Field of the Invention
Embodiments of the present invention relate generally to computer processing and, more specifically, to storing secure state information in translation lookaside buffer cache lines.
Description of the Related Art
Many computer systems include a central processing unit (CPU) and one or more parallel processing units (PPUs). The CPU usually executes the overall structure of a software application and then configures the PPUs to implement tasks that are amenable to parallel processing. As part of executing the software application, the CPU and/or the PPU access memory units included in the computer system. For example, while executing a video player application, the PPU could access high definition video that is stored in memory included in the computer system.
To protect high-value assets, such as the aforementioned high definition videos, providers of the assets oftentimes require computer systems to provide security functionality that restricts access to the assets. One technique that some computer systems implement to protect high-value assets involves storing access control information in page tables. However, because the operating system controls the page tables and the operating system is susceptible to security breaches, such a protection scheme is not necessarily secure. Another technique that other computer systems implement to protect high-value assets utilizes a trusted software layer outside of the operating system. However, because the trusted software requires knowledge of the application and trusted software is typically provided by a system vendor, not an application vendor, such a solution is difficult to coordinate. As these techniques illustrate, software-based protection schemes do not provide sufficient protection for high-value assets.
In an effort to overcome the limitations of software-based protection schemes, some computer systems provide hardware-based protection schemes. One type of hardware-based protection scheme involves “carving out” contiguous blocks of secure memory when the computer is initially booted up. In such a scheme, a certain number of contiguous memory blocks are allocated and reserved for use by secure applications. Upon receiving a memory access request via a virtual memory address, hardware-based units translate the virtual memory address to a physical address and then compare the physical memory address to the range of addresses included in the contiguous blocks of secure memory. Based on the results of the comparison, the hardware-based units either allow or reject the memory access request.
Although such a carve-out based protection scheme may satisfy vendor requirements for securing high-value assets, reserving contiguous blocks of memory for secure operations often reduces efficiencies inherent in virtual memory architectures that facilitate dynamic memory allocation. In particular, if executing applications require fewer secure memory blocks than the number of contiguous blocks reserved for secure operations, then valuable memory resources are squandered. By contrast, if executing applications require more secure memory blocks than the number of contiguous blocks reserved for secure operations, then the computer system must increase the number of contiguous blocks of secure memory during operation. Increasing the number of contiguous blocks involves, among other things, relocating existing data, which can reduce the speed at which the computer system executes applications.
As the foregoing illustrates, what is needed in the art is a more effective approach to protecting secure content.