公开(公告)号：US20140101461A1

公开(公告)日：2014-04-10

申请号：US13646105

申请日：2012-10-05

申请人： Siddhartha Chhabra ,  Uday R. Savagaonkar ,  David M. Durham ,  Niranjan L. Cooray ,  Men Long ,  Carlos V. Rozas ,  Alpa T. Narendra Trivedi

发明人： Siddhartha Chhabra ,  Uday R. Savagaonkar ,  David M. Durham ,  Niranjan L. Cooray ,  Men Long ,  Carlos V. Rozas ,  Alpa T. Narendra Trivedi

IPC分类号： G06F12/14

CPC分类号： G06F12/1408 ,  G06F21/71

摘要： A processor includes a memory encryption engine that provides replay and confidentiality protections to a memory region. The memory encryption engine performs low-overhead parallelized tree walks along a counter tree structure. The memory encryption engine upon receiving an incoming read request for the protected memory region, performs a dependency check operation to identify dependency between the incoming read request and an in-process request and to remove the dependency when the in-process request is a read request that is not currently suspended.

摘要翻译： 处理器包括为存储器区域提供重放和保密性保护的存储器加密引擎。 存储器加密引擎沿着计数器树结构执行低架构并行化的树行走。 存储器加密引擎在接收到对受保护的存储器区域的传入读取请求时，执行依赖性检查操作以识别传入的读取请求与进程内请求之间的依赖关系，并且当进程内请求是读取请求时，去除依赖关系 目前尚未暂停。

公开(公告)号：US08819455B2

公开(公告)日：2014-08-26

申请号：US13646105

申请日：2012-10-05

申请人： Siddhartha Chhabra ,  Uday R. Savagaonkar ,  David M. Durham ,  Niranjan L. Cooray ,  Men Long ,  Carlos V. Rozas ,  Alpa T. Narendra Trivedi

发明人： Siddhartha Chhabra ,  Uday R. Savagaonkar ,  David M. Durham ,  Niranjan L. Cooray ,  Men Long ,  Carlos V. Rozas ,  Alpa T. Narendra Trivedi

IPC分类号： G06F11/30 ,  G06F12/14

CPC分类号： G06F12/1408 ,  G06F21/71

摘要： A processor includes a memory encryption engine that provides replay and confidentiality protections to a memory region. The memory encryption engine performs low-overhead parallelized tree walks along a counter tree structure. The memory encryption engine upon receiving an incoming read request for the protected memory region, performs a dependency check operation to identify dependency between the incoming read request and an in-process request and to remove the dependency when the in-process request is a read request that is not currently suspended.

摘要翻译： 处理器包括为存储器区域提供重放和保密性保护的存储器加密引擎。 存储器加密引擎沿着计数器树结构执行低架构并行化的树行走。 存储器加密引擎在接收到对受保护的存储器区域的传入读取请求时，执行依赖性检查操作以识别传入的读取请求与进程内请求之间的依赖关系，并且当进程内请求是读取请求时，去除依赖关系 目前尚未暂停。

公开(公告)号：US20140208109A1

公开(公告)日：2014-07-24

申请号：US13976935

申请日：2011-12-28

申请人： Alpa T. Narendra Trivedi ,  David M. Durham ,  Men Long ,  Siddhartha Chhabra ,  Uday R. Savagaonkar ,  Carlos V. Rozas

发明人： Alpa T. Narendra Trivedi ,  David M. Durham ,  Men Long ,  Siddhartha Chhabra ,  Uday R. Savagaonkar ,  Carlos V. Rozas

IPC分类号： H04L29/06

CPC分类号： G06F21/64 ,  G06F12/1408 ,  G06F21/78 ,  G06F21/79 ,  H04L9/0643 ,  H04L2209/12

摘要： A method and system to provide an effective, scalable and yet low-cost solution for Confidentiality, Integrity and Replay protection for sensitive information stored in a memory and prevent an attacker from observing and/or modifying the state of the system. In one embodiment of the invention, the system has strong hardware protection for its memory contents via XTS-tweak mode of encryption where the tweak is derived based on “Global and Local Counters”. This scheme offers to enable die-area efficient Replay protection for any sized memory by allowing multiple counter levels and facilitates using small counter-sizes to derive the “tweak” used in the XTS encryption without sacrificing cryptographic strength.

摘要翻译： 一种方法和系统，为存储在存储器中的敏感信息提供有效，可扩展且低成本的保密性，完整性和重放保护解决方案，并防止攻击者观察和/或修改系统的状态。 在本发明的一个实施例中，系统通过经由XTS调整加密模式对其存储器内容具有强大的硬件保护，其中基于“全局和本地计数器”导出调整。 该方案提供了通过允许多个计数器级别为任何大小的存储器提供芯片区域高效的重放保护，并有助于使用小型计数器来导出XTS加密中使用的“调​​整”，而不会牺牲加密强度。

公开(公告)号：US20140040632A1

公开(公告)日：2014-02-06

申请号：US13976930

申请日：2011-12-28

申请人： Siddhartha Chhabra ,  Uday R. Savagaonkar ,  Carlos V. Rozas ,  Alpa T. Narendra Trivedi ,  Men Long ,  David M. Durham

发明人： Siddhartha Chhabra ,  Uday R. Savagaonkar ,  Carlos V. Rozas ,  Alpa T. Narendra Trivedi ,  Men Long ,  David M. Durham

IPC分类号： G06F21/64

CPC分类号： G06F21/64 ,  G06F12/1408 ,  G06F21/00 ,  G06F21/77

摘要： A method and system to provide a low-overhead cryptographic scheme that affords memory confidentiality, integrity and replay-protection by removing the critical read-after-write dependency between the various levels of the cryptographic tree. In one embodiment of the invention, the cryptographic processing of a child node can be pipelined with that of the parent nodes. This parallelization provided by the invention results in an efficient utilization of the cryptographic pipeline, enabling significantly lower performance overheads.

摘要翻译： 一种提供低开销加密方案的方法和系统，其通过去除加密树的各个级别之间的关键读后依赖关系来提供内存机密性，完整性和重放保护。 在本发明的一个实施例中，子节点的密码处理可以与母节点的密码处理流水线化。 由本发明提供的这种并行化导致密码流水线的有效利用，能够显着降低性能开销。

公开(公告)号：US09053346B2

公开(公告)日：2015-06-09

申请号：US13976930

申请日：2011-12-28

申请人： Siddhartha Chhabra ,  Uday R. Savagaonkar ,  Carlos V. Rozas ,  Alpa T. Narendra Trivedi ,  Men Long ,  David M. Durham

发明人： Siddhartha Chhabra ,  Uday R. Savagaonkar ,  Carlos V. Rozas ,  Alpa T. Narendra Trivedi ,  Men Long ,  David M. Durham

IPC分类号： G06F12/00 ,  G06F21/64 ,  G06F12/14 ,  G06F21/00 ,  G06F21/77

CPC分类号： G06F21/64 ,  G06F12/1408 ,  G06F21/00 ,  G06F21/77

摘要： A method and system to provide a low-overhead cryptographic scheme that affords memory confidentiality, integrity and replay-protection by removing the critical read-after-write dependency between the various levels of the cryptographic tree. In one embodiment of the invention, the cryptographic processing of a child node can be pipelined with that of the parent nodes. This parallelization provided by the invention results in an efficient utilization of the cryptographic pipeline, enabling significantly lower performance overheads.

摘要翻译： 一种提供低开销加密方案的方法和系统，其通过去除加密树的各个级别之间的关键读后依赖关系来提供内存机密性，完整性和重放保护。 在本发明的一个实施例中，子节点的密码处理可以与母节点的密码处理流水线化。 由本发明提供的这种并行化导致密码流水线的有效利用，能够显着降低性能开销。

公开(公告)号：US09076019B2

公开(公告)日：2015-07-07

申请号：US13977213

申请日：2011-06-29

申请人： Shay Gueron ,  Uday Savagaonkar ,  Francis X. McKeen ,  Carlos V. Rozas ,  David M. Durham ,  Jacob Doweck ,  Ofir Mulla ,  Ittai Anati ,  Zvika Greenfield ,  Moshe Maor

发明人： Shay Gueron ,  Uday Savagaonkar ,  Francis X. McKeen ,  Carlos V. Rozas ,  David M. Durham ,  Jacob Doweck ,  Ofir Mulla ,  Ittai Anati ,  Zvika Greenfield ,  Moshe Maor

IPC分类号： G06F21/00 ,  G06F21/72 ,  G06F12/14

CPC分类号： G06F21/72 ,  G06F12/1408 ,  G06F21/00 ,  G06F21/64 ,  H04L9/0637 ,  H04L9/3242

摘要： A method and apparatus to provide cryptographic integrity checks and replay protection to protect against hardware attacks on system memory is provided. A mode of operation for block ciphers enhances the standard XTS-AES mode of operation to perform memory encryption by extending a tweak to include a “time stamp” indicator. A tree-based replay protection scheme uses standard XTS-AES to encrypt contents of a cache line in the system memory. A Message-Authentication Code (MAC) for the cache line is encrypted using enhanced XTS-AES and a “time stamp” indicator associated with the cache line. The “time stamp indicator” is stored in a processor.

摘要翻译： 提供了一种提供加密完整性检查和重放保护以防止对系统存储器的硬件​​攻击的方法和装置。 分组密码的操作模式增强了标准的XTS-AES操作模式，通过扩展调整以包括“时间戳”指示符来执行存储器加密。 基于树的重放保护方案使用标准的XTS-AES来加密系统内存中的高速缓存行的内容。 高速缓存行的消息认证码（MAC）使用增强型XTS-AES和与高速缓存行相关联的“时间戳”指示符进行加密。 “时间戳指示符”存储在处理器中。

公开(公告)号：US20140223197A1

公开(公告)日：2014-08-07

申请号：US13977213

申请日：2011-06-29

申请人： Shay Gueron ,  Uday Savagaonkar ,  Francis X. McKeen ,  Carlos V. Rozas ,  David M. Durham ,  Jacob Doweck ,  Ofir Mulla ,  Ittai Anati ,  Zvika Greenfield ,  Moshe Maor

发明人： Shay Gueron ,  Uday Savagaonkar ,  Francis X. McKeen ,  Carlos V. Rozas ,  David M. Durham ,  Jacob Doweck ,  Ofir Mulla ,  Ittai Anati ,  Zvika Greenfield ,  Moshe Maor

IPC分类号： G06F21/72

CPC分类号： G06F21/72 ,  G06F12/1408 ,  G06F21/00 ,  G06F21/64 ,  H04L9/0637 ,  H04L9/3242

摘要： A method and apparatus to provide cryptographic integrity checks and replay protection to protect against hardware attacks on system memory is provided. A mode of operation for block ciphers enhances the standard XTS-AES mode of operation to perform memory encryption by extending a tweak to include a “time stamp” indicator. A tree-based replay protection scheme uses standard XTS-AES to encrypt contents of a cache line in the system memory. A Message-Authentication Code (MAC) for the cache line is encrypted using enhanced XTS-AES and a “time stamp” indicator associated with the cache line. The “time stamp indicator” is stored in a processor.

摘要翻译： 提供了一种提供加密完整性检查和重放保护以防止对系统存储器的硬件​​攻击的方法和装置。 分组密码的操作模式增强了标准的XTS-AES操作模式，通过扩展调整以包括“时间戳”指示符来执行存储器加密。 基于树的重放保护方案使用标准的XTS-AES来加密系统内存中的高速缓存行的内容。 高速缓存行的消息认证码（MAC）使用增强型XTS-AES和与高速缓存行相关联的“时间戳”指示符进行加密。 “时间戳指示符”存储在处理器中。

公开(公告)号：US20180114013A1

公开(公告)日：2018-04-26

申请号：US15298419

申请日：2016-10-20

申请人： Kapil Sood ,  Somnath Chakrabarti ,  Wei Shen ,  Carlos V. Rozas ,  Mona Vij ,  Vincent R. Scarlata

发明人： Kapil Sood ,  Somnath Chakrabarti ,  Wei Shen ,  Carlos V. Rozas ,  Mona Vij ,  Vincent R. Scarlata

IPC分类号： G06F21/53 ,  G06F12/14 ,  G06F21/57 ,  G06F21/44 ,  G06F9/455 ,  G06F9/445

CPC分类号： G06F21/53 ,  G06F8/61 ,  G06F9/45558 ,  G06F12/1408 ,  G06F21/44 ,  G06F21/572 ,  G06F21/606 ,  G06F2009/45587 ,  G06F2212/1052 ,  G06F2212/152 ,  G06F2212/402

摘要： Methods and apparatus for extending packet processing to trusted programmable and fixed-function accelerators. Secure enclaves are created in system memory of a compute platform, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The compute platform further includes one or more hardware-based accelerators that are used by the software to offload packet processing operations. The accelerators are configured to read packet data from input queues, process the data, and output processed data to output queues, wherein the input and output queues are located in encrypted portions of memory that may be in a secure enclave or external to the secure enclaves. Tokens are used by accelerators to validate access to memory in secure enclaves, and used by both accelerators and secure enclaves to access encrypted memory external to secure enclaves.

公开(公告)号：US08595483B2

公开(公告)日：2013-11-26

申请号：US13329713

申请日：2011-12-19

申请人： Carlos V. Rozas

发明人： Carlos V. Rozas

IPC分类号： H04L29/00

CPC分类号： G06F21/57 ,  G06F2221/2101 ,  G06F2221/2129 ,  G06F2221/2145

摘要： In one embodiment, the present invention includes a method for creating an instance of a virtual trusted platform module (TPM) in a central platform and associating the instance with a managed platform coupled to the central platform. Multiple such vTPM's may be instantiated, each associated with a different managed platform coupled to the central platform. The instances may all be maintained on the central platform, improving security. Other embodiments are described and claimed.

摘要翻译： 在一个实施例中，本发明包括用于在中央平台中创建虚拟可信平台模块（TPM）的实例并将该实例与耦合到中央平台的受管平台相关联的方法。 多个这样的vTPM可以被实例化，每个都与耦合到中央平台的不同的管理平台相关联。 这些实例都可以在中央平台上维护，从而提高安全性。 描述和要求保护其他实施例。

公开(公告)号：US08108668B2

公开(公告)日：2012-01-31

申请号：US11474778

申请日：2006-06-26

申请人： Carlos V. Rozas

发明人： Carlos V. Rozas

IPC分类号： H04L9/00

CPC分类号： G06F21/57 ,  G06F2221/2101 ,  G06F2221/2129 ,  G06F2221/2145

摘要： In one embodiment, the present invention includes a method for creating an instance of a virtual trusted platform module (TPM) in a central platform and associating the instance with a managed platform coupled to the central platform. Multiple such vTPM's may be instantiated, each associated with a different managed platform coupled to the central platform. The instances may all be maintained on the central platform, improving security. Other embodiments are described and claimed.

摘要翻译： 在一个实施例中，本发明包括用于在中央平台中创建虚拟可信平台模块（TPM）的实例并将该实例与耦合到中央平台的受管平台相关联的方法。 多个这样的vTPM可以被实例化，每个都与耦合到中央平台的不同的管理平台相关联。 这些实例都可以在中央平台上维护，从而提高安全性。 描述和要求保护其他实施例。