公开(公告)号：US20240202314A1

公开(公告)日：2024-06-20

申请号：US18084428

申请日：2022-12-19

Applicant: Intel Corporation

Inventor： Mona Vij ,  Dmitrii Kuvaiskii ,  Bin Xing ,  Krystof Zmudzinski ,  Scott Constable

IPC: G06F21/53

CPC classification number: G06F21/53 ,  G06F2221/034

Abstract: Techniques and mechanisms for a processor core to execute an instruction for a hardware (HW) thread to have access to a trusted execution environment (TEE). In an embodiment, execution of the instruction includes determining whether any sibling HW thread, which is currently active, is also currently approved to access the TEE. TEE access by the HW thread is conditioned upon a requirement that any sibling HW thread is either currently inactive, is currently in the same TEE, or is currently approved to enter the TEE. In another embodiment, execution of another instruction, for the HW thread to exit the TEE, includes or otherwise results in system software being conditionally notified of an opportunity to wake up one or more sibling HW threads.

公开(公告)号：US11373013B2

公开(公告)日：2022-06-28

申请号：US16234871

申请日：2018-12-28

Applicant: Intel Corporation

Inventor： Luis Kida ,  Krystof Zmudzinski ,  Reshma Lal ,  Pradeep Pappachan ,  Abhishek Basak ,  Anna Trikalinou

IPC: G06F21/78 ,  G06F21/44 ,  G06F21/85

Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range includes a shared key identifier range to be used for untrusted I/O devices and receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.

公开(公告)号：US20190251257A1

公开(公告)日：2019-08-15

申请号：US15897406

申请日：2018-02-15

Applicant: Intel Corporation

Inventor： Francis McKeen ,  Bin Xing ,  Krystof Zmudzinski ,  Carlos Rozas ,  Mona Vij

IPC: G06F21/55 ,  G06F21/53

CPC classification number: G06F21/556 ,  G06F12/145 ,  G06F12/1491 ,  G06F21/53 ,  G06F2212/1052 ,  G06F2221/2149

Abstract: A processor includes a processing core to identify a code comprising a plurality of instructions to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address of the first virtual memory page and a second address of the first physical memory page, store, in the cache memory, the address translation data structure comprising the first address mapping, and execute the code by retrieving the first address mapping in the address translation data structures to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address of the first virtual memory page and a second address of the first physical memory page, store, in the cache memory, an address translation data structure comprising the first address mapping, and execute the code by retrieving the first address mapping stored in the address translation data structure.

公开(公告)号：US20230205869A1

公开(公告)日：2023-06-29

申请号：US17561412

申请日：2021-12-23

Applicant: Intel Corporation

Inventor： Scott Constable ,  Bin Xing ,  Yuan Xiao ,  Krystof Zmudzinski ,  Mona Vij ,  Mark Shanahan ,  Francis McKeen ,  Ittai Anati

IPC: G06F21/53 ,  G06F9/30

CPC classification number: G06F21/53 ,  G06F9/30145 ,  G06F9/30105

Abstract: Systems, methods, and apparatuses relating efficient exception handling in trusted execution environments are described. In an embodiment, a hardware processor includes a register, a decoder, and execution circuitry. The register has a field to be set to enable an architecturally protected execution environment at one of a plurality of contexts for code in an architecturally protected enclave in memory. The decoder is to decode an instruction having a format including a field for an opcode, the opcode to indicate that the execution circuitry is to perform a context change. The execution circuitry is to perform one or more operations corresponding to the instruction, the one or more operations including changing, within the architecturally protected enclave, from a first context to a second context.

公开(公告)号：US10761996B2

公开(公告)日：2020-09-01

申请号：US16147191

申请日：2018-09-28

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Ravi Sahita ,  Rajesh Sankaran ,  Siddhartha Chhabra ,  Abhishek Basak ,  Krystof Zmudzinski ,  Rupin Vakharwala

IPC: G06F12/00 ,  G06F12/1009 ,  G06F12/14 ,  G06F9/30 ,  G06F9/455 ,  G06F21/57 ,  G06F21/53

Abstract: Examples include an apparatus which accesses secure pages in a trust domain using secure lookups in first and second sets of page tables. For example, one embodiment of the processor comprises: a decoder to decode a plurality of instructions including instructions related to a trusted domain; execution circuitry to execute a first one or more of the instructions to establish a first trusted domain using a first trusted domain key, the trusted domain key to be used to encrypt memory pages within the first trusted domain; and the execution circuitry to execute a second one or more of the instructions to associate a first process address space identifier (PASID) with the first trusted domain, the first PASID to uniquely identify a first execution context associated with the first trusted domain.

公开(公告)号：US11625275B2

公开(公告)日：2023-04-11

申请号：US17109742

申请日：2020-12-02

Applicant: Intel Corporation

Inventor： Krystof Zmudzinski ,  Siddhartha Chhabra ,  Reshma Lal ,  Alpa Narendra Trivedi ,  Luis S. Kida ,  Pradeep M. Pappachan ,  Abhishek Basak ,  Anna Trikalinou

IPC: G06F9/445 ,  G06F9/50 ,  G06F9/455 ,  G06F21/62 ,  G06F12/1009 ,  G06F9/46 ,  G06F13/28 ,  G06F21/85 ,  G06F21/78 ,  G06F21/53 ,  G06F21/57 ,  H04L9/32 ,  H04W12/30 ,  H04W12/48 ,  H04L69/16

Abstract: Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.

公开(公告)号：US20220091998A1

公开(公告)日：2022-03-24

申请号：US17543267

申请日：2021-12-06

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep M. Pappachan ,  Luis Kida ,  Krystof Zmudzinski ,  Siddhartha Chhabra ,  Abhishek Basak ,  Alpa Narendra Trivedi ,  Anna Trikalinou ,  David M. Lee ,  Vedvyas Shanbhogue ,  Utkarsh Y. Kakaiya

IPC: G06F12/14 ,  H04L9/32 ,  G06F21/76 ,  G06F21/60 ,  H04L9/08 ,  G06F9/455 ,  G06F21/57 ,  G06F21/64 ,  H04L12/24 ,  G06F21/79 ,  H04L9/06 ,  G06F9/38 ,  G06F12/0802

Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.

公开(公告)号：US11163913B2

公开(公告)日：2021-11-02

申请号：US16234871

申请日：2018-12-28

Applicant: Intel Corporation

Inventor： Luis Kida ,  Krystof Zmudzinski ,  Reshma Lal ,  Pradeep Pappachan ,  Abhishek Basak ,  Anna Trikalinou

IPC: G06F21/78 ,  G06F21/44 ,  G06F21/85

Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range includes a shared key identifier range to be used for untrusted I/O devices and receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.

公开(公告)号：US20210117576A1

公开(公告)日：2021-04-22

申请号：US17109742

申请日：2020-12-02

Applicant: Intel Corporation

Inventor： Krystof Zmudzinski ,  Siddhartha Chhabra ,  Reshma Lal ,  Alpa Narendra Trivedi ,  Luis S. Kida ,  Pradeep M. Pappachan ,  Abhishek Basak ,  Anna Trikalinou

IPC: G06F21/78 ,  G06F9/455 ,  G06F9/46 ,  G06F9/50 ,  G06F12/1009 ,  G06F13/28 ,  G06F21/53 ,  G06F21/57 ,  G06F21/62 ,  G06F21/85 ,  H04L9/32

Abstract: Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.

公开(公告)号：US10558584B2

公开(公告)日：2020-02-11

申请号：US14312112

申请日：2014-06-23

Applicant: Intel Corporation

Inventor： Krystof Zmudzinski

IPC: G06F12/14 ,  G06F12/08 ,  G06F12/1009 ,  G06F12/12 ,  G06F12/0815 ,  G06F21/62 ,  G06F12/0882 ,  G06F12/121 ,  G06F21/60

Abstract: The present application is directed to employing intermediary structures for facilitating access to secure memory. A secure driver (SD) may be loaded into the device to reserve a least a section of memory in the device as a secure page cache (SPC). The SPC may protect application data from being accessed by other active applications in the device. Potential race conditions may be avoided through the use of a linear address manager (LAM) that maps linear addresses (LAs) in an application page table (PT) to page slots in the SPC. The SD may also facilitate error handling in the device by reconfiguring VEs that would otherwise be ignored by the OS.