HK40058957B - Secure predictors for speculative execution - Google Patents

Description

Security predictor for speculative execution

Technical Field

This disclosure relates to a secure predictor for speculative execution.

Background Technology

Side-channel attacks relying on processor branch prediction and speculative execution have been publicly disclosed. For Intel x86 processors, the first of these attacks was initially labeled Spectre, but other variations or categories of these attacks also exist. In short, these attacks rely on training a branch predictor to execute attacker-selected code to load secret data of the target into cache memory after a change in process/context and/or privilege level. The target code used by the attacker may originate from the target process or a shared library, making its execution legitimate for the target process. After the attacker process regains control of the processor, the attacker can measure the time required to read data from the same location in the cache, thus determining what target data is present in the cache and, consequently, the value of the data in the target process. Mitigating these attacks is crucial for secure and reliable computing.

Attached Figure Description

This disclosure can be best understood from the following detailed description when read in conjunction with the accompanying drawings. It should be emphasized that, by convention, the various features in the drawings are not to scale. Rather, for clarity, the dimensions of the various features have been arbitrarily enlarged or reduced.

Figure 1 is a block diagram of an example of an integrated circuit for executing instructions with security prediction.

Figure 2 is a block diagram of an example predictor circuit for secure prediction.

Figure 3 is a block diagram of an example of a system for executing instructions with safety prediction.

Figure 4 is a flowchart of an example of a technique for executing instructions with security prediction.

Figure 5 is a flowchart illustrating an example of a technique for executing instructions with predictions based on a subset of the predictor entry set during a predictor reset operation.

Detailed Implementation

Overview

This document discloses implementations of a security predictor for speculative execution. Some implementations can be used to eliminate or reduce the likelihood of side-channel attacks (e.g., Spectre-class attacks) on processors (e.g., CPUs such as x86, ARM, and/or RISC-V CPUs) more effectively than previously known solutions.

Systems and methods for secure prediction are disclosed. Integrated circuits (e.g., processors or microcontrollers) can be configured to decode and execute instructions in an instruction set architecture (ISA) (e.g., RISC V instruction set). The integrated circuits can implement pipelined architectures. The integrated circuits may include predictor circuitry (e.g., branch predictors) for improving performance by reducing latency in instruction execution within the pipelined architecture. The predictor circuitry accesses prediction data placed in entries, which can be used to determine the prediction for the corresponding instruction.

Integrated circuits can be configured to detect when a security domain transition occurs for software being executed by the integrated circuit. For example, a security domain transition can be detected based on implicitly or explicitly decoding instructions associated with it. For instance, special instructions used to indicate security domain boundaries in the software can be used, or existing instructions can be interpreted to cause a security domain transition. In some implementations, a security domain transition can be detected based on receiving an interrupt signal.

When a security domain transition is detected, the predictor's state, including the set of predictor entries, can be reset to prevent data in that state from passing information between security domains. Since the predictor's state can be large and resetting the entire state may take multiple clock cycles, the predictor can be configured to operate in one or more constrained modes to prevent the predictor from generating predictions using predictor entries marked for reset during a time interval specified for the reset operation. For example, in constrained mode, predictor circuitry can be prohibited from generating predictions to facilitate speculative execution during the reset time interval. For example, in constrained mode, predictor circuitry can be configured to generate static predictions independent of predictor entries during the reset time interval. In some implementations, predictor circuitry can include a hybrid predictor that can generate predictions based on a subset of its predictor states. For example, in constrained mode, predictor circuitry can be configured to generate predictions based on a subset of predictor entries, where disjoint subsets of predictor entries are unavailable when reset. In some implementations, the duration of the reset operation time interval is fixed, which can provide benefits such as preventing information leakage via timing variations and/or preventing jitter (e.g., for real-time applications).

As used herein, the term "circuit" refers to an arrangement of electronic components (e.g., transistors, resistors, capacitors, and/or inductors) configured to perform one or more functions. For example, a circuit may include one or more transistors interconnected to form logic gates that collectively perform a logic function.

As used herein, the term "microarchitectural state" refers to a portion of the state (e.g., data bits) of an integrated circuit (e.g., a processor or microcontroller) that cannot be directly accessed by the software executing the integrated circuit. For example, microarchitectural state may include data stored in a cache and/or data stored by a control flow predictor for predicting control flow execution.

Details

Figure 1 is a block diagram of an example of an integrated circuit 110 for executing instructions with security prediction. For example, the integrated circuit 110 may be a processor, microprocessor, microcontroller, or IP core. The integrated circuit 110 includes predictor circuitry 120 and security domain transition detection circuitry 130. For example, predictor circuitry 120 may include a value predictor, memory dependency predictor, prefetch predictor, control flow predictor, branch predictor, branch history table, branch destination buffer, and/or return address stack predictor. For example, predictor circuitry 120 may be configured to generate a prediction for speculative execution of instructions using data stored in one or more entries selected from any of the predictor entry sets when operating in a first mode (e.g., standard or normal mode). For example, security domain transition detection circuitry 130 may detect when the integrated circuit 110 (e.g., the processor) performs a context switch to a different process, or a switch from a user process to the operating system (kernel mode), or a switch from the operating system to the hypervisor (hypervisor mode). In some embodiments, security domain transition detection circuitry 130 may detect transitions based on the decoding of instructions that are explicitly or implicitly associated with a security domain transition. In some implementations, the security domain transition detection circuit 130 may detect a transition based on a received interrupt signal. The predictor circuit 120 includes a predictor reset circuit 140 configured to reset the state of the predictor circuit 120 when the security domain transition detection circuit 130 detects a security domain transition event. For example, the set of predictor entries may be stored entirely or partially in SRAM and may require multiple clock cycles to fully reset. While performing a reset operation, the predictor circuit 120 may be configured to avoid using some or all of the predictor states scheduled for reset (e.g., a subset of predictor entries). For example, during the time interval used to perform the reset, the predictor circuit 120 may completely disable prediction, generate static predictions independent of any predictor entries, or generate predictions based on a subset of the predictor entry set that has already been reset (e.g., a subset of entries stored in triggers and that can be immediately reset upon detection of a security domain transition). For example, the predictor circuit 120 may include a hybrid predictor that can generate predictions using a subset of its predictor entries. In some implementations, a reset operation can be performed during a fixed-duration time interval, which can prevent information leakage in the form of a reset delay and prevent jitter sources (e.g., to improve the performance of real-time applications). For example, predictor circuit 120 can be implemented as predictor circuit 210 of FIG2. For example, integrated circuit 110 can be used to implement technique 400 of FIG4.

For example, integrated circuit 110 can be configured to use security domain transition detection circuit 130 to detect security domain transitions for the software being executed by integrated circuit 110, and in response to the security domain transition, change the mode 120 of the predictor circuit from a first mode to a second mode, and invoke a reset of the predictor entry set by inputting a reset signal to predictor reset circuit 140. The second mode can prevent predictor circuit 120 from using at least a first subset of predictor entries in the predictor entry set to generate predictions. Integrated circuit 110 can be configured to change the mode of the predictor circuit back to the first mode to resume normal prediction after the predictor state reset is completed. In some embodiments, integrated circuit 110 can be configured to change the mode of predictor circuit 120 to a third mode in response to partial completion of the reset, which allows predictor circuit 120 to use the second subset of the predictor entry set that has been reset, while preventing the use of a third subset of the predictor entry set that has not yet been reset. The second and third subsets can be non-empty and disjoint subsets of the first subset. Integrated circuit 110 can be configured to generate a prediction based on predictor entries in a second subset before a reset is complete. In some embodiments, operation in the second mode prevents predictor circuit 120 from generating a prediction. In some embodiments, operation in the second mode prevents predictor circuit 120 from using all predictor entries in the predictor entry set and causes predictor circuit 120 to generate a static prediction. In some embodiments, operation in the second mode causes predictor circuit 120 to generate a prediction based on predictor entries in a second subset of the predictor entry set that do not intersect with the first subset of predictor entries. For example, when operating in the first mode, predictor circuit 120 may generate a prediction based on a prediction determined according to the second subset of the predictor entry set and a combination of one or more predictions determined according to one or more corresponding additional subsets of the predictor entry set that do not intersect with the second set. In some embodiments, security domain transition detection circuit 130 is configured to detect a security domain transition based on decoding instructions associated with the security domain transition. In some embodiments, security domain transition detection circuit 130 is configured to detect a security domain transition based on receiving an interrupt signal. In some implementations, the time interval between invoking a reset and changing the predictor circuitry to the first mode has a fixed duration, which can prevent timing information leakage via the reset operation and/or reduce or eliminate jitter.

Figure 2 is a block diagram of an example predictor circuit 210 for security prediction. Prediction circuit 210 includes prediction determination circuit 230; prediction data table 240 with predictor entries; prediction update circuit 250; and predictor reset circuit 252. For example, prediction determination circuit 230 can be configured to determine a prediction 260 (e.g., branch prediction or value prediction) for an instruction based on data in entries of prediction data table 240 corresponding to the instruction. However, when a security domain transition has been detected, a predictor reset signal can be input to predictor circuit 210 to cause predictor reset circuit 252 to perform a reset of the predictor entries stored in prediction data table 240, and a prediction mode selection signal can be input to predictor circuit 210 to modify how prediction determination circuit generates prediction 260. For example, changing the mode of predictor circuit 210 can cause prediction 260 to be generated as a static prediction independent of predictor entries in prediction data table 240 or prevent the generation of prediction 260. For example, changing the mode of predictor circuit 210 can enable prediction 260 to be generated by accessing only a subset of predictor entries (e.g., entries stored in triggers) in prediction data table 240 that have been reset in an early stage of the reset operation. For example, predictor circuit 210 can be used in technique 400 of FIG4.

For example, predictor circuit 210 may include a branch predictor and prediction 260 may include a prediction of whether the branch instruction will be adopted. For example, entries in prediction data table 240 may include a corresponding counter (e.g., a two-bit saturation counter) reflecting the frequency at which the corresponding branch instruction has been adopted recently. In some embodiments, predictor circuit 210 includes a branch history table. For example, entries in prediction data table 240 may include a corresponding shift register reflecting the branch history of the most recent corresponding branch instruction. For example, entries in prediction data table 240 may be indexed by a program counter. In a first mode (e.g., standard or normal mode), prediction determination circuit 230 may be configured to determine prediction 260 for the instruction based on data in the entries of prediction data table 240 corresponding to the instruction. For example, if the saturation counter in the corresponding entry of prediction data table 240 is above a threshold, prediction 260 for the branch instruction may be "adopted". For example, in a second mode (e.g., restricted reset mode), prediction determination circuit 230 may be configured to determine prediction 260 for the instruction as a static prediction. For example, in a second mode (e.g., a restricted reset mode), the prediction determination circuit 230 can be configured to determine the prediction 260 for the instruction based on data from a subset of the predictor entries that have been reset in the early stages of the reset operation and are available for safe use.

The prediction update circuit 250 is configured to update the prediction data table 240 after an instruction is executed. For example, when a branch instruction is used, the prediction update circuit 250 may increment the saturation counter in the entry of the prediction data table 240 corresponding to the branch instruction. For example, when no branch instruction is used, the prediction update circuit 250 may decrement the saturation counter in the entry of the prediction data table 240 corresponding to the branch instruction.

Predictor reset circuit 252 can be configured to perform a reset operation on the set of predictor entries stored in prediction data table 240. For example, when a security domain transition is detected, the predictor circuitry can receive a predictor reset signal from the detector circuitry, which can cause predictor reset circuit 252 to initiate a reset of the predictor entries in prediction data table 240. For example, some or all of the predictor entries in prediction data table 240 may be stored in SRAM. Resetting all predictor entries (e.g., setting the entry value to zero or some other default or initial value) may require multiple clock cycles. For example, a complete reset operation can be performed by predictor reset circuit 252 over a time interval spanning multiple clock cycles. In some implementations, some predictor entries in prediction data table 240 may be stored in flip-flops or registers, which can be cleared or reset within a single clock cycle when a predictor reset signal is received. For example, a subset of predictor entries stored in flip-flops can be cleared within the first clock cycle after receiving the predictor reset signal, while another disjoint subset of predictor entries stored in SRAM can be reset over a longer time interval (e.g., by utilizing a series of writes to different portions of the SRAM).

Figure 3 is a block diagram of an example of a system 300 for executing instructions with security prediction. System 300 includes a memory 302 storing instructions and an integrated circuit 310 configured to execute the instructions. For example, integrated circuit 310 may be a processor, microprocessor, microcontroller, or IP core. Integrated circuit 310 includes interconnect interface circuitry 312; a cache 314; an instruction decoder buffer 320 configured to store instructions fetched from memory 302; an instruction decoder circuitry 330 configured to decode instructions from the instruction decoder buffer 320 and pass the corresponding microinstructions to one or more execution resource circuits (340, 342, 344, and 346) for execution; a predictor circuitry 350; and a security domain transition detection circuitry 360. For example, predictor circuitry 350 may be implemented as predictor circuitry 210 of Figure 2. For example, integrated circuit 310 may be configured to implement technique 400 of Figure 4.

Interconnect interface circuitry 312 (e.g., bus interface circuitry) is configured to transmit data to and receive data from an external device including memory 302. For example, interconnect interface circuitry 312 may be configured to fetch instructions from memory 302 and store them in instruction decoding buffer 320 while the instructions are processed by the pipelined architecture of integrated circuit 310. For example, interconnect interface circuitry 312 may be configured to write data generated by executing instructions to memory 302 during the write-back phase of the pipeline. For example, interconnect interface circuitry 312 may fetch data blocks (e.g., instructions). Interconnect interface circuitry 312 may be configured to use cache 314 to optimize data transfer.

Integrated circuit 310 includes an instruction decoder buffer 320 configured to store instructions fetched from memory 302, which are then decoded for execution. For example, the instruction decoder buffer 320 may have a depth that facilitates the pipeline and/or superscalar architecture of integrated circuit 310 (e.g., 4, 8, 12, 16, or 24 instructions). Instructions may be members of an instruction set supported by integrated circuit 310 (e.g., RISC V instruction set, x86 instruction set, ARM instruction set, or MIPS instruction set).

Integrated circuit 310 includes one or more execution resource circuits (340, 342, 344, and 346) configured to execute instructions or microinstructions to support an instruction set. For example, the instruction set could be a RISC V instruction set. For example, one or more execution resource circuits (340, 342, 344, and 346) could include adders, shifters (e.g., barrel shifters), multipliers, and/or floating-point units. One or more execution resource circuits (340, 342, 344, and 346) can update the state of integrated circuit 310, including internal registers and/or flags or status bits (not explicitly shown in Figure 3) and microarchitectural state, based on the result of instruction execution. The result of instruction execution can also be written to memory 302 (e.g., during subsequent stages of pipelined execution).

Integrated circuit 310 includes instruction decoder circuitry 330, which is configured to decode instructions in instruction decoder buffer 320. Instruction decoder buffer 320 may use one or more execution resource circuits (340, 342, 344, and 346) to translate instructions into corresponding microinstructions that are executed internally by integrated circuit 310. Instruction decoder circuitry 330 is configured to schedule instructions for execution using predictions from predictor circuitry 350 and to implement speculative execution.

Integrated circuit 310 includes predictor circuitry 350 configured to generate predictions to enable speculative execution. Predictor entries of predictor circuitry 350 may store data (e.g., counters) used to determine predictions for instructions (e.g., branch instructions). For example, predictor circuitry 350 may include a value predictor, a memory-dependent predictor, a prefetch predictor, a control flow predictor, a branch predictor, a branch history table, a branch target buffer, and/or a return address stack predictor. For example, predictor circuitry 350 may be configured to, when operating in a first mode (e.g., standard or normal mode), use data stored in one or more entries from any selected set of predictor entries to generate predictions for speculative execution of instructions. Predictor circuitry 350 may support resetting of the predictor entry set, which can be invoked when a security domain transition occurs in the software being executed by integrated circuitry 310, to prevent the data of the predictor entries from being used for side-channel information leakage. Since a reset operation may require more than one clock cycle to complete, predictor circuit 350 may also support a restrictive mode that prevents the use of predictor entries scheduled for the reset during the time interval allocated for performing the reset operation. For example, predictor circuit 350 may support a restrictive mode that disables predictor circuit 350 and prevents prediction generation during the time interval allocated for resetting the predictor state. For example, predictor circuit 350 may support a restrictive mode that causes predictor circuit 350 to generate static predictions during the time interval allocated for resetting the predictor state. For example, predictor circuit 350 may support a restrictive mode that causes predictor circuit 350 to generate predictions using only a subset of predictor entries that have already been reset during the early stages of the reset operation. In some implementations, predictor circuit 350 is a hybrid predictor configured to generate predictions based on one or more subsets of the predictor entry set. For example, predictor circuit 350 can combine predictions from multiple corresponding subsets of predictor entries using a majority voting scheme, a fixed hierarchy or priority of subsets, a meta-prediction selecting predictions from an available subset, or a prediction confidence score used to evaluate predictions generated using the corresponding subsets. For example, these hybrid schemes can be used to determine reasonable predictions when a portion of the predictor entry set is unavailable during a reset operation.

Integrated circuit 310 includes security domain transition circuitry 360, configured to detect when software being executed by integrated circuit 310 changes from one security domain to another. For example, security domain transition detection circuitry 360 can detect a transition when integrated circuit 310 performs a context switch between different processes, receives an interrupt, switches from a user process to the operating system, or switches from the operating system to a hypervisor. In some embodiments, security domain transition detection circuitry 360 can detect a security domain transition based on decoding (e.g., using instruction decoder circuitry 330) instructions associated with the security domain transition. The decoded instructions can be explicitly or implicitly associated with the security domain transition. For example, the decoded instructions can be specific instructions whose explicit purpose is to signal the software author's intention to enforce a security domain boundary immediately before or after the instruction. For example, the instruction could be a procedure call or return instruction implicitly associated with the security domain transition. In some embodiments, security domain transition detection circuitry 360 can detect a security domain transition based on receiving an interrupt signal. When a security domain transition is detected, the security domain transition detection circuit 360 can send a mode selection signal and/or a reset signal to the predictor circuit 350.

For example, integrated circuit 310 can be configured to use security domain transition detection circuit 360 to detect security domain transitions in the software being executed by integrated circuit 310, and in response to a security domain transition, change the mode 350 of the predictor circuit from a first mode to a second mode and invoke a reset of the predictor entry set. The second mode prevents the predictor circuit 350 from using at least a first subset of predictor entries in the predictor entry set to generate predictions. Integrated circuit 310 can be configured to change the mode of the predictor circuit back to the first mode after the reset is complete to restore normal prediction. In some embodiments, integrated circuit 310 can be configured to change the mode of the predictor circuit 350 to a third mode in response to partial completion of the reset, which allows the predictor circuit 350 to use a second subset of the predictor entry set that has been reset, while preventing the use of a third subset of the predictor entry set that has not yet been reset. The second and third subsets can be non-empty and disjoint subsets of the first subset. Integrated circuit 310 can be configured to generate predictions based on predictor entries in the second subset before the reset is complete. In some embodiments, operation in the second mode prevents the predictor circuit 350 from generating predictions. In some embodiments, operation in the second mode prevents the predictor circuit 350 from using all entries in the predictor entry set and causes the predictor circuit 350 to generate static predictions. In some embodiments, operation in the second mode causes the predictor circuit 350 to generate predictions based on predictor entries in a second subset of the predictor entry set that do not intersect with the first subset of predictor entries. For example, when operating in the first mode, the predictor circuit 350 may generate predictions based on a combination of predictions determined according to the second subset of the predictor entry set and one or more predictions determined according to one or more corresponding additional subsets of the predictor entry set that do not intersect with the second set. In some embodiments, the security domain transition detection circuit 360 is configured to detect security domain transitions based on decoding instructions associated with the security domain transition. In some embodiments, the security domain transition detection circuit 360 is configured to detect security domain transitions based on receiving an interrupt signal. In some implementations, the time interval between invoking a reset and changing the predictor circuitry to the first mode has a fixed duration, which can prevent timing information leakage via the reset operation and/or reduce or eliminate jitter.

Figure 4 is a flowchart of an example of technique 400 for executing instructions with security prediction. Technique 400 includes detecting a security domain transition for software being executed by an integrated circuit (410); in response to the security domain transition, invoking a reset of the predictor entry set (420) and changing the mode of the predictor circuit from a first mode to a second mode (430); during the reset interval, continuing execution of the predictor circuit using one or more restriction modes to restrict access to predictor entries (440); and after the reset is complete, changing the mode of the predictor circuit back to the first mode (450) and continuing execution using the first mode with full access to predictor entries (460). For example, the predictor circuit may include a control flow predictor, a value predictor, a branch predictor, a branch history table, a branch destination buffer, and/or a return address stack predictor. For example, technique 400 may be implemented using the integrated circuit 110 of Figure 1. For example, technique 400 may be implemented using the predictor circuit 210 of Figure 2. For example, technique 400 may be implemented using the system 300 of Figure 3.

Technique 400 includes detecting security domain transitions (410) in software being executed by an integrated circuit (e.g., integrated circuit 310), the integrated circuit including predictor circuitry configured to generate predictions for speculative execution of instructions when operating in a first mode (e.g., standard or normal standard) using data stored in one or more entries from any selection of a set of predictor entries. In some embodiments, security domain transitions (410) can be detected based on decoding instructions associated with the security domain transition. For example, specific instructions that can be used to explicitly indicate security domain boundaries in the software can be decoded. For example, instructions serving another purpose (e.g., procedure call or return instructions) may be implicitly associated with security domain transitions, and security domain transitions (410) can be detected based on decoding one of these implicitly associated instructions. In some embodiments, security domain transitions (410) are detected based on receiving interrupt signals. For example, some interrupts may be associated with security domain transitions, or all interrupts may be associated with security domain transitions. In some implementations, a security domain transition (410) is detected based on the decoding of an instruction and also on the internal state of an integrated circuit (e.g., a processor) associated with the security domain transition. For example, a security domain transition (410) may be detected based on decoding or executing an exception return instruction and on the privileged mode of the destination with a value associated with the security domain transition, wherein the processor state record will return which privileged mode.

When a security domain transition has been detected (in operation 415), technique 400 includes, in response to the security domain transition, changing the mode of the predictor circuitry from a first mode to a second mode (430) and invoking a reset (420) of the predictor entry set. The second mode can prevent the predictor circuitry from generating predictions using at least a first subset of the predictor entries in the predictor entry set. For example, operating in the second mode can prevent the predictor circuitry from generating predictions. For example, operating in the second mode can prevent the predictor circuitry from using all of the predictor entry sets and can cause the predictor circuitry to generate static predictions. In some embodiments, operating in the second mode causes the predictor circuitry to generate predictions based on predictor entries in a second subset of the predictor entry set that do not intersect with the first subset of predictor entries. For example, the predictor circuitry may include a hybrid predictor capable of generating predictions based on one or more subsets of predictor entries included in its predictor state. For example, the predictor circuitry can combine predictions from multiple corresponding subsets of predictor entries using a majority voting scheme, a fixed hierarchy or priority of subsets, a meta-prediction selecting predictions from available subsets, or a prediction confidence score based on predictions generated using the corresponding subsets. In normal mode, the predictor circuitry can generate predictions by combining predictions from multiple subsets of the predictor entry set. For example, when operating in a first mode, the predictor circuitry can generate predictions based on a combination of predictions determined according to a second subset of the predictor entry set and one or more predictions based on one or more corresponding additional subsets of the predictor entry set that do not intersect with the second set. For example, in a second mode (e.g., a restricted mode), the predictor circuitry can be configured to determine predictions based solely on one or more subsets of predictor entries, as these become available during a reset operation.

Technique 400 includes continuing execution of one or more restricted modes (440) for the predictor circuitry to use, which restrict access to predictor entries during the reset time interval. For example, the continue execution instruction (440) may include using a prediction determined by the predictor circuitry operating in a second mode to facilitate speculative execution. In some implementations, when operating in the second mode, the predictor circuitry does not generate a prediction and continues (440) without any benefit of speculative execution until the reset operation is complete. For example, technique 500 of FIG. 5 may be implemented to utilize additional portions of the predictor entry set, as they become available during the reset operation, to improve the predictor's performance for continuing speculative execution (440).

When the reset (in operation 445) is complete, technique 400 includes changing the mode of the predictor circuitry to a first mode (e.g., standard or normal mode) after the reset is complete (450). In some implementations, the time interval between invoking the reset (420) and changing the mode of the predictor circuitry to the first mode (450) has a fixed duration. Limiting this time interval to a fixed duration can provide benefits such as preventing information leakage across security domain boundaries in the form of timing information and/or preventing jitter sources (e.g., for real-time applications).

After the predictor circuit mode has changed back to a first mode (e.g., standard or normal mode) (450), technique 400 includes continuing execution (460) using the first mode with full access to the predictor entries. After a period of time following continued execution with prediction updates (e.g., using prediction update circuit 250) (460), the predictor state, including the set of predictor entries, can stabilize and converge to a useful value of the conditions adjusted to the new security domain. Figure 5 is a flowchart of an example of technique 500 for executing instructions with predictions based on a subset of the predictor entry set during a predictor reset operation.

Figure 5 is a flowchart illustrating an example of technique 500 for executing instructions with predictions based on a subset of the predictor entry set during a predictor reset operation. Technique 500 includes changing the mode of the predictor circuitry to a third mode (e.g., an additional, less restrictive mode) in response to partial completion of the reset (510). This allows the predictor circuitry to utilize a second subset of the predictor entry set that has been reset while preventing the use of a third subset of the predictor entry set that has not yet been reset. The second and third subsets can be non-empty and disjoint subsets of the first subset. Technique 500 includes generating predictions based on the predictor entries in the second subset before the reset is complete (520). For example, technique 500 can be used to utilize additional subsets of predictor entries in a hybrid predictor when these subsets become available during the reset operation.

In a first aspect, the subject matter described herein can be embodied in an integrated circuit for executing instructions, the integrated circuit including predictor circuitry configured to, when operating in a first mode, generate a prediction for speculative execution of instructions using data stored in one or more entries selected from a set of predictor entries, wherein the integrated circuit is configured to: detect a security domain transition of software being executed by the integrated circuit; in response to the security domain transition, change the mode of the predictor circuitry from the first mode to a second mode and invoke a reset of the set of predictor entries, wherein the second mode prevents the predictor circuitry from using at least a first subset of predictor entries in the set of predictor entries to generate a prediction; and after the reset is completed, change the mode of the predictor circuitry back to the first mode.

In a second aspect, the subject matter described herein can be embodied in a method comprising detecting a security domain transition of software being executed by an integrated circuit, the integrated circuit including a predictor circuit configured to, when operating in a first mode, generate a prediction for speculative execution of instructions using data stored in one or more entries from any selected set of predictor entries; in response to a security domain transition, change the mode of the predictor circuit from the first mode to a second mode and invoke a reset of the predictor entry set, wherein the second mode prevents the predictor circuit from using at least a first subset of the predictor entries in the predictor entry set to generate a prediction; and after the reset is completed, change the mode of the predictor circuit back to the first mode.

While this disclosure has been described in conjunction with certain embodiments, it should be understood that this disclosure is not limited to the disclosed embodiments, but rather is intended to cover various modifications and equivalent arrangements included within the scope of the appended claims, the scope of which is to be interpreted in the broadest possible sense to cover all such modifications and equivalent structures permitted by law.

Claims (28)

1. An integrated circuit for executing instructions, comprising: A predictor circuit, configured to, when operating in a first mode, generate a prediction for speculative execution of an instruction using data stored in one or more entries selected from any of a predictor entry set, wherein the integrated circuit is configured to: Detect the security domain transition of the software being executed by the integrated circuit; In response to the security domain transition, the mode of the predictor circuit is changed from the first mode to the second mode and the reset of the predictor entry set is invoked, wherein the second mode prevents the predictor circuit from using at least a first subset of the predictor entries in the predictor entry set to generate predictions. During at least a portion of the reset time interval, one or more instructions continue to be executed using the second mode for the predictor circuit, wherein the reset time interval is between the invocation of the reset and the completion of the reset; In response to the partial completion of the reset, the mode of the predictor circuit is changed to a third mode, which enables the predictor circuit to use a second subset of the predictor entry set that has been reset, while preventing the use of a third subset of the predictor entry set that has not yet been reset, wherein the second subset and the third subset are non-empty subsets that do not intersect with the first subset. Before the reset is completed, predictions are generated based on the predictor entries in the second subset; and After the reset is completed, the mode of the predictor circuit is changed to the first mode. 2. The integrated circuit of claim 1, wherein operation in the second mode prevents the predictor circuit from generating a prediction. 3. The integrated circuit of claim 1, wherein operation in the second mode prevents the predictor circuit from using all of the predictor entries in the set and causes the predictor circuit to generate a static prediction. 4. The integrated circuit of claim 1, wherein operating in the second mode causes the predictor circuit to generate predictions based on predictor entries in a fourth subset of the predictor entry set that do not intersect with the first subset of the predictor entries. 5. The integrated circuit of claim 4, wherein, when operating in the first mode, the predictor circuit generates a prediction based on a combination of a prediction determined according to the fourth subset of the predictor entry set and one or more predictions based on one or more corresponding additional subsets of the predictor entry set that do not intersect with the fourth subset. 6. The integrated circuit of claim 1, wherein the integrated circuit is configured to detect the security domain transition based on decoding of instructions associated with the security domain transition. 7. The integrated circuit of claim 6, wherein the integrated circuit is configured to detect the security domain transition based on the internal state of the integrated circuit associated with the security domain transition. 8. The integrated circuit of claim 1, wherein the integrated circuit is configured to detect the security domain transition based on receiving an interrupt signal. 9. The integrated circuit of claim 1, wherein the time interval between invoking the reset and changing the mode of the predictor circuit to the first mode has a fixed duration. 10. The integrated circuit of claim 1, wherein the predictor circuit includes a control flow predictor. 11. The integrated circuit of claim 1, wherein the predictor circuit comprises a value predictor. 12. The integrated circuit of claim 1, wherein the predictor circuit includes a branch history table. 13. The integrated circuit of claim 1, wherein the predictor circuit includes a branch target buffer. 14. The integrated circuit of claim 1, wherein the predictor circuit includes a return address stack predictor. 15. A method comprising: The security domain transition of the software being executed by the integrated circuit is detected. The integrated circuit includes a predictor circuit configured to generate a prediction for speculative execution of instructions when operating in a first mode, using data stored in one or more entries selected from any of the predictor entry sets. In response to the security domain transition, the mode of the predictor circuit is changed from the first mode to the second mode and the reset of the predictor entry set is invoked, wherein the second mode prevents the predictor circuit from using at least a first subset of the predictor entries in the predictor entry set to generate predictions. During at least a portion of the reset time interval, one or more instructions continue to be executed using the second mode for the predictor circuit, wherein the reset time interval is between the invocation of the reset and the completion of the reset; In response to the partial completion of the reset, the mode of the predictor circuit is changed to a third mode, which enables the predictor circuit to use the second subset of the predictor entry set that has been reset, while preventing the use of the third subset of the predictor entry set that has not yet been reset, wherein the second subset and the third subset are non-empty and disjoint subsets of the first subset. Before the reset is completed, predictions are generated based on the predictor entries in the second subset; and After the reset is completed, the mode of the predictor circuit is changed to the first mode. 16. The method of claim 15, wherein operating in the second mode prevents the predictor circuit from generating a prediction. 17. The method of claim 15, wherein operating in the second mode prevents the predictor circuit from using all of the predictor entries in the set and causes the predictor circuit to generate a static prediction. 18. The method of claim 15, wherein operating in the second mode causes the predictor circuitry to generate predictions based on predictor entries in a fourth subset of the predictor entry set that do not intersect with the first subset of the predictor entries. 19. The method of claim 18, wherein, when operating in the first mode, the predictor circuit generates a prediction based on a combination of a prediction determined according to the fourth subset of the predictor entry set and one or more predictions based on one or more corresponding additional subsets of the predictor entry set that do not intersect with the fourth subset. 20. The method of claim 15, wherein the security domain transition is detected based on the decoding of instructions associated with the security domain transition. 21. The method of claim 20, wherein the security domain transition is detected based on the internal state of the integrated circuit associated with the security domain transition. 22. The method of claim 15, wherein the security domain transition is detected based on a received interrupt signal. 23. The method of claim 15, wherein the time interval between invoking the reset and changing the mode of the predictor circuit to the first mode has a fixed duration. 24. The method of claim 15, wherein the predictor circuitry includes a control flow predictor. 25. The method of claim 15, wherein the predictor circuitry includes a value predictor. 26. The method of claim 15, wherein the predictor circuit includes a branch history table. 27. The method of claim 15, wherein the predictor circuitry includes a branch target buffer. 28. The method of claim 15, wherein the predictor circuitry includes a return address stack predictor.