-
Publication No.: US11386017B2
Publication date: 2022-07-12
Application No.: US16232143
Filing date: 2018-12-26
Applicant: Intel Corporation
Inventor: Vincent Scarlata , Reshma Lal , Alpa Narendra Trivedi , Eric Innis
IPC: H04L9/32 , H04L9/08 , G06F21/60 , G06F21/76 , G06F12/14 , G06F9/455 , G06F21/57 , G06F21/64 , H04L41/28 , G06F21/79 , H04L41/046 , H04L9/06 , G06F9/38 , G06F12/0802
Abstract: Technologies for secure authentication and programming of an accelerator device include a computing device having a processor and an accelerator. The processor establishes a trusted execution environment, which receives a unique device identifier from the accelerator, validates a device certificate for the device identifier, authenticates the accelerator in response to validating the device certificate, validates attestation information of the accelerator, and establishes a secure channel with the accelerator. The trusted execution environment may securely program a data key and a bitstream key to the accelerator, and may encrypt a bitstream image and securely program the bitstream image to the accelerator. The accelerator and a tenant may securely exchange data protected by the data key. The trusted execution environment may be a secure enclave, and the accelerator may be a field programmable gate array (FPGA). Other embodiments are described and claimed.
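The sequence in this abstract (certificate check, attestation check, key provisioning, encrypted bitstream) can be modelled end to end. The Go program below is an added illustration written for this page, not code from the patent or from Intel; it assumes a hypothetical minimal device certificate (the manufacturer signs device ID plus device public key with Ed25519), a hypothetical device ID `fpga-0001`, a SHA-256 firmware digest as the attested measurement, and a direct field write in place of the secure channel. The TEE-side check verifies the attestation signature before it compares the measurement, so a wrong measurement and a wrong device key are reported as different failures, and the bitstream key is only ever written to a device that has passed both checks.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// DeviceCert is a hypothetical minimal device certificate: manufacturer signs (DeviceID || DevicePub).
type DeviceCert struct {
	DeviceID  []byte
	DevicePub ed25519.PublicKey
	Sig       []byte
}

func certTBS(id []byte, pub ed25519.PublicKey) []byte {
	return append(append([]byte{}, id...), pub...)
}

// Accelerator simulates the device: identity key, current measurement, and the
// bitstream-key slot (held as a ready AEAD) that the TEE programs after authentication.
type Accelerator struct {
	Cert        DeviceCert
	priv        ed25519.PrivateKey
	Measurement [32]byte
	bitstream   cipher.AEAD
}

// Attest returns the measurement and a signature over (nonce || measurement).
func (a *Accelerator) Attest(nonce []byte) ([32]byte, []byte) {
	msg := append(append([]byte{}, nonce...), a.Measurement[:]...)
	return a.Measurement, ed25519.Sign(a.priv, msg)
}

// LoadBitstream decrypts an image under the programmed key; the device ID is the
// AEAD associated data, so an image sealed for another device is rejected.
func (a *Accelerator) LoadBitstream(nonce, ct []byte) ([]byte, error) {
	if a.bitstream == nil {
		return nil, errors.New("bitstream key not provisioned")
	}
	return a.bitstream.Open(nil, nonce, ct, a.Cert.DeviceID)
}

// AuthenticateAccelerator is the TEE side: validate the certificate, challenge with a
// fresh nonce, verify the attestation signature, then compare the measurement.
func AuthenticateAccelerator(mfrPub ed25519.PublicKey, acc *Accelerator, expected [32]byte) error {
	c := acc.Cert
	if !ed25519.Verify(mfrPub, certTBS(c.DeviceID, c.DevicePub), c.Sig) {
		return errors.New("device certificate does not verify under the manufacturer key")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	m, sig := acc.Attest(nonce)
	if !ed25519.Verify(c.DevicePub, append(append([]byte{}, nonce...), m[:]...), sig) {
		return errors.New("attestation signature invalid: wrong device key or replayed report")
	}
	if m != expected {
		return errors.New("accelerator measurement does not match the expected value")
	}
	return nil
}

// ProvisionAndProgram runs after authentication: generate a bitstream key, program it
// (a direct field write stands in for the secure channel) and release the image only as AES-GCM ciphertext.
func ProvisionAndProgram(acc *Accelerator, image []byte) (nonce, ct []byte, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, nil, err
	}
	acc.bitstream = gcm
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, image, acc.Cert.DeviceID), nil
}

// NewDemo builds a manufacturer key and one certified accelerator (constructed
// fixture; ed25519.GenerateKey with crypto/rand does not fail in practice).
func NewDemo(firmware []byte) (ed25519.PublicKey, *Accelerator) {
	mfrPub, mfrPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	id := []byte("fpga-0001") // hypothetical device identifier
	cert := DeviceCert{DeviceID: id, DevicePub: devPub, Sig: ed25519.Sign(mfrPriv, certTBS(id, devPub))}
	return mfrPub, &Accelerator{Cert: cert, priv: devPriv, Measurement: sha256.Sum256(firmware)}
}
```

Calling `NewDemo`, then `AuthenticateAccelerator`, then `ProvisionAndProgram` and `acc.LoadBitstream` reproduces the abstract's order; the device ID as associated data is the detail that stops a correctly encrypted image from being replayed onto a different, also-authenticated device.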
-
Publication No.: US09769129B2
Publication date: 2017-09-19
Application No.: US14922931
Filing date: 2015-10-26
Applicant: Intel Corporation
Inventor: Vinay Phegade , Anand Rajan , Simon Johnson , Vincent Scarlata , Carlos Rozas , Nikhil Deshpande
CPC classification number: H04L63/0428 , G06F21/57 , G06F21/60 , G06F21/64 , G06F2221/2105 , H04L63/126 , H04L63/302
Abstract: An apparatus for sharing information between entities includes a processor and a trusted execution module executing on the processor. The trusted execution module is configured to receive first confidential information from a first client device associated with a first entity, seal the first confidential information within a trusted execution environment, receive second confidential information from a second client device associated with a second entity, seal the second confidential information within the trusted execution environment, and execute code within the trusted execution environment. The code is configured to compute a confidential result based upon the first confidential information and the second confidential information.
-
Publication No.: US09698989B2
Publication date: 2017-07-04
Application No.: US13949213
Filing date: 2013-07-23
Applicant: Intel Corporation
Inventor: Vincent Scarlata , Carlos Rozas , Simon Johnson , Uday Savagaonkar , Ittai Anati , Francis McKeen , Michael Goldsmith
CPC classification number: H04L9/3213 , G06F21/12 , G06F21/53 , H04L9/3263
Abstract: Embodiments of an invention for feature licensing in a secure processing environment are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to initialize a secure enclave. The execution unit is to execute the instruction. Execution of the instruction includes determining whether a requested feature is licensed for use in the secure enclave.
-
Publication No.: US20240220274A1
Publication date: 2024-07-04
Application No.: US18608444
Filing date: 2024-03-18
Applicant: Intel Corporation
Inventor: Vedvyas Shanbhogue , Ravi L. Sahita , Vincent Scarlata , Barry E. Huntley
IPC: G06F9/4401 , G06F9/455 , G06F12/1009 , G06F21/78 , H04L9/30 , H04L9/32
CPC classification number: G06F9/4403 , G06F9/45558 , G06F12/1009 , G06F21/78 , H04L9/30 , H04L9/32 , G06F2009/45579 , G06F2009/45583 , G06F2009/45591 , G06F2009/45595
Abstract: A processor includes a range register to store information that identifies a reserved range of memory associated with a secure arbitration mode (SEAM) and a core coupled to the range register. The core includes security logic to unlock the range register on a logical processor, of the processor core, that is to initiate the SEAM. The logical processor is to, via execution of the security logic, store, in the reserved range, a SEAM module and a manifest associated with the SEAM module, wherein the SEAM module supports execution of one or more trust domains; initialize a SEAM virtual machine control structure (VMCS) within the reserved range of the memory that is to control state transitions between a virtual machine monitor (VMM) and the SEAM module; and authenticate the SEAM module using a manifest signature of the manifest.
-
Publication No.: US20230333824A1
Publication date: 2023-10-19
Application No.: US18307257
Filing date: 2023-04-26
Applicant: Intel Corporation
Inventor: Vincent Scarlata , Alpa Trivedi , Reshma Lal , Marcela S. Melara , Michael Steiner , Anjo Vahldiek-Oberwagner
IPC: G06F8/40
CPC classification number: G06F8/40
Abstract: Attestation of operations by tool chains is described. An example of a storage medium includes instructions for receiving source code for processing of a secure workload of a tenant; selecting at least a first compute node to provide computation for the workload; processing the source code by an attestable tool chain to generate machine code for the first compute node, including, in a first stage, performing one or more conversions of the source code by one or more convertors to generate converted code and generating an attestation associated with each code conversion, and, in a second stage, receiving machine code for the first compute node and generating an attestation associated with the first compute node; and providing each of the attestations from the first stage and the second stage for verification.
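What makes a per-conversion attestation useful is that the records link: each one names its input, its output and the previous record, so the verifier can walk from the tenant's source to the delivered machine code and reject a chain that has been reordered, truncated or signed by the wrong tool. The Go program below is an added illustration for this page, not the patent's or Intel's code; the `StepAttestation` record, the `Convertor` stage with its own Ed25519 attestation key, and the byte-transform "conversions" used in place of real compiler passes are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// StepAttestation is a hypothetical record each convertor emits: which tool ran,
// what it consumed, what it produced, and a link to the previous record so the
// chain cannot be reordered, spliced or truncated without detection.
type StepAttestation struct {
	Tool   string
	Input  [32]byte
	Output [32]byte
	Prev   [32]byte // digest of the previous attestation; zero for the first step
	Signer ed25519.PublicKey
	Sig    []byte
}

func (s StepAttestation) tbs() []byte {
	b := append([]byte(s.Tool), s.Input[:]...)
	b = append(b, s.Output[:]...)
	return append(b, s.Prev[:]...)
}

func (s StepAttestation) digest() [32]byte {
	return sha256.Sum256(append(s.tbs(), s.Sig...))
}

// Convertor is a simulated tool-chain stage with its own attestation key.
type Convertor struct {
	Name string
	Run  func([]byte) []byte
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewConvertor creates a stage (GenerateKey with crypto/rand does not fail in practice).
func NewConvertor(name string, run func([]byte) []byte) *Convertor {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Convertor{Name: name, Run: run, Pub: pub, priv: priv}
}

// Apply converts the input and emits a signed attestation chained to prev.
func (c *Convertor) Apply(in []byte, prev [32]byte) ([]byte, StepAttestation) {
	out := c.Run(in)
	a := StepAttestation{Tool: c.Name, Input: sha256.Sum256(in), Output: sha256.Sum256(out), Prev: prev, Signer: c.Pub}
	a.Sig = ed25519.Sign(c.priv, a.tbs())
	return out, a
}

// RunChain drives the source through every convertor in order and collects
// the per-step attestations (the conversion stage in the abstract).
func RunChain(src []byte, chain []*Convertor) ([]byte, []StepAttestation) {
	cur, prev := src, [32]byte{}
	atts := make([]StepAttestation, 0, len(chain))
	for _, c := range chain {
		var a StepAttestation
		cur, a = c.Apply(cur, prev)
		atts = append(atts, a)
		prev = a.digest()
	}
	return cur, atts
}

// VerifyChain is the tenant-side check: every step is signed by the key the
// tenant trusts for that tool, each input equals the previous output, the
// back-links match, the first input is the tenant's source and the last output
// is the machine code actually delivered.
func VerifyChain(src, machineCode []byte, atts []StepAttestation, trusted map[string]ed25519.PublicKey) error {
	if len(atts) == 0 {
		return errors.New("empty attestation chain")
	}
	want, prev := sha256.Sum256(src), [32]byte{}
	for i, a := range atts {
		key, ok := trusted[a.Tool]
		if !ok || !key.Equal(a.Signer) {
			return fmt.Errorf("step %d (%s): signer is not the trusted key for this tool", i, a.Tool)
		}
		if !ed25519.Verify(a.Signer, a.tbs(), a.Sig) {
			return fmt.Errorf("step %d (%s): bad signature", i, a.Tool)
		}
		if a.Input != want || a.Prev != prev {
			return fmt.Errorf("step %d (%s): chain broken (input or back-link mismatch)", i, a.Tool)
		}
		want, prev = a.Output, a.digest()
	}
	if want != sha256.Sum256(machineCode) {
		return errors.New("delivered machine code does not match the final attested output")
	}
	return nil
}
```

The verifier binds trust to a tool name rather than to whichever key happens to have signed, which is the check that matters when a compromised node substitutes its own "backend"; the final comparison against the delivered bytes closes the gap between "the chain is internally consistent" and "this is the code that ran."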
-
Publication No.: US11575672B2
Publication date: 2023-02-07
Application No.: US16723688
Filing date: 2019-12-20
Applicant: Intel Corporation
Inventor: Salessawi Ferede Yitbarek , Pradeep M. Pappachan , Vincent Scarlata , Reshma Lal
Abstract: Technologies for secure device configuration and management include a computing device having a first I/O device and a second I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent executes an attestation algorithm to generate a first secure attestation for the first I/O device and a second secure attestation for the second I/O device, obtains a peer-to-peer communication key, and forwards the peer-to-peer communication key to the first I/O device and the second I/O device to enable secure peer-to-peer communication between the first I/O device and the second I/O device over a communication link secured by the peer-to-peer communication key. Other embodiments are described and claimed.
-
Publication No.: US20210336994A1
Publication date: 2021-10-28
Application No.: US17133803
Filing date: 2020-12-24
Applicant: Intel Corporation
Inventor: Vincent Scarlata , Alpa Trivedi , Reshma Lal
Abstract: Attestation support in cloud computing environments is described. An example of an apparatus includes one or more processors to process data, including data related to hosting of workloads for one or more tenants; an orchestration element to receive a request for support of a workload of a tenant according to a selected membership policy, the orchestration element to select a set of one or more compute nodes to provide computation for the workload; and a security manager to receive the membership policy and to receive attestations from the selected compute nodes and, upon determining that the attestations meet the requirements of the membership policy, to add the one or more compute nodes to a group of compute nodes to provide computation for the workload.
-
Publication No.: US20190155636A1
Publication date: 2019-05-23
Application No.: US16234731
Filing date: 2018-12-28
Applicant: Intel Corporation
Inventor: Ned Smith , Bing Zhu , Vincent Scarlata , Kapil Sood , Francesc Guim Bernat
IPC: G06F9/455
Abstract: Technologies for hybrid virtualization and secure enclave include a computing device and an edge orchestrator. The edge orchestrator securely provisions a container-enclave policy to the computing device. A VMM of the computing device constructs a platform services enclave that includes the container-enclave policy. The platform services enclave requests a local attestation report from an application enclave, and the application enclave generates the attestation report using secure enclave support of a compute engine of the computing device. The attestation report is indicative of a virtualization context of the application enclave, and may include a VM flag, a VMM flag, and a source address of the application enclave. The platform services enclave enforces the container-enclave policy based on the virtualization context of the application enclave. The platform services enclave may control access to functions of the computing device based on the virtualization context. Other embodiments are described and claimed.
-
Publication No.: US20190132136A1
Publication date: 2019-05-02
Application No.: US16232143
Filing date: 2018-12-26
Applicant: Intel Corporation
Inventor: Vincent Scarlata , Reshma Lal , Alpa Narendra Trivedi , Eric Innis
Abstract: Technologies for secure authentication and programming of an accelerator device include a computing device having a processor and an accelerator. The processor establishes a trusted execution environment, which receives a unique device identifier from the accelerator, validates a device certificate for the device identifier, authenticates the accelerator in response to validating the device certificate, validates attestation information of the accelerator, and establishes a secure channel with the accelerator. The trusted execution environment may securely program a data key and a bitstream key to the accelerator, and may encrypt a bitstream image and securely program the bitstream image to the accelerator. The accelerator and a tenant may securely exchange data protected by the data key. The trusted execution environment may be a secure enclave, and the accelerator may be a field programmable gate array (FPGA). Other embodiments are described and claimed.
-
Publication No.: US20230409340A1
Publication date: 2023-12-21
Application No.: US18307650
Filing date: 2023-04-26
Applicant: Intel Corporation
Inventor: Vedvyas Shanbhogue , Ravi L. Sahita , Vincent Scarlata , Barry E. Huntley
IPC: G06F9/4401 , G06F9/455 , G06F12/1009 , H04L9/30 , H04L9/32 , G06F21/78
CPC classification number: G06F9/4403 , G06F9/45558 , G06F12/1009 , H04L9/30 , G06F2009/45579 , G06F21/78 , G06F2009/45583 , G06F2009/45591 , G06F2009/45595 , H04L9/32
Abstract: A processor includes a range register to store information that identifies a reserved range of memory associated with a secure arbitration mode (SEAM) and a core coupled to the range register. The core includes security logic to unlock the range register on a logical processor, of the processor core, that is to initiate the SEAM. The logical processor is to, via execution of the security logic, store, in the reserved range, a SEAM module and a manifest associated with the SEAM module, wherein the SEAM module supports execution of one or more trust domains; initialize a SEAM virtual machine control structure (VMCS) within the reserved range of the memory that is to control state transitions between a virtual machine monitor (VMM) and the SEAM module; and authenticate the SEAM module using a manifest signature of the manifest.
-