公开(公告)号：US20170249261A1

公开(公告)日：2017-08-31

申请号：US15175348

申请日：2016-06-07

Applicant: Intel Corporation

Inventor： DAVID M. DURHAM ,  RAVI L. SAHITA ,  GILBERT NEIGER ,  VEDVYAS SHANBHOGUE ,  ANDREW V. ANDERSON ,  MICHAEL LEMAY ,  JOSEPH F. CIHULA ,  ARUMUGAM THIYAGARAJAH ,  ASIT K. MALLICK ,  BARRY E. HUNTLEY ,  DAVID A. KOUFATY ,  DEEPAK K. GUPTA ,  BAIJU V. PATEL

IPC: G06F12/14 ,  G06F12/10 ,  G06F9/455

CPC classification number: G06F12/145 ,  G06F9/45533 ,  G06F12/1009 ,  G06F12/1027 ,  G06F21/78 ,  G06F2212/1016 ,  G06F2212/1052 ,  G06F2212/151 ,  G06F2212/656 ,  G06F2212/657

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

公开(公告)号：US20150378633A1

公开(公告)日：2015-12-31

申请号：US14320334

申请日：2014-06-30

Applicant: Intel Corporation

Inventor： RAVI L. SAHITA ,  VEDVYAS SHANBHOGUE ,  GILBERT NEIGER ,  JONATHAN EDWARDS ,  IDO OUZIEL ,  BARRY E. HUNTLEY ,  STANISLAV SHWARTSMAN ,  DAVID M. DURHAM ,  ANDREW V. ANDERSON ,  MICHAEL LEMAY

IPC: G06F3/06 ,  G06F9/455 ,  G06F12/10

CPC classification number: G06F9/45558 ,  G06F9/3004 ,  G06F9/30076 ,  G06F12/1009 ,  G06F2009/45583 ,  G06F2212/657

Abstract: An apparatus and method for fine grain memory protection. For example, one embodiment of a method comprises: performing a first lookup operation using a virtual address to identify a physical address of a memory page, the memory page comprising a plurality of sub-pages; determining whether sub-page permissions are enabled for the memory page; if sub-page permissions are enabled, then performing a second lookup operation to determine permissions associated with one or more of the sub-pages of the memory page; and implementing the permissions associated with the one or more sub-pages.

Abstract translation: 一种细粒度记忆保护装置和方法。 例如，方法的一个实施例包括：使用虚拟地址执行第一查找操作以识别存储器页面的物理地址，所述存储器页面包括多个子页面; 确定是否为所述存储器页启用子页面许可; 如果启用子页面许可，则执行第二查找操作以确定与存储器页面的一个或多个子页面相关联的许可; 以及实现与一个或多个子页面相关联的许可。

公开(公告)号：US20180191716A1

公开(公告)日：2018-07-05

申请号：US15396157

申请日：2016-12-30

Applicant: INTEL CORPORATION

Inventor： SIDDHARTHA CHHABRA ,  DAVID M. DURHAM

IPC: H04L29/06 ,  G06F12/14

CPC classification number: G06F12/1408 ,  G06F21/57 ,  G06F21/602 ,  G06F2212/1052 ,  H04L9/0897 ,  H04L9/3242

Abstract: Various embodiments are generally directed to techniques for multi-domain memory encryption, such as with a plurality of cryptographically isolated domains, for instance. Some embodiments are particularly directed to a multi-domain encryption system that provides one or more of memory encryption, integrity, and replay protection services to a plurality of cryptographic domains. In one embodiment, for example, an apparatus may comprise a memory and logic for an encryption engine, at least a portion of the logic implemented in circuitry coupled to the memory. In various embodiments, the logic may receive a memory operation request associated with a data line of a set of data lines stored in a protected memory separate from the memory.

公开(公告)号：US20180191491A1

公开(公告)日：2018-07-05

申请号：US15394516

申请日：2016-12-29

Applicant: INTEL CORPORATION

Inventor： SIDDHARTHA CHHABRA ,  DAVID M. DURHAM

IPC: H04L9/06 ,  G06F3/06 ,  G06F21/53 ,  G06F12/14 ,  G06F21/72

CPC classification number: H04L9/0618 ,  G06F12/08 ,  G06F12/1408 ,  G06F21/53 ,  G06F21/602 ,  G06F21/72 ,  G06F2212/1052 ,  G06F2221/034 ,  H04L9/06 ,  H04L2209/12

Abstract: Various embodiments are generally directed to techniques for converting between different cipher systems, such as, for instance, between a cipher system used for a first encryption environment and a different cipher system used for a second encryption environment, for instance. Some embodiments are particularly directed to an encryption engine that supports memory operations between two or more encryption environments. Each encryption environment can use different cipher systems while the encryption engine can translate ciphertext between the different cipher systems. In various embodiments, for instance, the first encryption environment may include a main memory that uses a position dependent cipher system and the second encrypted environment may include a secondary memory that uses a position independent cipher system.

公开(公告)号：US20180181337A1

公开(公告)日：2018-06-28

申请号：US15390359

申请日：2016-12-23

Applicant: INTEL CORPORATION

Inventor： DAVID M. DURHAM ,  SERGEJ DEUTSCH ,  SAEEDEH KOMIJANI ,  ALPA T. NARENDRA TRIVEDI ,  SIDDHARTHA CHHABRA

IPC: G06F3/06

CPC classification number: G06F9/30047 ,  G06F21/79 ,  H03M7/30 ,  H03M7/6064

Abstract: Techniques and computing devices for compression memory coloring are described. In one embodiment, for example, an apparatus may include at least one memory, at least on processor, and logic for compression memory coloring, at least a portion of the logic comprised in hardware coupled to the at least one memory and the at least one processor, the logic to determine whether data to be written to memory is compressible, generate a compressed data element responsive to determining data is compressible, the data element comprising a compression indicator, a color, and compressed data, and write the compressed data element to memory. Other embodiments are described and claimed.

公开(公告)号：US20180074975A1

公开(公告)日：2018-03-15

申请号：US15263962

申请日：2016-09-13

Applicant: Intel Corporation

Inventor： SERGEJ DEUTSCH ,  DAVID M. DURHAM ,  KARANVIR S. GREWAL ,  MICHAEL E. KOUNAVIS

IPC: G06F12/14 ,  H04L9/06 ,  G06F21/72 ,  G06F21/79 ,  G06F3/06 ,  G06F13/28

CPC classification number: G06F12/1408 ,  G06F3/0619 ,  G06F3/0623 ,  G06F3/065 ,  G06F3/0673 ,  G06F13/28 ,  G06F21/72 ,  G06F21/79 ,  G06F2212/1052 ,  G06F2221/2107 ,  H04L9/0631 ,  H04L9/0637 ,  H04L2209/12

Abstract: Embodiments of apparatus, method, and storage medium associated with multi-stage memory integrity for securing/protecting memory content are described herein. In some embodiments, an apparatus may include multiple stages having respective encryption engines to encrypt data in response to a write or restore operation; wherein the encryption engines are to successively encrypt the data in a plurality of encryption stages using a plurality of tweaks based on a plurality of selectors of different types {s1, s2, . . . }. In embodiments, the multiple stages may further comprise one or more decryption engines to partially, fully, or pseudo decrypt the plural encrypted data, in response to a read, move or copy operation; wherein the one or more decryption engines are to partially, fully, or pseudo decrypt the plural encrypted data in one or more decryption stages using one or more tweaks based on a subset of the selectors of different types {s1, s2, . . . }.

公开(公告)号：US20170315926A1

公开(公告)日：2017-11-02

申请号：US15652028

申请日：2017-07-17

Applicant: INTEL CORPORATION

Inventor： MICHAEL LEMAY ,  DAVID M. DURHAM ,  ANDREW V. ANDERSON ,  GILBERT NEIGER ,  RAVI L. SAHITA

IPC: G06F12/1009 ,  G06F12/1027 ,  G06F21/00 ,  G06F9/455 ,  G06F12/14

CPC classification number: G06F12/1009 ,  G06F9/45533 ,  G06F9/45558 ,  G06F12/1027 ,  G06F12/1483 ,  G06F21/00 ,  G06F21/53 ,  G06F2009/45583 ,  G06F2009/45587 ,  G06F2212/1024 ,  G06F2212/1052 ,  G06F2212/151 ,  G06F2212/651 ,  G06F2212/657 ,  G06F2212/68 ,  G06F2221/2141

Abstract: Generally, this disclosure provides systems, methods and computer readable media for a page table edit controller configured to control access to guest page tables by virtual machine (VM) guest software through the manipulation of extended page tables. The system may include a translation look-aside buffer (TLB) to maintain a policy to lock one or more guest linear addresses (GLAs) to one or more allowable guest physical addresses (GPAs); a page walk processor to update the TLB based on the guest page tables; and a page table edit control (PTEC) module to: identify entries of the guest page tables that map GLAs associated with the policy to a first GPA; verify that the mapping conforms to the policy; and place the guest page table into one of a plurality of restricted accessibility states based on the verification, the restricted accessibility applied to the VM guests and to the page walk processor.

公开(公告)号：US20170177505A1

公开(公告)日：2017-06-22

申请号：US14975588

申请日：2015-12-18

Applicant: Intel Corporation

Inventor： ABHISHEK BASAK ,  SIDDHARTHA CHHABRA ,  JUNGJU OH ,  DAVID M. DURHAM

IPC: G06F12/14 ,  H04L9/06 ,  G06F3/06 ,  G06F12/12 ,  G06F12/08

CPC classification number: G06F21/79 ,  G06F3/0623 ,  G06F3/0661 ,  G06F3/0673 ,  G06F7/724 ,  G06F12/0886 ,  G06F12/0891 ,  G06F12/124 ,  G06F12/1408 ,  G06F2212/1052 ,  G06F2212/401 ,  G06F2212/402 ,  G06F2212/60 ,  G06F2212/70 ,  H03M13/15 ,  H04L9/0637 ,  H04L9/3242 ,  H04N19/463 ,  H04N19/93

Abstract: Examples include techniques for compressing counter values included in cryptographic metadata. In some examples, a cache line to fill a cache included in on-die processor memory may be received. The cache arranged to store cryptographic metadata. The cache line includes a counter value generated by a counter. The counter value to serve as version information for a memory encryption scheme to write a data cache line to a memory location of an off-die memory. In some examples, the counter value is compressed based on whether the counter value includes a pattern that matches a given pattern and is then stored to the cache. In some examples, a compression aware and last recently used (LRU) scheme is used to determine whether to evict cryptographic metadata from the cache.

公开(公告)号：US20160378678A1

公开(公告)日：2016-12-29

申请号：US14750982

申请日：2015-06-25

Applicant: Intel Corporation

Inventor： MICHAEL LEMAY ,  DAVID M. DURHAM ,  ANDREW V. ANDERSON ,  GILBERT NEIGER ,  RAVI L. SAHITA

IPC: G06F12/10 ,  G06F9/455 ,  G06F12/14

CPC classification number: G06F12/1009 ,  G06F9/45533 ,  G06F9/45558 ,  G06F12/1027 ,  G06F12/1483 ,  G06F21/00 ,  G06F21/53 ,  G06F2009/45583 ,  G06F2009/45587 ,  G06F2212/1024 ,  G06F2212/1052 ,  G06F2212/151 ,  G06F2212/651 ,  G06F2212/657 ,  G06F2212/68 ,  G06F2221/2141

Abstract: Generally, this disclosure provides systems, methods and computer readable media for a page table edit controller configured to control access to guest page tables by virtual machine (VM) guest software through the manipulation of extended page tables. The system may include a translation look-aside buffer (TLB) to maintain a policy to lock one or more guest linear addresses (GLAs) to one or more allowable guest physical addresses (GPAs); a page walk processor to update the TLB based on the guest page tables; and a page table edit control (PTEC) module to: identify entries of the guest page tables that map GLAs associated with the policy to a first GPA; verify that the mapping conforms to the policy; and place the guest page table into one of a plurality of restricted accessibility states based on the verification, the restricted accessibility applied to the VM guests and to the page walk processor.

Abstract translation: 通常，本公开提供了用于页表编辑控制器的系统，方法和计算机可读介质，其被配置为通过操纵扩展页表来控制虚拟机（VM）客户软件对访客页表的访问。 该系统可以包括翻译后备缓冲器（TLB），以维护将一个或多个客户线性地址（GLA）锁定到一个或多个允许的访客物理地址（GPA）的策略; 页面处理器，用于根据访客页表更新TLB; 以及页表编辑控制（PTEC）模块，用于：识别将与所述策略相关联的GLA映射到第一GPA的所述访客页表的条目; 验证映射是否符合策略; 并且基于验证，应用于VM访客和页面移动处理器的受限辅助功能，将访客页面表放入多个受限访问状态之一。

公开(公告)号：US20160283748A1

公开(公告)日：2016-09-29

申请号：US14670061

申请日：2015-03-26

Applicant: Intel Corporation

Inventor： JUNGJU OH ,  SIDDHARTHA CHHABRA ,  DAVID M. DURHAM

IPC: G06F21/78 ,  G06F21/72

CPC classification number: G06F21/78 ,  G06F21/52 ,  G06F21/72

Abstract: The present disclosure is directed to a flexible counter system for memory protection. In general, a counter system for supporting memory protection operations in a device may be made more efficient utilizing flexible counter structures. A device may comprise a processing module and a memory module. A flexible counter system in the memory module may comprise at least one data line including a plurality of counters. The bit-size of the counters may be reduced and/or varied from existing implementations through an overflow counter that may account for smaller counters entering an overflow state. Counters that utilize the overflow counter may be identified using a bit indicator. In at least one embodiment selectors corresponding to each of the plurality of counters may be able to map particular memory locations to particular counters.

Abstract translation: 本公开涉及用于存储器保护的灵活计数器系统。 通常，利用灵活的计数器结构，可以使用于支持设备中的存储器保护操作的计数器系统更有效。 设备可以包括处理模块和存储器模块。 存储器模块中的灵活的计数器系统可以包括至少一个包括多个计数器的数据线。 计数器的位大小可以通过可能导致较小计数器进入溢出状态的溢出计数器从现有实现中减少和/或变化。 可以使用位指示器来识别利用溢出计数器的计数器。 在至少一个实施例中，对应于多个计数器中的每一个的选择器可以能够将特定存储器位置映射到特定计数器。