公开(公告)号：US20190294559A1

公开(公告)日：2019-09-26

申请号：US15934916

申请日：2018-03-23

Applicant: Intel Corporation

Inventor： VEDVYAS SHANBHOGUE ,  JOSEPH NUZMAN ,  BAIJU PATEL

IPC: G06F12/14 ,  G06F21/52 ,  G06F12/02

Abstract: Systems, methods, and apparatuses for defending against cross-privilege linear access are described. For example, an implementation of an apparatus comprising privilege level storage to store a current privilege level and address check circuitry coupled to the privilege level storage, wherein the address check circuitry is to determine whether a linear address associated with an instruction is allowed to access a partition of a linear address space of the apparatus based upon a comparison of the current privilege level and a most significant bit of the linear address is described.

公开(公告)号：US20180004947A1

公开(公告)日：2018-01-04

申请号：US15201444

申请日：2016-07-02

Applicant: Intel Corporation

Inventor： XIAONING LI ,  RAVI L. SAHITA ,  VEDVYAS SHANBHOGUE

IPC: G06F21/56 ,  G06F21/52

CPC classification number: G06F21/566 ,  G06F21/52 ,  G06F2221/033

Abstract: One embodiment provides a system. The system includes a processor comprising at least one processing unit; a memory; and control transfer (CT) logic. The CT logic is to determine whether a next instruction is a control transfer termination (CTT) when a prior instruction is a control transfer instruction (CTI). The CT logic is to determine whether the CTT is an external CTT, if the next instruction is the CTT; determine whether the prior instruction is an external CTI, if the CTT is the external CTT; and notify an external CTT fault, if the prior instruction is not the external CTI.

公开(公告)号：US20230291567A1

公开(公告)日：2023-09-14

申请号：US17692930

申请日：2022-03-11

Applicant: Intel Corporation

Inventor： VIDHYA KRISHNAN ,  SIDDHARTHA CHHABRA ,  VEDVYAS SHANBHOGUE ,  XIAOYU RUAN ,  ADITYA NAVALE ,  JULIEN CARRENO

IPC: H04L9/32 ,  H04L9/08 ,  G06F12/14 ,  G06T1/60

CPC classification number: H04L9/3242 ,  H04L9/0877 ,  G06F12/1408 ,  G06T1/60

Abstract: Described herein is a paging technique that can be implemented in any accelerator with attached memory and support for operating on encrypted data when the CPU is not within the trusted compute base (TCB). Memory storing data that is encrypted using hardware physical address (HPA)-based encrypted can be paged out of accelerator device memory by decoupling encryption from the hardware physical address and re-encrypting the data for page-out. Upon page-in, the data is decrypted, the integrity and authenticity of the data is verified, then the data is re-encrypted using HPA-based encryption.

公开(公告)号：US20160378688A1

公开(公告)日：2016-12-29

申请号：US14752227

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： CARLOS V. ROZAS ,  MONA VIJ ,  REBEKAH M. LESLIE-HURD ,  KRYSTOF C. ZMUDZINSKI ,  SOMNATH CHAKRABARTI ,  FRANCIS X. MCKEEN ,  VINCENT R. SCARLATA ,  SIMON P. JOHNSON ,  ILYA ALEXANDROVICH ,  GILBERT NEIGER ,  VEDVYAS SHANBHOGUE ,  ITTAI ANATI

IPC: G06F12/14 ,  G06F9/30 ,  G06F21/60

CPC classification number: G06F12/1408 ,  G06F8/41 ,  G06F9/30145 ,  G06F9/45558 ,  G06F21/53 ,  G06F21/602 ,  G06F2009/4557 ,  G06F2009/45587 ,  G06F2212/1052

Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.

Abstract translation: 处理器包括解码单元，用于解码指示受保护的容器存储器的页面的指令以及受保护的容器存储器之外的存储位置。 执行单元响应于该指令，是确保在受保护的容器存储器具有写保护状态时不存在对受保护的容器存储器的页的可写引用。 执行单元是加密受保护的容器存储器的页面的副本。 在确保没有可写入引用之后，执行单元将页面的加密副本存储到受保护的容器存储器外部的存储位置。 执行单元将保护的容器存储器的页面保留在写保护状态中，该保护状态在加密的副本已被存储到存储位置之后也是有效和可读的。

公开(公告)号：US20160371191A1

公开(公告)日：2016-12-22

申请号：US15250787

申请日：2016-08-29

Applicant: Intel Corporation

Inventor： CARLOS V. ROZAS ,  ILYA ALEXANDROVICH ,  ITTAI ANATI ,  ALEX BERENZON ,  MICHAEL A. GOLDSMITH ,  BARRY E. HUNTLEY ,  ANTON IVANOV ,  SIMON P. JOHNSON ,  REBEKAH M. LESLIE-HURD ,  FRANCIS X. MCKEEN ,  GILBERT NEIGER ,  RINAT RAPPOPORT ,  SCOTT D. RODGERS ,  UDAY R. SAVAGAONKAR ,  VINCENT R. SCARLATA ,  VEDVYAS SHANBHOGUE ,  WESLEY H. SMITH ,  WILLIAM C. WOOD

IPC: G06F12/0875 ,  G06F12/1027

Abstract: Instructions and logic provide advanced paging capabilities for secure enclave page caches. Embodiments include multiple hardware threads or processing cores, a cache to store secure data for a shared page address allocated to a secure enclave accessible by the hardware threads. A decode stage decodes a first instruction specifying said shared page address as an operand, and execution units mark an entry corresponding to an enclave page cache mapping for the shared page address to block creation of a new translation for either of said first or second hardware threads to access the shared page. A second instruction is decoded for execution, the second instruction specifying said secure enclave as an operand, and execution units record hardware threads currently accessing secure data in the enclave page cache corresponding to the secure enclave, and decrement the recorded number of hardware threads when any of the hardware threads exits the secure enclave.

Abstract translation: 说明和逻辑为安全的飞地页面缓存提供了高级分页功能。 实施例包括多个硬件线程或处理核心，用于存储分配给由硬件线程可访问的安全空间的共享页面地址的安全数据的高速缓存。 解码级将指定所述共享页地址的第一指令解码为操作数，并且执行单元标记对应于共享页地址的飞地页高速缓存映射的条目，以阻止所述第一或第二硬件线程中的任一个的新转换的创建 访问共享页面。 第二指令被解码以执行，第二指令指定所述安全飞地作为操作数，并且执行单元记录当前访问与安全飞地相对应的飞地页面高速缓存中的安全数据的硬件线程，并且当任何 的硬件线程退出安全飞地。

公开(公告)号：US20200159673A1

公开(公告)日：2020-05-21

申请号：US16686379

申请日：2019-11-18

Applicant: Intel Corporation

Inventor： RAVI L. SAHITA ,  GILBERT NEIGER ,  VEDVYAS SHANBHOGUE ,  DAVID M. DURHAM ,  ANDREW V. ANDERSON ,  DAVID A. KOUFATY ,  ASIT K. MALLICK ,  ARUMUGAM THIYAGARAJAH ,  BARRY E. HUNTLEY ,  DEEPAK K. GUPTA ,  MICHAEL LEMAY ,  JOSEPH F. CIHULA ,  BAIJU V. PATEL

IPC: G06F12/14 ,  G06F9/455 ,  G06F12/1009 ,  G06F12/1027

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

公开(公告)号：US20160378490A1

公开(公告)日：2016-12-29

申请号：US14752079

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： MICHAEL LEMAY ,  DAVID M. DURHAM ,  BARRY E. HUNTLEY ,  VEDVYAS SHANBHOGUE ,  RAVI L. SAHITA ,  RAVI RAJWAR

IPC: G06F9/38 ,  G06F11/07

CPC classification number: G06F9/3802 ,  G06F9/3004 ,  G06F9/30076 ,  G06F9/30145 ,  G06F9/30167 ,  G06F9/30189 ,  G06F9/46 ,  G06F11/0745 ,  G06F11/0751

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for protecting confidential data with transactional processing in execute-only memory. The system may include a memory module configured to store an execute-only code page. The system may also include a transaction processor configured to enforce a transaction region associated with at least a portion of the code page. The system may further include a processor configured to execute a load instruction fetched from the code page, the load instruction configured to load at least a portion of the confidential data from an immediate operand of the load instruction if a transaction mode of the transaction region is enabled.

Abstract translation: 通常，本公开提供了用于在仅执行存储器中用事务处理保护机密数据的系统，设备，方法和计算机可读介质。 该系统可以包括被配置为存储仅执行代码页的存储器模块。 系统还可以包括配置成强制与代码页的至少一部分相关联的事务区域的事务处理器。 该系统还可以包括：处理器，其被配置为执行从代码页取出的加载指令，所述加载指令被配置为如果交易区域的交易模式是来自加载指令的即时操作数，则加载秘密数据的至少一部分 启用

公开(公告)号：US20210406055A1

公开(公告)日：2021-12-30

申请号：US16911445

申请日：2020-06-25

Applicant: Intel Corporation

Inventor： UTKARSH Y. KAKAIYA ,  SANJAY K. KUMAR ,  PHILIP LANTZ ,  GILBERT NEIGER ,  RAJESH SANKARAN ,  VEDVYAS SHANBHOGUE

IPC: G06F9/455 ,  G06F9/30 ,  G06F9/50 ,  G06F9/54

Abstract: In one embodiment, a processor comprises: a first configuration register to store quality of service (QoS) information for a process address space identifier (PASID) value associated with a first process; and an execution circuit coupled to the first configuration register, where the execution circuit, in response to a first instruction, is to obtain command data from a first location identified in a source operand of the first instruction, insert the QoS information and the PASID value into the command data, and send a request comprising the command data to a device coupled to the processor, to enable the device to use the QoS information of a plurality of requests to manage sharing between a plurality of processes. Other embodiments are described and claimed.

公开(公告)号：US20210109684A1

公开(公告)日：2021-04-15

申请号：US17131731

申请日：2020-12-22

Applicant: Intel Corporation

Inventor： VEDVYAS SHANBHOGUE ,  JASON W. BRANDT ,  RAVI L. SAHITA ,  BARRY E. HUNTLEY ,  BAIJU V. PATEL

IPC: G06F3/06 ,  G06F9/30 ,  G06F21/52 ,  G06F9/38 ,  G06F12/1009 ,  G06F12/109 ,  G06F12/1027 ,  G06F12/1081 ,  G06F12/1045 ,  G06F12/14 ,  G06F12/1036

Abstract: A processor of an aspect includes a decode unit to decode an instruction. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the instruction, is to determine that an attempted change due to the instruction, to a shadow stack pointer of a shadow stack, would cause the shadow stack pointer to exceed an allowed range. The execution unit is also to take an exception in response to determining that the attempted change to the shadow stack pointer would cause the shadow stack pointer to exceed the allowed range. Other processors, methods, systems, and instructions are disclosed.

公开(公告)号：US20190318082A1

公开(公告)日：2019-10-17

申请号：US16452916

申请日：2019-06-26

Applicant: INTEL CORPORATION

Inventor： ABHISHEK BASAK ,  RAVI SAHITA ,  VEDVYAS SHANBHOGUE

IPC: G06F21/52 ,  G06F12/06

Abstract: Various embodiments are generally directed to techniques for control flow protection with minimal performance overhead, such as by utilizing one or more micro-architectural optimizations to implement a shadow stack (SS) to verify a return address before returning from a function call, for instance. Some embodiments are particularly directed to a computing platform, such as an internet of things (IoT) platform, that overlaps or parallelizes one or more SS access operations with one or more data stack (DS) access operations.