公开(公告)号：US09971705B2

公开(公告)日：2018-05-15

申请号：US15048400

申请日：2016-02-19

Applicant: Intel Corporation

Inventor： Gur Hildesheim ,  Shlomo Raikin ,  Ittai Anati ,  Gideon Gerzon ,  Uday Savagaonkar ,  Francis Mckeen ,  Carlos Rozas ,  Michael Goldsmith ,  Prashant Dewan

IPC: G06F12/10 ,  G06F12/109 ,  G06F12/1036 ,  G06F12/02

CPC classification number: G06F12/109 ,  G06F12/0284 ,  G06F12/1036 ,  G06F2212/656 ,  G06F2212/657

Abstract: Embodiments of apparatuses and methods including virtual address memory range registers are disclosed. In one embodiment, a processor includes a memory interface, address translation hardware, and virtual memory address comparison hardware. The memory interface is to access a system memory using a physical memory address. The address translation hardware is to support translation of a virtual memory address to the physical memory address. The virtual memory address is used by software to access a virtual memory location in the virtual memory address space of the processor. The virtual memory address comparison hardware is to determine whether the virtual memory address is within a virtual memory address range.

公开(公告)号：US09892069B2

公开(公告)日：2018-02-13

申请号：US14800419

申请日：2015-07-15

Applicant: Intel Corporation

Inventor： Rajesh Sankaran Madukkarumukumana ,  Gilbert Neiger ,  Ohad Falik ,  Sridhar Muthrasanallur ,  Gideon Gerzon

IPC: G06F13/24 ,  G06F9/48

CPC classification number: G06F13/24 ,  G06F9/4812

Abstract: Embodiments of systems, apparatuses, and methods for posting interrupts to virtual processors are disclosed. In one embodiment, an apparatus includes look-up logic and posting logic. The look-up logic is to look-up an entry associated with an interrupt request to a virtual processor in a data structure. The posting logic is to post the interrupt request in a data structure specified by information in the first data structure.

公开(公告)号：US20170364707A1

公开(公告)日：2017-12-21

申请号：US15628008

申请日：2017-06-20

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Gideon Gerzon ,  Baruch Chaikin ,  Siddhartha Chhabra ,  Pradeep M. Pappachan ,  Bin Xing

IPC: G06F21/62 ,  G06F21/57 ,  G06F21/60 ,  G06F13/20 ,  G06F21/51

Abstract: Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.

公开(公告)号：US09116869B2

公开(公告)日：2015-08-25

申请号：US14467604

申请日：2014-08-25

Applicant: Intel Corporation

Inventor： Rajesh Sankaran Madukkarumukumana ,  Gilbert Neiger ,  Ohad Falik ,  Sridhar Muthrasanallur ,  Gideon Gerzon

IPC: G06F13/24 ,  G06F9/48

CPC classification number: G06F13/24 ,  G06F9/4812

Abstract: Embodiments of systems, apparatuses, and methods for posting interrupts to virtual processors are disclosed. In one embodiment, an apparatus includes look-up logic and posting logic. The look-up logic is to look-up an entry associated with an interrupt request to a virtual processor in a data structure. The posting logic is to post the interrupt request in a data structure specified by information in the first data structure.

Abstract translation: 公开了向虚拟处理器发布中断的系统，装置和方法的实施例。 在一个实施例中，装置包括查找逻辑和发布逻辑。 查找逻辑是在数据结构中查找与中断请求相关联的条目给虚拟处理器。 发布逻辑是将中断请求发布在由第一数据结构中的信息指定的数据结构中。

公开(公告)号：US20250028455A1

公开(公告)日：2025-01-23

申请号：US18909658

申请日：2024-10-08

Applicant: Intel Corporation

Inventor： Ilya Alexandrovich ,  Vladimir Beker ,  Gideon Gerzon ,  Vincent R. Scarlata

IPC: G06F3/06 ,  G06F13/16 ,  G06F13/40 ,  G06F21/78 ,  G06F21/79 ,  G06F21/85

Abstract: An integrated circuit includes protected container access control logic to perform a set of access control checks and to determine whether to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). The DPCM and the I/O device are allowed to communicate securely if it is determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for the aforementioned one of DMA and MMIO. In some cases, a Security Attributes of Initiator (SAI) or security identifier may be used to obtain a DPCM identifier or attest that access is from a DPCM mapped to the I/O device. In some cases, a determination may be made that a type of access is compatible with one or more allowed access types for the page as represented in a protected container page metadata structure.

公开(公告)号：US12141450B2

公开(公告)日：2024-11-12

申请号：US18083277

申请日：2022-12-16

Applicant: INTEL CORPORATION

Inventor： Ilya Alexandrovich ,  Vladimir Beker ,  Gideon Gerzon ,  Vincent R. Scarlata

IPC: G06F3/06 ,  G06F13/16 ,  G06F13/40 ,  G06F21/78 ,  G06F21/79 ,  G06F21/85

Abstract: An integrated circuit includes protected container access control logic to perform a set of access control checks and to determine whether to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). The DPCM and the I/O device are allowed to communicate securely if it is determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for the aforementioned one of DMA and MMIO. In some cases, a Security Attributes of Initiator (SAI) or security identifier may be used to obtain a DPCM identifier or attest that access is from a DPCM mapped to the I/O device. In some cases, a determination may be made that a type of access is compatible with one or more allowed access types for the page as represented in a protected container page metadata structure.

公开(公告)号：US20230128711A1

公开(公告)日：2023-04-27

申请号：US18062957

申请日：2022-12-07

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Gideon Gerzon ,  Baruch Chaikin ,  Siddhartha Chhabra ,  Pradeep M. Pappachan ,  Bin Xing

IPC: G06F21/60 ,  H04L9/40 ,  G06F21/57 ,  G06F13/28 ,  H04L9/32 ,  G06F21/62 ,  G06F21/85 ,  G09C1/00 ,  G06F13/20

Abstract: Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.

公开(公告)号：US11422811B2

公开(公告)日：2022-08-23

申请号：US17098129

申请日：2020-11-13

Applicant: Intel Corporation

Inventor： Gideon Gerzon ,  Dror Caspi ,  Arie Aharon ,  Ido Ouziel

IPC: G06F12/0804 ,  G06F9/30 ,  G06F9/455

Abstract: A processor includes a global register to store a value of an interrupted block count. A processor core, communicably coupled to the global register, may, upon execution of an instruction to flush blocks of a cache that are associated with a security domain: flush the blocks of the cache sequentially according to a flush loop of the cache; and in response to detection of a system interrupt: store a value of a current cache block count to the global register as the interrupted block count; and stop execution of the instruction to pause the flush of the blocks of the cache. After handling of the interrupt, the instruction may be called again to restart the flush of the cache.

公开(公告)号：US11138320B2

公开(公告)日：2021-10-05

申请号：US16228206

申请日：2018-12-20

Applicant: Intel Corporation

Inventor： Dror Caspi ,  Arie Aharon ,  Gideon Gerzon ,  Hormuzd Khosravi

IPC: G06F21/00 ,  G06F21/60 ,  H04L9/08 ,  H04L9/14

Abstract: Implementations describe providing secure encryption key management in trust domains. In one implementation, a processing device includes a key ownership table (KOT) that is protected against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to create a trust domain (TD) and a randomly-generated encryption key corresponding to the TD, the randomly-generated encryption key identified by a guest key identifier (GKID) and protected against software access from at least one of the TDRM or other TDs, the TDRM is to reference the KOT to obtain at least one unassigned host key identifier (HKID) utilized to encrypt a TD memory, the TDRM is to assign the HKID to the TD by marking the HKID in the KOT as assigned, and configure the randomly-generated encryption key on the processing device by associating the randomly-generated encryption key with the HKID.

公开(公告)号：US10789371B2

公开(公告)日：2020-09-29

申请号：US15628008

申请日：2017-06-20

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Gideon Gerzon ,  Baruch Chaikin ,  Siddhartha Chhabra ,  Pradeep M. Pappachan ,  Bin Xing

IPC: G06F21/00 ,  G06F21/60 ,  H04L29/06 ,  G06F21/57 ,  G06F13/28 ,  H04L9/32 ,  G06F21/62 ,  G06F21/85 ,  G09C1/00 ,  G06F13/20 ,  H04L9/06 ,  G06F21/51

Abstract: Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.