-
Publication (announcement) number: US11531772B2
Publication date: 2022-12-20
Application number: US16913224
Filing date: 2020-06-26
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , David M. Durham
Abstract: A server includes a processor core including system memory, and a cryptographic engine storing a key data structure. The data structure is to store multiple keys for multiple secure domains. The core receives a request to program a first secure domain into the cryptographic engine. The request includes first domain information within a first wrapped binary large object (blob). In response to a determination that there is no available entry in the data structure, the core selects a second secure domain within the data structure to de-schedule and issues a read key command to read second domain information from a target entry of the data structure. The core encrypts the second domain information to generate a second wrapped blob and stores the second wrapped blob in a determined region of the system memory, which frees up the target entry for use to program the first secure domain.
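Added illustration (not code from the patent or from Intel): a Python model of the de-scheduling flow above. A fixed-size key table is backed by a spill region in "system memory"; when the table is full the least recently used domain is read out, re-wrapped under a platform key and evicted, and a later access to that domain transparently reloads it. The table size, the LRU victim policy, the SHA-256 counter-mode keystream and the HMAC tag used for wrapping are assumptions standing in for the engine's real cipher and its selection logic.

```python
import hashlib
import hmac
import secrets

TABLE_SLOTS = 4  # assumed capacity of the engine's key data structure


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stands in for the engine's block cipher (assumption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap_blob(wrap_key: bytes, domain_id: int, domain_key: bytes) -> bytes:
    """Encrypt-then-MAC the domain information: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(12)
    plaintext = domain_id.to_bytes(4, "big") + domain_key
    stream = _keystream(wrap_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(wrap_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_blob(wrap_key: bytes, blob: bytes):
    """Verify the tag before decrypting: a tampered blob is rejected, never used."""
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(wrap_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped blob failed authentication")
    stream = _keystream(wrap_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return int.from_bytes(plaintext[:4], "big"), plaintext[4:]


class CryptoEngine:
    """Key data structure with a fixed number of entries plus a spill region in memory."""

    def __init__(self, slots: int = TABLE_SLOTS):
        self.wrap_key = secrets.token_bytes(32)  # platform wrapping key; never leaves the engine
        self.slots = slots
        self.table = {}       # entry index -> (domain_id, domain_key): the hardware key table
        self.swap_area = {}   # domain_id -> wrapped blob: the "determined region" of system memory
        self.use_order = []   # entry indices, least recently used first (assumed victim policy)

    def issue_blob(self, domain_id: int) -> bytes:
        """Software-side request: a fresh domain key wrapped under the platform key."""
        return wrap_blob(self.wrap_key, domain_id, secrets.token_bytes(16))

    def program_domain(self, blob: bytes) -> int:
        """Program a domain into the table, de-scheduling an entry first if the table is full."""
        domain_id, domain_key = unwrap_blob(self.wrap_key, blob)
        self.swap_area.pop(domain_id, None)
        entry = next((i for i in range(self.slots) if i not in self.table), None)
        if entry is None:
            entry = self._deschedule()
        self.table[entry] = (domain_id, domain_key)
        self._touch(entry)
        return entry

    def _deschedule(self) -> int:
        """Read the victim entry's key, re-wrap it, spill it to memory and free the entry."""
        victim = self.use_order.pop(0)
        domain_id, domain_key = self.table.pop(victim)
        self.swap_area[domain_id] = wrap_blob(self.wrap_key, domain_id, domain_key)
        return victim

    def _touch(self, entry: int) -> None:
        if entry in self.use_order:
            self.use_order.remove(entry)
        self.use_order.append(entry)

    def key_for(self, domain_id: int) -> bytes:
        """Resolve a domain's key, transparently re-programming it from the spill region."""
        for entry, (d, key) in self.table.items():
            if d == domain_id:
                self._touch(entry)
                return key
        if domain_id in self.swap_area:
            self.program_domain(self.swap_area[domain_id])
            return self.key_for(domain_id)
        raise KeyError(f"domain {domain_id} was never programmed")
```

The security-relevant point is that the spilled entry is only ever outside the engine in authenticated, encrypted form: the wrap key never leaves `CryptoEngine`, and `unwrap_blob` checks the tag before any decryption, so a blob modified in system memory cannot be re-programmed.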
-
Publication (announcement) number: US20220335140A1
Publication date: 2022-10-20
Application number: US17854814
Filing date: 2022-06-30
Applicant: Intel Corporation
Inventor: Salmin Sultana , David M. Durham , Michael LeMay , Karanvir S. Grewal , Sergej Deutsch
Abstract: Techniques for cryptographic computing isolation are described. A processor includes circuitry to be coupled to memory configured to store one or more instructions. The circuitry is to execute the one or more instructions to instantiate a first process based on an application. To instantiate the first process is to include creating a context table to be used by the first process, identifying a software component to be invoked during the first process, encrypting the software component using a first cryptographic key, and creating a first entry in the context table. The first entry is to include first context information identifying the encrypted software component and second context information representing the first cryptographic key. In more specific embodiments, third context information representing a first load address of the encrypted software component is stored in the first entry of the context table.
-
Publication (announcement) number: US11416624B2
Publication date: 2022-08-16
Application number: US16722707
Filing date: 2019-12-20
Applicant: Intel Corporation
Inventor: David M. Durham , Michael LeMay , Ramya Jayaram Masti , Gilbert Neiger , Jason W. Brandt
IPC: G06F21/60 , G06F9/30 , G06F21/72 , G06F21/79 , G06F21/12 , H04L9/08 , G06F12/14 , H04L9/14 , G06F21/62 , G06F12/0897 , G06F9/48 , H04L9/06 , G06F12/06 , G06F12/0875 , G06F12/0811 , G06F9/32 , G06F9/50 , G06F12/02 , G06F9/455
Abstract: Technologies disclosed herein provide cryptographic computing with cryptographically encoded pointers in multi-tenant environments. An example method comprises executing, by a trusted runtime, first instructions to generate a first address key for a private memory region in the memory and generate a first cryptographically encoded pointer to the private memory region in the memory. Generating the first cryptographically encoded pointer includes storing first context information associated with the private memory region in first bits of the first cryptographically encoded pointer and performing a cryptographic algorithm on a slice of a first linear address of the private memory region based, at least in part, on the first address key and a first tweak, the first tweak including the first context information. The method further includes permitting a first tenant in the multi-tenant environment to access the first address key and the first cryptographically encoded pointer to the private memory region.
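Added illustration (not code from the patent or from Intel): a Python model of a cryptographically encoded pointer as described above. The pointer layout (8 context bits on top, a 32-bit encrypted slice of the linear address, 24 clear offset bits), the 4-round SHA-256 Feistel network standing in for the tweakable block cipher, and the use of the context bits alone as the tweak are assumptions for the example. It shows why a pointer is useless to a tenant holding a different address key, why altering the context bits breaks decoding, and why pointer arithmetic that carries into the encrypted slice yields an unrelated address.

```python
import hashlib
import secrets

ROUNDS = 4
OFFSET_BITS = 24   # low pointer bits left in the clear for pointer arithmetic (assumed layout)
SLICE_BITS = 32    # linear-address slice that gets encrypted
CTX_BITS = 8       # context information carried in the top pointer bits


def _round_fn(key: bytes, tweak: bytes, r: int, half: int) -> int:
    """Keyed, tweaked round function for a toy Feistel cipher on a 32-bit slice."""
    digest = hashlib.sha256(key + tweak + bytes([r]) + half.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def encrypt_slice(key: bytes, tweak: bytes, value: int) -> int:
    left, right = value >> 16, value & 0xFFFF
    for r in range(ROUNDS):
        left, right = right, left ^ _round_fn(key, tweak, r, right)
    return (left << 16) | right


def decrypt_slice(key: bytes, tweak: bytes, value: int) -> int:
    left, right = value >> 16, value & 0xFFFF
    for r in reversed(range(ROUNDS)):
        left, right = right ^ _round_fn(key, tweak, r, left), left
    return (left << 16) | right


def new_address_key() -> bytes:
    """Per-region address key generated by the trusted runtime."""
    return secrets.token_bytes(16)


def encode_pointer(linear: int, context: int, address_key: bytes) -> int:
    """Store context in the top bits, encrypt the address slice with the context as tweak."""
    assert linear < (1 << (SLICE_BITS + OFFSET_BITS)) and context < (1 << CTX_BITS)
    offset = linear & ((1 << OFFSET_BITS) - 1)
    addr_slice = linear >> OFFSET_BITS
    enc = encrypt_slice(address_key, bytes([context]), addr_slice)
    return (context << (SLICE_BITS + OFFSET_BITS)) | (enc << OFFSET_BITS) | offset


def decode_pointer(pointer: int, address_key: bytes) -> int:
    """Recover the linear address; the context bits in the pointer feed the tweak."""
    context = pointer >> (SLICE_BITS + OFFSET_BITS)
    enc = (pointer >> OFFSET_BITS) & ((1 << SLICE_BITS) - 1)
    offset = pointer & ((1 << OFFSET_BITS) - 1)
    addr_slice = decrypt_slice(address_key, bytes([context]), enc)
    return (addr_slice << OFFSET_BITS) | offset
```

Because the context is part of the tweak, a pointer forged by editing its context bits (for example to claim a larger allocation) decrypts to a different address slice rather than to the same region with a wider bound; the hardware never has to trust the context field on its own.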
-
Publication (announcement) number: US20220222158A1
Publication date: 2022-07-14
Application number: US17685557
Filing date: 2022-03-03
Applicant: Intel Corporation
Inventor: David M. Durham , Karanvir S. Grewal , Sergej Deutsch , Michael E. Kounavis
IPC: G06F11/27 , G06F7/72 , G06F11/07 , G06F11/10 , G06F11/14 , G06F11/30 , G06F12/14 , H04L9/06 , H04L9/08 , H04L9/32
Abstract: Embodiments are directed to aggregate GHASH-based message authentication code (MAC) over multiple cachelines with incremental updates. An embodiment of a system includes a controller comprising circuitry, the controller to generate an error correction code for a memory line, the memory line comprising a plurality of first data blocks, generate a metadata block corresponding to the memory line, the metadata block comprising the error correction code for the memory line and at least one metadata bit, generate an aggregate GHASH corresponding to a region of memory comprising a cacheline set comprising at least the memory line, encode the first data blocks and the metadata block, encrypt the aggregate GHASH as an aggregate message authentication code (AMAC), provide the encoded first data blocks and the encoded metadata block for storage on a memory module comprising the memory line, and provide the AMAC for storage on a device separate from the memory module.
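Added illustration (not code from the patent or from Intel): a Python model of an aggregate GHASH over a set of cachelines with incremental updates. GHASH is a polynomial evaluation over GF(2^128), so it is linear in the blocks: when one block at position p changes from `old` to `new`, the aggregate changes by (old ^ new) * H^(n-p), and the controller never has to re-read the whole region. Everything around that core is an assumption for the example: 64-byte lines, one 16-byte metadata block per line in which a CRC32 stands in for the ECC, a SHA-256-derived mask standing in for the block-cipher encryption of the aggregate, and a version counter folded into that mask. `gf_mul` follows the GCM multiplication from NIST SP 800-38D.

```python
import hashlib
import zlib

R = 0xE1000000000000000000000000000000  # GCM reduction polynomial, bit-reflected form
BLOCK = 16
LINE = 64


def gf_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) with GCM's bit ordering (NIST SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: int, blocks) -> int:
    """Y_0 = 0; Y_i = (Y_{i-1} ^ X_i) * H."""
    y = 0
    for b in blocks:
        y = gf_mul(y ^ int.from_bytes(b, "big"), h)
    return y


def metadata_block(line: bytes, flag: int) -> bytes:
    """CRC32 stands in for the ECC (assumption); one metadata bit is carried in `flag`."""
    return zlib.crc32(line).to_bytes(4, "big") + bytes([flag & 1]) + bytes(11)


class AggregateRegion:
    """Aggregate MAC over a cacheline set; the AMAC is meant to live off the memory module."""

    def __init__(self, lines, hash_key: bytes, mac_key: bytes, region_id: bytes, version: int = 0):
        self.h = int.from_bytes(hash_key, "big")
        self.mac_key, self.region_id, self.version = mac_key, region_id, version
        self.lines = [bytes(l) for l in lines]
        assert all(len(l) == LINE for l in self.lines)
        self.blocks = [b for l in self.lines for b in self._line_blocks(l)]
        n = len(self.blocks)
        self.hpow = [1 << 127] + [0] * n     # hpow[k] = H^k; 1<<127 is the field's "1"
        for k in range(1, n + 1):
            self.hpow[k] = gf_mul(self.hpow[k - 1], self.h)
        self.y = ghash(self.h, self.blocks)

    @staticmethod
    def _line_blocks(line: bytes):
        data = [line[i:i + BLOCK] for i in range(0, LINE, BLOCK)]
        return data + [metadata_block(line, 0)]

    def _mask(self) -> int:
        """Stand-in for encrypting the aggregate with a block cipher (assumption)."""
        msg = self.mac_key + self.region_id + self.version.to_bytes(8, "big")
        return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big")

    def amac(self) -> int:
        return self.y ^ self._mask()

    def update_line(self, idx: int, new_line: bytes) -> None:
        """Incremental update: only changed blocks contribute (old ^ new) * H^(n-p)."""
        n = len(self.blocks)
        per_line = LINE // BLOCK + 1
        old_blocks = self._line_blocks(self.lines[idx])
        new_blocks = self._line_blocks(bytes(new_line))
        for j, (ob, nb) in enumerate(zip(old_blocks, new_blocks)):
            if ob != nb:
                p = idx * per_line + j
                diff = int.from_bytes(ob, "big") ^ int.from_bytes(nb, "big")
                self.y ^= gf_mul(diff, self.hpow[n - p])
                self.blocks[p] = nb
        self.lines[idx] = bytes(new_line)
        self.version += 1

    def verify(self, stored_amac: int, lines=None) -> bool:
        """Recompute from what the module holds and compare with the off-module AMAC."""
        fresh = AggregateRegion(lines if lines is not None else self.lines,
                                self.h.to_bytes(16, "big"), self.mac_key,
                                self.region_id, self.version)
        return fresh.amac() == stored_amac
```

Keeping the AMAC on a device separate from the module is what gives the scheme its value: an attacker who rewrites a line on the DIMM (including its ECC metadata block) cannot also fix up the aggregate, so the next verification fails.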
-
Publication (announcement) number: US20220214881A1
Publication date: 2022-07-07
Application number: US17696330
Filing date: 2022-03-16
Applicant: Intel Corporation
Inventor: Michael LeMay , Hans Goran Liljestrand , Peiming Liu , David M. Durham , Scott Constable
Abstract: Techniques for ratchet pointers in computing hardware are described. The technology includes a memory to store an object referenced by a ratchet pointer, and a processor to provide access to a slice of the object by decrypting a base address and a limit of the ratchet pointer, generating a cryptographic address in an encrypted format bound to an identity of the object and not the slice, and performing effective address generation for the cryptographic address based at least in part on the base address and the limit.
-
Publication (announcement) number: US20220121447A1
Publication date: 2022-04-21
Application number: US17560363
Filing date: 2021-12-23
Applicant: Intel Corporation
Inventor: Abhishek Basak , Santosh Ghosh , Michael D. LeMay , David M. Durham
Abstract: In one embodiment, a processor includes a memory hierarchy and a core. The core includes circuitry to access an encoded code pointer for a load instruction and perform a memory disambiguation (MD) lookup using a subset of address bits indicated by the encoded code pointer and context information indicated by one or more of the encoded code pointer or an encoded data pointer of the load instruction. The circuitry is further to determine, based on the MD lookup, that the load instruction is predicted to be independent from previous store instructions and forward the load instruction for out-of-order execution based on the determination.
-
Publication (announcement) number: US11288213B2
Publication date: 2022-03-29
Application number: US16369880
Filing date: 2019-03-29
Applicant: Intel Corporation
Inventor: David M. Durham , Ron Gabor
Abstract: Embodiments are directed to memory protection with hidden inline metadata. An embodiment of an apparatus includes processor cores; a computer memory for the storage of data; and cache memory communicatively coupled with one or more of the processor cores, wherein one or more processor cores of the plurality of processor cores are to implant hidden inline metadata in one or more cachelines for the cache memory, the hidden inline metadata being hidden at a linear address level.
-
Publication (announcement) number: US20220083366A1
Publication date: 2022-03-17
Application number: US17532886
Filing date: 2021-11-22
Applicant: Intel Corporation
Inventor: David M. Durham , Siddhartha Chhabra , Michael E. Kounavis
Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.
-
Publication (announcement) number: US20220019698A1
Publication date: 2022-01-20
Application number: US17449343
Filing date: 2021-09-29
Applicant: Intel Corporation
Inventor: David M. Durham , Gilbert Neiger , Barry E. Huntley , Ravi L. Sahita , Baiju V. Patel
Abstract: According to one embodiment, a method comprises executing an untrusted host virtual machine monitor (VMM) to manage execution of at least one guest virtual machine (VM). The VMM receives an encrypted key domain key, an encrypted guest code image, and an encrypted guest control structure. The VMM also issues a create command. In response, a processor creates a first key domain comprising a region of memory to be encrypted by a key domain key. The encrypted key domain key is decrypted to produce the key domain key, which is inaccessible to the VMM. The VMM issues a launch command. In response, a first guest VM is launched within the first key domain. In response to a second launch command, a second guest VM is launched within the first key domain. The second guest VM provides an agent to act on behalf of the VMM. Other embodiments are described and claimed.
-
Publication (announcement) number: US20220012188A1
Publication date: 2022-01-13
Application number: US17485213
Filing date: 2021-09-24
Applicant: Intel Corporation
Inventor: David M. Durham , Michael LeMay , Santosh Ghosh , Sergej Deutsch
IPC: G06F12/14 , G06F12/0802 , G06F21/55
Abstract: Technologies disclosed herein provide one example of a system that includes processor circuitry and integrity circuitry. The processor circuitry is to receive a first request associated with an application to perform a memory access operation for an address range in a memory allocation of memory circuitry. The integrity circuitry is to determine a location of a metadata region within a cacheline that includes at least some of the address range, identify a first portion of the cacheline based at least in part on a first data bounds value stored in the metadata region, generate a first integrity value based on the first portion of the cacheline, and prevent the memory access operation in response to determining that the first integrity value does not correspond to a second integrity value stored in the metadata region.
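Added illustration (not code from the patent or from Intel) serving both this abstract and the hidden inline metadata abstract (US11288213B2) above: a Python model of cachelines that carry a metadata region the linear address space never exposes, holding a data bounds value and an integrity value for the allocation's portion of the line. The layout (64-byte physical lines, 56 data bytes visible per line, an 8-byte metadata slot at the end holding two bounds bytes and a 6-byte truncated HMAC-SHA256), the one-allocation-per-line limitation, and the address arithmetic are assumptions for the example; the patent does not fix any of these.

```python
import hashlib
import hmac

LINE = 64   # physical cacheline size
DATA = 56   # bytes of each line visible at the linear address level (assumption)
META = 56   # assumed offset of the 8-byte hidden metadata region inside the line
TAG = 6     # bytes of truncated MAC stored beside the 2-byte data bounds value


class MetadataMemory:
    """Lines with a hidden inline metadata region: [lo, hi) bounds plus an integrity value."""

    def __init__(self, nlines: int, key: bytes):
        self.phys = bytearray(nlines * LINE)
        self.key = key  # integrity key held by the integrity circuitry (assumption)

    @staticmethod
    def la_to_pa(la: int) -> int:
        """Linear addresses skip the metadata slot, so software never addresses it."""
        return (la // DATA) * LINE + la % DATA

    def _integrity(self, line: int, lo: int, hi: int) -> bytes:
        """MAC over the line index, the bounds and the in-bounds bytes of the line."""
        base = line * LINE
        msg = line.to_bytes(4, "big") + bytes([lo, hi]) + bytes(self.phys[base + lo:base + hi])
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG]

    @staticmethod
    def _line_span(line: int, la: int, size: int):
        """Portion of the linear range [la, la+size) that falls inside this line."""
        start = max(la, line * DATA)
        end = min(la + size, (line + 1) * DATA)
        return start - line * DATA, end - line * DATA

    @staticmethod
    def _lines(la: int, size: int):
        return range(la // DATA, (la + size - 1) // DATA + 1)

    def allocate(self, la: int, data: bytes) -> None:
        """Write an allocation and seal each touched line: bounds + MAC over the in-bounds bytes."""
        size = len(data)
        for off in range(size):
            self.phys[self.la_to_pa(la + off)] = data[off]
        for line in self._lines(la, size):
            lo, hi = self._line_span(line, la, size)
            base = line * LINE + META
            self.phys[base], self.phys[base + 1] = lo, hi
            self.phys[base + 2:base + 2 + TAG] = self._integrity(line, lo, hi)

    def read(self, la: int, size: int) -> bytes:
        """Every touched line is checked against its metadata before any byte is returned."""
        for line in self._lines(la, size):
            base = line * LINE + META
            lo, hi = self.phys[base], self.phys[base + 1]
            alo, ahi = self._line_span(line, la, size)
            if alo < lo or ahi > hi:
                raise PermissionError(f"line {line}: access [{alo},{ahi}) outside bounds [{lo},{hi})")
            stored = bytes(self.phys[base + 2:base + 2 + TAG])
            if not hmac.compare_digest(stored, self._integrity(line, lo, hi)):
                raise PermissionError(f"line {line}: integrity value mismatch")
        return bytes(self.phys[self.la_to_pa(la + i)] for i in range(size))
```

Two properties matter here. The bounds value is covered by the integrity value, so widening the bounds in the metadata region without the key invalidates the line just as corrupting the data does; and because the metadata is outside the linear address space, ordinary pointer arithmetic cannot reach it at all.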
-