公开(公告)号：US20200151362A1

公开(公告)日：2020-05-14

申请号：US16740373

申请日：2020-01-10

Applicant: Intel Corporation

Inventor： David J. Harriman ,  Raghunandan Makaram ,  Ioannis T. Schoinas ,  Vedvyas Shanbhogue ,  Siddhartha Chhabra ,  Kapil Sood

IPC: G06F21/64 ,  H04L9/06 ,  G06F21/60

Abstract: A system may include a root port and an endpoint upstream port. The root port may include transaction layer hardware circuitry to determine, by logic circuitry at a transaction layer of a protocol stack of a device, that a packet is to traverse to a link partner on a secure stream, authenticate a receiving port of the link partner, configure a transaction layer packet (TLP) prefix to identify the TLP as a secure TLP, associating the secure TLP with the secure stream, apply integrity protection and data encryption to the Secure TLP, transmit the secure TLP across the secure stream to the link partner.

公开(公告)号：US09990327B2

公开(公告)日：2018-06-05

申请号：US14880443

申请日：2015-10-12

Applicant: Intel Corporation

Inventor： Michael T. Klinglesmith ,  Chang Yong Kang ,  Robert DeGruijl ,  Ioannis T. Schoinas ,  Darren Abramson ,  Khee Wooi Lee

IPC: G06F13/14 ,  G06F13/42 ,  G06F3/06 ,  G06F12/0817 ,  G06F13/16

CPC classification number: G06F13/4282 ,  G06F3/0604 ,  G06F3/0644 ,  G06F3/068 ,  G06F12/0828 ,  G06F13/1663 ,  G06F2212/621

Abstract: In one embodiment, a system includes: a first root space associated with a first root space identifier and including at least one first host processor and a first agent, the at least one first host processor and the first agent associated with the first root space identifier; a second root space associated with a second root space identifier and including at least one second host processor and a second agent, the at least one second host processor and the second agent associated with the second root space identifier; and a shared fabric to couple the first root space and the second root space, the shared fabric to route a transaction to the first root space or the second root space based at least in part on a root space field of the transaction. Other embodiments are described and claimed.

公开(公告)号：US20230315857A1

公开(公告)日：2023-10-05

申请号：US18131199

申请日：2023-04-05

Applicant: Intel Corporation

Inventor： Ravi L. Sahita ,  Baiju V. Patel ,  Barry E. Huntley ,  Gilbert Neiger ,  Hormuzd M. Khosravi ,  Ido Ouziel ,  David M. Durham ,  Ioannis T. Schoinas ,  Siddhartha Chhabra ,  Carlos V. Rozas ,  Gideon Gerzon

IPC: G06F21/57 ,  G06F21/62 ,  G06F12/14 ,  H04L9/06 ,  H04L9/40 ,  G06F21/53 ,  G06F21/71 ,  G06F21/79

CPC classification number: G06F21/57 ,  G06F21/6218 ,  G06F12/1408 ,  H04L9/0618 ,  H04L63/061 ,  G06F21/53 ,  G06F21/71 ,  G06F21/79 ,  G06F2009/45587

Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.

公开(公告)号：US11361093B2

公开(公告)日：2022-06-14

申请号：US16367204

申请日：2019-03-27

Applicant: Intel Corporation

Inventor： David J. Harriman ,  Ioannis T. Schoinas ,  Kapil Sood ,  Raghunandan Makaram ,  Yu-Yuan Chen

IPC: G06F21/62 ,  G06F21/64

Abstract: First data is stored. A request for the first data is received from a communication device over a link established with a communication device. An access control engine comprising circuitry is to control access to the first data to the communication device based on an authentication state of the communication device and a protection state of the link.

公开(公告)号：US20220019667A1

公开(公告)日：2022-01-20

申请号：US17354733

申请日：2021-06-22

Applicant: Intel Corporation

Inventor： Kapil Sood ,  Ioannis T. Schoinas ,  Yu-Yuan Chen ,  Raghunandan Makaram ,  David J. Harriman ,  Baiju Patel ,  Ronald Perez ,  Matthew E. Hoekstra ,  Reshma Lal

IPC: G06F21/57 ,  G06F9/50 ,  G06F21/85 ,  G06F21/72 ,  G06F21/53

Abstract: In one embodiment, an apparatus comprises a processor to: receive a request to configure a secure execution environment for a first workload; configure a first set of secure execution enclaves for execution of the first workload, wherein the first set of secure execution enclaves is configured on a first set of processing resources, wherein the first set of processing resources comprises one or more central processing units and one or more accelerators; configure a first set of secure datapaths for communication among the first set of secure execution enclaves during execution of the first workload, wherein the first set of secure datapaths is configured over a first set of interconnect resources; configure the secure execution environment for the first workload, wherein the secure execution environment comprises the first set of secure execution enclaves and the first set of secure datapaths.

公开(公告)号：US11176059B2

公开(公告)日：2021-11-16

申请号：US16831976

申请日：2020-03-27

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Amy L. Santoni ,  Gilbert Neiger ,  Barry E. Huntley ,  Hormuzd M. Khosravi ,  Baiju V. Patel ,  Ravi L. Sahita ,  Gideon Gerzon ,  Ido Ouziel ,  Ioannis T. Schoinas ,  Rajesh M. Sankaran

IPC: G06F12/14 ,  G06F21/53 ,  G06F21/78 ,  G06F21/60 ,  G06F21/82 ,  G06F3/06

Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.

公开(公告)号：US11100023B2

公开(公告)日：2021-08-24

申请号：US15718178

申请日：2017-09-28

Applicant: Intel Corporation

Inventor： Ruirui Huang ,  Nilanjan Palit ,  Robert P. Adler ,  Ioannis T. Schoinas ,  Avishay Snir ,  Boris Dolgunov

IPC: G06F13/40 ,  H04L12/741 ,  G06F15/78 ,  H04L29/06

Abstract: In one example, a semiconductor die includes a plurality of agents and a fabric coupled to at least some of the plurality of agents. The fabric may include at least one router to provide communication between two or more of the plurality of agents, the at least one router coupled to a first agent of the plurality of agents, where the first agent is to send a first message to the at least one router, the first message comprising a first header including a first source identifier, and the at least one router is to validate that the first source identifier is associated with the first agent and if so to direct the first message towards a destination agent, and otherwise to prevent the first message from being directed towards the destination agent. Other embodiments are described and claimed.

公开(公告)号：US11070527B2

公开(公告)日：2021-07-20

申请号：US16372353

申请日：2019-04-01

Applicant: Intel Corporation

Inventor： David J. Harriman ,  Raghunandan Makaram ,  Ioannis T. Schoinas ,  Kapil Sood ,  Yu-Yuan Chen ,  Vedvyas Shanbhogue ,  Siddhartha Chhabra ,  Reshma Lal ,  Reouven Elbaz

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/06 ,  G06F13/42

Abstract: A protected link between a first computing device and a second computing device is set up, wherein communication over the protected link is to comply with a communication protocol that allows packets to be reordered during transit. A plurality of packets are generated according to a packet format that ensures the plurality of packets will not be reordered during transmission over the protected link, the plurality of packets comprising a first packet and a second packet. Data of the plurality of packets are encrypted for transmission over the protected link, wherein data of the first packet is encrypted based on the cryptographic key and a first value of a counter and data of the second packet is encrypted based on the cryptographic key and a second value of the counter.

公开(公告)号：US11048800B2

公开(公告)日：2021-06-29

申请号：US16362218

申请日：2019-03-22

Applicant: Intel Corporation

Inventor： Kapil Sood ,  Ioannis T. Schoinas ,  Yu-Yuan Chen ,  Raghunandan Makaram ,  David J. Harriman ,  Baiju Patel ,  Ronald Perez ,  Matthew E. Hoekstra ,  Reshma Lal

IPC: G06F21/57 ,  G06F9/50 ,  G06F21/85 ,  G06F21/72 ,  G06F21/53

Abstract: In one embodiment, an apparatus comprises a processor to: receive a request to configure a secure execution environment for a first workload; configure a first set of secure execution enclaves for execution of the first workload, wherein the first set of secure execution enclaves is configured on a first set of processing resources, wherein the first set of processing resources comprises one or more central processing units and one or more accelerators; configure a first set of secure datapaths for communication among the first set of secure execution enclaves during execution of the first workload, wherein the first set of secure datapaths is configured over a first set of interconnect resources; configure the secure execution environment for the first workload, wherein the secure execution environment comprises the first set of secure execution enclaves and the first set of secure datapaths.

公开(公告)号：US20210064254A1

公开(公告)日：2021-03-04

申请号：US16643836

申请日：2017-09-29

Applicant: Intel Corporation

Inventor： David M. Durham ,  Ravi L. Sahita ,  Vedvyas Shanbhogue ,  Barry E. Huntley ,  Baiju Patel ,  Gideon Gerzon ,  Ioannis T. Schoinas ,  Hormuzd M. Khosravi ,  Siddhartha Chhabra ,  Carlos V. Rozas

IPC: G06F3/06 ,  G06F9/455

Abstract: There is disclosed a microprocessor, including: a processing core; and a total memory encryption (TME) engine to provide TME for a first trust domain (TD), and further to: allocate a block of physical memory to the first TD and a first cryptographic key to the first TD; map within an extended page table (EPT) a host physical address (HPA) space to a guest physical address (GPA) space of the TD; create a memory ownership table (MOT) entry for a memory page within the block of physical memory, wherein the MOT table comprises a GPA reverse mapping; encrypt the MOT entry using the first cryptographic key; and append to the MOT entry verification data, wherein the MOT entry verification data enables detection of an attack on the MOT entry.