公开(公告)号：US12135801B2

公开(公告)日：2024-11-05

申请号：US17820628

申请日：2022-08-18

Applicant: Intel Corporation

Inventor： Soham Jayesh Desai ,  Siddhartha Chhabra ,  Bin Xing ,  Pradeep M. Pappachan ,  Reshma Lal

IPC: G06F21/00 ,  G06F13/20 ,  G06F13/28 ,  G06F21/57 ,  G06F21/60 ,  G06F21/62 ,  G06F21/85 ,  G09C1/00 ,  H04L9/32 ,  H04L9/40 ,  G06F21/51 ,  H04L9/06

Abstract: Technologies for trusted I/O include a computing device having a hardware cryptographic agent, a cryptographic engine, and an I/O controller. The hardware cryptographic agent intercepts a message from the I/O controller and identifies boundaries of the message. The message may include multiple DMA transactions, and the start of message is the start of the first DMA transaction. The cryptographic engine encrypts the message and stores the encrypted data in a memory buffer. The cryptographic engine may skip and not encrypt header data starting at the start of message or may read a value from the header to determine the skip length. In some embodiments, the cryptographic agent and the cryptographic engine may be an inline cryptographic engine. In some embodiments, the cryptographic agent may be a channel identifier filter, and the cryptographic engine may be processor-based. Other embodiments are described and claimed.

公开(公告)号：US11836262B2

公开(公告)日：2023-12-05

申请号：US17958621

申请日：2022-10-03

Applicant: Intel Corporation

Inventor： Salessawi Ferede Yitbarek ,  Lawrence A. Booth, Jr. ,  Brent D. Thomas ,  Reshma Lal ,  Pradeep M. Pappachan ,  Akshay Kadam

IPC: G06F21/00 ,  G06F21/60 ,  G06F21/76 ,  H04L9/08 ,  H04L9/14

CPC classification number: G06F21/606 ,  G06F21/76 ,  H04L9/0827 ,  H04L9/14 ,  G06F2221/2149

Abstract: Embodiments are directed to protection of communications between a trusted execution environment and a hardware accelerator utilizing enhanced end-to-end encryption and inter-context security. An embodiment of an apparatus includes one or more processors having one or more trusted execution environments (TEEs) including a first TEE to include a first trusted application; an interface with a hardware accelerator, the hardware accelerator including trusted embedded software or firmware; and a computer memory to store an untrusted kernel mode driver for the hardware accelerator, the one or more processors to establish an encrypted tunnel between the first trusted application in the first TEE and the trusted software or firmware, generate a call for a first command from the first trusted application, generate an integrity tag for the first command, and transfer command parameters for the first command and the integrity tag to the kernel mode driver to generate the first command.

公开(公告)号：US11755748B2

公开(公告)日：2023-09-12

申请号：US18068106

申请日：2022-12-19

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Luis S. Kida ,  Reshma Lal

IPC: G06F21/60 ,  G06F12/1009 ,  G06F12/14 ,  G06F21/78 ,  G06T1/20 ,  H04L9/14

CPC classification number: G06F21/602 ,  G06F12/1009 ,  G06F12/1458 ,  G06F21/78 ,  G06T1/20 ,  H04L9/14 ,  G06F2212/1052 ,  G06F2221/2149

Abstract: Embodiments are directed to trusted local memory management in a virtualized GPU. An embodiment of an apparatus includes one or more processors including a trusted execution environment (TEE); a GPU including a trusted agent; and a memory, the memory including GPU local memory, the trusted agent to ensure proper allocation/deallocation of the local memory and verify translations between graphics physical addresses (PAs) and PAs for the apparatus, wherein the local memory is partitioned into protection regions including a protected region and an unprotected region, and wherein the protected region to store a memory permission table maintained by the trusted agent, the memory permission table to include any virtual function assigned to a trusted domain, a per process graphics translation table to translate between graphics virtual address (VA) to graphics guest PA (GPA), and a local memory translation table to translate between graphics GPAs and PAs for the local memory.

公开(公告)号：US11741230B2

公开(公告)日：2023-08-29

申请号：US17451922

申请日：2021-10-22

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Reshma Lal ,  Bin Xing ,  Siddhartha Chhabra ,  Vincent R. Scarlata ,  Steven B. McGowan

IPC: G06F21/57 ,  G06F21/60

CPC classification number: G06F21/57 ,  G06F21/602

Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information. The computing device may collect application attestation information for a trusted application that uses the trusted I/O usage and verify the application attestation information. Other embodiments are described and claimed.

公开(公告)号：US20230026602A1

公开(公告)日：2023-01-26

申请号：US17958621

申请日：2022-10-03

Applicant: Intel Corporation

Inventor： Salessawi Ferede Yitbarek ,  Lawrence A. Booth, JR. ,  Brent D. Thomas ,  Reshma Lal ,  Pradeep M. Pappachan ,  Akshay Kadam

IPC: G06F21/60 ,  G06F21/76 ,  H04L9/08 ,  H04L9/14

Abstract: Embodiments are directed to protection of communications between a trusted execution environment and a hardware accelerator utilizing enhanced end-to-end encryption and inter-context security. An embodiment of an apparatus includes one or more processors having one or more trusted execution environments (TEEs) including a first TEE to include a first trusted application; an interface with a hardware accelerator, the hardware accelerator including trusted embedded software or firmware; and a computer memory to store an untrusted kernel mode driver for the hardware accelerator, the one or more processors to establish an encrypted tunnel between the first trusted application in the first TEE and the trusted software or firmware, generate a call for a first command from the first trusted application, generate an integrity tag for the first command, and transfer command parameters for the first command and the integrity tag to the kernel mode driver to generate the first command.

公开(公告)号：US11496314B2

公开(公告)日：2022-11-08

申请号：US16718460

申请日：2019-12-18

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Reshma Lal

IPC: H04L9/32 ,  G06F21/60 ,  H04L9/08

Abstract: Embodiments are directed to providing integrity-protected command buffer execution. An embodiment of an apparatus includes a computer-readable memory comprising one or more command buffers and a processing device communicatively coupled to the computer-readable memory to read, from a command buffer of the computer-readable memory, a first command received from a host device, the first command executable by one or more processing elements on the processing device, the first command comprising an instruction and associated parameter data, compute a first authentication tag using a cryptographic key associated with the host device, the instruction and at least a portion of the parameter data, and authenticate the first command by comparing the first authentication tag with a second authentication tag computed by the host device and associated with the command.

公开(公告)号：US20220140993A1

公开(公告)日：2022-05-05

申请号：US17573023

申请日：2022-01-11

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Reshma Lal ,  Rakesh A. Ughreja ,  Kumar N. Dwarakanath ,  Victoria C. Moore

IPC: H04L9/00 ,  G06F9/54 ,  G06F21/83 ,  G06F21/44 ,  G06F21/84 ,  G06F21/57 ,  G06F21/60 ,  H04L9/08

Abstract: Systems and methods include establishing a cryptographically secure communication between an application module and an audio module. The application module is configured to execute on an information-handling machine, and the audio module is coupled to the information-handling machine. The establishment of the cryptographically secure communication may be at least partially facilitated by a mutually trusted module.

公开(公告)号：US11157623B2

公开(公告)日：2021-10-26

申请号：US16280351

申请日：2019-02-20

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Reshma Lal ,  Bin Xing ,  Siddhartha Chhabra ,  Vincent R. Scarlata ,  Steven B. McGowan

IPC: G06F21/57 ,  G06F21/60

Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information. The computing device may collect application attestation information for a trusted application that uses the trusted I/O usage and verify the application attestation information. Other embodiments are described and claimed.

公开(公告)号：US20200349265A1

公开(公告)日：2020-11-05

申请号：US16931543

申请日：2020-07-17

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Gideon Gerzon ,  Baruch Chaikin ,  Siddhartha Chhabra ,  Pradeep M. Pappachan ,  Bin Xing

IPC: G06F21/60 ,  H04L29/06 ,  G06F21/57 ,  G06F13/28 ,  H04L9/32 ,  G06F21/62 ,  G06F21/85 ,  G09C1/00 ,  G06F13/20

Abstract: Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.

公开(公告)号：US20190205087A1

公开(公告)日：2019-07-04

申请号：US16290307

申请日：2019-03-01

Applicant: Intel Corporation

Inventor： Sudha Krishnakumar ,  Reshma Lal ,  Pradeep M. Pappachan ,  Kar Leong Wong ,  Steven B. McGowan ,  Adeel A. Aslam

IPC: G06F3/16 ,  H04L29/08 ,  H04L29/06 ,  G06F15/167 ,  H04L9/32

CPC classification number: G06F3/165 ,  G06F3/162 ,  G06F15/167 ,  H04L9/32 ,  H04L63/126 ,  H04L65/1069 ,  H04L65/4069 ,  H04L65/605 ,  H04L67/146

Abstract: Technologies for cryptographic protection of I/O audio data include a computing device with a cryptographic engine and an audio controller. A trusted software component may request an untrusted audio driver to establish an audio session with the audio controller that is associated with an audio codec. The trusted software component may verify that a stream identifier associated with the audio session received from the audio driver matches a stream identifier received from the codec. The trusted software may program the cryptographic engine with a DMA channel identifier associated with the codec, and the audio controller may assert the channel identifier in each DMA transaction associated with the audio session. The cryptographic engine cryptographically protects audio data associated with the audio session. The audio controller may lock the controller topology after establishing the audio session, to prevent re-routing of audio during a trusted audio session. Other embodiments are described and claimed.