EP-4216089-B1 - DEVICE SECURITY MANAGER ARCHITECTURE FOR TRUSTED EXECUTION ENVIRONMENT INPUT/OUTPUT (TEE-IO) CAPABLE SYSTEM-ON-A-CHIP INTEGRATED DEVICES
Inventors
- KAKAIYA, UTKARSH Y.
- YAO, JIEWEN
Dates
- Publication Date: 20260506
- Application Date: 20230118
Claims (11)
- An apparatus comprising: a hardware processor core (102) configurable to implement a trust domain manager (101) to manage one or more virtual machines as a respective trust domain isolated from a virtual machine monitor (110B); and a device security manager circuit (136) to be coupled between the hardware processor core (102) and an input/output device (106), wherein the device security manager circuit (136) is to, in response to a trusted and unencrypted request from the trust domain manager (101) to a control interface of the device security manager circuit, access a state of a trusted device interface of the input/output device (106) for a trust domain of the trust domain manager (101), and provide a corresponding response to the trust domain manager (101), wherein the device security manager circuit (136) comprises a set of one or more registers (137) as the control interface of the device security manager circuit, and wherein the set of one or more registers (137) comprises a set of one or more protected registers that are accessible by the trust domain manager (101) and not accessible by the virtual machine monitor (110B) of the one or more virtual machines, or the set of one or more registers (137) implements a management trusted device interface of the device security manager circuit (136) that is accessible by the trust domain and not accessible by a second trust domain managed by the trust domain manager (101).
- The apparatus of claim 1, wherein, if the set of one or more registers (137) implements the management trusted device interface of the device security manager circuit (136), the control interface of the device security manager circuit (136) comprises a protected trust domain mode, and the device security manager circuit (136) is to access the state of the trusted device interface of the input/output device (106) in response to the protected trust domain mode being enabled and the trusted and unencrypted request including a trusted execution environment field that indicates the trusted and unencrypted request is from a trusted entity.
- The apparatus of claim 2, wherein the management trusted device interface of the device security manager circuit (136) is to not accept the trusted and unencrypted request in response to the protected trust domain mode being disabled.
- The apparatus of claim 3, wherein the device security manager circuit (136) is to: lock configuration of the input/output device (106) in response to the protected trust domain mode being enabled; monitor the input/output device (106) for a re-configuration or an error event; disable the protected trust domain mode in response to the re-configuration; and disable the protected trust domain mode in response to the error event.
- The apparatus of any one of claims 1 to 4, wherein the device security manager circuit (136) is to, in response to the trusted and unencrypted request from the trust domain manager (101) to the control interface of the device security manager circuit (136), transition the state of the trusted device interface according to a Trusted Execution Environment Device Interface Security Protocol standard.
- A method comprising: managing (1202) one or more virtual machines as a respective trust domain, isolated from a virtual machine monitor (110B), by a trust domain manager (101) implemented by a hardware processor core (102); sending (1204) a trusted and unencrypted request from the trust domain manager (101) to a control interface of a device security manager circuit (136) of an input/output device (106) coupled to the hardware processor core (102); accessing (1206), in response to the trusted and unencrypted request, a state of a trusted device interface of the input/output device (106) for a trust domain of the trust domain manager (101); and receiving (1208) a corresponding response by the trust domain manager (101), wherein the device security manager circuit (136) comprises a set of one or more registers (137) as the control interface of the device security manager circuit, and wherein the set of one or more registers (137) comprises a set of one or more protected registers that are accessible by the trust domain manager (101) and not accessible by the virtual machine monitor (110B) of the one or more virtual machines, or the set of one or more registers (137) implements a management trusted device interface of the device security manager circuit (136) that is accessible by the trust domain and not accessible by a second trust domain managed by the trust domain manager (101).
- The method of claim 6, wherein, if the set of one or more registers (137) comprises the set of one or more protected registers, the receiving comprises performing a read or a write on the set of one or more protected registers.
- The method of claim 6, wherein, if the set of one or more registers (137) implements the management trusted device interface of the device security manager circuit (136), the control interface of the device security manager circuit (136) comprises a protected trust domain mode, and the accessing the state of the trusted device interface of the input/output device (106) is in response to the protected trust domain mode being enabled and the trusted and unencrypted request including a trusted execution environment field that indicates the trusted and unencrypted request is from a trusted entity.
- The method of claim 8, further comprising not accepting, by the management trusted device interface of the device security manager circuit (136), the trusted and unencrypted request in response to the protected trust domain mode being disabled.
- The method of claim 9, further comprising: locking configuration of the input/output device (106) in response to the protected trust domain mode being enabled; monitoring the input/output device (106) for a re-configuration or an error event; disabling the protected trust domain mode in response to the re-configuration; and disabling the protected trust domain mode in response to the error event.
- The method of any one of claims 6 to 10, further comprising: in response to the trusted and unencrypted request from the trust domain manager (101) to the control interface of the device security manager circuit (136), transitioning the state of the trusted device interface according to a Trusted Execution Environment Device Interface Security Protocol standard.
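The gating rules in claims 1 to 5 (a request to the DSM control interface is honoured only when protected trust domain mode is enabled and the request's TEE field marks it as coming from the trust domain manager; enabling the mode locks device configuration; a re-configuration or error event drops the mode; accepted requests move the trusted device interface through the TDISP state machine) can be read as a small access-control state machine. The following C model is an added example, not code from the patent or from any vendor implementation. The struct layout, the request and flag encodings, and the `dsm_*` function names are assumptions for illustration; the TDI state names come from the PCI-SIG TDISP standard, and moving the TDI to ERROR on a re-configuration event is taken from TDISP rather than from the claims, which only say the mode is disabled.

```c
/* Added example, not code from the patent or from any vendor implementation:
 * a software model of the device security manager (DSM) control interface
 * described in claims 1 to 5. Register names, the request/flag encoding and
 * the struct layout are assumptions made for illustration. */
#include <stdbool.h>
#include <stdio.h>

/* Trusted device interface (TDI) states as named by the PCI-SIG TDISP standard. */
typedef enum { TDI_CONFIG_UNLOCKED, TDI_CONFIG_LOCKED, TDI_RUN, TDI_ERROR } tdi_state_t;

/* Requests the trust domain manager (TDM) may send to the DSM control interface
 * (assumed encoding; they mirror the TDISP lock/start/stop interface messages). */
typedef enum { REQ_GET_STATE, REQ_LOCK, REQ_START, REQ_STOP } dsm_req_t;

/* The "trusted execution environment field" of claim 2, modelled as one flag
 * bit that the hardware sets only for requests originating in the TDM. */
#define REQ_TEE_FIELD 0x1u

typedef struct {
    bool protected_td_mode; /* control-interface mode bit from claims 2 to 4 */
    bool config_locked;     /* device configuration locked while the mode is on */
    tdi_state_t tdi_state;  /* state of the device's trusted device interface */
} dsm_t;

typedef struct {
    bool accepted;          /* false: request refused by the management TDI */
    tdi_state_t state;      /* TDI state reported back to the TDM */
} dsm_resp_t;

void dsm_init(dsm_t *d) {
    d->protected_td_mode = false;
    d->config_locked = false;
    d->tdi_state = TDI_CONFIG_UNLOCKED;
}

/* Claim 4: enabling protected TD mode locks the device configuration. */
void dsm_enable_protected_mode(dsm_t *d) {
    d->protected_td_mode = true;
    d->config_locked = true;
}

/* Claim 4: a re-configuration or error event seen by the DSM monitor disables
 * the mode. Moving the TDI to ERROR as well is an assumption taken from TDISP,
 * so a trust domain cannot keep using a device whose configuration changed. */
void dsm_on_reconfig_or_error(dsm_t *d) {
    d->protected_td_mode = false;
    d->config_locked = false;
    d->tdi_state = TDI_ERROR;
}

/* Claims 2, 3 and 5: a request is honoured only when protected TD mode is
 * enabled AND the TEE field marks it as coming from a trusted entity (the TDM).
 * A VMM request never carries the TEE field, so it is refused even with the
 * mode on. Accepted requests move the TDI through the TDISP state machine; a
 * request that is not legal in the current state is refused and leaves the
 * state unchanged (assumed handling). */
dsm_resp_t dsm_request(dsm_t *d, dsm_req_t req, unsigned flags) {
    dsm_resp_t r = { false, d->tdi_state };
    if (!d->protected_td_mode || !(flags & REQ_TEE_FIELD))
        return r;
    switch (req) {
    case REQ_GET_STATE:
        r.accepted = true;
        break;
    case REQ_LOCK:   /* CONFIG_UNLOCKED -> CONFIG_LOCKED */
        if (d->tdi_state == TDI_CONFIG_UNLOCKED) { d->tdi_state = TDI_CONFIG_LOCKED; r.accepted = true; }
        break;
    case REQ_START:  /* CONFIG_LOCKED -> RUN */
        if (d->tdi_state == TDI_CONFIG_LOCKED) { d->tdi_state = TDI_RUN; r.accepted = true; }
        break;
    case REQ_STOP:   /* any state -> CONFIG_UNLOCKED */
        d->tdi_state = TDI_CONFIG_UNLOCKED;
        r.accepted = true;
        break;
    }
    r.state = d->tdi_state;
    return r;
}

/* Walks one device through the claimed lifecycle and returns how many
 * requests were refused along the way (three in this constructed scenario). */
int dsm_demo(void) {
    dsm_t dev;
    int refused = 0;
    dsm_init(&dev);
    /* VMM reads the control interface before the TDM has enabled the mode. */
    if (!dsm_request(&dev, REQ_GET_STATE, 0).accepted) refused++;
    dsm_enable_protected_mode(&dev);
    /* Mode on, but the VMM still lacks the TEE field. */
    if (!dsm_request(&dev, REQ_LOCK, 0).accepted) refused++;
    /* TDM locks and starts the interface. */
    dsm_request(&dev, REQ_LOCK, REQ_TEE_FIELD);
    dsm_request(&dev, REQ_START, REQ_TEE_FIELD);
    /* Device is re-configured underneath the TD: mode drops, TDI goes to ERROR. */
    dsm_on_reconfig_or_error(&dev);
    if (!dsm_request(&dev, REQ_GET_STATE, REQ_TEE_FIELD).accepted) refused++;
    return refused;
}

int main(void) {
    printf("refused requests in lifecycle: %d\n", dsm_demo());
    return 0;
}
```

The point the model makes explicit is that the two checks are independent: the mode bit alone does not admit a requester (the VMM is refused even with the mode on), and the TEE field alone does not either (after the re-configuration event the TDM itself is refused until it re-enables the mode and re-locks the device), which is what keeps a VMM-driven re-configuration from silently surviving into a running trust domain.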
Description
TECHNICAL FIELD
The disclosure relates generally to electronics, and, more specifically, an example of the disclosure relates to circuitry for implementing a device security manager for integrated devices that utilize input/output extensions for trust domains.
BACKGROUND
A processor, or set of processors, executes instructions from an instruction set, e.g., the instruction set architecture (ISA). The instruction set is the part of the computer architecture related to programming, and generally includes the native data types, instructions, register architecture, addressing modes, memory architecture, interrupt and exception handling, and external input and output (IO). It should be noted that the term instruction herein may refer to a macro-instruction, e.g., an instruction that is provided to the processor for execution, or to a micro-instruction, e.g., an instruction that results from a processor's decoder decoding macro-instructions.
The document US 2021/026543 A1 describes an apparatus to facilitate security of a shared memory resource, which includes a memory device to store memory data, a system agent to receive requests from one or more input/output (I/O) devices to access the memory data, and trusted translation components having trusted host physical address (HPA) permission tables (HPTs) to validate memory address translation requests received from trusted I/O devices to access pages in memory associated with trusted domains.
SUMMARY
The present invention provides an apparatus and a method as defined by the claims.
BRIEF DESCRIPTION OF THE DRAWINGS
The present disclosure is illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:
- Figure 1 illustrates a block diagram of a computer system including a plurality of cores having a trust domain manager, a memory, and an input/output (IO) device including a device security manager (e.g., circuit) according to examples of the disclosure.
- Figure 2 illustrates a functional diagram of a host coupled to a discrete IO device according to examples of the disclosure.
- Figure 3 illustrates a block diagram of a trust domain manager coupled to a device security manager and its components used for managing interactions between the trust domain manager and the device security manager for a discrete IO device according to examples of the disclosure.
- Figure 4 illustrates a block diagram of a trust domain manager coupled to a device security manager and its components used for managing interactions between the trust domain manager and the device security manager for an integrated IO device according to examples of the disclosure.
- Figure 5 illustrates a block diagram of a trust domain manager communicating with a device security manager with encrypted messages according to examples of the disclosure.
- Figure 6 illustrates a block diagram of a trust domain manager communicating with a device security manager with trusted (e.g., and unencrypted) messages via a set of one or more control and status registers (CSRs) according to examples of the disclosure.
- Figure 7 illustrates a block diagram of a trust domain manager communicating with a device security manager with trusted (e.g., and unencrypted) messages via a set of one or more registers implemented as a special trusted device interface (e.g., device security manager (DSM) trusted device interface (TDI)) according to examples of the disclosure.
- Figure 8 illustrates a functional diagram of a host coupled to an integrated IO device according to examples of the disclosure.
- Figure 9A illustrates a block diagram of the configuration space and registers of an integrated IO device according to examples of the disclosure.
- Figure 9B illustrates an example of a TDX-IO designated vendor-specific extended capability (DVSEC) according to examples of the disclosure.
- Figure 9C illustrates an example format of the fields of a TDX-IO designated vendor-specific extended capability (DVSEC) according to examples of the disclosure.
- Figure 9D illustrates an example format of device security manager (DSM) registers according to examples of the disclosure.
- Figure 9E illustrates an example format of a device security manager capabilities (DSM caps) register according to examples of the disclosure.
- Figure 10 illustrates a block diagram of a trust domain manager implementing a virtual device security manager according to examples of the disclosure.
- Figure 11 illustrates a block diagram of a virtual device security manager implemented on a co-processor according to examples of the disclosure.
- Figure 12 is a flow diagram illustrating operations of a method for accessing state of a trusted device interface of an input/output device according to examples of the disclosure.
- Figure 13A is a block diagram illustrating a generic vector friendly instruction format and class A instruction templates thereof according to examples of the disclosure.
- Figure 13B is a block diag