-
Publication (Announcement) No.: US20220137955A1
Publication (Announcement) Date: 2022-05-05
Application No.: US17454564
Application Date: 2021-11-11
Applicant: Intel Corporation
Inventor: Nivedita AGGARWAL , Prashant DEWAN , Subrata BANIK , Ofir SHWARTZ , Baiju V. PATEL , Yazan SIAM , Kumar DWARAKANATH , Vincent ZIMMER
Abstract: A method of handling a firmware update for a device is disclosed, comprising: determining a device to be in an updatable state; setting the device into an updating state after determining the updatable state; and after the device is in the updating state, writing a firmware update to memory for the device. After writing the firmware update, the device is switchable to a working state in which the device operates based on the firmware update.
-
Publication (Announcement) No.: US20200004953A1
Publication (Announcement) Date: 2020-01-02
Application No.: US16024547
Application Date: 2018-06-29
Applicant: Intel Corporation
Inventor: Michael LEMAY , David M. DURHAM , Michael E. KOUNAVIS , Barry E. HUNTLEY , Vedvyas SHANBHOGUE , Jason W. BRANDT , Josh TRIPLETT , Gilbert NEIGER , Karanvir GREWAL , Baiju V. PATEL , Ye ZHUANG , Jr-Shian TSAI , Vadim SUKHOMLINOV , Ravi SAHITA , Mingwei ZHANG , James C. FARWELL , Amitabh DAS , Krishna BHUYAN
Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.
-
Publication (Announcement) No.: US20220027287A1
Publication (Announcement) Date: 2022-01-27
Application No.: US17496327
Application Date: 2021-10-07
Applicant: Intel Corporation
Inventor: Ravi L. SAHITA , Gilbert NEIGER , Vedvyas SHANBHOGUE , David M. DURHAM , Andrew V. ANDERSON , David A. KOUFATY , Asit K. MALLICK , Arumugam THIYAGARAJAH , Barry E. HUNTLEY , Deepak K. GUPTA , Michael LEMAY , Joseph F. CIHULA , Baiju V. PATEL
IPC: G06F12/14 , G06F12/1009 , G06F12/1027 , G06F9/455
Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.
-
Publication (Announcement) No.: US20210019172A1
Publication (Announcement) Date: 2021-01-21
Application No.: US17042114
Application Date: 2018-06-28
Applicant: INTEL CORPORATION
Inventor: Baiju V. PATEL , Kapil SOOD , Weigang LI , Ping YU , Changzheng WEI , Junyuan WANG , Xin ZENG
Abstract: A cryptographic data item utilized to derive a first cryptographic key employed by a first memory controller for implementing a first cryptographically protected execution environment for storing memory pages associated with a virtual machine may be received from a first host system via a first secure communication channel. The cryptographic data item may be transmitted to a second host system via a second secure communication channel for implementing a second cryptographically protected environment on the second host system. The first host system may be caused to migrate the memory pages of the virtual machine via an unsecured communication channel to the second host system for storing in the second cryptographically protected execution environment.
-