-
Publication No.: US20190042732A1
Publication Date: 2019-02-07
Application No.: US15856573
Filing Date: 2017-12-28
Applicant: Intel Corporation
Inventor: Soham Jayesh Desai , Pradeep Pappachan , Reshma Lal , Siddhartha Chhabra
CPC classification number: G06F21/53 , G06F13/382 , G06F21/51 , G06F21/572
Abstract: Technologies for USB controller state integrity protection are disclosed. A computing device reserves an isolated memory region in system memory and programs a base address register of a USB controller with the address of the isolated memory region. The computing device locks the base address register from further changes. The USB controller may store controller state data in a scratchpad buffer located within the isolated memory region. Software executed by a processor may read controller state data from the scratchpad buffer. Secure routing hardware of the computing device controls access to the isolated memory region. The secure routing hardware may allow read and write access by the USB controller and read-only access by software executed by the processor. After storing the controller state data, the computing device may power down the I/O controller. Other embodiments are described and claimed.
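The access policy this abstract describes (controller read/write, software read-only, base address register locked after programming), modelled as an added Python example. It is not code from the patent or from Intel; the class names, the region base address, the scratchpad offsets and the values written are this example's own assumptions, and the "power down" step is represented only by the controller stopping its writes.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class Agent(Enum):
    USB_CONTROLLER = "usb_controller"
    CPU_SOFTWARE = "cpu_software"


class Op(Enum):
    READ = "read"
    WRITE = "write"


class AccessDenied(Exception):
    """Raised when the secure routing hardware or the BAR lock refuses an operation."""


@dataclass
class UsbController:
    """Holds the scratchpad base address register (BAR) and its lock bit (assumed model)."""
    scratchpad_bar: Optional[int] = None
    bar_locked: bool = False

    def program_bar(self, base: int) -> None:
        # Once lock_bar() has been called, further changes to the BAR are refused.
        if self.bar_locked:
            raise AccessDenied("scratchpad BAR is locked")
        self.scratchpad_bar = base

    def lock_bar(self) -> None:
        self.bar_locked = True


@dataclass
class SecureRouter:
    """Models the secure routing hardware in front of system memory (assumed model)."""
    region_base: int
    region_size: int
    memory: Dict[int, int] = field(default_factory=dict)

    def in_isolated_region(self, addr: int) -> bool:
        return self.region_base <= addr < self.region_base + self.region_size

    def access(self, agent: Agent, op: Op, addr: int, value: Optional[int] = None) -> Optional[int]:
        if self.in_isolated_region(addr):
            # Inside the isolated region: controller may read and write,
            # processor software may only read, nothing else is admitted.
            allowed = agent is Agent.USB_CONTROLLER or (agent is Agent.CPU_SOFTWARE and op is Op.READ)
            if not allowed:
                raise AccessDenied(f"{agent.value} {op.value} at {addr:#x} blocked")
        if op is Op.WRITE:
            self.memory[addr] = value
            return None
        return self.memory.get(addr, 0)


def run_scenario() -> Dict[str, object]:
    """Walk through save, power-down, read-back and the two attacks the lock/policy stop."""
    router = SecureRouter(region_base=0xF000_0000, region_size=0x1000)  # assumed 4 KiB region
    usb = UsbController()
    usb.program_bar(router.region_base)
    usb.lock_bar()
    scratch = usb.scratchpad_bar
    results: Dict[str, object] = {}

    # 1. The controller saves its state into the scratchpad before power-down.
    router.access(Agent.USB_CONTROLLER, Op.WRITE, scratch + 0x10, 0xABCD)
    # 2. Software reads the saved state back (read-only access is permitted).
    results["sw_read"] = router.access(Agent.CPU_SOFTWARE, Op.READ, scratch + 0x10)
    # 3. Software cannot overwrite the saved state.
    try:
        router.access(Agent.CPU_SOFTWARE, Op.WRITE, scratch + 0x10, 0x0000)
        results["sw_write_blocked"] = False
    except AccessDenied:
        results["sw_write_blocked"] = True
    # 4. Software cannot point the scratchpad at attacker-controlled memory.
    try:
        usb.program_bar(0x1000_0000)
        results["bar_change_blocked"] = False
    except AccessDenied:
        results["bar_change_blocked"] = True
    # 5. The state the controller will restore is unchanged.
    results["state_intact"] = router.access(Agent.USB_CONTROLLER, Op.READ, scratch + 0x10) == 0xABCD
    # 6. Ordinary memory outside the region is unaffected by the policy.
    router.access(Agent.CPU_SOFTWARE, Op.WRITE, 0x2000, 7)
    results["outside_ok"] = router.access(Agent.CPU_SOFTWARE, Op.READ, 0x2000) == 7
    return results
```

The two checks that matter are 3 and 4: without the lock, software could move the BAR so that the controller restores state from memory it controls; without the routing policy, software could edit the saved state in place. The read-only path (step 2) is what lets system software inspect the state without being able to forge it.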
-
Publication No.: US20190042477A1
Publication Date: 2019-02-07
Application No.: US16023661
Filing Date: 2018-06-29
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , Prashant Dewan , Abhishek Basak , David M. Durham
IPC: G06F12/14 , G06F12/0831 , G06F13/28 , G06F21/78 , G06F21/60
Abstract: The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modern data central processor units (CPUs).
-
Publication No.: US20190042476A1
Publication Date: 2019-02-07
Application No.: US16023576
Filing Date: 2018-06-29
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , Rajat Agarwal , Baiju Patel , Kirk Yap
Abstract: Techniques are described for providing low-overhead cryptographic memory isolation to mitigate attack vulnerabilities in a multi-user virtualized computing environment. Memory read and memory write operations for target data, each operation initiated via an instruction associated with a particular virtual machine (VM), include the generation and/or validation of a message authentication code that is based at least on a VM-specific cryptographic key and a physical memory address of the target data. Such operations may further include transmitting the generated message authentication code via a plurality of ancillary bits incorporated within a data line that includes the target data. In the event of a validation failure, one or more error codes may be generated and provided to distinct trust domain architecture entities based on an operating mode of the associated virtual machine.
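An added Python example of the check this abstract describes: a per-line message authentication code keyed by a VM-specific key and bound to the physical address, validated on read, with the error routed according to the VM's operating mode. It is not the patent's or Intel's code. The tag width (28 ancillary bits), the use of HMAC-SHA256 as the MAC, the mode names "trust_domain" and "legacy", the error codes and the attacker primitives are all this example's assumptions; the line data is included in the MAC input because that is what an integrity check over the line requires.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

LINE_BYTES = 64
TAG_BITS = 28  # assumed width of the ancillary bits carried with each data line


def line_mac(vm_key: bytes, phys_addr: int, data: bytes) -> int:
    """MAC over (physical address, data line) under the VM's key, truncated to TAG_BITS."""
    if len(data) != LINE_BYTES:
        raise ValueError("data must be exactly one line")
    msg = phys_addr.to_bytes(8, "little") + data
    digest = hmac.new(vm_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "little") & ((1 << TAG_BITS) - 1)


class MacMismatch(Exception):
    def __init__(self, reported_to: str, code: str):
        super().__init__(f"{code} reported to {reported_to}")
        self.reported_to = reported_to
        self.code = code


@dataclass
class Vm:
    vm_id: int
    mode: str   # "trust_domain" or "legacy" (assumed names for the operating modes)
    key: bytes  # VM-specific key


class IsolatedMemory:
    """Physical memory whose lines carry an address-bound, VM-keyed MAC (assumed model)."""

    def __init__(self) -> None:
        self.lines: Dict[int, Tuple[bytes, int]] = {}

    def write(self, vm: Vm, phys_addr: int, data: bytes) -> None:
        self.lines[phys_addr] = (data, line_mac(vm.key, phys_addr, data))

    def read(self, vm: Vm, phys_addr: int) -> bytes:
        data, stored_tag = self.lines[phys_addr]
        expected = line_mac(vm.key, phys_addr, data)
        if not hmac.compare_digest(expected.to_bytes(4, "little"), stored_tag.to_bytes(4, "little")):
            # Which entity receives the error depends on the VM's mode (assumed mapping).
            if vm.mode == "trust_domain":
                raise MacMismatch("trust_domain", "TD_INTEGRITY_FAILURE")
            raise MacMismatch("vmm", "VM_INTEGRITY_FAILURE")
        return data

    # Attacker primitives: raw access to memory contents, e.g. a DMA device or a malicious VMM.
    def raw_copy(self, src: int, dst: int) -> None:
        self.lines[dst] = self.lines[src]

    def raw_flip_bit(self, phys_addr: int, bit: int) -> None:
        data, tag = self.lines[phys_addr]
        b = bytearray(data)
        b[bit // 8] ^= 1 << (bit % 8)
        self.lines[phys_addr] = (bytes(b), tag)


def demo() -> Dict[str, str]:
    """Honest read succeeds; cross-VM read, relocation and bit flip are each caught."""
    mem = IsolatedMemory()
    vm_a = Vm(1, "trust_domain", secrets.token_bytes(16))
    vm_b = Vm(2, "legacy", secrets.token_bytes(16))
    secret = b"VM-A secret line".ljust(LINE_BYTES, b"\0")  # constructed sample data
    mem.write(vm_a, 0x1000, secret)
    out: Dict[str, str] = {}
    out["honest_read"] = "ok" if mem.read(vm_a, 0x1000) == secret else "bad"

    def attempt(vm: Vm, addr: int) -> str:
        try:
            mem.read(vm, addr)
            return "accepted"
        except MacMismatch as e:
            return f"{e.code}->{e.reported_to}"

    out["cross_vm"] = attempt(vm_b, 0x1000)     # VM B's key does not verify VM A's line
    mem.raw_copy(0x1000, 0x2000)                # move line and tag to another address
    out["relocation"] = attempt(vm_a, 0x2000)   # address is part of the MAC input
    mem.raw_flip_bit(0x1000, 5)                 # corrupt in place, tag unchanged
    out["bit_flip"] = attempt(vm_a, 0x1000)
    return out
```

Binding the physical address into the MAC is what defeats the relocation case: a line copied to another address carries a tag that is only valid at the original one. With a 28-bit tag a single forged line verifies with probability 2^-28, which is the trade-off of squeezing the tag into ancillary bits rather than a separate metadata line; a hardware design would limit the attacker's number of attempts accordingly.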
-
Publication No.: US20190042431A1
Publication Date: 2019-02-07
Application No.: US15825730
Filing Date: 2017-11-29
Applicant: Intel Corporation
Inventor: Gideon Gerzon , Pradeep Pappachan , Reshma Lal , Siddhartha Chhabra , Bin Xing
IPC: G06F12/0831 , H04L9/32 , G06F13/28 , H04L29/06 , G06F12/1081
CPC classification number: G06F12/0835 , G06F12/1081 , G06F13/28 , G06T7/00 , H04L9/3242 , H04L63/126
Abstract: Technologies for secure I/O with MIPI camera devices include a computing device having a camera controller coupled to a camera and a channel identifier filter. The channel identifier filter detects DMA transactions issued by the camera controller and related to the camera. The channel identifier filter determines whether a DMA transaction includes a secure channel identifier or a non-secure channel identifier. If the DMA transaction includes the non-secure channel identifier, the channel identifier filter allows the DMA transaction. If the DMA transaction includes the secure channel identifier, the channel identifier filter determines whether the DMA transaction is targeted to a memory address in a protected memory range associated with the secure channel identifier. If so, the channel identifier filter allows the DMA transaction. If not, the channel identifier filter blocks the DMA transaction. Other embodiments are described and claimed.
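The channel identifier filter's decision rule, as an added Python example rather than code from the patent or Intel. The abstract gives the rule in terms of a target address; this example adds a transfer length so that a transfer straddling the boundary of the protected range can be shown blocked. The identifier values, the range base and size, and the "length" field are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class DmaTransaction:
    channel_id: int
    target_addr: int
    length: int  # bytes; assumed field, the abstract speaks only of a target address


class ChannelIdFilter:
    """Passes non-secure-channel DMA; confines secure-channel DMA to its protected range."""

    def __init__(self, protected_ranges: Dict[int, Tuple[int, int]]) -> None:
        # secure channel identifier -> (range base, range size)
        self.protected_ranges = dict(protected_ranges)

    def is_secure_channel(self, channel_id: int) -> bool:
        return channel_id in self.protected_ranges

    def allows(self, txn: DmaTransaction) -> bool:
        if txn.length <= 0:
            return False  # malformed transaction
        if not self.is_secure_channel(txn.channel_id):
            return True   # non-secure channel identifier: allowed regardless of destination
        base, size = self.protected_ranges[txn.channel_id]
        start, end = txn.target_addr, txn.target_addr + txn.length  # end is exclusive
        # Every byte of the transfer must land inside the range; partial overlap is blocked.
        return base <= start and end <= base + size


def run_filter_demo() -> Dict[str, bool]:
    """Exercise the rule on constructed transactions, including the boundary cases."""
    SECURE_CID, NONSECURE_CID = 0x1, 0x0            # assumed identifier values
    base, size = 0x8000_0000, 0x0010_0000            # assumed 1 MiB protected range
    f = ChannelIdFilter({SECURE_CID: (base, size)})
    page = 4096
    return {
        "nonsecure_anywhere": f.allows(DmaTransaction(NONSECURE_CID, 0x1234_0000, page)),
        "secure_inside": f.allows(DmaTransaction(SECURE_CID, base + page, page)),
        "secure_last_page": f.allows(DmaTransaction(SECURE_CID, base + size - page, page)),
        "secure_outside": f.allows(DmaTransaction(SECURE_CID, 0x1234_0000, page)),
        "secure_straddles_end": f.allows(DmaTransaction(SECURE_CID, base + size - page // 2, page)),
        "secure_straddles_start": f.allows(DmaTransaction(SECURE_CID, base - page // 2, page)),
        "unregistered_cid": f.allows(DmaTransaction(0x2, base + page, page)),
    }
```

Two points worth noting from the rule as the abstract states it. Any identifier the filter does not know as secure is treated as non-secure and passed, so the set of secure identifiers must be configured before the controller can issue secure-channel traffic. And a non-secure-channel transaction aimed at the protected range is also passed by this filter; what stops such a write from reaching the protected data is not described in the abstract and lies outside the filter.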
-
Publication No.: US20180373647A1
Publication Date: 2018-12-27
Application No.: US15633259
Filing Date: 2017-06-26
Applicant: Intel Corporation
Inventor: Prashant Dewan , Uttam K. Sengupta , Siddhartha Chhabra
IPC: G06F12/14 , G06F12/1027 , G06F12/1009
Abstract: Technologies for protecting virtual machine memory of a compute device include a virtual machine (VM) instantiated on the compute device, a virtual machine monitor (VMM) established on the compute device to control operation of the VM, a secured memory, and a memory manager. The memory manager receives a memory access request that includes a virtual linear address (LA) from the VM and performs a translation of the LA to a translated host physical address (HPA) of the compute device using one or more page tables associated with the VM and VMM. The memory manager determines whether a secured translation mapping of LA-to-HPA that corresponds to the LA is locked. If the mapping is locked, the memory manager verifies the translation based on a comparison of the translated HPA to a HPA translated using the secured translation mapping and, if verified, performs the memory access request using the translated HPA.
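The locked-translation check in this abstract, as an added Python example (not code from the patent or from Intel). Translation is modelled as two page-granular tables, LA to guest-physical (the VM's) and guest-physical to host-physical (the VMM's); the page numbers, the page size and the table layout are this example's assumptions.

```python
from typing import Dict, Optional

PAGE_SHIFT = 12
PAGE_MASK = (1 << PAGE_SHIFT) - 1


class TranslationViolation(Exception):
    """The live LA->HPA translation disagrees with the locked, secured mapping."""


class MemoryManager:
    """Two-level translation with locked LA->HPA mappings verified on every access (assumed model)."""

    def __init__(self, vm_tables: Dict[int, int], vmm_tables: Dict[int, int]) -> None:
        self.vm_tables = vm_tables      # LA page number -> guest-physical page number
        self.vmm_tables = vmm_tables    # guest-physical page number -> host-physical page number
        self.secured: Dict[int, int] = {}   # locked: LA page number -> HPA page number
        self.physical: Dict[int, int] = {}  # host-physical address -> stored value

    def translate(self, la: int) -> int:
        gpn = self.vm_tables[la >> PAGE_SHIFT]
        hpn = self.vmm_tables[gpn]
        return (hpn << PAGE_SHIFT) | (la & PAGE_MASK)

    def lock(self, la: int) -> None:
        """Record the current translation of this page as its secured mapping."""
        self.secured[la >> PAGE_SHIFT] = self.translate(la) >> PAGE_SHIFT

    def access(self, la: int, write_value: Optional[int] = None) -> Optional[int]:
        hpa = self.translate(la)
        lpn = la >> PAGE_SHIFT
        if lpn in self.secured and self.secured[lpn] != hpa >> PAGE_SHIFT:
            raise TranslationViolation(
                f"LA {la:#x} now maps to HPA page {hpa >> PAGE_SHIFT:#x}, locked {self.secured[lpn]:#x}")
        if write_value is None:
            return self.physical.get(hpa, 0)
        self.physical[hpa] = write_value
        return None


def demo() -> Dict[str, object]:
    """Lock one page, then try the remaps a compromised VMM or guest kernel might perform."""
    mm = MemoryManager(
        vm_tables={0x10: 0x20, 0x11: 0x21},                       # constructed guest tables
        vmm_tables={0x20: 0x300, 0x21: 0x301, 0x22: 0x999},       # constructed host tables
    )
    secret_la = (0x10 << PAGE_SHIFT) + 0x40
    mm.access(secret_la, 0x1234)
    mm.lock(secret_la)
    out: Dict[str, object] = {}
    out["before_remap"] = mm.access(secret_la)

    # A compromised VMM silently points the guest's frame at a different host frame.
    mm.vmm_tables[0x20] = 0x999
    out["vmm_remap_detected"] = _violates(mm, secret_la)
    mm.vmm_tables[0x20] = 0x300

    # The guest's own page table is redirected (e.g. by a kernel-level attacker in the VM).
    mm.vm_tables[0x10] = 0x21
    out["guest_remap_detected"] = _violates(mm, secret_la)
    mm.vm_tables[0x10] = 0x20

    # A page that was never locked is not checked, so a remap of it goes unnoticed.
    mm.vmm_tables[0x21] = 0x999
    mm.access(0x11 << PAGE_SHIFT, 5)
    out["unlocked_page_unchecked"] = mm.access(0x11 << PAGE_SHIFT) == 5

    out["after_restore"] = mm.access(secret_la)
    return out


def _violates(mm: MemoryManager, la: int) -> bool:
    try:
        mm.access(la)
        return False
    except TranslationViolation:
        return True
```

The check is only as good as the lock coverage: the secured mapping is consulted per LA page, so pages the VM never locks (the last case above) can still be remapped underneath it. Locking must therefore be done for every page whose contents the VM relies on, not only the one holding the secret.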
-
Publication No.: US10073977B2
Publication Date: 2018-09-11
Application No.: US14974874
Filing Date: 2015-12-18
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan , Reshma Lal , Bin Xing , Steven B. McGowan , Siddhartha Chhabra , Reouven Elbaz
CPC classification number: G06F21/602 , G06F13/28 , G06F16/2365 , G06F21/606 , G06F21/64 , G06F2221/031
Abstract: Technologies for authenticity assurance for I/O data include a computing device with a cryptographic engine and one or more I/O controllers. A metadata producer of the computing device performs an authenticated encryption operation on I/O data to generate encrypted I/O data and an authentication tag. The metadata producer stores the encrypted I/O data in a DMA buffer and the authentication tag in an authentication tag queue. A metadata consumer decrypts the encrypted I/O data from the DMA buffer and determines whether the encrypted I/O data is authentic using the authentication tag from the authentication tag queue. For input, the metadata producer may be embodied as the cryptographic engine and the metadata consumer may be embodied as a trusted software component. For output, the metadata producer may be embodied as the trusted software component and the metadata consumer may be embodied as the cryptographic engine. Other embodiments are described and claimed.
-
Publication No.: US09904805B2
Publication Date: 2018-02-27
Application No.: US14863353
Filing Date: 2015-09-23
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , Francis X. Mckeen , Carlos V. Rozas , Saeedeh Komijani , Tamara S. Lehman
CPC classification number: G06F21/72 , G06F12/1408 , G06F21/64 , G06F21/78 , H04L9/002 , H04L9/0637 , H04L9/3242 , H04L2209/12
Abstract: Memory security technologies are described. An example processing system includes a processor core and a memory controller coupled to the processor core and a memory. The processor core can receive a content read instruction from an application. The processor core can identify a cache line (CL) from a plurality of CLs of a cryptographic cache block (CCB) requested in the content read instruction. The processor core can load, from a cryptographic tree, tree nodes with security metadata, including a first message authentication code (MAC) for the CCB. The processor core can retrieve, from the memory, the CCB. The processor core can generate a second MAC from the CCB. The processor core can compare the first MAC with the second MAC. The processor core can decrypt the CCB using the security metadata when the first MAC matches the second MAC. The processor core can send at least the identified CL from the decrypted CCB to the application.
-
Publication No.: US09799093B2
Publication Date: 2017-10-24
Application No.: US14864183
Filing Date: 2015-09-24
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , Uday R. Savagaonkar , Prashant Dewan , Michael A. Goldsmith , David M. Durham
IPC: G06T1/00 , G06T1/60 , G06F3/147 , G06F21/84 , H04N21/426 , H04N21/431 , H04N21/4367 , H04N21/44 , H04N21/4408 , G06T1/20
CPC classification number: G06T1/60 , G06F3/147 , G06F21/84 , G06T1/20 , G09G2358/00 , H04N21/42653 , H04N21/4318 , H04N21/4367 , H04N21/44004 , H04N21/4408
Abstract: A protected graphics module can send its output to a display engine securely. Secure communications with the display can provide a level of confidentiality of content generated by protected graphics modules against software and hardware attacks.
-
Publication No.: US20170185809A1
Publication Date: 2017-06-29
Application No.: US15457004
Filing Date: 2017-03-13
Applicant: INTEL CORPORATION
Inventor: Eugene M. Kishinevsky , Uday R. Savagaonkar , Alpa T. Narendra Trivedi , Siddhartha Chhabra , Baiju V. Patel , Men Long , Kirk S. Yap , David M. Durham
CPC classification number: H04L9/0631 , G06F12/1408 , G06F12/1425 , G06F21/602 , G06F21/85 , G06F2212/1052 , G06F2212/402 , G09C1/00 , H04L2209/125 , Y02D10/13
Abstract: Encryption interface technologies are described. A processor can include a system agent, an encryption interface, and a memory controller. The system agent can communicate data with a hardware functional block. The encryption interface can be coupled between the system agent and a memory controller. The encryption interface can receive a plaintext request from the system agent, encrypt the plaintext request to obtain an encrypted request, and communicate the encrypted request to the memory controller. The memory controller can communicate the encrypted request to a main memory of the computing device.
-
Publication No.: US20170185804A1
Publication Date: 2017-06-29
Application No.: US14757387
Filing Date: 2015-12-23
Applicant: Intel Corporation
Inventor: Reouven Elbaz , Siddhartha Chhabra , Steven B. McGowan
CPC classification number: G06F21/72 , G06F13/287 , G06F21/82 , H04L9/06 , H04L9/0877 , H04L9/088
Abstract: Various configurations and methods for securing and validating trusted input output (IO) data communications within fabric interconnects of processing circuitry are disclosed herein. As an example, a technique for secure routing of trusted software transactions includes operations of a crypto engine and an IO hub to validate trusted transactions such as DMA read and write transactions received from a trusted IO controller, and configuring the fabrics of the circuitry to prevent re-routing or tampering of data from the trusted transactions. In an example, hardware-based identification and verification of the trusted transactions may be performed with use of content addressable memory at the crypto engine and the respective unsecure fabrics, to identify and enforce the trusted transactions that cannot be re-routed. As a result, rogue agents or entities connected to the unsecure fabrics cannot interfere with or intercept data for trusted transactions.