US 11,055,236 B2
Processors, methods, systems, and instructions to support live migration of protected containers
Carlos V. Rozas, Portland, OR (US); Mona Vij, Hillsboro, OR (US); Rebekah M. Leslie-Hurd, Portland, OR (US); Krystof C. Zmudzinski, Forest Grove, OR (US); Somnath Chakrabarti, Portland, OR (US); Francis X. Mckeen, Portland, OR (US); Vincent R. Scarlata, Beaverton, OR (US); Simon P. Johnson, Beaverton, OR (US); Ilya Alexandrovich, Yokneam Illit (IL); Gilbert Neiger, Portland, OR (US); Vedvyas Shanbhogue, Austin, TX (US); and Ittai Anati, Ramat Hasharon (IL)
Assigned to Intel Corporation, Santa Clara, CA (US)
Filed by Intel Corporation, Santa Clara, CA (US)
Filed on Dec. 27, 2019, as Appl. No. 16/729,251.
Application 16/729,251 is a continuation of application No. 15/651,771, filed on Jul. 17, 2017, granted, now 10,558,588.
Application 15/651,771 is a continuation of application No. 14/752,227, filed on Jun. 26, 2015, granted, now 9,710,401, issued on Jul. 18, 2017.
Prior Publication US 2020/0142838 A1, May 7, 2020
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 12/14 (2006.01); G06F 21/60 (2013.01); G06F 9/30 (2018.01); G06F 21/53 (2013.01); G06F 8/41 (2018.01); G06F 9/455 (2018.01)
CPC G06F 12/1408 (2013.01) [G06F 8/41 (2013.01); G06F 9/30145 (2013.01); G06F 9/45558 (2013.01); G06F 12/1441 (2013.01); G06F 12/1483 (2013.01); G06F 21/53 (2013.01); G06F 21/602 (2013.01); G06F 2009/4557 (2013.01); G06F 2009/45587 (2013.01); G06F 2212/1052 (2013.01)]
20 Claims
1. A system on a chip comprising:
a decode unit to decode an instruction;
an execution unit, in response to the instruction, to:
access a control structure in response to the instruction, the control structure to store a plurality of cryptographic keys capable of being migrated from a source computer system to a destination computer system;
decrypt a copy of data with a first cryptographic key, the data to be within an encrypted portion of a virtual machine, wherein the system on a chip protects the data within the encrypted portion of the virtual machine from being disclosed to a virtual machine monitor;
generate encrypted data based on the decrypted copy of the data with a second, different cryptographic key; and
store the encrypted data generated by the execution unit to a memory location outside of the encrypted portion of the virtual machine,
wherein the system on a chip is to leave the data within the encrypted portion of the virtual machine valid and readable after the encrypted data has been stored to the memory location outside of the encrypted portion of the virtual machine.