公开(公告)号：EP4379592A3

公开(公告)日：2024-08-28

申请号：EP24170687.8

申请日：2018-08-15

申请人： INTEL Corporation

发明人： Sahita, Ravi L. ,  Patel, Baiju V. ,  Huntley, Barry E. ,  Neiger, Gilbert ,  Khosravi, Hormuzd M. ,  Ouziel, Ido ,  Durham, David M. ,  Schoinas, Ioannis T. ,  Chhabra, Siddhartha ,  Rozas, Carlos V. ,  Gerzon, Gideon

IPC分类号： G06F21/71 ,  G06F21/79

CPC分类号： G06F21/71 ,  G06F21/79

摘要： Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, an apparatus comprises: a memory encryption engine to protect memory using encryption; and a processor to execute one or more instructions to allow a virtual machine manager (VMM) to manage a trust domain (TD). The processor is to support at least one of a first instruction to add a memory page to the TD, wherein execution of the first instruction is to use an address of TD control structure, an address of a source page, and an address of destination page to: copy the source memory page to the destination page using an encryption key identified in the TD control structure, a second instruction, wherein execution of the second instruction is to initialize the TD control structure for a TD and generate the encryption key, or a third instruction, wherein execution of the third instruction is to enter the TD and load a saved state of the TD from a data structure.

公开(公告)号：EP3671521A1

公开(公告)日：2020-06-24

申请号：EP19203470.0

申请日：2019-10-16

申请人： INTEL Corporation

发明人： Ouziel, Ido ,  Aharon, Arie ,  Caspi, Dror ,  Chaikin, Baruch ,  Doweck, Jacob ,  Gerzon, Gideon ,  Huntley, Barry E. ,  McKeen, Francis X. ,  Neiger, Gilbert ,  Rozas, Carlos V. ,  Sahita, Ravi L. ,  Shanbhogue, Vedvyas ,  Zaltsman, Assaf ,  Khosravi, Hormuzd M.

IPC分类号： G06F21/79 ,  G06F21/60 ,  G06F12/14

摘要： Implementations described provide hardware support for the co-existence of restricted and non-restricted encryption keys on a computing system. Such hardware support may comprise a processor having a core, a hardware register to store a bit range to identify a number of bits, of physical memory addresses, that define key identifiers (IDs) and a partition key ID identifying a boundary between non-restricted and restricted key IDs. The core may allocate at least one of the non-restricted key IDs to a software program, such as a hypervisor. The core may further allocate a restricted key ID to a trust domain whose trust computing base does not comprise the software program. A memory controller coupled to the core may allocate a physical page of a memory to the trust domain, wherein data of the physical page of the memory is to be encrypted with an encryption key associated with the restricted key ID.

公开(公告)号：EP4379592A2

公开(公告)日：2024-06-05

申请号：EP24170687.8

申请日：2018-08-15

申请人： INTEL Corporation

发明人： Sahita, Ravi L. ,  Patel, Baiju V. ,  Huntley, Barry E. ,  Neiger, Gilbert ,  Khosravi, Hormuzd M. ,  Ouziel, Ido ,  Durham, David M. ,  Schoinas, Ioannis T. ,  Chhabra, Siddhartha ,  Rozas, Carlos V. ,  Gerzon, Gideon

IPC分类号： G06F21/79

CPC分类号： G06F21/71 ,  G06F21/79

摘要： Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, an apparatus comprises: a memory encryption engine to protect memory using encryption; and a processor to execute one or more instructions to allow a virtual machine manager (VMM) to manage a trust domain (TD). The processor is to support at least one of a first instruction to add a memory page to the TD, wherein execution of the first instruction is to use an address of TD control structure, an address of a source page, and an address of destination page to: copy the source memory page to the destination page using an encryption key identified in the TD control structure, a second instruction, wherein execution of the second instruction is to initialize the TD control structure for a TD and generate the encryption key, or a third instruction, wherein execution of the third instruction is to enter the TD and load a saved state of the TD from a data structure.

公开(公告)号：EP4372597A2

公开(公告)日：2024-05-22

申请号：EP24166601.5

申请日：2015-08-14

申请人： INTEL Corporation

发明人： Leslie-Hurd, Rebekah M. ,  McKeen, Francis X. ,  Rozas, Carlos V. ,  Zmudzinski, Krystof C.

IPC分类号： G06F21/79

CPC分类号： G06F21/74 ,  G06F21/79 ,  G06F12/1441

摘要： The present disclosure provides a processor device comprising a processor core and a memory controller coupled with the processor core to provide access to main memory. The main memory is to include a protected region of an application address space to store secured pages. The processor core is to perform operations in response to a content copy instruction, the content copy instruction to indicate an address of a source page and an address of a target page in the protected region of the application address space. The operations include to: initialize the target page in the protected region of the application address space; select content of the source page to be copied; copy the selected content to the target page in the protected region of the application address space; and modify an access permission level of the target page.

公开(公告)号：EP3671474A1

公开(公告)日：2020-06-24

申请号：EP19209897.8

申请日：2019-11-19

申请人： Intel Corporation

发明人： Ouziel, Ido ,  Aharon, Arie ,  Caspi, Dror ,  Chaikin, Baruch ,  Doweck, Jacob ,  Gerzon, Gideon ,  Huntley, Barry E. ,  McKeen, Francis X. ,  Neiger, Gilbert ,  Rozas, Carlos V. ,  Sahita, Ravi L. ,  Shanbhogue, Vedvyas ,  Zaltsman, Assaf

IPC分类号： G06F12/14 ,  G06F21/12 ,  G06F21/60 ,  G06F21/62 ,  G06F21/72 ,  G06F9/455 ,  G06F21/53

摘要： A processor includes a processor core. A register of the core is to store:
a bit range for a number of address bits of physical memory addresses used for key identifiers (IDs), and a first key ID to identify a boundary between non-restricted key IDs and restricted key IDs of the key identifiers. A memory controller is to: determine, via access to bit range and the first key ID in the register, a key ID range of the restricted key IDs within the physical memory addresses; access a processor state that a first logical processor of the processor core executes in an untrusted domain mode; receive a memory transaction, from the first logical processor, including an address associated with a second key ID; and generate a fault in response to a determination that the second key ID is within a key ID range of the restricted key IDs.

公开(公告)号：EP2889800A1

公开(公告)日：2015-07-01

申请号：EP14192166.8

申请日：2014-11-06

申请人： Intel Corporation

发明人： Scarlata, Vincent R. ,  Johnson, Simon P. ,  Beker, Vladimir ,  Walker, Jesse ,  Rozas, Carlos V. ,  Santoni, Amy L. ,  Anati, Ittai ,  Makaram, Raghunandan ,  Mckeen, Francis X. ,  Savagaonkar, Uday R.

IPC分类号： G06F21/74

CPC分类号： G06F12/1466 ,  G06F21/74 ,  G06F2212/1052

摘要： Systems and methods for secure delivery of output surface bitmaps to a display engine. An example processing system comprises: an architecturally protected memory; and a plurality of processing devices communicatively coupled to the architecturally protected memory, each processing device comprising a first processing logic to implement an architecturally-protected execution environment by performing at least one of: executing instructions residing in the architecturally protected memory, or preventing an unauthorized access to the architecturally protected memory; wherein each processing device further comprises a second processing logic to establish a secure communication channel with a second processing device of the processing system, employ the secure communication channel to synchronize a platform identity key representing the processing system, and transmit a platform manifest comprising the platform identity key to a certification system.

摘要翻译： 用于将输出表面位图安全传送到显示引擎的系统和方法。 一个示例处理系统包括：架构受保护的存储器; 以及多个处理设备，通信地耦合到架构保护的存储器，每个处理设备包括第一处理逻辑，以通过执行驻留在架构受保护的存储器中的指令中的至少一个来执行架构保护的执行环境，或者防止未授权的 访问架构保护的内存; 其中每个处理设备还包括第二处理逻辑，用于与所述处理系统的第二处理设备建立安全通信信道，使用所述安全通信信道来同步代表所述处理系统的平台标识密钥，并发送包括所述平台的平台清单 认证系统的身份密钥。

公开(公告)号：EP4372597A3

公开(公告)日：2024-07-10

申请号：EP24166601.5

申请日：2015-08-14

申请人： INTEL Corporation

发明人： Leslie-Hurd, Rebekah M. ,  McKeen, Francis X. ,  Rozas, Carlos V. ,  Zmudzinski, Krystof C.

IPC分类号： G06F12/14 ,  G06F21/53 ,  G06F21/74 ,  G06F21/79

CPC分类号： G06F21/74 ,  G06F21/79 ,  G06F12/1441

摘要： The present disclosure provides a processor device comprising a processor core and a memory controller coupled with the processor core to provide access to main memory. The main memory is to include a protected region of an application address space to store secured pages. The processor core is to perform operations in response to a content copy instruction, the content copy instruction to indicate an address of a source page and an address of a target page in the protected region of the application address space. The operations include to: initialize the target page in the protected region of the application address space; select content of the source page to be copied; copy the selected content to the target page in the protected region of the application address space; and modify an access permission level of the target page.

公开(公告)号：EP2889800B1

公开(公告)日：2017-06-28

申请号：EP14192166.8

申请日：2014-11-06

申请人： Intel Corporation

发明人： Scarlata, Vincent R. ,  Johnson, Simon P. ,  Beker, Vladimir ,  Walker, Jesse ,  Rozas, Carlos V. ,  Santoni, Amy L. ,  Anati, Ittai ,  Makaram, Raghunandan ,  Mckeen, Francis X. ,  Savagaonkar, Uday R.

IPC分类号： G06F21/74 ,  G06F12/14

CPC分类号： G06F12/1466 ,  G06F21/74 ,  G06F2212/1052