公开(公告)号：US20220207138A1

公开(公告)日：2022-06-30

申请号：US17134350

申请日：2020-12-26

Applicant: Intel Corporation

Inventor： Carlos Rozas ,  Fangfei Liu ,  Xiang Zou ,  Francis McKeen ,  Jason W. Brandt ,  Joseph Nuzman ,  Alaa Alameldeen ,  Abhishek Basak ,  Scott Constable ,  Thomas Unterluggauer ,  Asit Mallick ,  Matthew Fernandez

IPC: G06F21/55 ,  G06F21/54 ,  G06F9/30 ,  G06F9/38

Abstract: Embodiments for dynamically mitigating speculation vulnerabilities are disclosed. In an embodiment, an apparatus includes a decode circuitry and store circuitry coupled to the decode circuitry. The decode circuitry is to decode a store hardening instruction to mitigate vulnerability to a speculative execution attack. The store circuitry is to be hardened in response to the store hardening instruction.

公开(公告)号：US11347839B2

公开(公告)日：2022-05-31

申请号：US16452916

申请日：2019-06-26

Applicant: INTEL CORPORATION

Inventor： Abhishek Basak ,  Ravi L. Sahita ,  Vedvyas Shanbhogue

IPC: G06F21/00 ,  G06F21/52 ,  G06F12/126 ,  G06F12/06

Abstract: Various embodiments are generally directed to techniques for control flow protection with minimal performance overhead, such as by utilizing one or more micro-architectural optimizations to implement a shadow stack (SS) to verify a return address before returning from a function call, for instance. Some embodiments are particularly directed to a computing platform, such as an internet of things (IoT) platform, that overlaps or parallelizes one or more SS access operations with one or more data stack (DS) access operations.

公开(公告)号：US20220121447A1

公开(公告)日：2022-04-21

申请号：US17560363

申请日：2021-12-23

Applicant: Intel Corporation

Inventor： Abhishek Basak ,  Santosh Ghosh ,  Michael D. LeMay ,  David M. Durham

IPC: G06F9/38 ,  G06F9/30

Abstract: In one embodiment, a processor includes a memory hierarchy and a core. The core includes circuitry to access an encoded code pointer for a load instruction and perform a memory disambiguation (MD) lookup using a subset of address bits indicated by the encoded code pointer and context information indicated by one or more of the encoded code pointer or an encoded data pointer of the load instruction. The circuitry is further to determine, based on the MD lookup, that the load instruction is predicted to be independent from previous store instructions and forward the load instruction for out-of-order execution based on the determination.

公开(公告)号：US20220091998A1

公开(公告)日：2022-03-24

申请号：US17543267

申请日：2021-12-06

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep M. Pappachan ,  Luis Kida ,  Krystof Zmudzinski ,  Siddhartha Chhabra ,  Abhishek Basak ,  Alpa Narendra Trivedi ,  Anna Trikalinou ,  David M. Lee ,  Vedvyas Shanbhogue ,  Utkarsh Y. Kakaiya

IPC: G06F12/14 ,  H04L9/32 ,  G06F21/76 ,  G06F21/60 ,  H04L9/08 ,  G06F9/455 ,  G06F21/57 ,  G06F21/64 ,  H04L12/24 ,  G06F21/79 ,  H04L9/06 ,  G06F9/38 ,  G06F12/0802

Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.

公开(公告)号：US11163913B2

公开(公告)日：2021-11-02

申请号：US16234871

申请日：2018-12-28

Applicant: Intel Corporation

Inventor： Luis Kida ,  Krystof Zmudzinski ,  Reshma Lal ,  Pradeep Pappachan ,  Abhishek Basak ,  Anna Trikalinou

IPC: G06F21/78 ,  G06F21/44 ,  G06F21/85

Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range includes a shared key identifier range to be used for untrusted I/O devices and receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.

公开(公告)号：US11144468B2

公开(公告)日：2021-10-12

申请号：US16024072

申请日：2018-06-29

Applicant: Intel Corporation

Inventor： Abhishek Basak ,  Arun Kanuparthi ,  Nagaraju N. Kodalapura ,  Jason M. Fung

IPC: G06F12/0891

Abstract: A system may include a processor and a memory, the processor having at least one cache. The cache may include a plurality of sets, each set having a plurality of cache lines. Each cache line may include several bits for storing information, including at least a “shared” bit to indicate whether the cache line is shared between different processes being executed by the processor. The example cache may also include shared cache line detection and eviction logic. During normal operation, the cache logic may monitor for a context switch (i.e., determine if the processor is switching from executing instructions for a first process to executing instructions for a second process). Upon a context switch, the cache logic may evict the shared cache lines (e.g., the cache lines with a shared bit of 1). This eviction of shared cache lines may prevent attackers utilizing such attacks from gleaning meaningful information.

公开(公告)号：US20210117576A1

公开(公告)日：2021-04-22

申请号：US17109742

申请日：2020-12-02

Applicant: Intel Corporation

Inventor： Krystof Zmudzinski ,  Siddhartha Chhabra ,  Reshma Lal ,  Alpa Narendra Trivedi ,  Luis S. Kida ,  Pradeep M. Pappachan ,  Abhishek Basak ,  Anna Trikalinou

IPC: G06F21/78 ,  G06F9/455 ,  G06F9/46 ,  G06F9/50 ,  G06F12/1009 ,  G06F13/28 ,  G06F21/53 ,  G06F21/57 ,  G06F21/62 ,  G06F21/85 ,  H04L9/32

Abstract: Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.

公开(公告)号：US20190042479A1

公开(公告)日：2019-02-07

申请号：US16024198

申请日：2018-06-29

Applicant: Intel Corporation

Inventor： Abhishek Basak ,  Li Chen ,  Ravi Sahita

IPC: G06F12/14 ,  G06F12/0891 ,  G06F21/55

Abstract: A system may include a processor and a memory, the processor having at least one cache as well as memory access monitoring logic. The cache may include a plurality of sets, each set having a plurality of cache lines. Each cache line includes several bits for storing information. During normal operation, the memory access monitoring logic may monitor for a memory access pattern indicative of a side-channel attack (e.g., an abnormally large number of recent CLFLUSH instructions). Upon detecting a possible side-channel attack, the memory access monitoring logic may implement one of several mitigation policies, such as, for example, restricting execution of CLFLUSH operations. Due to the nature of cache-timing side-channel attacks, this prevention of CLFLUSH may prevent attackers utilizing such attacks from gleaning meaningful information.

公开(公告)号：US12210660B2

公开(公告)日：2025-01-28

申请号：US17548170

申请日：2021-12-10

Applicant: Intel Corporation

Inventor： Anna Trikalinou ,  Abhishek Basak ,  Rupin H. Vakharwala ,  Utkarsh Y. Kakaiya

IPC: G06F21/83 ,  G06F21/62 ,  G06F21/78

Abstract: In one embodiment, a read request is received from a peripheral device across an interconnect, with the read request including a process identifier and an encrypted virtual address. One or more keys are obtained based on the process identifier of the read request, and the encrypted virtual address of the read request is decrypted based on the one or more keys to obtain an unencrypted virtual address. Encrypted data is retrieved from memory based on the unencrypted virtual address, and the encrypted data is decrypted based on the one or more keys to obtain plaintext data. The plaintext data is transmitted to the peripheral device across the interconnect.

公开(公告)号：US12189542B2

公开(公告)日：2025-01-07

申请号：US17543267

申请日：2021-12-06

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep M. Pappachan ,  Luis Kida ,  Krystof Zmudzinski ,  Siddhartha Chhabra ,  Abhishek Basak ,  Alpa Narendra Trivedi ,  Anna Trikalinou ,  David M. Lee ,  Vedvyas Shanbhogue ,  Utkarsh Y. Kakaiya

IPC: G06F12/14 ,  G06F9/38 ,  G06F9/455 ,  G06F12/0802 ,  G06F21/57 ,  G06F21/60 ,  G06F21/64 ,  G06F21/76 ,  G06F21/79 ,  H04L9/06 ,  H04L9/08 ,  H04L9/32 ,  H04L41/046 ,  H04L41/28

Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.