-
Publication (Announcement) No.: US12248807B2
Publication (Announcement) Date: 2025-03-11
Application No.: US17134339
Application Date: 2020-12-26
Applicant: INTEL CORPORATION
Inventor: Ravi Sahita, Dror Caspi, Vincent Scarlata, Sharon Yaniv, Baruch Chaikin, Vedvyas Shanbhogue, Jun Nakajima, Arumugam Thiyagarajah, Sean Christopherson, Haidong Xia, Vinay Awasthi, Isaku Yamahata, Wei Wang, Thomas Adelmeyer
Abstract: Techniques for migration of a source protected virtual machine from a source platform to a destination platform are described. A method of an aspect includes enforcing that bundles of state, of a first protected virtual machine (VM), received at a second platform over a stream, during an in-order phase of a migration of the first protected VM from a first platform to the second platform, are imported to a second protected VM of the second platform, in the same order that they were exported from the first protected VM. Receiving a marker over the stream marking an end of the in-order phase. Determining that all bundles of state exported from the first protected VM prior to export of the marker have been imported to the second protected VM. Starting an out-of-order phase of the migration based on the determination that all said bundles of state exported have been imported.
-
Publication (Announcement) No.: US12106133B2
Publication (Announcement) Date: 2024-10-01
Application No.: US17095119
Application Date: 2020-11-11
Applicant: Intel Corporation
Inventor: Ravi Sahita, Vedvyas Shanbhogue
CPC classification number: G06F9/45558, G06F9/445, H04L9/3263, H04L63/0428, H04L63/08, G06F2009/45583, G06F2009/45587
Abstract: Methods and apparatus for trusted devices using trust domain extensions. The method is implemented on a compute platform including one or more devices and a set of hardware, firmware, and software components associated with a trusted computing base (TCB), including a host operating system and virtual machine manager (VMM). A device trust domain (dTD) is implemented in a trusted address space that is separate from the TCB, and one or more of the devices are bound to the dTD, which enables one or more virtual machines (VMs) or trusted domains (TDs) to access one or more functions provided by the bound device(s) in a secure and trusted manner. Firmware from a device is onloaded to the dTD and executed in the trusted address space to facilitate secure access to functions provided by the bound devices without using the VMM. Moreover, the VMM and any other software in the TCB cannot access data such as cryptographic keys and secrets that are employed by the dTD.
-
Publication (Announcement) No.: US11768931B2
Publication (Announcement) Date: 2023-09-26
Application No.: US17456744
Application Date: 2021-11-29
Applicant: Intel Corporation
Inventor: Michael LeMay, Barry E. Huntley, Ravi Sahita
CPC classification number: G06F21/53, G06F9/5016, G06F12/00, G06F21/121, G06F21/74, G06F2221/033, G06F2221/0713, G06F2221/2113
Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.
-
Publication (Announcement) No.: US11556341B2
Publication (Announcement) Date: 2023-01-17
Application No.: US17341068
Application Date: 2021-06-07
Applicant: Intel Corporation
Inventor: Ravi Sahita, Deepak Gupta, Vedvyas Shanbhogue, David Hansen, Jason W. Brandt, Joseph Nuzman, Mingwei Zhang
Abstract: Systems, methods, and apparatuses relating to instructions to compartmentalize memory accesses and execution (e.g., non-speculative and speculative) are described. In one embodiment, a compartment manager circuit is to determine, when a compartment control register of a hardware processor core is set to an enable value, that a first subset of code requested for execution on the hardware processor core in user privilege is within a first compartment of memory, load a first compartment descriptor for the first compartment into one or more registers of the hardware processor core from the memory, check if the first compartment is marked in the first compartment descriptor, within the one or more registers of the hardware processor core, as a management compartment, and, when the first compartment is marked in the first compartment descriptor as the management compartment, allowing the first subset of the code within the first compartment to load a second compartment descriptor for a second compartment of the memory into the one or more registers of the hardware processor core from the memory, switching execution from the first subset of code within the first compartment to a second subset of code in user privilege within the second compartment, allowing speculative memory accesses for the second subset of code only within the second compartment, and preventing a memory access outside of the second compartment for the second subset of code as indicated by the second compartment descriptor stored within the one or more registers of the hardware processor core.
-
Publication (Announcement) No.: US20220222340A1
Publication (Announcement) Date: 2022-07-14
Application No.: US17711883
Application Date: 2022-04-01
Applicant: Intel Corporation
Inventor: Vidhya Krishnan, Ankur Shah, Bryan White, Daniel Nemiroff, David Puffer, Julien Carreno, Scott Janus, Ravi Sahita, Hema Nalluri, Utkarsh Y. Kakaiya
Abstract: Security and support for trust domain operation is described. An example of a method includes processing, at an accelerator, one or more compute workloads received from a host system; upon receiving a notification that a trust domain has transitioned to a secure state, transitioning an original set of privileges for the accelerator to a downgraded set of privileges; upon receiving a command from the host system for the trust domain, processing the command in accordance with the trust domain; and upon receiving a request from the host system to access a register, for a register included in an allowed list of registers for access, allowing access to the register, and, for a register that is not within the allowed list of registers for access, disallowing access to the register.
-
Publication (Announcement) No.: US20210312038A1
Publication (Announcement) Date: 2021-10-07
Application No.: US17346757
Application Date: 2021-06-14
Applicant: Intel Corporation
Inventor: Michael LeMay, Barry E. Huntley, Ravi Sahita
Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.
-
Publication (Announcement) No.: US11036850B2
Publication (Announcement) Date: 2021-06-15
Application No.: US16218908
Application Date: 2018-12-13
Applicant: Intel Corporation
Inventor: Michael LeMay, Barry E. Huntley, Ravi Sahita
Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.
-
Publication (Announcement) No.: US10705976B2
Publication (Announcement) Date: 2020-07-07
Application No.: US16023537
Application Date: 2018-06-29
Applicant: Intel Corporation
Inventor: Ravi Sahita, Barry E. Huntley, Vedvyas Shanbhogue, Dror Caspi, Baruch Chaikin, Gilbert Neiger, Arie Aharon, Arumugam Thiyagarajah
IPC: G06F12/1036, G06F12/14, G06F9/455, G06F12/109, G06F21/53, G06F21/78, G06F12/1009, G06F12/02
Abstract: Examples include a processor including at least one untrusted extended page table (EPT), circuitry to execute a set of instructions of the instruction set architecture (ISA) of the processor to manage at least one secure extended page table (SEPT), and a physical address translation component to translate a guest physical address of a guest physical memory to a host physical address of a host physical memory using one of the at least one untrusted EPT and the at least one SEPT.
-
Publication (Announcement) No.: US10649911B2
Publication (Announcement) Date: 2020-05-12
Application No.: US15940490
Application Date: 2018-03-29
Applicant: Intel Corporation
Inventor: Hormuzd M. Khosravi, Baiju Patel, Ravi Sahita, Barry Huntley
IPC: G06F12/1036, G06F12/1009, G06F12/14, G06F12/0891, G06F21/79, G06F21/62
Abstract: Embodiments of this disclosure provide techniques to support full memory paging between different trust domains (TDs) in a compute system without losing any of the security properties, such as tamper resistance/detection and confidentiality, on a per-TD basis. In one embodiment, a processing device including a memory controller and a memory paging circuit operatively coupled to the memory controller is provided. The memory paging circuit is to evict a memory page associated with a trust domain (TD) executed by the processing device. A binding of the memory page to a first memory location of the TD is removed. A transportable page that includes encrypted contents of the memory page is created. Thereupon, the memory page is provided to a second memory location.
-
Publication (Announcement) No.: US10296366B2
Publication (Announcement) Date: 2019-05-21
Application No.: US15391576
Application Date: 2016-12-27
Applicant: Intel Corporation
Inventor: Gilbert Neiger, Mayank Bomb, Manohar Castelino, Robert Chappell, David Durham, Barry Huntley, Anton Ivanov, Madhavan Parthasarathy, Scott Rodgers, Ravi Sahita, Vedvyas Shanbhogue
Abstract: Embodiments of an invention for virtualization exceptions are disclosed. In one embodiment, a processor includes instruction hardware, control logic, and execution hardware. The instruction hardware is to receive a plurality of instructions, including an instruction to enter a virtual machine. The control logic is to determine, in response to a privileged event occurring within the virtual machine, whether to generate a virtualization exception. The execution hardware is to generate a virtualization exception in response to the control logic determining to generate a virtualization exception.
-