公开(公告)号：US10713177B2

公开(公告)日：2020-07-14

申请号：US15260893

申请日：2016-09-09

Applicant: Intel Corporation

Inventor： Gilbert Neiger ,  Baiju V. Patel ,  Gur Hildesheim ,  Ron Rais ,  Andrew V. Anderson ,  Jason W. Brandt ,  David M. Durham ,  Barry E. Huntley ,  Raanan Sade ,  Ravi L. Sahita ,  Vedvyas Shanbhogue ,  Arumugam Thiyagarajah

IPC: G06F12/1009 ,  G06F12/14 ,  G06F9/455

Abstract: A processing system includes a processing core to execute a virtual machine (VM) comprising a guest operating system (OS) and a memory management unit, communicatively coupled to the processing core, comprising a storage device to store an extended page table entry (EPTE) comprising a mapping from a guest physical address (GPA) associated with the guest OS to an identifier of a memory frame, a first plurality of access right flags associated with accessing the memory frame in a first page mode referenced by an attribute of a memory page identified by the GPA, and a second plurality of access right flags associated with accessing the memory frame in a second page mode referenced by the attribute of the memory page identified by the GPA.

公开(公告)号：US20200169383A1

公开(公告)日：2020-05-28

申请号：US16776467

申请日：2020-01-29

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael LeMay ,  Michael E. Kounavis ,  Santosh Ghosh ,  Sergej Deutsch ,  Anant Vithal Nori ,  Jayesh Gaur ,  Sreenivas Subramoney ,  Karanvir S. Grewal

IPC: H04L9/06 ,  G06F12/1027 ,  G06F9/30

Abstract: A processor comprises a first register to store an encoded pointer to a memory location. First context information is stored in first bits of the encoded pointer and a slice of a linear address of the memory location is stored in second bits of the encoded pointer. The processor also includes circuitry to execute a memory access instruction to obtain a physical address of the memory location, access encrypted data at the memory location, derive a first tweak based at least in part on the encoded pointer, and generate a keystream based on the first tweak and a key. The circuitry is to further execute the memory access instruction to store state information associated with memory access instruction in a first buffer, and to decrypt the encrypted data based on the keystream. The keystream is to be generated at least partly in parallel with accessing the encrypted data.

公开(公告)号：US10599547B2

公开(公告)日：2020-03-24

申请号：US15827890

申请日：2017-11-30

Applicant: Intel Corporation

Inventor： Gilbert Neiger ,  Andrew V. Anderson ,  Richard A. Uhlig ,  David M. Durham ,  Ronak Singhal ,  Xiangbin Wu ,  Sailesh Kottapalli

IPC: G06F11/34 ,  G06F9/455 ,  G06F11/30 ,  G06F13/24

Abstract: Embodiments of an invention for monitoring the operation of a processor are disclosed. In one embodiment, a system includes a processor and a hardware agent external to the processor. The processor includes virtualization logic to provide for the processor to operate in a root mode and in a non-root mode. The hardware agent is to verify operation of the processor in the non-root mode based on tracing information to be collected by a software agent to be executed by the processor in the root mode.

公开(公告)号：US10585809B2

公开(公告)日：2020-03-10

申请号：US15089140

申请日：2016-04-01

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Michael E. Kounavis ,  Sergej Deutsch ,  Karanvir S. Grewal ,  Joseph F. Cihula ,  Saeedeh Komijani

IPC: G06F12/14 ,  G06F7/04 ,  G06F11/00 ,  G06F9/44 ,  G06F21/64 ,  G06F21/79

Abstract: Apparatus, systems, computer readable storage mediums and/or methods may provide memory integrity by using unused physical address bits (or other metadata passed through cache) to manipulate cryptographic memory integrity values, allowing software memory allocation routines to control the assignment of pointers (e.g., implement one or more access control policies). Unused address bits (e.g., because of insufficient external memory) passed through cache, may encode key domain information in the address so that different key domain addresses alias to the same physical memory location. Accordingly, by mixing virtual memory mappings and cache line granularity aliasing, any page in memory may contain a different set of aliases at the cache line level and be non-deterministic to an adversary.

公开(公告)号：US20200076924A1

公开(公告)日：2020-03-05

申请号：US16674363

申请日：2019-11-05

Applicant: Intel Corporation

Inventor： Michael Kounavis ,  David M. Durham ,  Karanvir Grewal ,  Wenjie Xiong ,  Sergej Deutsch

IPC: H04L29/06 ,  H04L29/12 ,  H03M7/30

Abstract: A method of data nibble-histogram compression can include determining a first amount of space freed by compressing the input data using a first compression technique, determining a second amount of space freed by compressing the input data using a second, different compression technique, compressing the input data using the compression technique of the first and second compression techniques determined to free up more space to create compressed input data, and inserting into the compressed input data, security data including one of a message authentication control (MAC) and an inventory control tag (ICT).

公开(公告)号：US10565130B2

公开(公告)日：2020-02-18

申请号：US15714323

申请日：2017-09-25

Applicant: Intel Corporation

Inventor： Siddhartha Chhabra ,  Reouven Elbaz ,  Krishnakumar Narasimhan ,  Prashant Dewan ,  David M. Durham

IPC: G06F12/14 ,  H04L9/32 ,  G06F21/72 ,  G06F21/79 ,  G06F21/85

Abstract: Technologies for secure memory usage include a computing device having a processor that includes a memory encryption engine and a memory device coupled to the processor. The processor supports multiple processor usages, such as secure enclaves, system management firmware, and a virtual machine monitor. The memory encryption engine is configured to protect a memory region stored in the memory device for a processor usage. The memory encryption engine restricts access to one or more configuration registers to a trusted code base of the processor usage. The processor executes the processor usage and the memory encryption engine protects contents of the memory region during execution. The memory encryption engine may access integrity metadata based on the address of the protected memory region. The memory encryption engine may prepare top-level counter metadata for entering a low-power state. Other embodiments are described and claimed.

公开(公告)号：US10536264B2

公开(公告)日：2020-01-14

申请号：US15392324

申请日：2016-12-28

Applicant: Intel Corporation

Inventor： Santosh Ghosh ,  Manoj R Sastry ,  Jesse R. Walker ,  Ravi L. Sahita ,  Abhishek Basak ,  Vedvyas Shanbhogue ,  David M. Durham

IPC: H04L9/06 ,  G06F21/72 ,  G06F21/44

Abstract: Embodiments include a computing processor control flow enforcement system including a processor, a block cipher encryption circuit, and an exclusive-OR (XOR) circuit. The control flow enforcement system uses a block cipher encryption to authenticate a return address when returning from a call or interrupt. The block cipher encryption circuit executes a block cipher encryption on a first number including an identifier to produce a first encrypted result and executes a block cipher encryption on a second number including a return address and a stack location pointer to produce a second encrypted result. The XOR circuit performs an XOR operation on the first encrypted result and the second encrypted result to produce a message authentication code tag.

公开(公告)号：US10402574B2

公开(公告)日：2019-09-03

申请号：US15396157

申请日：2016-12-30

Applicant: INTEL CORPORATION

Inventor： Siddhartha Chhabra ,  David M. Durham

IPC: G06F21/60 ,  G06F21/57 ,  H04L9/08 ,  H04L9/32 ,  G06F12/14

Abstract: Various embodiments are generally directed to techniques for multi-domain memory encryption, such as with a plurality of cryptographically isolated domains, for instance. Some embodiments are particularly directed to a multi-domain encryption system that provides one or more of memory encryption, integrity, and replay protection services to a plurality of cryptographic domains. In one embodiment, for example, an apparatus may comprise a memory and logic for an encryption engine, at least a portion of the logic implemented in circuitry coupled to the memory. In various embodiments, the logic may receive a memory operation request associated with a data line of a set of data lines stored in a protected memory separate from the memory.

公开(公告)号：US20190087354A1

公开(公告)日：2019-03-21

申请号：US16191961

申请日：2018-11-15

Applicant: Intel Corporation

Inventor： Siddhartha Chhabra ,  David M. Durham

IPC: G06F12/14 ,  G06F21/64 ,  G06F21/72 ,  H04L9/14 ,  H04L29/06

Abstract: In one embodiment, an apparatus includes a core to execute instructions, where in response to a first instruction, the core is to obtain an encrypted binary of a requester from a source location and store the encrypted binary to a destination location. The apparatus may further include a memory execution circuit coupled to the core that, in response to a request from the core and based on the first instruction, is to generate at least one integrity value for the binary and store the at least one integrity value in association with the binary.

公开(公告)号：US10235304B2

公开(公告)日：2019-03-19

申请号：US15283339

申请日：2016-10-01

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Serge J. Deutsch ,  Michael E. Kounavis ,  Alpa T. Narendra Trivedi

IPC: G06F21/00 ,  G06F12/14 ,  G06F12/0831 ,  G06F12/128

Abstract: Embodiments of apparatus, method, and storage medium associated with MCCG memory integrity for securing/protecting memory content/data of VM or enclave are described herein. In some embodiments, an apparatus may include one or more encryption engines to encrypt a unit of data to be stored in a memory in response to a write operation from a VM or an enclave of an application, prior to storing the unit of data into the memory in an encrypted form; wherein to encrypt the unit of data, the one or more encryption engines are to encrypt the unit of data using at least a key domain selector associated with the VM or enclave, and a tweak based on a color within a color group associated with the VM or enclave. Other embodiments may be described and/or claimed.