Technologies for USB controller state integrity protection

    Publication number: US10592663B2

    Publication date: 2020-03-17

    Application number: US15856573

    Application date: 2017-12-28

    Abstract: Technologies for USB controller state integrity protection are disclosed. A computing device reserves an isolated memory region in system memory and programs a base address register of a USB controller with the address of the isolated memory region. The computing device locks the base address register from further changes. The USB controller may store controller state data in a scratchpad buffer located within the isolated memory region. Software executed by a processor may read controller state data from the scratchpad buffer. Secure routing hardware of the computing device controls access to the isolated memory region. The secure routing hardware may allow read and write access by the USB controller and read-only access by software executed by the processor. After storing the controller state data, the computing device may power down the I/O controller. Other embodiments are described and claimed.

    Flexible counter system for memory protection

    Publication number: US10546157B2

    Publication date: 2020-01-28

    Application number: US15792350

    Application date: 2017-10-24

    Abstract: The present disclosure is directed to a flexible counter system for memory protection. In general, a counter system for supporting memory protection operations in a device may be made more efficient utilizing flexible counter structures. A device may comprise a processing module and a memory module. A flexible counter system in the memory module may comprise at least one data line including a plurality of counters. The bit-size of the counters may be reduced and/or varied from existing implementations through an overflow counter that may account for smaller counters entering an overflow state. Counters that utilize the overflow counter may be identified using a bit indicator. In at least one embodiment selectors corresponding to each of the plurality of counters may be able to map particular memory locations to particular counters.

    Technologies for securing data structures for controlling virtual machines

    Publication number: US10545783B2

    Publication date: 2020-01-28

    Application number: US16108453

    Application date: 2018-08-22

    Abstract: A data processing system with technology to secure a virtual machine control data structure (VMCDS) comprises random access memory (RAM) and a processor in communication with the RAM. The processor comprises virtualization technology that enables the processor to run a virtual machine monitor (VMM) in the data processing system and to run guest software in a virtual machine (VM) that is managed by the VMM. The VM is based at least in part on a VMCDS for the VM. An instruction decoder in the processor recognizes and dispatches a set-mask instruction. The set-mask instruction specifies access restrictions to be imposed on the VMM with respect to the VMCDS of the VM. The processor also comprises a mask enforcer to automatically enforce the access restrictions specified by the set-mask instruction, in response to an attempt by the VMM to access the VMCDS of the VM. Other embodiments are described and claimed.

    Technologies for memory replay prevention using compressive encryption

    Publication number: US10540198B2

    Publication date: 2020-01-21

    Application number: US15640478

    Application date: 2017-07-01

    Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.

    SECURE STREAM PROTOCOL FOR SERIAL INTERCONNECT

    Patent type: Invention application

    Publication number: US20190306134A1

    Publication date: 2019-10-03

    Application number: US16445019

    Application date: 2019-06-18

    Abstract: Methods, systems, and apparatuses associated with a secure stream protocol for a serial interconnect are disclosed. An apparatus comprises a first device comprising circuitry to, using an end-to-end protocol, secure a transaction in a first secure stream based at least in part on a transaction type of the transaction, where the first secure stream is separate from a second secure stream. The first device is further to send the transaction secured in the first secure stream to a second device over a link established between the first device and the second device, where the transaction is to traverse one or more intermediate devices from the first device to the second device. In more specific embodiments, the first secure stream is based on one of a posted transaction type, a non-posted transaction type, or a completion transaction type.

    Cross-domain security in cryptographically partitioned cloud

    Publication number: US10372628B2

    Publication date: 2019-08-06

    Application number: US15720521

    Application date: 2017-09-29

    Abstract: Solutions for secure memory access in a computing platform include a multi-key encryption (MKE) engine as part of the memory interface between processor core(s) and memory of a computing platform. The processor core(s) perform workloads, each utilizing allocated portions of memory. The MKE engine performs key-based cryptography operations on data to isolate portions of the memory from workloads to which those portions of the memory are not allocated. A key-mapping data store is accessible to the MKE engine and contains associations between identifiers of portions of the memory and corresponding key identification data from which cryptographic keys are obtained. A key tracking log is maintained by the MKE engine, and the MKE engine temporarily stores entries in the key tracking log containing the identifiers of the portions of the memory and key identification data for those portions of memory during memory-access operations of those portions of memory.

    Techniques for cipher system conversion

    Publication number: US10341087B2

    Publication date: 2019-07-02

    Application number: US15394516

    Application date: 2016-12-29

    Abstract: Various embodiments are generally directed to techniques for converting between different cipher systems, such as between a cipher system used for a first encryption environment and a different cipher system used for a second encryption environment. Some embodiments are particularly directed to an encryption engine that supports memory operations between two or more encryption environments. Each encryption environment can use a different cipher system while the encryption engine translates ciphertext between the different cipher systems. In various embodiments, the first encryption environment may include a main memory that uses a position dependent cipher system and the second encryption environment may include a secondary memory that uses a position independent cipher system.
