US 12,079,379 B2
Peripheral component interconnect express protection controller
Denis Remezov, Waterloo (CA); Yin Tan, Waterloo (CA); and Jingshun Chen, Beijing (CN)
Assigned to HUAWEI TECHNOLOGIES CO., LTD., Shenzhen (CN)
Filed by HUAWEI TECHNOLOGIES CO., LTD., Guangdong (CN)
Filed on Dec. 3, 2020, as Appl. No. 17/111,007.
Prior Publication US 2022/0180009 A1, Jun. 9, 2022
Int. Cl. G06F 21/85 (2013.01); G06F 12/10 (2016.01); G06F 12/14 (2006.01); G06F 13/28 (2006.01); G06F 13/40 (2006.01); G06F 13/42 (2006.01); G06F 21/44 (2013.01)
CPC G06F 21/85 (2013.01) [G06F 12/10 (2013.01); G06F 12/14 (2013.01); G06F 13/28 (2013.01); G06F 13/4027 (2013.01); G06F 13/4282 (2013.01); G06F 21/44 (2013.01); G06F 2212/1052 (2013.01); G06F 2213/0026 (2013.01)]
19 Claims
1. A computer system comprising:
  at least one central processing unit (CPU);
  a TrustZone® Address Space Controller (TZASC) configured to distinguish between secure and nonsecure entities;
  a memory device partitioned into a secure memory region and a nonsecure memory region, in accordance with TZASC determinations;
  a PCIe root complex subsystem incorporating at least one root port and a PCIe bridge with an integrated PCIe protection controller (PCIPC), each root port being configured to optionally connect to a PCIe endpoint device, the PCIe root complex subsystem configured to:
    designate dynamically at runtime the PCIe endpoint device as being a secure endpoint device or as a nonsecure endpoint device; and
    determine whether an outbound request originates from a secure component of the computer system or from a nonsecure component of the computer system;
  a system interconnect connecting the at least one central processing unit, the memory device, and the PCIe root complex subsystem; and
  a system memory management unit configured to translate addresses for direct memory access (DMA) requests from the PCIe endpoint device before the requests are passed into the system interconnect;
  the PCIe protection controller is configured to:
    forward the outbound request to the PCIe endpoint device if the outbound request originates from the secure component of the computer system;
    forward the outbound request to the PCIe endpoint device if the outbound request originates from the nonsecure component of the computer system and the PCIe endpoint device is designated as the nonsecure endpoint device; and
    report the outbound request to an access violation handler if the outbound request originates from the nonsecure component of the computer system and the PCIe endpoint device is designated as the secure endpoint device.