1. Field of the Invention
The invention relates to computer system security and, more particularly, to techniques for providing secure input architecture for a computer system.
2. Description of the Related Art
Today, data flow related to a hardware device and between hardware devices, operating systems and applications is not protected in most computer systems. Thus, for example, when typing sensitive data, e.g., a password, on a keyboard, the sensitive data may be compromised. The lack of protection is common to both universal serial bus (USB) input devices and legacy input devices. Legacy input devices include PS/2 keyboard, PS/2 mice and serial mice, which have associated I/O address space (ports) and interrupt lines. In general, the term input device includes any device that can directly input characters into a computer system, without translation, and any device that can direct a screen pointer and cause a change of focus. Broadly, all input data from a device driver has traditionally been routed to operating system (OS) queues, via an interface that is supplied with the OS. The OS of the computer system has then controlled the routing and final destination of the input data.
As is well known, the universal serial bus (USB) standard defines various USB classes, such as a human interface device (HID) class, which details the common operation of input devices, e.g., keyboards, mice, etc. Today, there are three types of USB host controller (HC) interfaces, i.e., universal, open and enhanced. Each of the USB HC interfaces has a system footprint similar to that shown in FIG. 1. In general, each USB HC 106, implemented within a computer system 100, has peripheral component interconnect (PCI) configuration space registers 108 that establish the location of memory or input/output (I/O) mapped registers 110, a system memory 104 presence (where a USB HC driver manages a list of transactions that are to be processed by the USB HC 106, via bus master access) and an interrupt line. The USB HC 106 communicates with the system memory 104, via a memory controller 102. The memory controller 102 is coupled to the USB HC 106, by a system bus 122, and is coupled to the system memory 104, by a memory bus 120. USB supports plug ‘n’ play capability with dynamically loadable (and unloadable) USB device drivers. The loading of an appropriate USB device driver is facilitated through the implementation of a product identification (PID)/vendor identification (VID) combination.
In general terms, a virtual machine (VM) is software that creates a guest environment (guest) between a hardware platform, i.e., a host computer system, and one or more end users. A VM typically creates a number of different guests on a single host computer system, each of which emulates the host computer system. The software that provides this VM capability is often referred to as a virtual machine monitor (VMM) or hypervisor. The VMM may control the execution of multiple guests, e.g., operating systems and/or applications. Typically, the VMM provides each guest the appearance of full control over a complete computer system (i.e., memory, central processing unit (CPU) and all peripheral devices). Fundamentally, VMMs work by intercepting and emulating operations for one or more guests. Unfortunately, VMMs have not secured input data to a guest, or between guests. As such, each guest may be subject to corruption by another guest or may adversely affect operation of a host computer system.
Accordingly, it would be desirable to provide a more secure environment for operation of computer systems, particularly those that implement virtual machines.