公开(公告)号：US20220206958A1

公开(公告)日：2022-06-30

申请号：US17481405

申请日：2021-09-22

Applicant: Intel Corporation

Inventor： Michael D. LeMay ,  David M. Durham ,  Anjo Lucas Vahldiek-Oberwagner ,  Anna Trikalinou

IPC: G06F12/14 ,  G06F12/1027

Abstract: An apparatus comprising a processor unit comprising circuitry to generate, for a first network host, a request for an object of a second network host, wherein the request comprises an address comprising a routable host ID of the second network host and an at least partially encrypted object ID, wherein the address uniquely identifies the object within a distributed computing domain; and a memory element to store at least a portion of the object.

公开(公告)号：US11354423B2

公开(公告)日：2022-06-07

申请号：US16723977

申请日：2019-12-20

Applicant: Intel Corporation

Inventor： Michael E. Kounavis ,  Santosh Ghosh ,  Sergej Deutsch ,  Michael LeMay ,  David M. Durham

IPC: G06F21/60 ,  G06F21/12 ,  G06F9/455 ,  G06F9/30 ,  H04L9/08 ,  G06F12/0811 ,  G06F12/0897 ,  G06F9/48 ,  G06F21/72 ,  H04L9/06 ,  G06F12/06 ,  G06F12/0875 ,  G06F21/79 ,  G06F12/14 ,  G06F9/32 ,  G06F9/50 ,  G06F12/02 ,  H04L9/14 ,  G06F21/62

Abstract: Technologies disclosed herein provide cryptographic computing. An example method comprises executing a first instruction of a first software entity to receive a first input operand indicating a first key associated with a first memory compartment of a plurality of memory compartments stored in a first memory unit, and execute a cryptographic algorithm in a core of a processor to compute first encrypted contents based at least in part on the first key. Subsequent to computing the first encrypted contents in the core, the first encrypted contents are stored at a memory location in the first memory compartment of the first memory unit. More specific embodiments include, prior to storing the first encrypted contents at the memory location in the first memory compartment and subsequent to computing the first encrypted contents in the core, moving the first encrypted contents into a level one (L1) cache outside a boundary of the core.

公开(公告)号：US11316661B2

公开(公告)日：2022-04-26

申请号：US16733685

申请日：2020-01-03

Applicant: Intel Corporation

Inventor： Eugene M. Kishinevsky ,  Uday R. Savagaonkar ,  Alpa T. Narendra Trivedi ,  Siddhartha Chhabra ,  Baiju V. Patel ,  Men Long ,  Kirk S. Yap ,  David M. Durham

IPC: H04L9/12 ,  H04L9/22 ,  H04L9/06 ,  G06F12/14 ,  G09C1/00 ,  G06F21/85 ,  G06F21/60 ,  H04L9/14

Abstract: Encryption interface technologies are described. A processor can include a system agent, an encryption interface, and a memory controller. The system agent can communicate data with a hardware functional block. The encryption interface can be coupled between the system agent and a memory controller. The encryption interface can receive a plaintext request from the system agent, encrypt the plaintext request to obtain an encrypted request, and communicate the encrypted request to the memory controller. The memory controller can communicate the encrypted request to a main memory of the computing device.

公开(公告)号：US11301344B2

公开(公告)日：2022-04-12

申请号：US16902755

申请日：2020-06-16

Applicant: Intel Corporation

Inventor： David M. Durham ,  Karanvir S. Grewal ,  Sergej Deutsch ,  Michael E. Kounavis

IPC: G06F11/27 ,  G06F7/72 ,  G06F11/07 ,  G06F11/10 ,  G06F11/14 ,  G06F11/30 ,  G06F12/14 ,  H04L9/06 ,  H04L9/08 ,  H04L9/32

Abstract: Embodiments are directed to aggregate GHASH-based message authentication code (MAC) over multiple cachelines with incremental updates. An embodiment of a system includes a controller comprising circuitry, the controller to generate an error correction code for a memory line, the memory line comprising a plurality of first data blocks, generate a metadata block corresponding to the memory line, the metadata block comprising the error correction code for the memory line and at least one metadata bit, generate an aggregate GHASH corresponding to a region of memory comprising a cacheline set comprising at least the memory line, encode the first data blocks and the metadata block, encrypt the aggregate GHASH as an aggregate message authentication code (AMAC), provide the encoded first data blocks and the encoded metadata block for storage on a memory module comprising the memory line, and provide the AMAC for storage on a device separate from the memory module.

公开(公告)号：US11275603B2

公开(公告)日：2022-03-15

申请号：US16748176

申请日：2020-01-21

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Michael E. Kounavis

IPC: G06F21/71 ,  G06F21/62 ,  G06F9/455 ,  G06F21/79 ,  H04L29/06 ,  H04L69/04 ,  G06F12/0891 ,  G06F12/14 ,  G06F21/53 ,  G06F21/78

Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.

公开(公告)号：US20210405896A1

公开(公告)日：2021-12-30

申请号：US17472272

申请日：2021-09-10

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael D. LeMay ,  Sergej Deutsch ,  Joydeep Rakshit ,  Anant Vithal Nori ,  Jayesh Gaur ,  Sreenivas Subramoney

IPC: G06F3/06 ,  G06F12/1027 ,  G06F12/02

Abstract: Technologies disclosed herein provide one example of a system that includes processor circuitry to be communicatively coupled to a memory circuitry. The processor circuitry is to receive a memory access request corresponding to an application for access to an address range in a memory allocation of the memory circuitry and to locate a metadata region within the memory allocation. The processor circuitry is also to, in response to a determination that the address range includes at least a portion of the metadata region, obtain first metadata stored in the metadata region, use the first metadata to determine an alternate memory address in a relocation region, and read, at the alternate memory address, displaced data from the portion of the metadata region included in the address range of the memory allocation. The address range includes one or more bytes of an expected allocation region of the memory allocation.

公开(公告)号：US20210390024A1

公开(公告)日：2021-12-16

申请号：US16902755

申请日：2020-06-16

Applicant: Intel Corporation

Inventor： David M. Durham ,  Karanvir S. Grewal ,  Sergej Deutsch ,  Michael E. Kounavis

IPC: G06F11/27 ,  G06F11/07 ,  G06F11/10 ,  G06F11/14 ,  G06F11/30 ,  G06F12/14 ,  G06F7/72 ,  H04L9/32 ,  H04L9/06 ,  H04L9/08

Abstract: Embodiments are directed to aggregate GHASH-based message authentication code (MAC) over multiple cachelines with incremental updates. An embodiment of a system includes a controller comprising circuitry, the controller to generate an error correction code for a memory line, the memory line comprising a plurality of first data blocks, generate a metadata block corresponding to the memory line, the metadata block comprising the error correction code for the memory line and at least one metadata bit, generate an aggregate GHASH corresponding to a region of memory comprising a cacheline set comprising at least the memory line, encode the first data blocks and the metadata block, encrypt the aggregate GHASH as an aggregate message authentication code (AMAC), provide the encoded first data blocks and the encoded metadata block for storage on a memory module comprising the memory line, and provide the AMAC for storage on a device separate from the memory module.

公开(公告)号：US20210349999A1

公开(公告)日：2021-11-11

申请号：US17384279

申请日：2021-07-23

Applicant: Intel Corporation

Inventor： Michael LeMay ,  David M. Durham ,  Men Long

IPC: G06F21/56 ,  G06F12/0802 ,  G06F12/1009

Abstract: An example apparatus includes a scan manager to add a portion of a page of physical memory from a first sequence of mappings to a second sequence of mappings in response to determining the second sequence includes an address corresponding to the portion of the page of physical memory, and a scanner to scan the first sequence and the second sequence to determine whether at least one of first data in the first sequence or second data in the second sequence includes a pattern indicative of malware.

公开(公告)号：US20210319143A1

公开(公告)日：2021-10-14

申请号：US17358677

申请日：2021-06-25

Applicant: Intel Corporation

Inventor： Siddhartha Chhabra ,  David M. Durham

IPC: G06F21/79 ,  G06F21/60 ,  G06F21/57 ,  H04L9/08 ,  H04L9/32

Abstract: In one embodiment, a system includes a processor and a memory module coupled to the processor over a memory bus. The processor and memory module perform a key exchange at boot to obtain an encryption key. The processor generates first ciphertext by encrypting plaintext data using a first encryption protocol, and generates second ciphertext by encrypting the first ciphertext using a second encryption protocol based on the encryption key obtained at boot. The second ciphertext is transmitted to the memory module via the memory bus. The memory module decrypts the second ciphertext based on the encryption key obtained at boot to yield third ciphertext, and stores the third ciphertext.

公开(公告)号：US11144479B2

公开(公告)日：2021-10-12

申请号：US16686379

申请日：2019-11-18

Applicant: Intel Corporation

Inventor： Ravi L. Sahita ,  Gilbert Neiger ,  Vedvyas Shanbhogue ,  David M. Durham ,  Andrew V. Anderson ,  David A. Koufaty ,  Asit K. Mallick ,  Arumugam Thiyagarajah ,  Barry E. Huntley ,  Deepak K. Gupta ,  Michael Lemay ,  Joseph F. Cihula ,  Baiju V. Patel

IPC: G06F12/00 ,  G06F12/14 ,  G06F12/1009 ,  G06F12/1027 ,  G06F9/455 ,  G06F21/78

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.