公开(公告)号：US20190095334A1

公开(公告)日：2019-03-28

申请号：US15719023

申请日：2017-09-28

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Krystof C. Zmudzinski ,  Carlos V. Rozas ,  Francis X. McKeen ,  Raghunandan Makaram ,  Ilya Alexandrovich ,  Ittai Anati ,  Meltem Ozsoy

IPC: G06F12/0862 ,  G06F12/0846 ,  G06F12/1027 ,  G06F12/14 ,  G06F12/1009

Abstract: Secure memory repartitioning technologies are described. Embodiments of the disclosure may include a processing device including a processing core and a memory controller coupled between the processor core and a memory device. The memory device includes a memory range including a section of convertible pages that are convertible to secure pages or non-secure pages. The processor core is to receive a non-secure access request to a page in the memory device, responsive to a determination, based on one or more secure state bits in one or more secure state bit arrays, that the page is a secure page, insert an abort page address into a translation lookaside buffer, and responsive to a determination, based on the one or more secure state bits in the one or more secure state bit arrays, that the page is a non-secure page, insert the page into the translation lookaside buffer.

公开(公告)号：US20190052469A1

公开(公告)日：2019-02-14

申请号：US16162776

申请日：2018-10-17

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Francis X. McKeen ,  Carlos V. Rozas ,  Simon P. Johnson ,  Bo Zhang ,  James D. Beaney, JR. ,  Piotr Zmijewski ,  Wesley H. Smith ,  Eduardo Cabre

IPC: H04L9/32 ,  G06F21/53 ,  G09C1/00 ,  H04L29/06 ,  G06F21/44 ,  H04L9/30 ,  H04L9/14 ,  H04L9/08

Abstract: A computing platform implements one or more secure enclaves including a first provisioning enclave to interface with a first provisioning service to obtain a first attestation key from the first provisioning service, a second provisioning enclave to interface with a different, second provisioning service to obtain a second attestation key from the second provisioning service, and a provisioning certification enclave to sign first data from the first provisioning enclave and second data from the second provisioning enclave using a hardware-based provisioning attestation key. The signed first data is used by the first provisioning enclave to authenticate to the first provisioning service to obtain the first attestation key and the signed second data is used by the second provisioning enclave to authenticate to the second provisioning service to obtain the second attestation key.

公开(公告)号：US09942035B2

公开(公告)日：2018-04-10

申请号：US14829340

申请日：2015-08-18

Applicant: INTEL CORPORATION

Inventor： Carlos V. Rozas ,  Mona Vij ,  Rebekah M. Leslie-Hurd ,  Krystof C. Zmudzinski ,  Somnath Chakrabarti ,  Francis X. McKeen ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Ilya Alexandrovich

IPC: H04L9/08 ,  G06F9/455 ,  H04L29/08 ,  H04L29/06

CPC classification number: H04L9/0891 ,  G06F9/45558 ,  G06F2009/45575 ,  G06F2009/45587 ,  H04L63/061 ,  H04L63/10 ,  H04L67/34

Abstract: A processor to support platform migration of secure enclaves is disclosed. In one embodiment, the processor includes a memory controller unit to access secure enclaves and a processor core coupled to the memory controller unit. The processor core to identify a control structure associated with a secure enclave. The control structure comprises a plurality of data slots and keys associated with a first platform comprising the memory controller unit and the processor core. A version of data from the secure enclave is associated with the plurality of data slots. Migratable keys are generated as a replacement for the keys associated with the control structure. The migratable keys control access to the secure enclave. Thereafter, the control structure is migrated to a second platform to enable access to the secure enclave on the second platform.

公开(公告)号：US09710401B2

公开(公告)日：2017-07-18

申请号：US14752227

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： Carlos V. Rozas ,  Mona Vij ,  Rebekah M. Leslie-Hurd ,  Krystof C. Zmudzinski ,  Somnath Chakrabarti ,  Francis X. McKeen ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Ilya Alexandrovich ,  Gilbert Neiger ,  Vedvyas Shanbhogue ,  Ittai Anati

IPC: G06F11/30 ,  G06F12/14 ,  G06F21/60 ,  G06F9/30 ,  G06F21/53

CPC classification number: G06F12/1408 ,  G06F8/41 ,  G06F9/30145 ,  G06F9/45558 ,  G06F21/53 ,  G06F21/602 ,  G06F2009/4557 ,  G06F2009/45587 ,  G06F2212/1052

Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.

公开(公告)号：US20160381005A1

公开(公告)日：2016-12-29

申请号：US14752259

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： Mona Vij ,  Carlos V. Rozas ,  Vincent R. Scarlata ,  Francis X. McKeen ,  Bo Zhang

IPC: H04L29/06

CPC classification number: H04L63/0823 ,  G06F9/45558 ,  G06F2009/45587 ,  H04L63/0281 ,  H04L63/10

Abstract: Technologies for secure access to platform security services include a computing device having a processor and a security engine. The computing device establishes a platform services enclave in a virtual machine of the computing device using secure enclave support of the processor. The platform services enclave receives a platform services request from an application enclave via a first authenticated session and transmits the platform services request to a virtual security engine established by a host environment via a second authenticated session. The first and second authenticated sessions may be authenticated by report-based attestation and quote-based attestation, respectively. The virtual security engine transmits the platform services request to the security engine via a long-term pairing session established by the virtual security engine with the security engine. The security engine performs the platform services request using hardware resources shared with other platform services enclaves. Other embodiments are described and claimed.

Abstract translation: 用于安全访问平台安全服务的技术包括具有处理器和安全引擎的计算设备。 计算设备使用处理器的安全飞行支持在计算设备的虚拟机中建立平台服务飞地。 平台服务飞地通过第一认证会话从应用飞地接收平台服务请求，并通过第二认证会话将平台服务请求发送到由主机环境建立的虚拟安全引擎。 第一次和第二次认证会话可以分别通过基于报告的认证和基于报价的认证进行认证。 虚拟安全引擎通过虚拟安全引擎与安全引擎建立的长期配对会话将平台服务请求发送到安全引擎。 安全引擎使用与其他平台服务飞地共享的硬件资源来执行平台服务请求。 描述和要求保护其他实施例。

公开(公告)号：US20160378664A1

公开(公告)日：2016-12-29

申请号：US14752109

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： Rebekah M. Leslie-Hurd ,  Carlos V. Rozas ,  Francis X. McKeen ,  Ilya Alexandrovich ,  Vedvyas Shanbhogue ,  Bin Xing ,  Mark W. Shanahan ,  Simon P. Johnson

IPC: G06F12/08

CPC classification number: G06F12/0844 ,  G06F11/073 ,  G06F11/0775 ,  G06F12/0882 ,  G06F2212/1032 ,  G06F2212/1052 ,  G06F2212/281 ,  G06F2212/312 ,  G06F2212/402 ,  G06F2212/608

Abstract: A processor implementing techniques to supporting fault information delivery is disclosed. In one embodiment, the processor includes a memory controller unit to access an enclave page cache (EPC) and a processor core coupled to the memory controller unit. The processor core to detect a fault associated with accessing the EPC and generate an error code associated with the fault. The error code reflects an EPC-related fault cause. The processor core is further to encode the error code into a data structure associated with the processor core. The data structure is for monitoring a hardware state related to the processor core.

Abstract translation: 公开了一种实现技术支持故障信息传递的处理器。 在一个实施例中，处理器包括存储器控制器单元，用于访问耦合到存储器控制器单元的飞地页面缓存（EPC）和处理器核心。 处理器核心，用于检测与访问EPC相关的故障并生成与故障相关的错误代码。 错误代码反映了与EPC相关的故障原因。 处理器核心还将错误代码编码成与处理器核心相关联的数据结构。 数据结构用于监视与处理器核心相关的硬件状态。

公开(公告)号：US20230042288A1

公开(公告)日：2023-02-09

申请号：US17867306

申请日：2022-07-18

Applicant: Intel Corporation

Inventor： Krystof C. Zmudzinski ,  Siddhartha Chhabra ,  Uday R. Savagaonkar ,  Simon P. Johnson ,  Rebekah M. Leslie-Hurd ,  Francis X. McKeen ,  Gilbert Neiger ,  Raghunandan Makaram ,  Carlos V. Rozas ,  Amy L. Santoni ,  Vincent R. Scarlata ,  Vedvyas Shanbhogue ,  Ilya Alexandrovich ,  Ittai Anati ,  Wesley H. Smith ,  Michael Goldsmith

IPC: G06F12/1009 ,  G06F12/1027 ,  G06F12/1036 ,  G06F12/109 ,  G06F12/14 ,  G06F9/455

Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.

公开(公告)号：US20210255962A1

公开(公告)日：2021-08-19

申请号：US17156175

申请日：2021-01-22

Applicant: Intel Corporation

Inventor： Krystof C. Zmudzinski ,  Siddhartha Chhabra ,  Uday R. Savagaonkar ,  Simon P. Johnson ,  Rebekah M. Leslie-Hurd ,  Francis X. McKeen ,  Gilbert Neiger ,  Raghunandan Makaram ,  Carlos V. Rozas ,  Amy L. Santoni ,  Vincent R. Scarlata ,  Vedvyas Shanbhogue ,  Ilya Alexandrovich ,  Ittai Anati ,  Wesley H. Smith ,  Michael Goldsmith

IPC: G06F12/1009 ,  G06F12/1027 ,  G06F12/1036 ,  G06F12/109 ,  G06F12/14 ,  G06F9/455

Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.

公开(公告)号：US20210006416A1

公开(公告)日：2021-01-07

申请号：US16856968

申请日：2020-04-23

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Francis X. McKeen ,  Carlos V. Rozas ,  Simon P. Johnson ,  Bo Zhang ,  James D. Beaney, JR. ,  Piotr Zmijewski ,  Wesley Hamilton Smith ,  Eduardo Cabre ,  Uday R. Savagaonkar

IPC: H04L9/32 ,  H04L9/08 ,  G09C1/00 ,  H04L29/06 ,  H04L9/14

Abstract: Embodiments include systems, methods, computer readable media, and devices configured to, for a first processor of a platform, generate a platform root key; create a data structure to encapsulate the platform root key, the data structure comprising a platform provisioning key and an identification of a registration service; and transmit, on a secure connection, the data structure to the registration service to register the platform root key for the first processor of the platform. Embodiments include systems, methods, computer readable media, and devices configured to store a device certificate received from a key generation facility; receive a manifest from a platform, the manifest comprising an identification of a processor associated with the platform; and validate the processor using a stored device certificate.

公开(公告)号：US10671542B2

公开(公告)日：2020-06-02

申请号：US15200796

申请日：2016-07-01

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Ittai Anati ,  Francis X. McKeen ,  Krystof C. Zmudzinski ,  Meltem Ozsoy

IPC: G06F12/1009 ,  G06F3/06 ,  G06F12/14

Abstract: Apparatuses, methods and storage medium associated with application execution enclave memory page cache management, are disclosed herein. In embodiments, an apparatus may include a processor with processor supports for application execution enclaves; memory organized into a plurality of host physical memory pages; and a virtual machine monitor to be operated by the processor to manage operation of virtual machines. Management of operation of the virtual machines may include facilitation of mapping of virtual machine-physical memory pages of the virtual machines to the host physical memory pages, including maintenance of an unallocated subset of the host physical memory pages to receive increased security protection for selective allocation to the virtual machines, for virtualization and selective allocation to application execution enclaves of applications of the virtual machines. Other embodiments may be described and/or claimed.