PROVIDING ISOLATION IN VIRTUALIZED SYSTEMS USING TRUST DOMAINS

摘要

Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, the processing device includes a processing core to execute a tenant workload and a resource management capability to manage the tenant workload, the resource management capability including a hypervisor and the tenant workload including a virtual machine running on top of the hypervisor, and reference a micro-architectural structure a micro-architectural structure that is access-controlled against software access to obtain at least one key identifier, ID, corresponding to an encryption key assigned to the tenant workload, the key ID to allow the processing device to decrypt memory pages assigned to the tenant workload responsive to the processing device executing in the context of the tenant workload, the memory pages assigned to the tenant workload encrypted with the encryption key. The micro-architectural structure is to hold meta-data attributes for each physical memory page and the meta-data attributes are direct indexed by the physical page address of the physical memory page.