-
Publication number: US10592436B2
Publication date: 2020-03-17
Application number: US16036654
Application date: 2018-07-16
Applicant: Intel Corporation
Inventor: Rebekah M. Leslie-Hurd, Francis X. McKeen, Carlos V. Rozas, Krystof C. Zmudzinski
Abstract: Secure memory allocation technologies are described. A processor includes a processor core and a memory controller that is coupled between the processor core and main memory. The main memory comprises a protected region including secured pages. The processor, in response to a content copy instruction, is to initialize a target page in the protected region of an application address space. The processor, in response to the content copy instruction, is also to select content of a source page in the protected region to be copied. The processor, in response to the content copy instruction, is also to copy the selected content to the target page in the protected region of the application address space.
-
Publication number: US20190095345A1
Publication date: 2019-03-28
Application number: US15712968
Application date: 2017-09-22
Applicant: Intel Corporation
Inventor: Krystof C. Zmudzinski, Carlos V. Rozas
IPC: G06F12/126, G06F12/128, G06F3/06
Abstract: Secure memory paging technologies are described. Embodiments of the disclosure may include checking attributes of secure page cache map to determine whether a target page to be evicted is clean and replay protected by a unified version-paging data structure and checking the unified version-paging data structure to determine whether contents of the unified version-paging data structure match the target page. When the target page to be evicted is clean and replay protected and the contents match, the target page can be removed without encrypting the contents of the target page.
-
Publication number: US09870467B2
Publication date: 2018-01-16
Application number: US14671346
Application date: 2015-03-27
Applicant: Intel Corporation
Inventor: Prashant Pandey, Mona Vij, Somnath Chakrabarti, Krystof C. Zmudzinski
Abstract: In an embodiment, at least one machine-readable storage medium includes instructions that when executed enable a system to receive, at a special library of a parent process located outside of a parent protected region of the parent process, from the parent protected region of the parent process, a call to create a child process and responsive to the call received at the special library, issue by the special library a first request and a second request. The first request is to execute, by a processor, a non-secure instruction to create the child process. The second request is to execute, by the processor, a first secure instruction to create a child protected region within the child process. Responsive to the first request the child process is to be created and responsive to the second request the child protected region is to be created. Other embodiments are described and claimed.
-
Publication number: US09703720B2
Publication date: 2017-07-11
Application number: US14581654
Application date: 2014-12-23
Applicant: Intel Corporation
Inventor: Krystof C. Zmudzinski
IPC: G06F12/1009, G06F12/1036, G06F12/14, G06F9/455
CPC classification number: G06F12/1009, G06F9/45558, G06F12/1036, G06F12/145, G06F12/1475, G06F2009/45583, G06F2009/45587, G06F2212/1052, G06F2212/657
Abstract: An apparatus and method for efficient guest EPT manipulation. For example, one embodiment of an apparatus comprises: a hypervisor to create extended page table (EPT) mappings between a guest physical address (GPA) space and a host physical address (HPA) space; the hypervisor to create an EPT edit table and populate the EPT edit table with information related to permitted mappings between the GPA space and HPA space; a guest to read the EPT edit table to determine information related to the permitted mappings between the GPA space and HPA space, the guest to use the information to map one or more pages in the GPA space to one or more pages in the HPA space.
-
Publication number: US11782849B2
Publication date: 2023-10-10
Application number: US17367349
Application date: 2021-07-03
Applicant: Intel Corporation
Inventor: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. McKeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
CPC classification number: G06F12/1408, G06F8/41, G06F9/30145, G06F9/45558, G06F12/1441, G06F12/1483, G06F21/53, G06F21/602, G06F2009/4557, G06F2009/45587, G06F2212/1052
Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
-
Publication number: US11467981B2
Publication date: 2022-10-11
Application number: US16807872
Application date: 2020-03-03
Applicant: Intel Corporation
Inventor: Rebekah M. Leslie-Hurd, Francis X. McKeen, Carlos V. Rozas, Krystof C. Zmudzinski
Abstract: Secure memory allocation technologies are described. A processor includes a processor core and a memory controller that is coupled between the processor core and main memory. The main memory comprises a protected region including secured pages. The processor, in response to a content copy instruction, is to initialize a target page in the protected region of an application address space. The processor, in response to the content copy instruction, is also to select content of a source page in the protected region to be copied. The processor, in response to the content copy instruction, is also to copy the selected content to the target page in the protected region of the application address space.
-
Publication number: US20210064546A1
Publication date: 2021-03-04
Application number: US16454481
Application date: 2019-06-27
Applicant: Intel Corporation
Inventor: Krystof C. Zmudzinski, Simon P. Johnson, Raghunandan Makaram, Francis X. McKeen, Carlos V. Rozas, Meltem Ozsoy, Ilya Alexandrovich, Siddhartha Chhabra
IPC: G06F12/14, G06F12/1045, G06F12/0882, G06F12/0891, G06F12/0871, G06F9/4401, G06F11/07, G06F11/30
Abstract: A processor includes a cryptographic engine to control access, using a secure region key identifier (ID), to one or more memory range of memory allocable for flexible conversion to secure pages of architecturally-protected memory regions, and a processor core. The processor core is to, responsive to receipt of a request to access the memory, perform a walk of page tables and extended page tables to translate a linear address of the request to a physical address of the memory. The processor core is further to determine that the physical address corresponds to a secure page within the one or more memory range of the memory, that a first key ID located within the physical address does not match the secure region key ID, and issue a page fault and deny access to the secure page in the memory.
-
Publication number: US20200233807A1
Publication date: 2020-07-23
Application number: US16838418
Application date: 2020-04-02
Applicant: Intel Corporation
Inventor: Vedvyas Shanbhogue, Krystof C. Zmudzinski, Carlos V. Rozas, Francis X. McKeen, Raghunandan Makaram, Ilya Alexandrovich, Ittai Anati, Meltem Ozsoy
IPC: G06F12/0862, G06F12/1009, G06F12/14, G06F12/1027, G06F12/0846
Abstract: Secure memory repartitioning technologies are described. Embodiments of the disclosure may include a processing device including a processor core and a memory controller coupled between the processor core and a memory device. The memory device includes a memory range including a section of convertible pages that are convertible to secure pages or non-secure pages. The processor core is to receive a non-secure access request to a page in the memory device, responsive to a determination, based on one or more secure state bits in one or more secure state bit arrays, that the page is a secure page, insert an abort page address into a translation lookaside buffer, and responsive to a determination, based on the one or more secure state bits in the one or more secure state bit arrays, that the page is a non-secure page, insert the page into the translation lookaside buffer.
-
Publication number: US10255199B1
Publication date: 2019-04-09
Application number: US15712968
Application date: 2017-09-22
Applicant: Intel Corporation
Inventor: Krystof C. Zmudzinski, Carlos V. Rozas
IPC: G06F12/10, G06F12/126, G06F12/128, G06F3/06, G06F12/0831
Abstract: Secure memory paging technologies are described. Embodiments of the disclosure may include checking attributes of secure page cache map to determine whether a target page to be evicted is clean and replay protected by a unified version-paging data structure and checking the unified version-paging data structure to determine whether contents of the unified version-paging data structure match the target page. When the target page to be evicted is clean and replay protected and the contents match, the target page can be removed without encrypting the contents of the target page.
-
Publication number: US20190102324A1
Publication date: 2019-04-04
Application number: US15721631
Application date: 2017-09-29
Applicant: Intel Corporation
Inventor: Meltem Ozsoy, Krystof C. Zmudzinski, Larisa Novakovsky, Julius Mandelblat, Francis X. McKeen, Carlos V. Rozas, Ittai Anati, Ilya Alexandrovich
IPC: G06F12/14, G06F12/0846, G06F12/128, G06F12/0831, G06F12/0806, G06F12/1027, G06F12/0888, G06F12/1009
Abstract: Cache behavior for secure memory repartitioning systems is described. Implementations may include a processing core and a memory controller coupled between the processor core and a memory device. The processor core is to receive a memory access request to a page in the memory device, the memory access request comprising a first guarded attribute (GA) indicator indicating whether the page is a secure page belonging to an enclave, determine whether the first GA indicator matches a second GA indicator in a cache line entry corresponding to the page, the cache line entry comprised in a cache, and responsive to a determination that the first GA indicator does not match the second GA indicator, apply an eviction policy to the cache line entry based on whether the cache line is indicated as a dirty cache line and accessing second data in the memory device for the page.