公开(公告)号：US08959576B2

公开(公告)日：2015-02-17

申请号：US13828676

申请日：2013-03-14

Applicant: Intel Corporation

Inventor： Manoj R. Sastry ,  Ioannis T. Schoinas ,  Daniel M. Cermak

IPC: G06F21/62

CPC classification number: G06F21/74 ,  G06F21/57 ,  G06F21/78

Abstract: Method, apparatus, and system for qualifying CPU transactions with security attributes. Immutable security attributes are generated for transactions initiator by a CPU or processor core that identifying the execution mode of the CPU/core being trusted or untrusted. The transactions may be targeted to an Input/Output (I/O) device or system memory via which a protected asset may be accessed. Policy enforcement logic blocks are implemented at various points in the apparatus or system that allow or deny transactions access to protected assets based on the immutable security attributes generated for the transactions. In one aspect, a multiple-level security scheme is implemented under which a mode register is updated via a first transaction to indicate the CPU/core is operating in a trusted execution mode, and security attributes are generated for a second transaction using execution mode indicia in the mode register to verify the transaction is from a trusted initiator.

Abstract translation: 用于对具有安全属性的CPU事务进行限定的方法，设备和系统。 由CPU或处理器核心为事务发起者生成不可变的安全属性，用于识别CPU /核心被信任或不可信任的执行模式。 这些事务可以被定向到可被访问受保护资产的输入/输出（I / O）设备或系统存储器。 策略执行逻辑块在设备或系统中的不同点实现，其允许或拒绝事务基于为事务生成的不可变安全属性而访问被保护资产。 在一个方面，实现多级安全方案，在该级别下，通过第一事务来更新模式寄存器以指示CPU /核心以可信执行模式运行，并且使用执行模式标记为第二事务生成安全属性 在模式寄存器中验证事务来自可信发起者。

公开(公告)号：US09112867B2

公开(公告)日：2015-08-18

申请号：US14304307

申请日：2014-06-13

Applicant: Intel Corporation

Inventor： Manoj R. Sastry ,  Ioannis T. Schoinas ,  Daniel M. Cermak

IPC: G06F12/14 ,  H04L29/06 ,  G06F21/62 ,  G06F21/78

CPC classification number: H04L63/10 ,  G06F12/1458 ,  G06F21/6218 ,  G06F21/78

Abstract: A method and system for enforcing access control to system resources and assets. Security attributes associated with devices that initiate transactions in the system are automatically generated and forwarded with transaction messages. The security attributes convey access privileges assigned to each initiator. One or more security enforcement mechanisms are implemented in the system to evaluate the security attributes against access policy requirements to access various system assets and resources, such as memory, registers, address ranges, etc. If the privileges identified by the security attributes indicate the access request is permitted, the transaction is allowed to proceed. The security attributes of the initiator scheme provides a modular, consistent secure access enforcement scheme across system designs.

Abstract translation: 一种执行对系统资源和资产的访问控制的方法和系统。 与系统中发起事务的设备相关联的安全属性将自动生成并使用事务消息进行转发。 安全属性传达分配给每个启动器的访问权限。 在系统中实现一个或多个安全执行机制以根据访问策略要求评估安全属性以访问诸如存储器，寄存器，地址范围等的各种系统资产和资源。如果由安全属性标识的特权指示访问 允许请求，允许交易进行。 启动器方案的安全属性提供跨系统设计的模块化，一致的安全访问实施方案。