At least some partitionable computer systems comprise complex management (CM) code that manages the system at a high level. The CMI code supports partitioning of the system. For example, the CMI code is used to spawn various partitions in the system. Viruses, bugs, or rogue applications could compromise the integrity and operability of the system if such applications had access to the CM code.
For a detailed description of exemplary embodiments of the invention, reference will now be made to the accompanying drawings in which:
Certain terms are used throughout the following description and claims to refer to particular system components. As one skilled in the art will appreciate, computer companies may refer to a component by different names. This document does not intend to distinguish between components that differ in name but not function. In the following discussion and in the claims, the terms “including” and “comprising” are used in an open-ended fashion, and thus should be interpreted to mean “including, but not limited to . . . .” Also, the term “couple” or “couples” is intended to mean either an indirect, direct, optical or wireless electrical connection. Thus, if a first device couples to a second device, that connection may be through a direct electrical connection, through an indirect electrical connection via other devices and connections, through an optical electrical connection, or through a wireless electrical connection.
Each processor core 20 executes one or more operating systems and applications running under the respective operating systems. Via the memory controllers 22, the cores 20 issue memory requests (e.g., reads, writes) for access to the memory 24. The memory controllers 22 arbitrate among multiple pending memory requests for access to the memory 24.
The memory 24 contained in each computing node is configured, in at least some embodiments, as “partition memory” meaning that memory requests for such memory are interleaved across the memory of multiple computing nodes. By interleaving memory requests across all memory controllers in the partition, an application does not have to be aware of the non-uniform memory access (NUMA) characteristics of the system to achieve satisfactory performance of a symmetric multi-processing (SMP) system.
In various embodiments, the system 10 is “partitionable” meaning that the various computing nodes 12-16 are configured to operate in one or more partitions. A partition comprises various hardware resources (e.g., core 20, memory controller 22, memory 24, and input/output (I/O) resources) and software resources (operating system and applications). Different partitions may run the same or different operating systems and may run the same or different applications.
Executable code termed “complex management (CM) code is executed by one or more of the cores 20 to coordinate the various partitions implemented on the system 10. The CM code spawns the various partitions and reconfigures the partitions as needed upon the hot addition or deletion of hardware resources (e.g., memory 24).
Because the CM code 52 runs outside the control of the operating systems 54 in the various partitions, security mechanisms that the operating systems may implement will generally not be effective to protect the security of the CM code 52. Thus, in accordance with various embodiments, the portion of partition memory in which the CM code 52 runs is restricted from access by operating systems 54 running in the various partitions.
In the embodiment of
In at least some embodiments, the CMI memory address space 66 is smaller than the smallest granule of memory assignable to the various partitions. Any memory assigned to CMI is not available to operating systems or applications. A different protection mechanism that uses a smaller granularity than the mechanism used to protect memory from other partitions can be implemented as desired.
In the partition memory address space, the range of addresses just above the permitted partition memory address space 64 represents partition memory addresses that are not permitted (unpermitted partition memory address space 68). The unpermitted partition memory address space 68 would alias (i.e., by translation of such addresses to fabric accesses) to the same CMI code area 52 as the CMI memory address space 66. The addresses of the unpermitted partition memory address space 68 and the CMI memory address space 66 are different and thus do not overlap, but alias to the same CMI code 52.
As the name suggests, the unpermitted partition memory address space 68 is not permitted as part of the partition memory address space. Such addresses are not reported as being available to the various partitions and operating systems running therein. The CMI memory address space 66 comprises addresses, which alias to the CMI code area 52, that are available by a processor core 20 for execution of the CMI code 52, but only when the processor core 20 is in a complex management (CM) mode of operation. The processor core 20 is caused to transition to the CM mode in accordance with any suitable technique. When a processor core 20 is in the CM mode, that core is permitted to generate CMI addresses for executing the CM code and accessing 52 (which may also contain CM data). When the fabric agent 40 receives an address that is in the CMI memory address space 66, the fabric agent 40 permits such address and associated memory request to complete. In that regard, the fabric agent 40 translates the received CMI memory address to a fabric agent.
As explained above, unpermitted partition memory address space addresses are different than CMI memory address space addresses, and thus can readily be detected and differentiated by, for example, the fabric agent 40, from CMI memory addresses in the CMI memory address space 66. Partition memory addresses in the unpermitted partition memory address space 68 were generated by a processor core 20 that was not in the CM mode. Such address references cannot be trusted. Thus, any partition memory address space address that the fabric agent 40 receives that would alias to the CMI region 52 upon being translated to a fabric address is not permitted and the fabric agent blocks such memory requests from completing. In at least some embodiments, the fabric agent 40 blocks such requests by not permitting the requests to complete and by generating a signal or message that indicates that the occurrence of an address in the unpermitted partition memory address space 68. Such an occurrence may be indicative of a virus, a bug, or other type of malfeasance or inadvertent error.
At 104, method 100 comprises determining whether the address in the memory request is an address in the permitted partition memory address space 64 (P:64), the unpermitted partition memory address space 68 (P:68) or the CMI memory address space 66 (P:CMI). The memory request is permitted to complete at 106 if the address that is the target of the memory request is P:CMI or P:64. A memory request containing an P:68 address (i.e., an address in the unpermitted partition memory address space 68) is blocked from completing at 108.
The above discussion is meant to be illustrative of the principles and various embodiments of the present invention. Numerous variations and modifications will become apparent to those skilled in the art once the above disclosure is fully appreciated. It is intended that the following claims be interpreted to embrace all such variations and modifications.