-
Publication number: US20220222358A1
Publication date: 2022-07-14
Application number: US17710723
Application date: 2022-03-31
Applicant: Intel Corporation
Inventor: Ravi Sahita , Dror Caspi , Vedvyas Shanbhogue , Vincent Scarlata , Anjo Lucas Vahldiek-Oberwagner , Haidong Xia , Mona Vij
Abstract: Scalable cloning and replication for trusted execution environments is described. An example of a computer-readable storage medium includes instructions for receiving a selection of a point to capture a snapshot of a baseline trust domain (TD) or secure enclave, the TD or secure enclave being associated with a trusted execution environment (TEE) of a processor utilized for processing of a workload; initiating cloning of the TD or secure enclave from a source platform to an escrow platform; generating an escrow key to export the snapshot to the escrow platform; and exporting a state of the TD or secure enclave to the escrow platform, the state being sealed with a sealing key.
-
Publication number: US20240160717A1
Publication date: 2024-05-16
Application number: US18284429
Application date: 2022-06-24
Applicant: Intel Corporation
Inventor: Yeluri Raghuram , Haidong Xia , Uttam Shetty , Anil Rao , Sudhir Subbarao Bangalore , Raghavender Nagarajan , Kekuut Hoomkwap , Wei Peng
CPC classification number: G06F21/33 , G06F21/53 , G06F21/57 , G06F2221/034
Abstract: Various systems and methods are described for implementing trust authority or trust attestation verification operations, including for Trust-as-a-Service or Attestation-as-a-Service implementations, in accordance with the techniques discussed herein. In various examples, operations and configurations are described to enable service-to-service attestation using a trust authority, to operate an attestation service, and to coordinate trust operations between relying and requesting parties.
-
Publication number: US20210218559A1
Publication date: 2021-07-15
Application number: US17214095
Application date: 2021-03-26
Applicant: Intel Corporation
Inventor: Haidong Xia , Mourad Cherfaoui
Abstract: A key caching container provides for the secure storage of cryptographic keys and the secure operation of cryptographic functions for workload containers. A cryptographic call adapter in each workload container converts application cryptographic operation requests made by an application to workload container cryptographic operation requests that are sent to the key caching container. Secure provision of keys is enabled by a key broker service that acts as a proxy for a key management service. A secure enclave within the key caching container stores keys and instructions that perform cryptographic operations in an encrypted format. The key caching container provides a key handle associated with a cryptographic key to a requesting application, which the application uses in subsequent application cryptographic operation requests. The secure enclave is created and managed using security-related instructions in a security-enabled integrated circuit component that is part of a computing system's hardware platform.
-
Publication number: US12248807B2
Publication date: 2025-03-11
Application number: US17134339
Application date: 2020-12-26
Applicant: INTEL CORPORATION
Inventor: Ravi Sahita , Dror Caspi , Vincent Scarlata , Sharon Yaniv , Baruch Chaikin , Vedvyas Shanbhogue , Jun Nakajima , Arumugam Thiyagarajah , Sean Christopherson , Haidong Xia , Vinay Awasthi , Isaku Yamahata , Wei Wang , Thomas Adelmeyer
Abstract: Techniques for migration of a source protected virtual machine from a source platform to a destination platform are described. A method of an aspect includes enforcing that bundles of state, of a first protected virtual machine (VM), received at a second platform over a stream, during an in-order phase of a migration of the first protected VM from a first platform to the second platform, are imported to a second protected VM of the second platform, in a same order that they were exported from the first protected VM. Receiving a marker over the stream marking an end of the in-order phase. Determining that all bundles of state exported from the first protected VM prior to export of the marker have been imported to the second protected VM. Starting an out-of-order phase of the migration based on the determination that said all bundles of the state exported have been imported.
-
Publication number: US12113902B2
Publication date: 2024-10-08
Application number: US17131684
Application date: 2020-12-22
Applicant: Intel Corporation
Inventor: Anjo Lucas Vahldiek-Oberwagner , Ravi L. Sahita , Mona Vij , Dayeol Lee , Haidong Xia , Rameshkumar Illikkal , Samuel Ortiz , Kshitij Arun Doshi , Mourad Cherfaoui , Andrzej Kuriata , Teck Joo Goh
CPC classification number: H04L9/321 , H04L9/3242
Abstract: In function-as-a-service (FaaS) environments, a client makes use of a function executing within a trusted execution environment (TEE) on a FaaS server. Multiple tenants of the FaaS platform may provide functions to be executed by the FaaS platform via a gateway. Each tenant may provide code and data for any number of functions to be executed within any number of TEEs on the FaaS platform and accessed via the gateway. Additionally, each tenant may provide code and data for a single surrogate attester TEE. The client devices of the tenant use the surrogate attester TEE to attest each of the other TEEs of the tenant and establish trust with the functions in those TEEs. Once the functions have been attested, the client devices have confidence that the other TEEs of the tenant are running on the same platform as the gateway.
-
Publication number: US12013954B2
Publication date: 2024-06-18
Application number: US17710723
Application date: 2022-03-31
Applicant: Intel Corporation
Inventor: Ravi Sahita , Dror Caspi , Vedvyas Shanbhogue , Vincent Scarlata , Anjo Lucas Vahldiek-Oberwagner , Haidong Xia , Mona Vij
CPC classification number: G06F21/602 , G06F9/45558 , G06F21/53 , G06F21/54 , G06F2009/4557 , G06F2009/45587 , G06F2009/45595
Abstract: Scalable cloning and replication for trusted execution environments is described. An example of a computer-readable storage medium includes instructions for receiving a selection of a point to capture a snapshot of a baseline trust domain (TD) or secure enclave, the TD or secure enclave being associated with a trusted execution environment (TEE) of a processor utilized for processing of a workload; initiating cloning of the TD or secure enclave from a source platform to an escrow platform; generating an escrow key to export the snapshot to the escrow platform; and exporting a state of the TD or secure enclave to the escrow platform, the state being sealed with a sealing key.