-
Publication number: US11775332B2
Publication date: 2023-10-03
Application number: US17532886
Filing date: 2021-11-22
Applicant: Intel Corporation
Inventor: David M. Durham , Siddhartha Chhabra , Michael E. Kounavis
IPC: G06F12/14 , G06F21/64 , G06F21/79 , G06F9/455 , H04L9/40 , H04L69/04 , G06F12/0891 , G06F21/53 , G06F12/16 , G06F21/80
CPC classification number: G06F9/45558 , G06F12/0891 , G06F12/1408 , G06F21/53 , G06F21/79 , H04L63/0227 , H04L63/0428 , H04L63/0435 , H04L63/0471 , H04L69/04 , H04L63/123
Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.
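The write and read paths the abstract describes, modelled in Python as an added example (this is not Intel's code or the patent's claimed implementation). Assumptions not stated in the abstract: a 64-byte line, a 52-bit physical address whose top 4 bits are the key ID, a SHA-256 counter-mode keystream standing in for the hardware block cipher, one clear-text compression-metadata byte followed by a one-byte key tag as the encryption metadata, and a one-bit sideband flag recording whether a line was stored compressed.

```python
import hashlib
import zlib

LINE_SIZE = 64            # bytes per data line (assumption)
PA_BITS = 52              # physical address width (assumption)
KEYID_BITS = 4            # top KEYID_BITS of the address carry the key ID (assumption)
KEYID_SHIFT = PA_BITS - KEYID_BITS
KEYID_MASK = (1 << KEYID_BITS) - 1
COMPRESSED = 0x80         # compression metadata: bit 7 set, bits 0-5 = compressed length
LEN_MASK = 0x3F


def split_pa(pa):
    """Split a physical address into (key ID, address bits handed to the memory device)."""
    return (pa >> KEYID_SHIFT) & KEYID_MASK, pa & ((1 << KEYID_SHIFT) - 1)


def key_tag(key):
    """Encryption metadata: one byte derived from the key, so a read under another key is detectable."""
    return hashlib.sha256(b"key-tag:" + key).digest()[0]


def keystream(key, addr, n):
    """Address-tweaked keystream from SHA-256 in counter mode. Stand-in for the hardware
    block cipher; illustrative only, not a recommendation for real memory encryption."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + addr.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def try_compress(line):
    """Return the compressed payload if it leaves room for the two metadata bytes, else None."""
    payload = zlib.compress(line, 9)
    return payload if len(payload) <= LINE_SIZE - 2 else None


class EncryptedMemory:
    """Memory device plus the encryption engine in front of it."""

    def __init__(self, key_table):
        self.key_table = key_table   # key ID -> key bytes
        # addr -> (compressed?, 64 stored bytes). The compressed flag is modelled as one
        # sideband bit per line (assumption; the abstract does not say where it lives).
        self.lines = {}

    def write(self, pa, line):
        """Write path from the abstract. Returns True if the line was stored compressed."""
        assert len(line) == LINE_SIZE
        key_id, addr = split_pa(pa)
        key = self.key_table[key_id]                  # select the key by key ID
        payload = try_compress(line)                  # is the line compressible?
        if payload is None:
            # No room for metadata: encrypt the whole line as-is.
            self.lines[addr] = (False, xor(line, keystream(key, addr, LINE_SIZE)))
            return False
        meta = bytes([COMPRESSED | len(payload), key_tag(key)])   # compression + encryption metadata
        clear = meta + payload
        clear += b"\x00" * (LINE_SIZE - len(clear))
        # Encrypt the part after the compression-metadata byte (encryption metadata + data).
        enc = clear[:1] + xor(clear[1:], keystream(key, addr, LINE_SIZE - 1))
        self.lines[addr] = (True, enc)
        return True

    def read(self, pa):
        """Read path: decrypt with the key the address names; reject if the key tag does not match."""
        key_id, addr = split_pa(pa)
        key = self.key_table[key_id]
        compressed, stored = self.lines[addr]
        if not compressed:
            return xor(stored, keystream(key, addr, LINE_SIZE))
        clear = stored[:1] + xor(stored[1:], keystream(key, addr, LINE_SIZE - 1))
        if clear[1] != key_tag(key):
            raise PermissionError("key ID %d is not the key this line was written with" % key_id)
        n = clear[0] & LEN_MASK
        return zlib.decompress(clear[2:2 + n])


def sample_incompressible_line():
    """Constructed 64-byte line with no redundancy (two SHA-256 digests)."""
    return hashlib.sha256(b"a").digest() + hashlib.sha256(b"b").digest()
```

The point worth noticing is what the encryption metadata buys: a compressed line read back under a different key ID fails the key-tag check and is rejected outright, whereas an incompressible line has no spare bytes and can only decrypt to garbage. A real design would use a proper block cipher and a wider tag; the structure of the decision is what the example shows.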
-
Publication number: US11765239B2
Publication date: 2023-09-19
Application number: US17591116
Filing date: 2022-02-02
Applicant: Intel Corporation
Inventor: Prashant Dewan , Siddhartha Chhabra , Uttam K. Sengupta , Howard C. Herbert
IPC: G06F13/40 , G06F12/14 , H04L67/142 , H04L9/40
CPC classification number: H04L67/142 , H04L63/0435 , H04L63/105 , H04L63/1466 , H04L63/20
Abstract: Technologies disclosed herein provide a method for receiving, at a device and from a remote server, a request for state information from a first processor of the device, obtaining the state information from one or more registers of the first processor based on a request structure indicated by a first instruction of a software program executing on the device, and generating a response structure based, at least in part, on the obtained state information. The method further includes using a cryptographic algorithm and a shared key established between the device and the remote server to generate a signature based, at least in part, on the response structure, and communicating the response structure and the signature to the remote server. In more specific embodiments, the response structure and the request structure each include the same nonce value.
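Both sides of the exchange in the abstract, as an added example in Python (not Intel's code; the register names and values are constructed, HMAC-SHA256 is assumed as the cryptographic algorithm, and JSON with sorted keys is assumed as the wire encoding of the request and response structures).

```python
import hashlib
import hmac
import json
import os


def canonical(obj):
    """Deterministic encoding so both sides sign and verify the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def device_respond(shared_key, request, registers):
    """Device side: read the requested registers, echo the request nonce, sign the response.
    `registers` stands in for the processor's register file (constructed for the example)."""
    response = {"nonce": request["nonce"],
                "state": {name: registers[name] for name in request["registers"]}}
    body = canonical(response)
    signature = hmac.new(shared_key, body, hashlib.sha256).digest()
    return body, signature


class RemoteServer:
    """Server side: issues nonce-bearing requests and checks signature and nonce on the reply."""

    def __init__(self, shared_key):
        self.key = shared_key
        self.outstanding = set()   # nonces issued and not yet answered

    def new_request(self, register_names):
        nonce = os.urandom(16).hex()
        self.outstanding.add(nonce)
        return {"nonce": nonce, "registers": list(register_names)}

    def verify(self, body, signature):
        """Return the reported state, or None if the signature or the nonce check fails."""
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None                      # tampered, or signed with another key
        response = json.loads(body)
        nonce = response.get("nonce")
        if nonce not in self.outstanding:
            return None                      # replayed, unsolicited, or already consumed
        self.outstanding.discard(nonce)      # each nonce accepts exactly one response
        return response["state"]
```

The signature is checked before the nonce is consumed, so a forged or tampered message cannot burn a legitimate outstanding nonce; the nonce is removed on first acceptance, so a captured response cannot be replayed later.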
-
Publication number: US11687654B2
Publication date: 2023-06-27
Application number: US15705562
Filing date: 2017-09-15
Applicant: Intel Corporation
Inventor: Ravi L. Sahita , Baiju V. Patel , Barry E. Huntley , Gilbert Neiger , Hormuzd M. Khosravi , Ido Ouziel , David M. Durham , Ioannis T. Schoinas , Siddhartha Chhabra , Carlos V. Rozas , Gideon Gerzon
IPC: G06F21/57 , G06F21/62 , G06F12/14 , H04L9/06 , H04L9/40 , G06F21/53 , G06F21/71 , G06F21/79 , G06F9/455
CPC classification number: G06F21/57 , G06F12/1408 , G06F21/53 , G06F21/6218 , G06F21/71 , G06F21/79 , H04L9/0618 , H04L63/061 , G06F9/45558 , G06F2009/45587 , G06F2212/1052 , G06F2221/2107 , G06F2221/2149
Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.
-
Publication number: US11641272B2
Publication date: 2023-05-02
Application number: US16948460
Filing date: 2020-09-18
Applicant: Intel Corporation
Inventor: David M. Durham , Siddhartha Chhabra
IPC: H04L9/08 , G06F9/455 , G06F12/0882
Abstract: An apparatus including a processor comprising at least one core to execute instructions of a plurality of virtual machines and a virtual machine monitor; and a cryptographic engine comprising circuitry to protect data associated with the plurality of virtual machines through use of a plurality of private keys and an accessor key, wherein each of the plurality of private keys is to protect a respective virtual machine and the accessor key is to protect management structures of the plurality of virtual machines; and wherein the processor is to provide, to the virtual machine monitor, direct read access to the management structures of the plurality of virtual machines through the accessor key and indirect write access to the management structures of the plurality of virtual machines through a secure software module.
-
Publication number: US11630920B2
Publication date: 2023-04-18
Application number: US16024257
Filing date: 2018-06-29
Applicant: Intel Corporation
Inventor: David M. Durham , Michael Lemay , Siddhartha Chhabra , Kai Cong
IPC: G06F21/72 , G06F21/73 , G06F21/64 , G06F21/53 , G06F12/0895 , H04L9/06 , H04L9/00 , H04L9/32 , G06F21/75
Abstract: A system may use memory tagging for side-channel defense, memory safety, and sandboxing to reduce the likelihood of successful attacks. The system may include memory tagging circuitry to address existing and potential hardware and software architecture security vulnerabilities. The memory tagging circuitry may prevent memory pointers from being overwritten, prevent memory pointer manipulation (e.g., by adding values), and increase the granularity of memory tagging to include byte-level tagging in cache. The memory tagging circuitry may sandbox untrusted code by tagging portions of memory to indicate when the tagged portions of memory contain a protected pointer. The memory tagging circuitry provides security features while enabling CPUs to continue using and benefiting from speculatively performing operations. By co-locating all tagging information at a cacheline granularity with its associated data, the processor has all the information needed to perform access control decisions immediately and non-speculatively, while maintaining high performance and cache coherency.
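A model of the checks the abstract describes, as an added example in Python (not Intel's code). Assumed, because the abstract fixes none of it: a 64-byte cacheline carrying one tag byte per data byte alongside the data, a 4-bit tag held in pointer bits 56-59, and a per-byte "protected pointer" flag that sandboxed code may not overwrite. The allocation addresses are constructed.

```python
LINE_SIZE = 64
TAG_SHIFT = 56          # pointer bits 56-59 carry the tag (assumption)
TAG_MASK = 0xF
PROTECTED = 0x10        # tag-byte flag: this byte belongs to a protected pointer


def make_pointer(addr, tag):
    """Embed a 4-bit tag in the unused top bits of a 64-bit pointer."""
    return (addr & ((1 << TAG_SHIFT) - 1)) | ((tag & TAG_MASK) << TAG_SHIFT)


def split_pointer(ptr):
    return (ptr >> TAG_SHIFT) & TAG_MASK, ptr & ((1 << TAG_SHIFT) - 1)


class TaggedLine:
    """64 data bytes plus one tag byte per data byte, kept together so a check needs no extra fetch."""

    def __init__(self):
        self.data = bytearray(LINE_SIZE)
        self.tags = bytearray(LINE_SIZE)   # low 4 bits: tag, bit 4: PROTECTED


class TaggedMemory:
    def __init__(self):
        self.lines = {}

    def _line(self, addr):
        return self.lines.setdefault(addr & ~(LINE_SIZE - 1), TaggedLine())

    def alloc(self, addr, size, tag):
        """Colour [addr, addr+size) with tag and return a pointer carrying that tag."""
        for a in range(addr, addr + size):
            self._line(a).tags[a & (LINE_SIZE - 1)] = tag & TAG_MASK
        return make_pointer(addr, tag)

    def protect_pointer(self, ptr):
        """Mark the 8 bytes at ptr as holding a protected pointer."""
        _, addr = split_pointer(ptr)
        for a in range(addr, addr + 8):
            self._line(a).tags[a & (LINE_SIZE - 1)] |= PROTECTED

    def _check(self, ptr, size, write, sandboxed):
        """The access-control decision: every byte touched must carry the pointer's tag,
        and sandboxed code may not write over a protected pointer. Decided from the
        line's own tag bytes, so nothing here depends on a later fetch."""
        tag, addr = split_pointer(ptr)
        for a in range(addr, addr + size):
            t = self._line(a).tags[a & (LINE_SIZE - 1)]
            if (t & TAG_MASK) != tag:
                raise MemoryError("tag mismatch at %#x: pointer %d, memory %d" % (a, tag, t & TAG_MASK))
            if write and sandboxed and (t & PROTECTED):
                raise PermissionError("sandboxed write to protected pointer at %#x" % a)
        return addr

    def load(self, ptr, size, sandboxed=False):
        addr = self._check(ptr, size, False, sandboxed)
        return bytes(self._line(a).data[a & (LINE_SIZE - 1)] for a in range(addr, addr + size))

    def store(self, ptr, value, sandboxed=False):
        addr = self._check(ptr, len(value), True, sandboxed)
        for i, b in enumerate(value):
            self._line(addr + i).data[(addr + i) & (LINE_SIZE - 1)] = b
```

Two of the abstract's claims fall out directly: adding an offset to a pointer does not change its tag, so an overflow from one allocation into a differently tagged neighbour in the same cacheline is refused at the first mismatching byte, and a pointer forged by hand for a neighbour's address still carries the wrong tag.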
-
Publication number: US20230042288A1
Publication date: 2023-02-09
Application number: US17867306
Filing date: 2022-07-18
Applicant: Intel Corporation
Inventor: Krystof C. Zmudzinski , Siddhartha Chhabra , Uday R. Savagaonkar , Simon P. Johnson , Rebekah M. Leslie-Hurd , Francis X. McKeen , Gilbert Neiger , Raghunandan Makaram , Carlos V. Rozas , Amy L. Santoni , Vincent R. Scarlata , Vedvyas Shanbhogue , Ilya Alexandrovich , Ittai Anati , Wesley H. Smith , Michael Goldsmith
IPC: G06F12/1009 , G06F12/1027 , G06F12/1036 , G06F12/109 , G06F12/14 , G06F9/455
Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core is to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.
-
Publication number: US11520859B2
Publication date: 2022-12-06
Application number: US15942096
Filing date: 2018-03-30
Applicant: Intel Corporation
Inventor: Prashant Dewan , Siddhartha Chhabra
Abstract: The present disclosure is directed to secure processing and display of protected content. The use of a trusted execution environment (TEE) to handle authentication and session key negotiation in accordance with a selected content protection protocol may reduce any trusted computing base (TCB) needed for such operations, and thereby present a smaller target for potential attackers. Techniques are presented in which a session key negotiated via such a TEE is securely provided to output circuitry such as a display controller, which may encrypt protected content that has been requested for viewing on a protocol-compliant display device communicatively coupled to a device comprising the TEE and/or the output circuitry. The output circuitry may then provide the encrypted protected content to the protocol-compliant display device, such as for compliant display of the protected content.
-
Publication number: US11416415B2
Publication date: 2022-08-16
Application number: US16444053
Filing date: 2019-06-18
Applicant: Intel Corporation
Inventor: Reshma Lal , Pradeep M. Pappachan , Luis Kida , Krystof Zmudzinski , Siddhartha Chhabra , Abhishek Basak , Alpa Narendra Trivedi , Anna Trikalinou , David M. Lee , Vedvyas Shanbhogue , Utkarsh Y. Kakaiya
IPC: G06F12/14 , H04L9/32 , G06F21/76 , G06F21/60 , H04L9/08 , G06F9/455 , G06F21/57 , G06F21/64 , H04L41/28 , G06F21/79 , H04L41/046 , H04L9/06 , G06F9/38 , G06F12/0802
Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.
-
Publication number: US20220198027A1
Publication date: 2022-06-23
Application number: US17133627
Filing date: 2020-12-23
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , Prashant Dewan , Baiju Patel
Abstract: Methods and apparatus relating to a Converged Cryptographic Engine (CCE) for storage encryption are described. In an embodiment, decode circuitry decodes an instruction to determine whether Converged Cryptographic Engine (CCE) circuitry is enabled. Execution circuitry executes the instruction to program a plurality of keys in response to the CCE circuitry being enabled. The CCE circuitry performs all encryption and all decryption of data to be transferred between a memory and a storage device based at least in part on at least one of the plurality of keys. Other embodiments are also disclosed and claimed.
-
Publication number: US20220138286A1
Publication date: 2022-05-05
Application number: US17133336
Filing date: 2020-12-23
Applicant: Intel Corporation
Inventor: David Zage , Scott Janus , Ned M. Smith , Vidhya Krishnan , Siddhartha Chhabra , Rajesh Poornachandran , Tomer Levy , Julien Carreno , Ankur Shah , Ronald Silvas , Aravindh Anantaraman , David Puffer , Vedvyas Shanbhogue , David Cowperthwaite , Aditya Navale , Omer Ben-Shalom , Alex Nayshtut , Xiaoyu Ruan
Abstract: Systems, apparatuses and methods may provide for encryption based technology. Data may be encrypted locally with a graphics processor with encryption engines. The graphics processor components may be verified with a root-of-trust and based on collection of claims. The graphics processor may further be able to modify encrypted data from a non-pageable format to a pageable format. The graphics processor may further process data associated with a virtual machine based on a key that is known by the virtual machine and the graphics processor.
-