US 12,242,391 B2
Processors, methods, systems, and instructions to support live migration of protected containers
Carlos V. Rozas, Portland, OR (US); Mona Vij, Hillsboro, OR (US); Rebekah M. Leslie-Hurd, Portland, OR (US); Krystof C. Zmudzinski, Forest Grove, OR (US); Somnath Chakrabarti, Portland, OR (US); Francis X. McKeen, Portland, OR (US); Vincent R. Scarlata, Beaverton, OR (US); Simon P. Johnson, Beaverton, OR (US); Ilya Alexandrovich, Yokneam Illit (IL); Gilbert Neiger, Portland, OR (US); Vedvyas Shanbhogue, Austin, TX (US); and Ittai Anati, Ramat Hasharon (IL)
Assigned to Intel Corporation, Santa Clara, CA (US)
Filed by Intel Corporation, Santa Clara, CA (US)
Filed on Oct. 9, 2023, as Appl. No. 18/378,124.
Application 18/378,124 is a continuation of application No. 17/367,349, filed on Jul. 3, 2021, granted, now 11,782,849.
Application 17/367,349 is a continuation of application No. 16/729,251, filed on Dec. 27, 2019, granted, now 11,055,236, issued on Jul. 6, 2021.
Application 16/729,251 is a continuation of application No. 15/651,771, filed on Jul. 17, 2017, granted, now 10,558,588, issued on Feb. 11, 2020.
Application 15/651,771 is a continuation of application No. 14/752,227, filed on Jun. 26, 2015, granted, now 9,710,401, issued on Jul. 18, 2017.
Prior Publication US 2024/0184717 A1, Jun. 6, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 12/14 (2006.01); G06F 8/41 (2018.01); G06F 9/30 (2018.01); G06F 9/455 (2018.01); G06F 21/53 (2013.01); G06F 21/60 (2013.01)
CPC G06F 12/1408 (2013.01) [G06F 8/41 (2013.01); G06F 9/30145 (2013.01); G06F 9/45558 (2013.01); G06F 12/1441 (2013.01); G06F 12/1483 (2013.01); G06F 21/53 (2013.01); G06F 21/602 (2013.01); G06F 2009/4557 (2013.01); G06F 2009/45587 (2013.01); G06F 2212/1052 (2013.01)]
21 Claims
 
1. A system on a chip comprising:
one or more caches;
a decode unit to decode an instruction;
a cryptographic unit, as a result of the instruction, to:
decrypt a copy of a page with a first cryptographic key, the page to be within an encrypted portion of a virtual machine, wherein the system on a chip is to protect the page within the encrypted portion of the virtual machine from being disclosed to a virtual machine monitor; and
generate an encrypted page based on the decrypted copy of the page with a second, different cryptographic key;
a memory controller, as a result of the instruction, to store the encrypted page generated by the cryptographic unit to a memory location outside of the encrypted portion of the virtual machine; and
a circuit to access a metadata structure, as a result of the instruction, to store metadata associated with the encrypted page in the metadata structure,
wherein the system on a chip is to leave the page within the encrypted portion of the virtual machine valid and readable after the encrypted page has been stored to the memory location outside of the encrypted portion of the virtual machine.