-
Publication (Announcement) No.: US10303900B2
Publication (Announcement) Date: 2019-05-28
Application No.: US14979002
Filing Date: 2015-12-22
Applicant: INTEL CORPORATION
Inventor: Siddhartha Chhabra , Gideon Gerzon , Reshma Lal , Bin Xing , Pradeep M. Pappachan , Steven B. McGowan
Abstract: Technologies for secure programming of a cryptographic engine include a computing device with a cryptographic engine and one or more I/O controllers. The computing device establishes an invoking secure enclave using secure enclave support of a processor. The invoking enclave configures channel programming information, including a channel key, and invokes a processor instruction with the channel programming information as a parameter. The processor generates wrapped programming information including an encrypted channel key and a message authentication code. The encrypted channel key is protected with a key known only to the processor. The invoking enclave provides the wrapped programming information to untrusted software, which invokes a processor instruction with the wrapped programming information as a parameter. The processor unwraps and verifies the wrapped programming information and then programs the cryptographic engine. The processor generates an authenticated response that may be verified by the invoking enclave. Other embodiments are described and claimed.
-
Publication (Announcement) No.: US20190140817A1
Publication (Announcement) Date: 2019-05-09
Application No.: US16150195
Filing Date: 2018-10-02
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan , Reshma Lal , Rakesh A. Ughreja , Kumar N. Dwarakanath , Victoria C. Moore
IPC: H04L9/00 , H04L29/06 , G06F21/57 , G06F21/83 , G06F21/60 , G06F9/54 , G06F21/44 , H04L9/08 , G06F21/84
CPC classification number: H04L9/00 , G06F9/54 , G06F21/445 , G06F21/57 , G06F21/606 , G06F21/83 , G06F21/84 , G06F2221/033 , H04L9/0838 , H04L63/0428 , H04L63/145
Abstract: Systems and methods include establishing a cryptographically secure communication between an application module and an audio module. The application module is configured to execute on an information-handling machine, and the audio module is coupled to the information-handling machine. The establishment of the cryptographically secure communication may be at least partially facilitated by a mutually trusted module.
-
Publication (Announcement) No.: US10248791B2
Publication (Announcement) Date: 2019-04-02
Application No.: US14974960
Filing Date: 2015-12-18
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan , Reshma Lal , Bin Xing , Siddhartha Chhabra , Vincent R. Scarlata , Steven B. McGowan
Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information. The computing device may collect application attestation information for a trusted application that uses the trusted I/O usage and verify the application attestation information. Other embodiments are described and claimed.
-
Publication (Announcement) No.: US20170364688A1
Publication (Announcement) Date: 2017-12-21
Application No.: US15628006
Filing Date: 2017-06-20
Applicant: Intel Corporation
Inventor: Soham Jayesh Desai , Siddhartha Chhabra , Bin Xing , Pradeep M. Pappachan , Reshma Lal
CPC classification number: G06F21/602 , G06F13/20 , G06F13/28 , G06F21/51 , G06F21/57 , G06F21/6218 , G06F21/6281 , G06F21/85 , G09C1/00 , H04L9/0637 , H04L9/32 , H04L9/3242 , H04L63/12 , H04L63/126
Abstract: Technologies for trusted I/O include a computing device having a hardware cryptographic agent, a cryptographic engine, and an I/O controller. The hardware cryptographic agent intercepts a message from the I/O controller and identifies boundaries of the message. The message may include multiple DMA transactions, and the start of message is the start of the first DMA transaction. The cryptographic engine encrypts the message and stores the encrypted data in a memory buffer. The cryptographic engine may skip and not encrypt header data starting at the start of message or may read a value from the header to determine the skip length. In some embodiments, the cryptographic agent and the cryptographic engine may be an inline cryptographic engine. In some embodiments, the cryptographic agent may be a channel identifier filter, and the cryptographic engine may be processor-based. Other embodiments are described and claimed.
-
Publication (Announcement) No.: US09426159B2
Publication (Announcement) Date: 2016-08-23
Application No.: US14498701
Filing Date: 2014-09-26
Applicant: Intel Corporation
Inventor: Reshma Lal , Pradeep M. Pappachan
CPC classification number: G06F21/44 , G06F21/32 , G06F21/602 , G06F21/606 , G06F21/6218 , H04L9/0816 , H04L9/083 , H04L9/14 , H04L9/321 , H04L9/3247 , H04L63/0428 , H04L63/061 , H04L63/10 , H04L2209/127
Abstract: Systems and methods include establishing a secure communication between an application module and a sensor module. The application module is executing on an information-handling machine, and the sensor module is coupled to the information-handling machine. The establishment of the secure communication is at least partially facilitated by a mutually trusted module.
-
Publication (Announcement) No.: US20250125966A1
Publication (Announcement) Date: 2025-04-17
Application No.: US18990178
Filing Date: 2024-12-20
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan , Reshma Lal
Abstract: Embodiments are directed to providing integrity-protected command buffer execution. An embodiment of an apparatus includes a computer-readable memory comprising one or more command buffers and a processing device communicatively coupled to the computer-readable memory to read, from a command buffer of the computer-readable memory, a first command received from a host device, the first command executable by one or more processing elements on the processing device, the first command comprising an instruction and associated parameter data, compute a first authentication tag using a cryptographic key associated with the host device, the instruction and at least a portion of the parameter data, and authenticate the first command by comparing the first authentication tag with a second authentication tag computed by the host device and associated with the command.
-
Publication (Announcement) No.: US20250103514A1
Publication (Announcement) Date: 2025-03-27
Application No.: US18974472
Filing Date: 2024-12-09
Applicant: Intel Corporation
Inventor: Reshma Lal , Pradeep M. Pappachan , Luis Kida , Krystof Zmudzinski , Siddhartha Chhabra , Abhishek Basak , Alpa Narendra Trivedi , Anna Trikalinou , David M. Lee , Vedvyas Shanbhogue , Utkarsh Y. Kakaiya
IPC: G06F12/14 , G06F9/38 , G06F9/455 , G06F12/0802 , G06F21/57 , G06F21/60 , G06F21/64 , G06F21/76 , G06F21/79 , H04L9/06 , H04L9/08 , H04L9/32 , H04L41/046 , H04L41/28
Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.
-
Publication (Announcement) No.: US12204662B2
Publication (Announcement) Date: 2025-01-21
Application No.: US18496108
Filing Date: 2023-10-27
Applicant: Intel Corporation
Inventor: Salessawi Ferede Yitbarek , Lawrence A. Booth, Jr. , Brent D. Thomas , Reshma Lal , Pradeep M. Pappachan , Akshay Kadam
Abstract: Embodiments are directed to protection of communications between a trusted execution environment and a hardware accelerator utilizing enhanced end-to-end encryption and inter-context security. An embodiment of an apparatus includes one or more processors having one or more trusted execution environments (TEEs) including a first TEE to include a first trusted application; an interface with a hardware accelerator, the hardware accelerator including trusted embedded software or firmware; and a computer memory to store an untrusted kernel mode driver for the hardware accelerator, the one or more processors to establish an encrypted tunnel between the first trusted application in the first TEE and the trusted software or firmware, generate a call for a first command from the first trusted application, generate an integrity tag for the first command, and transfer command parameters for the first command and the integrity tag to the kernel mode driver to generate the first command.
-
Publication (Announcement) No.: US12189542B2
Publication (Announcement) Date: 2025-01-07
Application No.: US17543267
Filing Date: 2021-12-06
Applicant: Intel Corporation
Inventor: Reshma Lal , Pradeep M. Pappachan , Luis Kida , Krystof Zmudzinski , Siddhartha Chhabra , Abhishek Basak , Alpa Narendra Trivedi , Anna Trikalinou , David M. Lee , Vedvyas Shanbhogue , Utkarsh Y. Kakaiya
IPC: G06F12/14 , G06F9/38 , G06F9/455 , G06F12/0802 , G06F21/57 , G06F21/60 , G06F21/64 , G06F21/76 , G06F21/79 , H04L9/06 , H04L9/08 , H04L9/32 , H04L41/046 , H04L41/28
Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.
-
Publication (Announcement) No.: US20240121097A1
Publication (Announcement) Date: 2024-04-11
Application No.: US18391375
Filing Date: 2023-12-20
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan , Reshma Lal
CPC classification number: H04L9/3226 , G06F21/602 , H04L9/085
Abstract: Embodiments are directed to providing integrity-protected command buffer execution. An embodiment of an apparatus includes a computer-readable memory comprising one or more command buffers and a processing device communicatively coupled to the computer-readable memory to read, from a command buffer of the computer-readable memory, a first command received from a host device, the first command executable by one or more processing elements on the processing device, the first command comprising an instruction and associated parameter data, compute a first authentication tag using a cryptographic key associated with the host device, the instruction and at least a portion of the parameter data, and authenticate the first command by comparing the first authentication tag with a second authentication tag computed by the host device and associated with the command.