公开(公告)号：US20220197995A1

公开(公告)日：2022-06-23

申请号：US17133455

申请日：2020-12-23

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Baruch Chaikin

IPC: G06F21/53 ,  G06F9/38 ,  G06F9/445 ,  G06F9/52 ,  G06F9/30 ,  G06F9/455

Abstract: Techniques and mechanisms to efficiently provide features of a secure authentication mode (SEAM) by a processor. In an embodiment, cores of the processor support an instruction set which comprises instructions to invoke the SEAM. One such core installs an authenticated code module (ACM), which is executed to load a persistent SEAM loader module (P-SEAMLDR) in a reserved region of a system memory. In turn, the P-SEAMLDR loads into the reserved region a SEAM module which facilitates trust domain extension (TDX) protections for a given trusted domain. In another embodiment, the instruction set supports a SEAM call instruction with which either of the P-SEAMLDR or the SEAM module is accessed in the reserved region.

公开(公告)号：US11139967B2

公开(公告)日：2021-10-05

申请号：US16228002

申请日：2018-12-20

Applicant: Intel Corporation

Inventor： Ido Ouziel ,  Arie Aharon ,  Dror Caspi ,  Baruch Chaikin ,  Jacob Doweck ,  Gideon Gerzon ,  Barry E. Huntley ,  Francis X. Mckeen ,  Gilbert Neiger ,  Carlos V. Rozas ,  Ravi L. Sahita ,  Vedvyas Shanbhogue ,  Assaf Zaltsman

IPC: H04L9/08 ,  G06F9/455 ,  G06F12/1009 ,  G06F21/60 ,  G06F21/62

Abstract: A processor includes a processor core. A register of the core is to store: a bit range for a number of address bits of physical memory addresses used for key identifiers (IDs), and a first key ID to identify a boundary between non-restricted key IDs and restricted key IDs of the key identifiers. A memory controller is to: determine, via access to bit range and the first key ID in the register, a key ID range of the restricted key IDs within the physical memory addresses; access a processor state that a first logical processor of the processor core executes in an untrusted domain mode; receive a memory transaction, from the first logical processor, including an address associated with a second key ID; and generate a fault in response to a determination that the second key ID is within a key ID range of the restricted key IDs.

公开(公告)号：US20190042766A1

公开(公告)日：2019-02-07

申请号：US16113013

申请日：2018-08-27

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Siddhartha Chhabra ,  Bin Xing ,  Reshma Lal ,  Baruch Chaikin

IPC: G06F21/60 ,  H04L9/08 ,  G06F21/62

Abstract: In one embodiment, an apparatus includes: a memory encryption circuit to encrypt data from a protected device, the data to be stored to a memory; and a filter circuit coupled to the memory encryption circuit, the filter circuit including a plurality of filter entries, each filter entry to store a channel identifier corresponding to a protected device, an access control policy for the protected device, and a session encryption key provided by an enclave, the enclave permitted to access the data according to the access control policy, where the filter circuit is to receive the session encryption key from the enclave in response to validation of the enclave. Other embodiments are described and claimed.

公开(公告)号：US20190004972A1

公开(公告)日：2019-01-03

申请号：US15637524

申请日：2017-06-29

Applicant: Intel Corporation

Inventor： Uri Bear ,  Gyora Benedek ,  Baruch Chaikin ,  Jacob Jack Doweck ,  Reuven Elbaum ,  Dimitry Kloper ,  Elad Peer ,  Chaim Shen-orr ,  Yonatan Shlomovich

IPC: G06F12/14 ,  G06F12/1009

Abstract: Various systems and methods for detecting and preventing side-channel attacks, including attacks aimed at discovering the location of KASLR-randomized privileged code sections in virtual memory address space, are described. In an example, a computing system includes electronic operations for detecting unauthorized attempts to access kernel virtual memory pages via trap entry detection, with operations including: generating a trap page with a physical memory address; assigning a phantom page at an open location in the privileged portion of the virtual memory address space; generating a plurality of phantom page table entries corresponding to an otherwise-unmapped privileged virtual memory region; placing the trap page in physical memory and placing the phantom page table entry in a page table map; and detecting an access to the trap page via the phantom page table entry, to trigger a response to a potential attack.

公开(公告)号：US20180189482A1

公开(公告)日：2018-07-05

申请号：US15907551

申请日：2018-02-28

Applicant: Intel Corporation

Inventor： Nadav Nesher ,  Alex Berenzon ,  Baruch Chaikin

IPC: G06F21/53 ,  G06F21/57 ,  G06F21/71

CPC classification number: G06F21/53 ,  G06F21/57 ,  G06F21/71 ,  H04L2209/127

Abstract: An embodiment includes a processor coupled to memory to perform operations comprising: creating a first trusted execution environment (TXE), in protected non-privileged user address space of the memory, which makes a first measurement for at least one of first data and first executable code and which encrypts the first measurement with a persistent first hardware based encryption key while the first measurement is within the first TXE; creating a second TXE, in the non-privileged user address space, which makes a second measurement for at least one of second data and second executable code; creating a third TXE in the non-privileged user address space; creating a first secure communication channel between the first and third TXEs and a second secure communication channel between the second and third TXEs; and communicating the first measurement between the first and third TXEs via the first secure communication channel. Other embodiments are described herein.

公开(公告)号：US12248807B2

公开(公告)日：2025-03-11

申请号：US17134339

申请日：2020-12-26

Applicant: INTEL CORPORATION

Inventor： Ravi Sahita ,  Dror Caspi ,  Vincent Scarlata ,  Sharon Yaniv ,  Baruch Chaikin ,  Vedvyas Shanbhogue ,  Jun Nakajima ,  Arumugam Thiyagarajah ,  Sean Christopherson ,  Haidong Xia ,  Vinay Awasthi ,  Isaku Yamahata ,  Wei Wang ,  Thomas Adelmeyer

IPC: G06F9/48 ,  G06F9/38 ,  G06F9/455 ,  G06F21/60

Abstract: Techniques for migration of a source protected virtual machine from a source platform to a destination platform are descried. A method of an aspect includes enforcing that bundles of state, of a first protected virtual machine (VM), received at a second platform over a stream, during an in-order phase of a migration of the first protected VM from a first platform to the second platform, are imported to a second protected VM of the second platform, in a same order that they were exported from the first protected VM. Receiving a marker over the stream marking an end of the in-order phase. Determining that all bundles of state exported from the first protected VM prior to export of the marker have been imported to the second protected VM. Starting an out-of-order phase of the migration based on the determination that said all bundles of the state exported have been imported.

公开(公告)号：US12153665B2

公开(公告)日：2024-11-26

申请号：US17133455

申请日：2020-12-23

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Baruch Chaikin

IPC: G06F21/53 ,  G06F9/30 ,  G06F9/38 ,  G06F9/445 ,  G06F9/455 ,  G06F9/52

Abstract: Techniques and mechanisms to efficiently provide features of a secure authentication mode (SEAM) by a processor. In an embodiment, cores of the processor support an instruction set which comprises instructions to invoke the SEAM. One such core installs an authenticated code module (ACM), which is executed to load a persistent SEAM loader module (P-SEAMLDR) in a reserved region of a system memory. In turn, the P-SEAMLDR loads into the reserved region a SEAM module which facilitates trust domain extension (TDX) protections for a given trusted domain. In another embodiment, the instruction set supports a SEAM call instruction with which either of the P-SEAMLDR or the SEAM module is accessed in the reserved region.

公开(公告)号：US20240220388A1

公开(公告)日：2024-07-04

申请号：US18091975

申请日：2022-12-30

Applicant: Intel Corporation

Inventor： Baruch Chaikin ,  Ahmad Yasin

IPC: G06F11/34 ,  G06F9/455 ,  G06F9/50

CPC classification number: G06F11/3466 ,  G06F9/45533 ,  G06F9/5011 ,  G06F2201/88

Abstract: Techniques for flexible virtualization of performance monitoring are described. In an embodiment, an apparatus includes a plurality of performance monitoring hardware resources and an instruction decoder to decode a first instruction to access a first performance monitoring hardware resource of the plurality of performance monitoring hardware resources. In response to the first instruction being received by a virtual machine, the apparatus is to determine whether the first performance monitoring hardware resource is allocated to the virtual machine based on an allocation model to allow any set of the performance monitoring hardware resources to be allocated to the virtual machine, execute the first instruction within the virtual machine in response to a determination that the first performance monitoring hardware resource is allocated to the virtual machine, and raise an exception within the virtual machine in response to a determination that the first performance monitoring hardware resource is not allocated to the virtual machine.

公开(公告)号：US10705976B2

公开(公告)日：2020-07-07

申请号：US16023537

申请日：2018-06-29

Applicant: Intel Corporation

Inventor： Ravi Sahita ,  Barry E. Huntley ,  Vedvyas Shanbhogue ,  Dror Caspi ,  Baruch Chaikin ,  Gilbert Neiger ,  Arie Aharon ,  Arumugam Thiyagarajah

IPC: G06F12/1036 ,  G06F12/14 ,  G06F9/455 ,  G06F12/109 ,  G06F21/53 ,  G06F21/78 ,  G06F12/1009 ,  G06F12/02

Abstract: Examples include a processor including at least one untrusted extended page table (EPT), circuitry to execute a set of instructions of the instruction set architecture (ISA) of the processor to manage at least one secure extended page table (SEPT), and a physical address translation component to translate a guest physical address of a guest physical memory to a host physical address of a host physical memory using one of the at least one untrusted EPT and the at least one SEPT.

公开(公告)号：US10339327B2

公开(公告)日：2019-07-02

申请号：US15628012

申请日：2017-06-20

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Reshma Lal ,  Siddhartha Chhabra ,  Gideon Gerzon ,  Baruch Chaikin ,  Bin Xing ,  William A. Stevens, Jr.

IPC: G06F21/76 ,  G06F21/60 ,  H04L29/06 ,  G06F21/57 ,  G06F13/28 ,  H04L9/32 ,  G06F13/20 ,  G06F21/62 ,  G06F21/85 ,  G09C1/00 ,  G06F21/70 ,  G06F21/51 ,  H04L9/06

Abstract: Technologies for securely binding a manifest to a platform include a computing device having a security engine and a field-programmable fuse. The computing device receives a platform manifest indicative of a hardware configuration of the computing device and a manifest hash. The security engine of the computing device blows a bit of a field programmable fuse and then stores the manifest hash and a counter value of the field-programmable fuse in integrity-protected non-volatile storage. In response to a platform reset, the security engine verifies the stored manifest hash and counter value and then determines whether the stored counter value matches the field-programmable fuse. If verified and current, trusted software may calculate a hash of the platform manifest and compare the calculated hash to the stored manifest hash. If matching, the platform manifest may be used to discover platform hardware. Other embodiments are described and claimed.