-
Publication No.: US11782716B2
Publication date: 2023-10-10
Application No.: US17517580
Filing date: 2021-11-02
Applicant: Intel Corporation
Inventor: Michael LeMay, Vedvyas Shanbhogue, Deepak Gupta, Ravi Sahita, David M. Durham, Willem Pinckaers, Enrico Perla
IPC: G06F9/30, G06F9/38, G06F9/448, G06F9/46, G06F16/901, G06F9/455, G06F12/14, G06F21/52, G06F21/79, G06F9/35
CPC classification number: G06F9/30145, G06F9/3836, G06F9/449, G06F9/468, G06F16/9017
Abstract: Systems, methods, and apparatuses relating to circuitry to implement individually revocable capabilities for enforcing temporal memory safety are described. In one embodiment, a hardware processor comprises an execution unit to execute an instruction to request access to a block of memory through a pointer to the block of memory, and a memory controller circuit to allow access to the block of memory when an allocated object tag in the pointer is validated with an allocated object tag in an entry of a capability table in memory that is indexed by an index value in the pointer, wherein the memory controller circuit is to clear the allocated object tag in the capability table when a corresponding object is deallocated.
-
Publication No.: US20230315857A1
Publication date: 2023-10-05
Application No.: US18131199
Filing date: 2023-04-05
Applicant: Intel Corporation
Inventor: Ravi L. Sahita, Baiju V. Patel, Barry E. Huntley, Gilbert Neiger, Hormuzd M. Khosravi, Ido Ouziel, David M. Durham, Ioannis T. Schoinas, Siddhartha Chhabra, Carlos V. Rozas, Gideon Gerzon
CPC classification number: G06F21/57, G06F21/6218, G06F12/1408, H04L9/0618, H04L63/061, G06F21/53, G06F21/71, G06F21/79, G06F2009/45587
Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.
-
Publication No.: US11741018B2
Publication date: 2023-08-29
Application No.: US17873668
Filing date: 2022-07-26
Applicant: Intel Corporation
Inventor: David M. Durham, Jacob Doweck, Michael Lemay, Deepak Gupta
IPC: G06F12/10, G06F12/1027
CPC classification number: G06F12/1027, G06F2212/681
Abstract: An apparatus and method for efficient process-based compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data; memory management circuitry coupled to the execution circuitry, the memory management circuitry to manage access to a system memory by a plurality of related processes using one or more process-specific translation structures and one or more shared translation structures to be shared by the related processes; and one or more control registers to store a process-specific base address pointer associated with a first process of the plurality of related processes and to store a shared base address pointer to identify the shared translation structures; wherein the memory management circuitry is to use the process-specific base address pointer in combination with a first linear address provided by the first process to walk the process-specific translation structures to identify any permissions and/or physical address associated with the first linear address, wherein if permissions are identified, the memory management circuitry is to use the permissions in place of any permissions specified in the shared translation structures.
-
Publication No.: US11693754B2
Publication date: 2023-07-04
Application No.: US17685557
Filing date: 2022-03-03
Applicant: Intel Corporation
Inventor: David M. Durham, Karanvir S. Grewal, Sergej Deutsch, Michael E. Kounavis
IPC: G06F11/27, G06F7/72, G06F11/07, G06F11/10, G06F11/14, G06F11/30, G06F12/14, H04L9/06, H04L9/08, H04L9/32
CPC classification number: G06F11/27, G06F7/724, G06F11/0772, G06F11/1068, G06F11/1435, G06F11/3037, G06F12/1408, H04L9/0637, H04L9/0643, H04L9/085, H04L9/3242
Abstract: Embodiments are directed to aggregate GHASH-based message authentication code (MAC) over multiple cachelines with incremental updates. An embodiment of a system includes a controller comprising circuitry, the controller to generate an error correction code for a memory line, the memory line comprising a plurality of first data blocks, generate a metadata block corresponding to the memory line, the metadata block comprising the error correction code for the memory line and at least one metadata bit, generate an aggregate GHASH corresponding to a region of memory comprising a cacheline set comprising at least the memory line, encode the first data blocks and the metadata block, encrypt the aggregate GHASH as an aggregate message authentication code (AMAC), provide the encoded first data blocks and the encoded metadata block for storage on a memory module comprising the memory line, and provide the AMAC for storage on a device separate from the memory module.
-
Publication No.: US11669625B2
Publication date: 2023-06-06
Application No.: US17134405
Filing date: 2020-12-26
Applicant: Intel Corporation
Inventor: David M. Durham, Karanvir S. Grewal, Michael D. LeMay, Salmin Sultana
CPC classification number: G06F21/602, G06F9/30101, G06F9/30145, G06F9/5016, G06F21/54, G06F21/79
Abstract: A processor includes a register to store an encoded pointer to a memory location in memory and the encoded pointer is to include an encrypted portion. The processor further includes circuitry to determine a first data encryption factor based on a first data access instruction, decode the encoded pointer to obtain a memory address of the memory location, use the memory address to access an encrypted first data element, and decrypt the encrypted first data element using a cryptographic algorithm with first inputs to generate a decrypted first data element. The first inputs include the first data encryption factor based on the first data access instruction and a second data encryption factor from the encoded pointer.
-
Publication No.: US11651085B2
Publication date: 2023-05-16
Application No.: US16934089
Filing date: 2020-07-21
Applicant: Intel Corporation
Inventor: David M. Durham, Siddhartha Chhabra, Ravi L. Sahita, Barry E. Huntley, Gilbert Neiger, Gideon Gerzon, Baiju V. Patel
IPC: G06F21/60, G06F3/06, G06F12/1009, G06F21/57, G06F21/53
CPC classification number: G06F21/602, G06F3/067, G06F3/0623, G06F3/0661, G06F12/1009, G06F21/53, G06F21/57, G06F2212/1052
Abstract: A processor executes an untrusted VMM that manages execution of a guest workload. The processor also populates an entry in a memory ownership table for the guest workload. The memory ownership table is indexed by an original hardware physical address, the entry comprises an expected guest address that corresponds to the original hardware physical address, and the entry is encrypted with a key domain key. In response to receiving a request from the guest workload to access memory using a requested guest address, the processor (a) obtains, from the untrusted VMM, a hardware physical address that corresponds to the requested guest address; (b) uses that physical address as an index to find an entry in the memory ownership table; and (c) verifies whether the expected guest address from the found entry matches the requested guest address. Other embodiments are described and claimed.
-
Publication No.: US11636049B2
Publication date: 2023-04-25
Application No.: US17705857
Filing date: 2022-03-28
Applicant: Intel Corporation
Inventor: David M. Durham, Ron Gabor
Abstract: Embodiments are directed to memory protection with hidden inline metadata. An embodiment of an apparatus includes processor cores; a computer memory for the storage of data; and cache memory communicatively coupled with one or more of the processor cores, wherein one or more processor cores of the plurality of processor cores are to implant hidden inline metadata in one or more cachelines for the cache memory, the hidden inline metadata being hidden at a linear address level.
-
Publication No.: US11580035B2
Publication date: 2023-02-14
Application No.: US17134406
Filing date: 2020-12-26
Applicant: Intel Corporation
Inventor: David M. Durham, Karanvir S. Grewal, Michael D. LeMay, Salmin Sultana, Andrew James Weiler
Abstract: A processor includes a register to store an encoded pointer to a variable in stack memory. The encoded pointer includes an encrypted portion and a fixed plaintext portion of a memory address corresponding to the variable. The processor further includes circuitry to, in response to a memory access request for associated with the variable, decrypt the encrypted portion of the encoded pointer to obtain first upper address bits of the memory address and a memory allocation size for a variable, decode the encoded pointer to obtain the memory address, verify the memory address is valid based, at least in part on the memory allocation size, and in response to determining that the memory address is valid, allow the memory access request.
-
Publication No.: US20230027329A1
Publication date: 2023-01-26
Application No.: US17791000
Filing date: 2020-12-26
Applicant: Intel Corporation
Inventor: David M. Durham, Michael D. LeMay, Salmin Sultana, Karanvir S. Grewal, Michael E. Kounavis, Sergej Deutsch, Andrew James Weiler, Abhishek Basak, Dan Baum, Santosh Ghosh
Abstract: A processor, a system, a machine readable medium, and a method. The processor comprises first circuitry to: encrypt a first code image using a first code key; load the encrypted first code image into a memory area allocated in memory for the first code image by an operating system running on the processor; and send to the operating system a substitute key that corresponds to the first code key, wherein the first code key is concealed from the operating system; and an instruction cache including control circuitry; and second circuitry coupled to the instruction cache, the second circuitry to: receive the substitute key from the operating system; in response to a first request from the operating system to execute the first code image to instantiate a first process, perform a first cryptographic function using a hardware key to generate the first code key from the substitute key; and program the control circuitry of the instruction cache with the first code key to enable the first code image to be decrypted using the first code key.
-
Publication No.: US20220413715A1
Publication date: 2022-12-29
Application No.: US17357951
Filing date: 2021-06-24
Applicant: Intel Corporation
Inventor: Michael LeMay, David M. Durham
IPC: G06F3/06
Abstract: Methods and apparatus relating to zero-redundancy tag storage for bucketed allocators are described. In some embodiments, memory stores a memory page. The memory page includes a metadata page and a plurality of slots. The metadata page includes information corresponding to the plurality of slots. Decode circuitry decodes an instruction that includes a source operand. Execution circuitry executes the decoded instruction according to the source operand to load a first tag for a first slot of the plurality of slots in response to a memory access request directed at the first slot of the plurality of slots. The memory access request is allowed to proceed in response to a match between the first tag and a second tag of a pointer of the memory access request. The memory page stores a separate tag in proximity to each of the plurality of slots. Other embodiments are also disclosed and claimed.