BINDING A TRUSTED INPUT SESSION TO A TRUSTED OUTPUT SESSION
    111.
    Type: Invention application
    Status: In force

Publication number: US20160380985A1

    Publication date: 2016-12-29

    Application number: US14752379

    Filing date: 2015-06-26

Abstract: According to an embodiment provided herein, there is provided a system that binds a trusted output session to a trusted input session. The system includes a processor to execute an enclave application in an architecturally protected memory. The system includes at least one logic unit forming a trusted entity to, responsive to a request to set up a trusted I/O session, generate a unique session identifier logically associated with the trusted I/O session and set a trusted I/O session indicator to a first state. The system includes at least one logic unit forming a cryptographic module to, responsive to the request to set up the trusted I/O session, receive an encrypted encryption key and the unique session identifier from the enclave application; verify the unique session identifier; and, responsive to a successful verification, decrypt and save the decrypted encryption key in an encryption key register.


Partitioning access to system resources
    112.
    Type: Invention grant
    Status: In force

Publication number: US09525555B2

    Publication date: 2016-12-20

    Application number: US14574969

    Filing date: 2014-12-18

    Abstract: In one embodiment, a processor has at least one core to execute instructions, a security engine coupled to the at least one core, a first storage to store a first immutable key associated with a vendor of the processor, and a second storage to store a second immutable key associated with an original equipment manufacturer (OEM) of the system. A first portion of firmware is to be verified based at least in part on the first immutable key and a second portion of firmware is to be verified based at least in part on the second immutable key, the first portion of firmware associated with the vendor and the second portion of firmware associated with the OEM. Other embodiments are described and claimed.


Copy equivalent protection using secure page flipping for software components within an execution environment
    114.
    Type: Invention grant
    Status: In force

Publication number: US08909898B2

    Publication date: 2014-12-09

    Application number: US13860912

    Filing date: 2013-04-11

    CPC classification number: G06F9/455 G06F12/145 G06F12/1491

    Abstract: Embodiments of copy equivalent protection using secure page flipping for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor (VMM), Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. In an embodiment, an embedded VM is allowed to directly manipulate page table mappings so that, even without running the VMM or obtaining VMXRoot privilege, the embedded VM can directly flip pages of memory into its direct/exclusive control and back. Other embodiments may be described and claimed.


    SYSTEM, METHOD AND APPARATUS FOR TOTAL STORAGE ENCRYPTION

Publication number: US20250117503A1

    Publication date: 2025-04-10

    Application number: US18930695

    Filing date: 2024-10-29

    Abstract: The disclosed embodiments are generally directed to inline encryption of data at line speed at a chip interposed between two memory components. The inline encryption may be implemented at a System-on-Chip (“SOC” or “SOC”). The memory components may comprise Non-Volatile Memory express (NVMe) and a dynamic random access memory (DRAM). An exemplary device includes an SOC to communicate with a Non-Volatile Memory NVMe circuitry to provide direct memory access (DMA) to an external memory component. The SOC may include: a cryptographic controller circuitry; a cryptographic memory circuitry in communication with the cryptographic controller, the cryptographic memory circuitry configured to store instructions to encrypt or decrypt data transmitted through the SOC; and an encryption engine in communication with the crypto controller circuitry, the encryption engine configured to encrypt or decrypt data according to instructions stored at the crypto memory circuitry. Other embodiments are also disclosed and claimed.

    Organic light emitting diode (OLED) compensation based on protected content

Publication number: US11734436B2

    Publication date: 2023-08-22

    Application number: US17357978

    Filing date: 2021-06-25

    CPC classification number: G06F21/62

    Abstract: Methods and apparatus relating to Organic Light Emitting Diode (OLED) compensation based on protected content are described. In an embodiment, secure memory stores data that is only accessible by trusted logic. Display controller logic circuitry updates pixel values to be stored in the secure memory based on a plurality of frames. The display controller logic circuitry allows access by untrusted software to the updated pixel values after a first number of updates to the pixel values stored in the secure memory. Other embodiments are also disclosed and claimed.

    APPARATUS AND METHOD FOR SECURE INSTRUCTION SET EXECUTION, EMULATION, MONITORING, AND PREVENTION

Publication number: US20220197678A1

    Publication date: 2022-06-23

    Application number: US17131289

    Filing date: 2020-12-22

    Abstract: Apparatus and method for secure instruction set execution, emulation, monitoring, and prevention. A processor embodiment includes registers, evaluator, and execution unit. The registers are to store rules which specify actions to be taken with respect to one or more instructions. The evaluator is to detect a request to execute a first instruction and to evaluate the first instruction based on the rules stored in the one or more registers. The evaluator is further to block execution of the first instruction when a first rule corresponding to the first instruction specifies that execution of the first instruction is prohibited, and to allow execution of the first instruction when there is no rule in the one or more registers specifying that the execution of the first instruction is prohibited. The execution unit is to execute the first instruction when the evaluator allows execution of the first instruction.
