may be performed
individually or in a subcombination, as would be understood by one
skilled in the art. Thus, not all of the operations of each of the
flow charts need to be performed, and the present disclosure
expressly intends that all subcombinations of such operations are
enabled as would be understood by one of ordinary skill in the
art.
[0035] The storage medium may include any type of tangible medium,
for example, any type of disk including floppy disks, optical
disks, compact disk read-only memories (CD-ROMs), compact disk
rewritables (CD-RWs), digital versatile disks (DVDs) and
magneto-optical disks, semiconductor devices such as read-only
memories (ROMs), random access memories (RAMs) such as dynamic and
static RAMs, erasable programmable read-only memories (EPROMs),
electrically erasable programmable read-only memories (EEPROMs),
flash memories, magnetic or optical cards, or any type of media
suitable for storing electronic instructions.
[0036] "Circuitry", as used in any embodiment herein, may include,
for example, singly or in any combination, hardwired circuitry,
programmable circuitry, state machine circuitry, and/or firmware
that stores instructions executed by programmable circuitry. An app
may be embodied as code or instructions which may be executed on
programmable circuitry such as a host processor or other
programmable circuitry. A module, as used in any embodiment herein,
may be embodied as circuitry. The circuitry may be embodied as an
integrated circuit, such as an integrated circuit chip.
[0037] Thus, the present disclosure provides systems, devices,
methods and computer readable media for virtualization-based
intra-block workload isolation. The following examples pertain to
further embodiments.
[0038] According to example 1 there is provided a system for
intra-block workload isolation. The system may include a virtual
machine manager (VMM) module to create a secure virtualization
environment (sandbox). The system of this example may also include
a processor block to load data into a first region of the sandbox.
The processor block of this example may be further configured to
generate a workload package, associated with the workload, the
workload package based on the data and stored in a second region of
the sandbox. The system of this example may further include an
operational block to fetch and execute instructions from the
workload package.
[0039] Example 2 may include the elements of the foregoing example,
and the VMM is further to set access controls of the second region
of the sandbox to provide intra-block isolation of code, data and
state information associated with the workload.
[0040] Example 3 may include the elements of the foregoing
examples, and the VMM is further to set access controls of the
second region of the sandbox to a non-executable mode.
[0041] Example 4 may include the elements of the foregoing
examples, and the VMM is further to set access controls of the
second region of the sandbox to an executable mode for the
operational block during a selected period of execution of the
workload package.
[0042] Example 5 may include the elements of the foregoing
examples, and the operational block is further to write results to
a third region of the sandbox, the results based on execution of
the workload package.
[0043] Example 6 may include the elements of the foregoing
examples, and the processor block is further to cryptographically
authenticate the data.
[0044] Example 7 may include the elements of the foregoing
examples, and the VMM is further to provide page table based
translation between virtual and physical addresses associated with
the sandbox and further to provide read/write/execute access
control associated with the addresses.
[0045] Example 8 may include the elements of the foregoing
examples, and the operational block is selected from the group
consisting of a graphics processing unit, a device controller, a
wireless communications interface, a digital signal processor and
an audio processor.
[0046] Example 9 may include the elements of the foregoing
examples, and the system is a system-on-a-chip.
[0047] Example 10 may include the elements of the foregoing
examples, and the system is a smart phone, a laptop computing
device, a smart TV or a smart tablet.
[0048] Example 11 may include the elements of the foregoing
examples, and further including a user interface, and the user
interface is a touch screen.
[0049] According to example 12 there is provided a method for
intra-block workload isolation. The method of this example may
include creating a secure virtualization environment (sandbox)
associated with a processor block of a system, the sandbox managed
by a virtual machine manager (VMM). The method of this example may
also include loading data into the sandbox. The method of this
example may further include authenticating the data. The method of
this example may further include generating a workload package,
associated with the workload, the workload package based on the
data and stored in a non-executable region of memory in the
sandbox. The method of this example may further include submitting
the workload package to an operational block of the system for
execution from the sandbox.
[0050] Example 13 may include the elements of the foregoing
examples, and further include setting access controls on the
sandbox to provide intra-block isolation of code, data and state
information associated with the workload.
[0051] Example 14 may include the elements of the foregoing
examples, and the submitting further includes requesting the VMM to
enable the operational block to fetch and execute instructions from
the workload package.
[0052] Example 15 may include the elements of the foregoing
examples, and further include receiving results from the
operational block, the results based on the execution.
[0053] Example 16 may include the elements of the foregoing
examples, and the receiving further includes requesting the VMM to
enable the operational block to write to a region of memory in the
sandbox.
[0054] Example 17 may include the elements of the foregoing
examples, and the operational block is a graphics processing unit,
a device controller, a wireless communications interface, a digital
signal processor or an audio processor.
[0055] Example 18 may include the elements of the foregoing
examples, and the authenticating further includes verifying an
encryption signature.
[0056] Example 19 may include the elements of the foregoing
examples, and the VMM provides page table based translation between
virtual and physical addresses associated with the sandbox and
further provides read/write/execute access control associated with
the addresses.
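The method of examples 12 through 19, modelled as an added sketch that is not code from the application: a toy VMM tracks read/write/execute permissions per block and region, and the operational block can fetch the workload package only inside the execution window. The names Vmm, run_workload and the region labels are assumptions made for illustration, and HMAC-SHA256 stands in for the signature verification of example 18.

```python
import hashlib
import hmac

R, W, X = 1, 2, 4  # read / write / execute permission bits

class AccessViolation(Exception):
    """Raised when a block touches a region without the needed permission."""

class Vmm:
    """Toy VMM (hypothetical): per-(block, region) bits stand in for page-table R/W/X."""
    def __init__(self):
        self.mem = {"data": b"", "package": b"", "results": b""}
        # Package region starts non-executable; the operational block has no access yet.
        self.perms = {("processor", "data"): R | W,
                      ("processor", "package"): R | W,
                      ("processor", "results"): R}

    def check(self, block, region, need):
        if self.perms.get((block, region), 0) & need != need:
            raise AccessViolation(f"{block} lacks {need:03b} on {region}")

    def write(self, block, region, data):
        self.check(block, region, W)
        self.mem[region] = data

    def fetch(self, block, region):
        self.check(block, region, X)
        return self.mem[region]

def run_workload(vmm, key, data, tag, execute):
    """Load, authenticate, package, execute in a bounded window, return results."""
    vmm.write("processor", "data", data)
    # Authenticate before packaging (HMAC is an assumed stand-in for the signature).
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    vmm.write("processor", "package", b"PKG:" + data)
    # Execution window: operational block gets X on the package, W on results.
    vmm.perms[("operational", "package")] = R | X
    vmm.perms[("operational", "results")] = W
    try:
        code = vmm.fetch("operational", "package")
        vmm.write("operational", "results", execute(code))
    finally:
        # Revoke both grants so the package is non-executable again.
        vmm.perms.pop(("operational", "package"), None)
        vmm.perms.pop(("operational", "results"), None)
    vmm.check("processor", "results", R)
    return vmm.mem["results"]
```

The revocation sits in a finally clause so that a fault during execution cannot leave the package region executable.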
[0057] According to example 20 there is provided a system for
intra-block workload isolation. The system of this example may
include a means for creating a secure virtualization environment
(sandbox) associated with a processor block of a system, the
sandbox managed by a virtual machine manager (VMM). The system of
this example may also include a means for loading data into the
sandbox. The system of this example may further include a means for
authenticating the data. The system of this example may further
include a means for generating a workload package, associated with
the workload, the workload package based on the data and stored in
a non-executable region of memory in the sandbox. The system of
this example may further include a means for submitting the
workload package to an operational block of the system for
execution from the sandbox.
[0058] Example 21 may include the elements of the foregoing
examples, and further include a means for setting access controls
on the sandbox to provide intra-block isolation of code, data and
state information associated with the workload.
[0059] Example 22 may include the elements of the foregoing
examples, and the means for submitting further includes means for
requesting the VMM to enable the operational block to fetch and
execute instructions from the workload package.
[0060] Example 23 may include the elements of the foregoing
examples, and further include a means for receiving results from
the operational block, the results based on the execution.
[0061] Example 24 may include the elements of the foregoing
examples, and the means for receiving further includes means for
requesting the VMM to enable the operational block to write to a
region of memory in the sandbox.
[0062] Example 25 may include the elements of the foregoing
examples, and the operational block is a graphics processing unit,
a device controller, a wireless communications interface, a digital
signal processor or an audio processor.
[0063] Example 26 may include the elements of the foregoing
examples, and the means for authenticating further includes means
for verifying an encryption signature.
[0064] Example 27 may include the elements of the foregoing
examples, and the VMM provides means for page table based
translation between virtual and physical addresses associated with
the sandbox and further provides means for read/write/execute
access control associated with the addresses.
[0065] According to another example there is provided at least one
computer-readable storage medium having instructions stored thereon
which when executed by a processor, cause the processor to perform
the operations of the method as described in any of the examples
above.
[0066] According to another example there is provided an apparatus
including means to perform a method as described in any of the
examples above.
[0067] The terms and expressions which have been employed herein
are used as terms of description and not of limitation, and there
is no intention, in the use of such terms and expressions, of
excluding any equivalents of the features shown and described (or
portions thereof), and it is recognized that various modifications
are possible within the scope of the claims. Accordingly, the
claims are intended to cover all such equivalents. Various
features, aspects, and embodiments have been described herein. The
features, aspects, and embodiments are susceptible to combination
with one another as well as to variation and modification, as will
be understood by those having skill in the art. The present
disclosure should, therefore, be considered to encompass such
combinations, variations, and modifications.