	US 12,259,963 B2
	Confidential computing with device memory isolation
Boris Pismenny, Haifa (IL); Miriam Menes, Tel Aviv (IL); Ahmad Atamli, Oxford (GB); Ilan Pardo, Ramat-Hasharon (IL); Ariel Shahar, Jerusalem (IL); and Uria Basher, Ganei Tal (IL)
Assigned to Mellanox Technologies, Ltd, Yokneam (IL)
Filed by MELLANOX TECHNOLOGIES, LTD., Yokneam (IL)
Filed on Feb. 22, 2022, as Appl. No. 17/676,890.
Prior Publication US 2023/0267196 A1, Aug. 24, 2023
Int. Cl. G06F 21/53 (2013.01); G06F 9/50 (2006.01); G06F 13/28 (2006.01); G06F 21/79 (2013.01)

CPC G06F 21/53 (2013.01) [G06F 9/5016 (2013.01); G06F 9/5077 (2013.01); G06F 13/28 (2013.01); G06F 21/79 (2013.01)]

14 Claims

1. A confidential computing (CC) apparatus, comprising:

a CPU, to run a hypervisor that hosts one or more Trusted Virtual Machines (TVMs); and

a network device coupled to the CPU and to an external memory, for providing network communication to the CC apparatus,

wherein the CPU comprises a TVM-Monitor (TVMM) distinct from the hypervisor to:

perform management operations on the one or more TVMs;

track allocation messages of memory space that is allocated by the hypervisor in the external memory to the TVMs, to the network device and to the hypervisor;

monitor memory-access requests issued by the network device to the external memory;

check for each monitored memory-access request issued by the network device whether the monitored memory-access request is to a memory segment allocated to the network device issuing the request in the tracked allocation messages; and

deny: (i) memory-access requests issued by the TVMs to the memory space allocated to the network device or to the memory space allocated to the hypervisor, (ii) memory-access requests issued by the network device to the memory space allocated to the TVMS or to the memory space allocated to the hypervisor, and (iii) memory-access requests issued by the hypervisor to the memory space allocated to the TVMs or to the memory space allocated to the network device.