System and Method for Processor-Based Security

US Patent No: US 9,989,043 B2

Issued: June 5, 2018


Security Area: Secure Processors & TEEs

Abstract

A system and method for processor-based security is provided, for on-chip security and trusted computing services for software applications. A processor is provided having a processor core, a cache memory, a plurality of registers for storing at least one hash value and at least one encryption key, a memory interface, and at least one on-chip instruction for creating a secure memory area in a memory external to the processor, and a hypervisor program executed by the processor. The hypervisor program instructs the processor to execute the at least one on-chip instruction to create a secure memory area for a software module, and the processor encrypts data written to, and decrypts data read from, the external memory using the at least one encryption key and verifies data read from the external memory using the at least one hash value.

  • The present invention provides a system and method for processor-based security. In one embodiment, the present invention provides a system for providing processor-based security which includes a processor having a processor core, a cache memory, a plurality of registers for storing at least one hash value and at least one encryption key, a memory interface, and at least one on-chip instruction for creating a secure memory area in a memory external to the processor; and a hypervisor program executed by the processor, the hypervisor program instructing the processor to execute the at least one on-chip instruction to create a secure memory area for a software module, the processor encrypting data written to, and decrypting data read from, the external memory using the at least one encryption key and verifying data read from the external memory using the at least one hash value.

    In another embodiment, the present invention provides a system for providing processor-based security which includes a processor having a processor core, a cache memory, a plurality of registers for storing at least one hash value, and a memory interface; and at least one on-chip instruction for performing a secure launch of a hypervisor program, the instruction causing the processor to: compute a first hash value over a current state of the hypervisor program; compare the first hash value to a second hash value stored in the plurality of registers; if the first hash value matches the second hash value, allocate a secure storage area in a non-volatile memory external to the processor for use by the hypervisor program; and if the first hash value does not match the second hash value, prevent access to the secure storage area.

    In another embodiment, the present invention provides a system for providing processor-based security, which includes a processor having a processor core, a cache memory, a plurality of registers for storing at least one encryption key and at least one hash value, and a memory interface; and a hypervisor program executed by the microprocessor, the hypervisor program pre-programmed to: receive a request for an attestation report from a program executing external to the processor; determine the current state of each of a plurality of trusted software modules executing on the processor; construct a tailored attestation report including status information corresponding only to the plurality of trusted software modules; encrypt and sign the attestation report using the at least one encryption key and the at least one hash value; and transmit the tailored attestation report to the external program.

    In another embodiment, the present invention provides a method for providing processor-based security, which includes the steps of: parsing a security segment data structure associated with a software module to determine security requirements for the software module; instructing a processor to execute at least one on-chip instruction to create a secure memory area in a memory external to the processor for use by the software module; assigning the software module to the secure memory area so that the software module can execute using the secure memory area; encrypting data written to, and decrypting data read from, the secure memory area using at least one encryption key stored in a plurality of registers in the processor; and verifying data read from the secure memory area using at least one hash value stored in the plurality of registers in the processor.

    In another embodiment, the present invention provides a method for providing processor-based security, which includes the steps of: computing in a processor at least one hash value using a current state of a hypervisor program executed by the processor; comparing the at least one hash value to a second hash value stored in one of a plurality of registers of the processor; if the at least one hash value matches the second hash value, allocating a secure storage area in a memory external to the processor for use by the hypervisor program; and if the at least one hash value does not match the second hash value, blocking the hypervisor program from accessing the secure storage area.

    In another embodiment, the present invention provides a method for providing processor-based security which includes the steps of: receiving at a computer system a request for an attestation report from a program executing external to the computer system; determining the current state of a plurality of trusted software modules executing on a processor of the computer system; constructing a tailored attestation report including status information corresponding only to the plurality of trusted software modules executing on the processor; encrypting and signing the attestation report using at least one encryption key and at least one hash value stored in the processor; and transmitting the tailored attestation report to the program.
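The encrypt-on-write, decrypt-and-verify-on-read behaviour of the secure memory area described in the embodiments above can be modelled in software. This is an added example, not code from the patent. Its assumptions: the names `SecureMemoryModel`, `IntegrityError` and `BLOCK` are hypothetical, a flat SHA-256 hash over all blocks stands in for whatever hash structure the hardware uses, and a SHA-256 keystream stands in for the hardware cipher.

```python
import hashlib
import hmac

BLOCK = 32  # bytes per block; equals the SHA-256 output size used as keystream

class IntegrityError(Exception):
    """External memory no longer matches the on-chip hash."""

class SecureMemoryModel:
    def __init__(self, key: bytes, n_blocks: int):
        self._key = key  # models the on-chip encryption key register
        # Untrusted external memory: addr -> (version, ciphertext)
        self.external = {a: (0, self._xor(a, 0, bytes(BLOCK))) for a in range(n_blocks)}
        self._root = self._compute_root()  # models the on-chip hash register

    def _xor(self, addr: int, version: int, data: bytes) -> bytes:
        # Stand-in cipher (assumption): keystream bound to key, address and version.
        seed = self._key + addr.to_bytes(8, "big") + version.to_bytes(8, "big")
        stream = hashlib.sha256(seed).digest()
        return bytes(d ^ s for d, s in zip(data, stream))

    def _compute_root(self) -> bytes:
        # Flat hash over every block; a tree would avoid rescanning all of memory.
        h = hashlib.sha256()
        for addr in sorted(self.external):
            version, ct = self.external[addr]
            h.update(addr.to_bytes(8, "big") + version.to_bytes(8, "big") + ct)
        return h.digest()

    def _verify(self) -> None:
        if not hmac.compare_digest(self._compute_root(), self._root):
            raise IntegrityError("external memory does not match on-chip hash")

    def write(self, addr: int, plaintext: bytes) -> None:
        if len(plaintext) != BLOCK:
            raise ValueError("plaintext must be exactly one block")
        self._verify()  # never fold tampered memory into a fresh root
        version = self.external[addr][0] + 1
        self.external[addr] = (version, self._xor(addr, version, plaintext))
        self._root = self._compute_root()

    def read(self, addr: int) -> bytes:
        self._verify()  # check external memory against the on-chip hash first
        version, ct = self.external[addr]
        return self._xor(addr, version, ct)
```

Because the hash register is updated on every write, both a modified block and a stale block copied back into `external` cause the next `read` to raise `IntegrityError`.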

Related Patents

Related patents cover variations of this invention with different claim scopes or extensions.

US 8,738,932 B2 (Issued: May 27, 2014)

US 9,784,260 B2 (Issued: October 10, 2017)