
Methods and devices for executing trusted applications on processor with support for protected execution environments

Patent number: US10867030B2
Publication date: 2020-12-15
Applicant: Advanced New Technologies Co., Ltd. (KY Grand Cayman)
Inventor: Xiaojian Liu
IPC classification: G06F21/53; G06F21/57; G06F9/30
Technical field: enclave, logical, 102a, processing, unit, 102b, exit, processor, may, first
Region: Grand Cayman

Abstract

Disclosed herein are methods, devices, and apparatuses, including computer programs stored on computer-readable media, for executing applications. One of the methods includes: establishing an enclave in a first physical processing unit of a processor; recording a first trust declaration declared by a first application, the first trust declaration declaring whether the first application trusts any application to execute with the first application on the first physical processing unit; assigning the first application to a first logical processing unit hosted on the first physical processing unit; providing a set of enclave entry instructions for the first logical processing unit to execute, to cause the first logical processing unit to enter the enclave when a predefined entering condition is satisfied; and providing a set of enclave exit instructions for the first logical processing unit to execute, to cause the first logical processing unit to exit the enclave when a predefined exiting condition is satisfied.

Description

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 16/773,187, filed on Jan. 27, 2020, which is a continuation of International Application No. PCT/CN2019/083466, filed Apr. 19, 2019, the entire contents of all of which are incorporated herein by reference.

TECHNICAL FIELD

The specification relates generally to computer technologies, and more particularly, to methods and devices for executing trusted applications on a processor with support for protected execution environments.

BACKGROUND

A processor is circuitry that can be used to carry out instructions specified in a computer program. The processor may include an arithmetic logic unit (ALU) that performs arithmetic and logic operations. The processor may also include registers that supply operands to the ALU and store results produced by the ALU. The processor may further include a control unit that coordinates the operations of the ALU, the registers, and other components, including, e.g., one or more levels of cache, one or more levels of translation lookaside buffers (TLBs), and one or more memory controllers.

Claims

What is claimed is:

1. A computer-implemented method for executing applications, the method comprising:
assigning a first application to a first logical processing unit hosted on a first physical processing unit of a processor;
providing a set of enclave entry instructions for the first logical processing unit to execute, to cause the first logical processing unit to enter an enclave when a predefined entering condition is satisfied, wherein the predefined entering condition is satisfied when all logical processing units hosted on the first physical processing unit are loaded with applications and all loaded applications are declared as trusted by the first application; and
providing a set of enclave exit instructions for the first logical processing unit to execute, to cause the first logical processing unit to exit the enclave when a predefined exiting condition is satisfied.

2. The method of claim 1, wherein the set of enclave entry instructions instructs the first logical processing unit to determine whether the predefined entering condition is satisfied by performing steps comprising:
updating an entry status record to indicate that the first logical processing unit is loaded with the first application and is waiting to enter the enclave;
determining whether all logical processing units hosted on the first physical processing unit are loaded with applications; and
in response to a determination that not all logical processing units hosted on the first physical processing unit are loaded with applications, repeating the determination of whether all logical processing units hosted on the first physical processing unit are loaded with applications.

3. The method of claim 2, wherein the set of enclave entry instructions instructs the first logical processing unit to determine whether the predefined entering condition is satisfied by performing steps further comprising:
in response to a determination that all logical processing units hosted on the first physical processing unit are loaded with applications, determining whether all loaded applications are declared as trusted by the first application based on a first trust declaration by the first application, the first trust declaration declaring whether the first application trusts any application to execute with the first application on the first physical processing unit; and
in response to a determination that not all loaded applications are declared as trusted by the first application, repeating the determination of whether all loaded applications are declared as trusted by the first application.

4. The method of claim 3, wherein the set of enclave entry instructions instructs the first logical processing unit to determine whether the predefined entering condition is satisfied by performing steps further comprising:
in response to a determination that all loaded applications are declared as trusted by the first application based on the first trust declaration, carrying out processes associated with entering the enclave.

5. The method of claim 1, wherein the set of enclave entry instructions instructs the first logical processing unit to determine whether the predefined entering condition is satisfied by performing steps further comprising:
determining whether a timeout limit is reached; and
in response to a determination that the timeout limit is reached, executing the set of enclave exit instructions.

6. The method of claim 1, wherein the set of enclave entry instructions instructs the first logical processing unit to determine whether the predefined entering condition is satisfied by performing steps further comprising:
determining whether an exit condition is triggered; and
in response to a determination that the exit condition is reached, executing the set of enclave exit instructions.

7. The method of claim 1, wherein the predefined exiting condition is satisfied when all logical processing units hosted on the first physical processing unit that have been loaded with applications declared as trusted by the first application have started executing the set of enclave exit instructions.

8. The method of claim 1, wherein the set of enclave exit instructions instructs the first logical processing unit to determine whether the predefined exiting condition is satisfied by performing steps comprising:
updating an exit status record to indicate that the first logical processing unit is loaded with the first application and is waiting to exit the enclave; and
determining whether there is at least one other logical processing unit hosted on the first physical processing unit that has been loaded with an application declared as trusted by the first application based on a first trust declaration by the first application, the first trust declaration declaring whether the first application trusts any application to execute with the first application on the first physical processing unit.

9. The method of claim 8, wherein the set of enclave exit instructions instructs the first logical processing unit to determine whether the predefined exiting condition is satisfied by performing steps further comprising:
in response to a determination that there is at least one other logical processing unit hosted on the first physical processing unit that has been loaded with an application declared as trusted by the first application based on the first trust declaration, sending a termination command to each of the at least one other logical processing unit requesting the at least one other logical processing unit to execute the set of enclave exit instructions.

10. The method of claim 9, wherein the set of enclave exit instructions instructs the first logical processing unit to determine whether the predefined exiting condition is satisfied by performing steps further comprising:
determining whether each of the at least one other logical processing unit has started executing the set of enclave exit instructions; and
in response to a determination that not each of the at least one other logical processing unit has started executing the set of enclave exit instructions, repeating the determination of whether the at least one other logical processing unit has started executing the set of enclave exit instructions.

11. The method of claim 10, wherein the set of enclave exit instructions instructs the first logical processing unit to determine whether the predefined exiting condition is satisfied by performing steps further comprising:
in response to a determination that each of the at least one other logical processing unit has started executing the set of enclave exit instructions, carrying out processes associated with exiting the enclave.

12. The method of claim 1, further comprising:
providing an interface for obtaining a first trust declaration by the first application, the first trust declaration declaring whether the first application trusts any application to execute with the first application on the first physical processing unit.

13. The method of claim 12, further comprising:
recording the first trust declaration in a memory space of the first physical processing unit.

14. The method of claim 12, further comprising:
recording the first trust declaration in a memory space shared by all physical processing units of the processor.

15. The method of claim 12, further comprising:
recording the first trust declaration in a memory space located outside of the processor.

16. The method of claim 1, wherein the processor comprises the first physical processing unit and at least one other physical processing unit.

17. The method of claim 1, wherein the first physical processing unit hosts the first logical processing unit and at least one other logical processing unit.

18. A device for executing applications, comprising:
a processor including one or more physical processing units; and
a computer-readable instruction code storage coupled to the one or more physical processing units and having instructions stored thereon that are executable by the one or more physical processing units to perform:
assigning a first application to a first logical processing unit hosted on a first physical processing unit of the processor;
providing a set of enclave entry instructions for the first logical processing unit to execute, to cause the first logical processing unit to enter an enclave when a predefined entering condition is satisfied, wherein the predefined entering condition is satisfied when all logical processing units hosted on the first physical processing unit are loaded with applications and all loaded applications are declared as trusted by the first application; and
providing a set of enclave exit instructions for the first logical processing unit to execute, to cause the first logical processing unit to exit the enclave when a predefined exiting condition is satisfied.

19. A non-transitory computer-readable medium having stored therein instructions that, when executed by a processor of a device, cause the device to perform a method for executing applications, the method comprising:
assigning a first application to a first logical processing unit hosted on a first physical processing unit of the processor;
providing a set of enclave entry instructions for the first logical processing unit to execute, to cause the first logical processing unit to enter an enclave when a predefined entering condition is satisfied, wherein the predefined entering condition is satisfied when all logical processing units hosted on the first physical processing unit are loaded with applications and all loaded applications are declared as trusted by the first application; and
providing a set of enclave exit instructions for the first logical processing unit to execute, to cause the first logical processing unit to exit the enclave when a predefined exiting condition is satisfied.
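
An added example, not part of the patent text: a single-threaded C model of the entry check recited in claims 2 to 5, showing that a logical unit enters only when every sibling on the same physical unit is loaded with an application the entering application declared trusted. The struct layout, the two-unit configuration, the application ids and the poll count standing in for the timeout limit are assumptions made for illustration; real logical units would poll this shared state concurrently.

```c
#include <stdbool.h>
#include <string.h>

#define NUM_LPUS 2   /* logical units per physical unit (assumed: 2-way SMT) */
#define NUM_APPS 3   /* constructed application ids 0..2 */
#define NO_APP  (-1) /* logical unit has nothing loaded */

enum gate { GATE_WAIT, GATE_ENTER, GATE_TIMEOUT };

struct phys_unit {
    int  waiting_app[NUM_LPUS];       /* entry status record */
    bool trusts[NUM_APPS][NUM_APPS];  /* trusts[a][b]: app a declared app b trusted */
};

/* One pass of the entry check for `app` on logical unit `lpu`. */
static enum gate entry_check(const struct phys_unit *pu, int lpu, int app)
{
    for (int i = 0; i < NUM_LPUS; i++)   /* claim 2: are all units loaded? */
        if (pu->waiting_app[i] == NO_APP)
            return GATE_WAIT;
    for (int i = 0; i < NUM_LPUS; i++)   /* claim 3: is every co-resident trusted? */
        if (i != lpu && !pu->trusts[app][pu->waiting_app[i]])
            return GATE_WAIT;
    return GATE_ENTER;                   /* claim 4: proceed with enclave entry */
}

/* Entry instructions: record status, poll, give up after max_polls (claim 5). */
enum gate enclave_entry(struct phys_unit *pu, int lpu, int app, unsigned max_polls)
{
    pu->waiting_app[lpu] = app;          /* claim 2: update the entry status record */
    for (unsigned n = 0; n < max_polls; n++)
        if (entry_check(pu, lpu, app) == GATE_ENTER)
            return GATE_ENTER;
    pu->waiting_app[lpu] = NO_APP;       /* assumed stand-in for running the exit path */
    return GATE_TIMEOUT;
}

/* Constructed scenario: app 0 trusts only app 1; sibling unit 1 holds sibling_app. */
enum gate demo(int sibling_app)
{
    struct phys_unit pu;
    memset(&pu, 0, sizeof pu);           /* no trust declared by default */
    pu.waiting_app[0] = NO_APP;
    pu.waiting_app[1] = sibling_app;
    pu.trusts[0][1] = true;
    return enclave_entry(&pu, 0, 0, 1000);
}
```
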