SECURING DATA DIRECT I/O FOR A SECURE ACCELERATOR INTERFACE

    Publication number: US20210073145A1

    Publication date: 2021-03-11

    Application number: US17022029

    Application date: 2020-09-15

    Abstract: The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modern data central processor units (CPUs).

    Technologies for secure hardware and software attestation for trusted I/O

    Publication number: US10943012B2

    Publication date: 2021-03-09

    Application number: US16260850

    Application date: 2019-01-29

    Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information. The computing device may collect application attestation information for a trusted application that uses the trusted I/O usage and verify the application attestation information. Other embodiments are described and claimed.

    SUPPORT FOR INCREASED NUMBER OF CONCURRENT KEYS WITHIN MULTI-KEY CRYPTOGRAPHIC ENGINE

    Publication number: US20200327241A1

    Publication date: 2020-10-15

    Application number: US16913224

    Application date: 2020-06-26

    Abstract: A server includes a processor core including system memory, and a cryptographic engine storing a key data structure. The data structure is to store multiple keys for multiple secure domains. The core receives a request to program a first secure domain into the cryptographic engine. The request includes first domain information within a first wrapped binary large object (blob). In response to a determination that there is no available entry in the data structure, the core selects a second secure domain within the data structure to de-schedule and issues a read key command to read second domain information from a target entry of the data structure. The core encrypts the second domain information to generate a second wrapped blob and stores the second wrapped blob in a determined region of the system memory, which frees up the target entry for use to program the first secure domain.

    Device, method and system to selectively provide data validation functionality

    Publication number: US10795829B2

    Publication date: 2020-10-06

    Application number: US16145942

    Application date: 2018-09-28

    Abstract: Techniques and mechanisms for configuring services which variously facilitate data protection. In an embodiment, circuitry coupled to a memory comprises both a first circuit which calculates integrity information based on data, and a second circuit which evaluates data validity based on such integrity information. A configuration of the circuitry provides a combination of one or more services which is specific to a corresponding domain of the memory. With respect to accesses to the corresponding domain, the configuration prevents an access to the first circuit while an access to the second circuit is permitted. In another embodiment, a processor signals the circuitry to transition to another configuration which, with respect to accesses to the corresponding domain, permits access to both the first circuit and the second circuit.

    Securing data direct I/O for a secure accelerator interface

    Publication number: US10783089B2

    Publication date: 2020-09-22

    Application number: US16023661

    Application date: 2018-06-29

    Abstract: The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modern data central processor units (CPUs).

    Technologies for USB controller state integrity protection with trusted I/O

    Publication number: US10740454B2

    Publication date: 2020-08-11

    Application number: US15856576

    Application date: 2017-12-28

    Abstract: Technologies for USB controller state integrity protection with trusted I/O are disclosed. A computing device includes an I/O controller, a channel identifier filter, and a memory. The I/O controller generates a memory access to controller state data in a scratchpad buffer in the memory. The memory access includes a channel identifier associated with the I/O controller. The channel identifier filter determines whether a memory address of the memory access is included in a range of a processor reserved memory region associated with the channel identifier. A processor of the computing device may copy the controller state data to a memory buffer outside of the processor reserved memory region. The computing device may reserve an isolated memory region in the memory that includes the processor reserved memory region. Secure routing hardware of the computing device may control access to the isolated memory region. Other embodiments are described and claimed.

    Technologies for dynamically protecting memory of mobile compute device with geofencing

    Publication number: US10706159B2

    Publication date: 2020-07-07

    Application number: US15623318

    Application date: 2017-06-14

    Abstract: Technologies for dynamically protecting memory of the mobile compute device include a main memory, a location sensor that produces sensor data indicative of a present location of the mobile compute device, a sensor hub communicatively coupled to the location sensor, and a security engine communicatively coupled to the sensor hub. The sensor hub determines a present location security zone of the mobile compute device based on the present location of the mobile compute device and a geofence policy, which maps locations to location security zones. The security engine encrypts the main memory of the mobile compute device and determines whether the present location security zone has changed relative to a most-previous location security zone of the mobile compute device. If the present location security zone has changed to a safe zone, the security engine decrypts the main memory.

    Techniques for enclave confidentiality management

    Publication number: US10691813B2

    Publication date: 2020-06-23

    Application number: US15942122

    Application date: 2018-03-30

    Abstract: Various embodiments are generally directed to techniques for enclave confidentiality management, such as for protecting cross enclave confidentiality on servers, for instance. Some embodiments are particularly directed to a computing platform including hardware and/or instruction set architecture (ISA) extensions that ensure enclaves cannot access confidential data of other enclaves. For example, key programming ISA extensions and/or hardware changes to the page miss handler (PMH) may ensure that the key uniquely associated with an enclave is used for its memory accesses.

    TECHNOLOGIES FOR MEMORY REPLAY PREVENTION USING COMPRESSIVE ENCRYPTION

    Publication number: US20200183730A1

    Publication date: 2020-06-11

    Application number: US16748176

    Application date: 2020-01-21

    Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.
