公开(公告)号：US20200226074A1

公开(公告)日：2020-07-16

申请号：US16831976

申请日：2020-03-27

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Amy L. Santoni ,  Gilbert Neiger ,  Barry E. Huntley ,  Hormuzd M. Khosravi ,  Baiju V. Patel ,  Ravi L. Sahita ,  Gideon Gerzon ,  Ido Ouziel ,  Ioannis T. Schoinas ,  Rajesh M. Sankaran

IPC: G06F12/14 ,  G06F21/53 ,  G06F21/78 ,  G06F3/06 ,  G06F21/60 ,  G06F21/82

Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.

公开(公告)号：US09525555B2

公开(公告)日：2016-12-20

申请号：US14574969

申请日：2014-12-18

Applicant: Intel Corporation

Inventor： Prashant Dewan ,  Kapil Sood ,  Kumar N. Dwarakanath ,  Ioannis T. Schoinas ,  William A. Stevens, Jr. ,  Ned M. Smith

IPC: H04L29/06 ,  H04L9/32 ,  G06F12/14

CPC classification number: H04L9/3263 ,  G06F21/572 ,  G06F21/74 ,  G09C1/00 ,  H04L9/321 ,  H04L9/3234 ,  H04L9/3242 ,  H04L2209/12 ,  H04L2209/68

Abstract: In one embodiment, a processor has at least one core to execute instructions, a security engine coupled to the at least one core, a first storage to store a first immutable key associated with a vendor of the processor, and a second storage to store a second immutable key associated with an original equipment manufacturer (OEM) of the system. A first portion of firmware is to be verified based at least in part on the first immutable key and a second portion of firmware is to be verified based at least in part on the second immutable key, the first portion of firmware associated with the vendor and the second portion of firmware associated with the OEM. Other embodiments are described and claimed.

Abstract translation: 在一个实施例中，处理器具有执行指令的至少一个核心，耦合到所述至少一个核心的安全引擎，用于存储与所述处理器的供应商相关联的第一不可变密钥的第一存储器，以及存储 与系统的原始设备制造商（OEM）相关联的第二个不可变的密钥。 至少部分地基于第一不可变密钥验证固件的第一部分，并且至少部分地基于第二不可变密钥，与供应商相关联的固件的第一部分和 与OEM相关联的固件的第二部分。 描述和要求保护其他实施例。

公开(公告)号：US09507952B2

公开(公告)日：2016-11-29

申请号：US14938021

申请日：2015-11-11

Applicant: Intel Corporation

Inventor： John H. Wilson ,  Ioannis T. Schoinas ,  Mazin S. Yousif ,  Linda J. Rankin ,  David W. Grawrock ,  Robert J. Greiner ,  James A. Sutton ,  Kushagra Vaid ,  Willard M. Wiseman

IPC: G06F21/00 ,  G06F21/60 ,  G06F21/44 ,  G06F21/57 ,  G06F21/64

CPC classification number: G06F21/575 ,  G06F21/44 ,  G06F21/445 ,  G06F21/50 ,  G06F21/606 ,  G06F21/64 ,  G06F21/71 ,  G06F2221/034

Abstract: In one embodiment of the present invention, a method includes verifying a master processor of a system; validating a trusted agent with the master processor if the master processor is verified; and launching the trusted agent on a plurality of processors of the system if the trusted agent is validated. After execution of such a trusted agent, a secure kernel may then be launched, in certain embodiments. The system may be a multiprocessor server system having a partially or fully connected topology with arbitrary point-to-point interconnects, for example.

公开(公告)号：US20160255008A1

公开(公告)日：2016-09-01

申请号：US15060965

申请日：2016-03-04

Applicant: Intel Corporation

Inventor： Ioannis T. Schoinas ,  Doddaballapur N. Jayasimha

IPC: H04L12/801 ,  H04L12/823 ,  H04L1/18

CPC classification number: H04L47/193 ,  G06F15/173 ,  H04L1/1803 ,  H04L1/1874 ,  H04L45/22 ,  H04L45/28 ,  H04L47/32 ,  H04L47/34

Abstract: A separable Transport Layer is described in the context of cache coherent multiple component micro-electronic systems. In one example, a packet is received from a source component, the packet containing a Protocol Layer. A Transport Layer is attached to the packet and the packet is sent across a component communications interface to a second component, the packet containing the Transport Layer and the Protocol Layer.

Abstract translation: 在缓存相干多分量微电子系统的上下文中描述了可分离的传输层。 在一个示例中，从源组件接收分组，该分组包含协议层。 传输层连接到分组，并且分组通过组件通信接口发送到第二组件，该分组包含传输层和协议层。

公开(公告)号：US08959576B2

公开(公告)日：2015-02-17

申请号：US13828676

申请日：2013-03-14

Applicant: Intel Corporation

Inventor： Manoj R. Sastry ,  Ioannis T. Schoinas ,  Daniel M. Cermak

IPC: G06F21/62

CPC classification number: G06F21/74 ,  G06F21/57 ,  G06F21/78

Abstract: Method, apparatus, and system for qualifying CPU transactions with security attributes. Immutable security attributes are generated for transactions initiator by a CPU or processor core that identifying the execution mode of the CPU/core being trusted or untrusted. The transactions may be targeted to an Input/Output (I/O) device or system memory via which a protected asset may be accessed. Policy enforcement logic blocks are implemented at various points in the apparatus or system that allow or deny transactions access to protected assets based on the immutable security attributes generated for the transactions. In one aspect, a multiple-level security scheme is implemented under which a mode register is updated via a first transaction to indicate the CPU/core is operating in a trusted execution mode, and security attributes are generated for a second transaction using execution mode indicia in the mode register to verify the transaction is from a trusted initiator.

Abstract translation: 用于对具有安全属性的CPU事务进行限定的方法，设备和系统。 由CPU或处理器核心为事务发起者生成不可变的安全属性，用于识别CPU /核心被信任或不可信任的执行模式。 这些事务可以被定向到可被访问受保护资产的输入/输出（I / O）设备或系统存储器。 策略执行逻辑块在设备或系统中的不同点实现，其允许或拒绝事务基于为事务生成的不可变安全属性而访问被保护资产。 在一个方面，实现多级安全方案，在该级别下，通过第一事务来更新模式寄存器以指示CPU /核心以可信执行模式运行，并且使用执行模式标记为第二事务生成安全属性 在模式寄存器中验证事务来自可信发起者。

公开(公告)号：US12238221B2

公开(公告)日：2025-02-25

申请号：US17542842

申请日：2021-12-06

Applicant: INTEL CORPORATION

Inventor： David M. Durham ,  Rajat Agarwal ,  Siddhartha Chhabra ,  Sergej Deutsch ,  Karanvir S. Grewal ,  Ioannis T. Schoinas

IPC: H04L9/32 ,  G06F3/06 ,  G06F11/10 ,  G06F12/0886 ,  G06F12/14 ,  G06F21/78 ,  G06F21/79 ,  G11C29/52 ,  H04L9/06 ,  H04L9/08 ,  G11C29/44

Abstract: In one example, a system for managing encrypted memory comprises a processor to store a first MAC based on data stored in system memory in response to a write operation to the system memory. The processor can also detect a read operation corresponding to the data stored in the system memory, calculate a second MAC based on the data retrieved from the system memory, determine that the second MAC does not match the first MAC, and recalculate the second MAC with a correction operation, wherein the correction operation comprises an XOR operation based on the data retrieved from the system memory and a replacement value for a device of the system memory. Furthermore, the processor can decrypt the data stored in the system memory in response to detecting the recalculated second MAC matches the first MAC and transmit the decrypted data to cache thereby correcting memory errors.

公开(公告)号：US12079341B2

公开(公告)日：2024-09-03

申请号：US17354733

申请日：2021-06-22

Applicant: Intel Corporation

Inventor： Kapil Sood ,  Ioannis T. Schoinas ,  Yu-Yuan Chen ,  Raghunandan Makaram ,  David J. Harriman ,  Baiju Patel ,  Ronald Perez ,  Matthew E. Hoekstra ,  Reshma Lal

IPC: G06F21/57 ,  G06F9/50 ,  G06F21/53 ,  G06F21/72 ,  G06F21/85

CPC classification number: G06F21/57 ,  G06F9/505 ,  G06F21/53 ,  G06F21/72 ,  G06F21/85 ,  G06F2221/034

Abstract: In one embodiment, an apparatus comprises a processor to: receive a request to configure a secure execution environment for a first workload; configure a first set of secure execution enclaves for execution of the first workload, wherein the first set of secure execution enclaves is configured on a first set of processing resources, wherein the first set of processing resources comprises one or more central processing units and one or more accelerators; configure a first set of secure datapaths for communication among the first set of secure execution enclaves during execution of the first workload, wherein the first set of secure datapaths is configured over a first set of interconnect resources; configure the secure execution environment for the first workload, wherein the secure execution environment comprises the first set of secure execution enclaves and the first set of secure datapaths.

公开(公告)号：US11907389B2

公开(公告)日：2024-02-20

申请号：US17745740

申请日：2022-05-16

Applicant: Intel Corporation

Inventor： David J. Harriman ,  Ioannis T. Schoinas ,  Kapil Sood ,  Raghunandan Makaram ,  Yu-Yuan Chen

IPC: G06F21/62 ,  G06F21/64

CPC classification number: G06F21/6218 ,  G06F21/64

Abstract: First data is stored. A request for the first data is received from a communication device over a link established with a communication device. An access control engine comprising circuitry is to control access to the first data to the communication device based on an authentication state of the communication device and a protection state of the link.

公开(公告)号：US11775447B2

公开(公告)日：2023-10-03

申请号：US17450597

申请日：2021-10-12

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Amy L. Santoni ,  Gilbert Neiger ,  Barry E. Huntley ,  Hormuzd M. Khosravi ,  Baiju V. Patel ,  Ravi L. Sahita ,  Gideon Gerzon ,  Ido Ouziel ,  Ioannis T. Schoinas ,  Rajesh M. Sankaran

IPC: G06F12/14 ,  G06F21/53 ,  G06F3/06 ,  G06F21/78 ,  G06F21/82 ,  G06F21/60

CPC classification number: G06F12/1408 ,  G06F3/0623 ,  G06F12/145 ,  G06F21/53 ,  G06F21/602 ,  G06F21/78 ,  G06F21/82 ,  G06F2212/1052 ,  G06F2212/401 ,  G06F2212/402

Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.

公开(公告)号：US20220094553A1

公开(公告)日：2022-03-24

申请号：US17542842

申请日：2021-12-06

Applicant: Intel Corporation

Inventor： David M. Durham ,  Rajat Agarwal ,  Siddhartha Chhabra ,  Sergej Deutsch ,  Karanvir S. Grewal ,  Ioannis T. Schoinas

IPC: H04L9/32 ,  G06F3/06 ,  G11C29/52 ,  H04L9/06 ,  G06F11/10 ,  G06F12/0886 ,  G06F12/14 ,  G06F21/79 ,  H04L9/08 ,  G06F21/78

Abstract: In one example, a system for managing encrypted memory comprises a processor to store a first MAC based on data stored in system memory in response to a write operation to the system memory. The processor can also detect a read operation corresponding to the data stored in the system memory, calculate a second MAC based on the data retrieved from the system memory, determine that the second MAC does not match the first MAC, and recalculate the second MAC with a correction operation, wherein the correction operation comprises an XOR operation based on the data retrieved from the system memory and a replacement value for a device of the system memory. Furthermore, the processor can decrypt the data stored in the system memory in response to detecting the recalculated second MAC matches the first MAC and transmit the decrypted data to cache thereby correcting memory errors.