-
1.发明公开A TWEAKABLE ENCRYPION MODE FOR MEMORY ENCRYPTION WITH PROTECTION AGAINST REPLAY ATTACKS 有权OPTIMIERBARERVERSCHLÜSSELUNGSMODUSFÜREINESPEICHERVERSCHLÜSSELUNGMIT SCHUTZ GEGEN REPLAY-ATTACKEN
公开(公告)号:EP2619705A2
公开(公告)日:2013-07-31
申请号:EP11827696.3
申请日:2011-09-24
申请人: Intel Corporation
发明人: GUERON, Shay , GERZON, Gideon , ANATI, Ittai , DOWECK, Jacob , MAOR, Moshe
CPC分类号: G06F12/1408 , G06F21/52 , G06F21/64
摘要: A method and apparatus for protecting against hardware attacks on system memory is provided. A mode of operation for block ciphers enhances the standard XTS-AES mode of operation to perform memory encryption by extending a tweak to include a "time stamp" indicator. An incrementing mechanism using the "time stamp" indicator generates a tweak which separates different contexts over different times such that the effect of "Type 2 replay attacks" is mitigated.
摘要翻译: 提供了一种用于防止对系统存储器的硬件攻击的方法和装置。 用于块密码的操作模式增强了标准的XTS-AES操作模式,通过扩展调整以包括“时间戳”指示符来执行存储器加密。 使用“时间戳”指示符的递增机制产生了在不同时间分离不同上下文的调整,使得“类型2重放攻击”的效果得到缓解。
-
公开(公告)号:EP3014461A1
公开(公告)日:2016-05-04
申请号:EP14818405.4
申请日:2014-05-30
申请人: Intel Corporation
发明人: GERZON, Gideon , STARK, Jared W. , DISKIN, Gal
IPC分类号: G06F13/40
CPC分类号: G06F21/52
摘要: An example processing system may comprise: a stack pointer configured to reference a first return address stored on a stack; a return address buffer pointer configured to reference a second return address stored in a return address buffer; and a return address verification logic configured, responsive to receiving a return instruction, to compare the first return address to the second return address.
-
公开(公告)号:EP3688649A1
公开(公告)日:2020-08-05
申请号:EP17927819.7
申请日:2017-09-29
申请人: INTEL Corporation
-
公开(公告)号:EP3326102A1
公开(公告)日:2018-05-30
申请号:EP16828187.1
申请日:2016-06-20
申请人: Intel Corporation
发明人: LAL, Reshma , MCGOWAN, Steven B. , CHHABRA, Siddhartha , GERZON, Gideon , XING, Bin , PAPPACHAN, Pradeep M. , ELBAZ, Reouven
CPC分类号: H04L9/0631 , G06F13/28 , H04L9/0618 , H04L9/0822 , H04L9/3242
摘要: Technologies for cryptographic protection of I/O data include a computing device with one or more I/O controllers. Each I/O controller may generate a direct memory access (DMA) transaction that includes a channel identifier that is indicative of the I/O controller and that is indicative of an I/O device coupled to the I/O controller. The computing device intercepts the DMA transaction and determines whether to protect the DMA transaction as a function of the channel identifier. If so, the computing device performs a cryptographic operation using an encryption key associated with the channel identifier. The computing device may include a cryptographic engine that intercepts the DMA transaction and determines whether to protect the DMA transaction by determining whether the channel identifier matches an entry in a channel identifier table of the cryptographic engine. Other embodiments are described and claimed.
-
公开(公告)号:EP3025266A1
公开(公告)日:2016-06-01
申请号:EP14829313.7
申请日:2014-07-15
申请人: Intel Corporation
发明人: ROZAS, Carlos V. , ANATI, Ittai , GERZON, Gideon , GUERON, Shay , JOHNSON, Simon P. , MCKEEN, Francis X. , SAVAGAONKAR, Uday R. , SCARLATA, Vincent R.
CPC分类号: H04L9/3239 , G06F9/3004 , G06F12/1441 , G06F21/71 , G06F2221/2111
摘要: Embodiments of an invention for measuring a secure enclave are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first, a second, and a third instruction. The execution unit is to execute the first, the second, and the third instruction. Execution of the first instruction includes initializing a measurement field in a control structure of a secure enclave with an initial value. Execution of the second instruction includes adding a region to the secure enclave. Execution of the third instruction includes measuring a subregion of the region.
摘要翻译: 公开了用于测量安全飞地的发明的实施例。 在一个实施例中,处理器包括指令单元和执行单元。 指令单元将接收第一,第二和第三指令。 执行单元执行第一条,第二条和第三条指令。 第一指令的执行包括用初始值初始化安全区域的控制结构中的测量字段。 第二条指令的执行包括向安全飞地增加一个区域。 第三条指令的执行包括测量该地区的一个子地区。
-
公开(公告)号:EP3885958A1
公开(公告)日:2021-09-29
申请号:EP21175141.7
申请日:2018-08-15
申请人: INTEL Corporation
发明人: SAHITA, Ravi L. , PATEL, Baiju V. , HUNTLEY, Barry E. , NEIGER, Gilbert , KHOSRAVI, Hormuzd M. , OUZIEL, Ido , DURHAM, David M. , SCHOINAS, Ioannis T. , CHHABRA, Siddhartha , ROZAS, Carlos V. , GERZON, Gideon
摘要: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, an apparatus comprises: a memory to store a data structure including a key identifier corresponding to an encryption key assigned to a first tenant workload, a guest physical address corresponding to a host physical memory page assigned to the first tenant workload, and metadata attributes for the host physical memory page; and a processor. The processor includes: an instruction decoder to decode a plurality of instructions, the plurality of instructions including a first instruction to create a tenant workload control structure and a second instruction to create a tenant workload thread control structure; and one or more execution units to execute one or more of the plurality of instructions to create a first tenant workload control structure for managing metadata of the first tenant workload, create a first tenant workload thread control structure for maintaining execution state of the first tenant workload. The data structure is access-controlled against software access. The first tenant workload thread control structure is access-controlled against software access. The host physical memory page is encrypted with the encryption key. The one or more execution units, when executing the first tenant workload using the guest physical address, are to reference the data structure to obtain the key identifier to allow the apparatus to access and decrypt the host physical memory page.
-
公开(公告)号:EP3657378A1
公开(公告)日:2020-05-27
申请号:EP20152004.6
申请日:2018-08-15
申请人: INTEL Corporation
发明人: SAHITA, Ravi L. , PATEL, Baiju V. , HUNTLEY, Barry E. , NEIGER, Gilbert , KHOSRAVI, Hormuzd M. , OUZIEL, Ido , DURHAM, David M. , SCHOINAS, Ioannis T. , CHHABRA, Siddhartha , ROZAS, Carlos V. , GERZON, Gideon
摘要: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, the processing device includes a processing core to execute a tenant workload and a resource management capability to manage the tenant workload, the resource management capability including a hypervisor and the tenant workload including a virtual machine running on top of the hypervisor, and reference a micro-architectural structure a micro-architectural structure that is access-controlled against software access to obtain at least one key identifier, ID, corresponding to an encryption key assigned to the tenant workload, the key ID to allow the processing device to decrypt memory pages assigned to the tenant workload responsive to the processing device executing in the context of the tenant workload, the memory pages assigned to the tenant workload encrypted with the encryption key. The micro-architectural structure is to hold meta-data attributes for each physical memory page and the meta-data attributes are direct indexed by the physical page address of the physical memory page.
-
公开(公告)号:EP3457311A1
公开(公告)日:2019-03-20
申请号:EP18189207.6
申请日:2018-08-15
申请人: INTEL Corporation
发明人: SAHITA, Ravi L. , PATEL, Baiju V. , HUNTLEY, Barry E. , NEIGER, Gilbert , KHOSRAVI, Hormuzd M. , OUZIEL, Ido , DURHAM, David M. , SCHOINAS, Ioannis T. , CHHABRA, Siddhartha , ROZAS, Carlos V. , GERZON, Gideon
摘要: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.
-
9.发明授权
公开(公告)号:EP2619705B1
公开(公告)日:2017-12-27
申请号:EP11827696.3
申请日:2011-09-24
申请人: Intel Corporation
发明人: GUERON, Shay , GERZON, Gideon , ANATI, Ittai , DOWECK, Jacob , MAOR, Moshe
CPC分类号: G06F12/1408 , G06F21/52 , G06F21/64
摘要: A method and apparatus for protecting against hardware attacks on system memory is provided. A mode of operation for block ciphers enhances the standard XTS-AES mode of operation to perform memory encryption by extending a tweak to include a "time stamp" indicator. An incrementing mechanism using the "time stamp" indicator generates a tweak which separates different contexts over different times such that the effect of "Type 2 replay attacks" is mitigated.
-
公开(公告)号:EP4020238A1
公开(公告)日:2022-06-29
申请号:EP21197466.2
申请日:2021-09-17
申请人: INTEL Corporation
发明人: TOLL, Thomas , JAYARAM MASTI, Ramya , HUNTLEY, Barry E. , VON BOKERN, Vincent , CHHABRA, Siddhartha , KHOSRAVI, Hormuzd M. , SHANBHOGUE, Vedvyas , GERZON, Gideon
IPC分类号: G06F12/14 , G06F12/1036
摘要: A method is described. The method includes executing a memory access instruction for a software process or thread. The method includes creating a memory access request for the memory access instruction having a physical memory address and a first identifier of a realm that the software process or thread execute from. The method includes receiving the memory access request and determining a second identifier of a realm from the physical memory address. The method also includes servicing the memory access request because the first identifier matches the second identifier.
-
-
-
-
-
-
-
-
-
搜索结果
14 条记录 (耗时 0.028 秒)
