US 9,811,475 B2
Methods and apparatus for a secure sleep state
Krystof C. Zmudzinski, Forest Grove, OR (US); Matthew E. Hoekstra, Forest Grove, OR (US); John L. Manferdelli, San Francisco, CA (US); and Bin Xing, Hillsboro, OR (US)
Assigned to INTEL CORPORATION, Santa Clara, CA (US)
Filed by Krystof C. Zmudzinski, Forest Grove, OR (US); Matthew E. Hoekstra, Forest Grove, OR (US); John L. Manferdelli, San Francisco, CA (US); and Bin Xing, Hillsboro, OR (US)
Filed on Jun. 29, 2012, as Appl. No. 13/538,154.
Prior Publication US 2014/0006799 A1, Jan. 2, 2014
Int. Cl. G06F 21/00 (2013.01); G06F 12/14 (2006.01); G06F 9/44 (2006.01); G06F 21/57 (2013.01); G06F 1/32 (2006.01); G06F 21/62 (2013.01); G06F 21/81 (2013.01)
CPC G06F 12/1408 (2013.01) [G06F 1/3206 (2013.01); G06F 1/3237 (2013.01); G06F 1/3243 (2013.01); G06F 9/4418 (2013.01); G06F 21/57 (2013.01); G06F 21/6209 (2013.01); G06F 21/81 (2013.01); G06F 1/3287 (2013.01); G06F 2221/2107 (2013.01); G06F 2221/2143 (2013.01); Y02B 60/1221 (2013.01); Y02B 60/1239 (2013.01); Y02B 60/1282 (2013.01); Y02B 60/32 (2013.01)] 27 Claims
1. A method to manage secure sleep state transitions in a computing platform including at least one processor, an operating system to control the computing platform, a basic input/output system to boot the computing platform, and a main memory, the method comprising:
  in response to a trigger to place the computing platform in a secure sleep state:
    encrypting content in the main memory, the content in the main memory including critical regions which must be decrypted before the operating system can control operation of the computing platform and other regions which do not need to be decrypted before the operating system can control the operation of the computing platform; and,
    placing the computing platform in the secure sleep state;
  in response to an initiation of a resume procedure to resume the computing platform from the secure sleep state:
    booting the computing platform with the basic input/output system;
    before passing control of the computing platform from the basic input/output system to the operating system, initiating a virtual machine monitor to execute on the at least one processor;
    decrypting the critical regions of the main memory with the virtual machine monitor executing on the at least one processor; and
    after the critical regions of the main memory have been decrypted and before the other regions of the main memory which do not need to be decrypted before the operating system can control the operation of the computing platform have been decrypted, passing control of the computing platform from the basic input/output system to the operating system; and
  after the operating system has received control of the computing platform from the basic input/output system and in response to at least one of a fault or violation triggered by an attempt to access the main memory:
    decrypting, with the virtual machine monitor executing on the at least one processor, the data at a location in at least one of the other regions of the main memory.
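
The sequence recited in claim 1, modelled as an added example that is not part of the patent text: memory is encrypted on sleep, only the critical regions are decrypted before the operating system regains control, and every other page is decrypted on first access. The Platform class, the page-number layout, the SHA-256 counter-mode stand-in cipher and the key being kept in the model object are all assumptions made for illustration.

```python
import hashlib

def _xor_page(key: bytes, page_no: int, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 in counter mode); the claim names no algorithm.
    stream = bytearray()
    ctr = 0
    while len(stream) < len(data):
        block = key + page_no.to_bytes(8, "little") + ctr.to_bytes(8, "little")
        stream += hashlib.sha256(block).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class Platform:
    """Hypothetical model of main memory as numbered pages."""

    def __init__(self, pages: dict, critical: set):
        self.pages = dict(pages)       # page number -> content
        self.critical = set(critical)  # pages the OS needs before it can run
        self.encrypted = set()         # pages currently holding ciphertext
        self.faults = 0                # faults handled by the VMM after resume
        self.key = None                # assumption: key storage is out of scope

    def secure_sleep(self, key: bytes) -> None:
        # Trigger: encrypt critical and other regions, then enter sleep.
        self.key = key
        for n in self.pages:
            self.pages[n] = _xor_page(key, n, self.pages[n])
            self.encrypted.add(n)

    def _vmm_decrypt(self, n: int) -> None:
        self.pages[n] = _xor_page(self.key, n, self.pages[n])
        self.encrypted.discard(n)

    def resume(self) -> None:
        # BIOS boots and starts the VMM; the VMM decrypts only the critical
        # regions, then control passes to the OS with the rest still encrypted.
        for n in sorted(self.critical):
            self._vmm_decrypt(n)

    def os_read(self, n: int) -> bytes:
        # An OS access to a still-encrypted page faults into the VMM, which
        # decrypts that location before the access completes.
        if n in self.encrypted:
            self.faults += 1
            self._vmm_decrypt(n)
        return self.pages[n]
```
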