公开(公告)号：US10181946B2

公开(公告)日：2019-01-15

申请号：US14974956

申请日：2015-12-18

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Steven B. McGowan ,  Siddhartha Chhabra ,  Gideon Gerzon ,  Bin Xing ,  Pradeep M. Pappachan ,  Reouven Elbaz

IPC: H04L9/06 ,  G06F13/28 ,  H04L9/08 ,  H04L9/32

Abstract: Technologies for cryptographic protection of I/O data include a computing device with one or more I/O controllers. Each I/O controller may generate a direct memory access (DMA) transaction that includes a channel identifier that is indicative of the I/O controller and that is indicative of an I/O device coupled to the I/O controller. The computing device intercepts the DMA transaction and determines whether to protect the DMA transaction as a function of the channel identifier. If so, the computing device performs a cryptographic operation using an encryption key associated with the channel identifier. The computing device may include a cryptographic engine that intercepts the DMA transaction and determines whether to protect the DMA transaction by determining whether the channel identifier matches an entry in a channel identifier table of the cryptographic engine. Other embodiments are described and claimed.

公开(公告)号：US20170364689A1

公开(公告)日：2017-12-21

申请号：US15628012

申请日：2017-06-20

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Reshma Lal ,  Siddhartha Chhabra ,  Gideon Gerzon ,  Baruch Chaikin ,  Bin Xing ,  William A. Stevens, JR.

IPC: G06F21/60 ,  G06F21/57 ,  H04L9/32

CPC classification number: G06F21/602 ,  G06F13/20 ,  G06F13/28 ,  G06F21/51 ,  G06F21/57 ,  G06F21/6218 ,  G06F21/6281 ,  G06F21/85 ,  G09C1/00 ,  H04L9/0637 ,  H04L9/32 ,  H04L9/3242 ,  H04L63/12 ,  H04L63/126

Abstract: Technologies for securely binding a manifest to a platform include a computing device having a security engine and a field-programmable fuse. The computing device receives a platform manifest indicative of a hardware configuration of the computing device and a manifest hash. The security engine of the computing device blows a bit of a field programmable fuse and then stores the manifest hash and a counter value of the field-programmable fuse in integrity-protected non-volatile storage. In response to a platform reset, the security engine verifies the stored manifest hash and counter value and then determines whether the stored counter value matches the field-programmable fuse. If verified and current, trusted software may calculate a hash of the platform manifest and compare the calculated hash to the stored manifest hash. If matching, the platform manifest may be used to discover platform hardware. Other embodiments are described and claimed.

公开(公告)号：US09720843B2

公开(公告)日：2017-08-01

申请号：US13729439

申请日：2012-12-28

Applicant: Intel Corporation

Inventor： Gur Hildesheim ,  Shlomo Raikin ,  Ittai Anati ,  Gideon Gerzon ,  Hisham Shafi ,  Alex Berenzon ,  Geoffrey S. Strongin ,  Iris Sorani

IPC: G06F12/00 ,  G06F12/1027 ,  G06F12/14

CPC classification number: G06F12/1027 ,  G06F12/1441 ,  G06F12/145 ,  G06F2212/1052

Abstract: A processor of an aspect includes operation mode check logic to determine whether to allow an attempted access to an operation mode and access type protected memory based on an operation mode that is to indicate whether the attempted access is by an on-die processor logic. Access type check logic is to determine whether to allow the attempted access to the operation mode and access type protected memory based on an access type of the attempted access to the operation mode and access type protected memory. Protection logic is coupled with the operation mode check logic and is coupled with the access type check logic. The protection logic is to deny the attempted access to the operation mode and access type protected memory if at least one of the operation mode check logic and the access type check logic determines not to allow the attempted access.

公开(公告)号：US20170090800A1

公开(公告)日：2017-03-30

申请号：US14866478

申请日：2015-09-25

Applicant: Intel Corporation

Inventor： Ilya Alexandrovich ,  Vladimir Beker ,  Gideon Gerzon ,  Vincent R. Scarlata

IPC: G06F3/06 ,  G06F13/40 ,  G06F13/16

Abstract: An integrated circuit of an aspect includes protected container access control logic to perform a set of access control checks and to determine to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). This is done after it has been determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for said one of DMA and MMIO.

公开(公告)号：US20170026171A1

公开(公告)日：2017-01-26

申请号：US14974956

申请日：2015-12-18

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Steven B. McGowan ,  Siddhartha Chhabra ,  Gideon Gerzon ,  Bin Xing ,  Pradeep M. Pappachan ,  Reouven Elbaz

IPC: H04L9/06 ,  G06F13/28 ,  H04L9/08

CPC classification number: H04L9/0631 ,  G06F13/28 ,  H04L9/0618 ,  H04L9/0822 ,  H04L9/3242

Abstract: Technologies for cryptographic protection of I/O data include a computing device with one or more I/O controllers. Each I/O controller may be coupled to one or more I/O devices. Each I/O controller may generate a direct memory access (DMA) transaction that includes a channel identifier that is indicative of the I/O controller and that is indicative of an I/O device coupled to the I/O controller. The computing device intercepts the DMA transaction and determines whether to protect the DMA transaction as a function of the channel identifier. If so, the computing device performs a cryptographic operation using an encryption key associated with the channel identifier. The computing device may include a cryptographic engine that intercepts the DMA transaction and determines whether to protect the DMA transaction by determining whether the channel identifier matches an entry in a channel identifier table of the cryptographic engine. Other embodiments are described and claimed.

Abstract translation: 用于I / O数据加密保护的技术包括具有一个或多个I / O控制器的计算设备。 每个I / O控制器可以耦合到一个或多个I / O设备。 每个I / O控制器可以生成包括指示I / O控制器并且指示耦合到I / O控制器的I / O设备的信道标识符的直接存储器访问（DMA）事务。 计算设备拦截DMA事务，并根据信道标识确定是否保护DMA事务。 如果是这样，则计算设备使用与该信道标识符相关联的加密密钥来执行密码操作。 计算设备可以包括密码引擎，其拦截DMA事务并且通过确定信道标识符是否匹配密码引擎的信道标识符表中的条目来确定是否保护DMA事务。 描述和要求保护其他实施例。

公开(公告)号：US20160188504A1

公开(公告)日：2016-06-30

申请号：US14800419

申请日：2015-07-15

Applicant: Intel Corporation

Inventor： Rajesh Sankaran Madukkarumukumana ,  Gilbert Neiger ,  Ohad Falik ,  Sridhar Muthrasanallur ,  Gideon Gerzon

IPC: G06F13/24

CPC classification number: G06F13/24 ,  G06F9/4812

Abstract: Embodiments of systems, apparatuses, and methods for posting interrupts to virtual processors are disclosed. In one embodiment, an apparatus includes look-up logic and posting logic. The look-up logic is to look-up an entry associated with an interrupt request to a virtual processor in a data structure. The posting logic is to post the interrupt request in a data structure specified by information in the first data structure.

公开(公告)号：US08843683B2

公开(公告)日：2014-09-23

申请号：US13837730

申请日：2013-03-15

Applicant: Intel Corporation

Inventor： Rajesh Sankaran Madukkarumukumana ,  Gilbert Neiger ,  Ohad Falik ,  Sridhar Muthrasanallur ,  Gideon Gerzon

IPC: G06F13/24

CPC classification number: G06F13/24 ,  G06F9/4812

Abstract: Embodiments of systems, apparatuses, and methods for posting interrupts to virtual processors are disclosed. In one embodiment, an apparatus includes look-up logic and posting logic. The look-up logic is to look-up an entry associated with an interrupt request to a virtual processor in a data structure. The posting logic is to post the interrupt request in a data structure specified by information in the first data structure.

Abstract translation: 公开了向虚拟处理器发布中断的系统，装置和方法的实施例。 在一个实施例中，装置包括查找逻辑和发布逻辑。 查找逻辑是在数据结构中查找与中断请求相关联的条目给虚拟处理器。 发布逻辑是将中断请求发布在由第一数据结构中的信息指定的数据结构中。

公开(公告)号：US12174972B2

公开(公告)日：2024-12-24

申请号：US17464163

申请日：2021-09-01

Applicant: Intel Corporation

Inventor： Dror Caspi ,  Arie Aharon ,  Gideon Gerzon ,  Hormuzd Khosravi

IPC: G06F21/00 ,  G06F21/60 ,  H04L9/08 ,  H04L9/14

Abstract: Implementations describe providing secure encryption key management in trust domains. In one implementation, a processing device includes a key ownership table (KOT) that is protected against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to create a trust domain (TD) and a randomly-generated encryption key corresponding to the TD, the randomly-generated encryption key identified by a guest key identifier (GKID) and protected against software access from at least one of the TDRM or other TDs, the TDRM is to reference the KOT to obtain at least one unassigned host key identifier (HKID) utilized to encrypt a TD memory, the TDRM is to assign the HKID to the TD by marking the HKID in the KOT as assigned, and configure the randomly-generated encryption key on the processing device by associating the randomly-generated encryption key with the HKID.

公开(公告)号：US12021980B2

公开(公告)日：2024-06-25

申请号：US17465311

申请日：2021-09-02

Applicant: Intel Corporation

Inventor： Ido Ouziel ,  Arie Aharon ,  Dror Caspi ,  Baruch Chaikin ,  Jacob Doweck ,  Gideon Gerzon ,  Barry E. Huntley ,  Francis X. McKeen ,  Gilbert Neiger ,  Carlos V. Rozas ,  Ravi L. Sahita ,  Vedvyas Shanbhogue ,  Assaf Zaltsman

IPC: H04L9/08 ,  G06F9/455 ,  G06F12/1009 ,  G06F21/60 ,  G06F21/62

CPC classification number: H04L9/088 ,  G06F9/45558 ,  G06F12/1009 ,  G06F21/602 ,  G06F21/62 ,  G06F2009/45583 ,  G06F2009/45587 ,  G06F2212/1044 ,  G06F2212/657

Abstract: A processor includes a processor core. A register of the core is to store: a bit range for a number of address bits of physical memory addresses used for key identifiers (IDs), and a first key ID to identify a boundary between non-restricted key IDs and restricted key IDs of the key identifiers. A memory controller is to: determine, via access to bit range and the first key ID in the register, a key ID range of the restricted key IDs within the physical memory addresses; access a processor state that a first logical processor of the processor core executes in an untrusted domain mode; receive a memory transaction, from the first logical processor, including an address associated with a second key ID; and generate a fault in response to a determination that the second key ID is within a key ID range of the restricted key IDs.

公开(公告)号：US11775447B2

公开(公告)日：2023-10-03

申请号：US17450597

申请日：2021-10-12

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Amy L. Santoni ,  Gilbert Neiger ,  Barry E. Huntley ,  Hormuzd M. Khosravi ,  Baiju V. Patel ,  Ravi L. Sahita ,  Gideon Gerzon ,  Ido Ouziel ,  Ioannis T. Schoinas ,  Rajesh M. Sankaran

IPC: G06F12/14 ,  G06F21/53 ,  G06F3/06 ,  G06F21/78 ,  G06F21/82 ,  G06F21/60

CPC classification number: G06F12/1408 ,  G06F3/0623 ,  G06F12/145 ,  G06F21/53 ,  G06F21/602 ,  G06F21/78 ,  G06F21/82 ,  G06F2212/1052 ,  G06F2212/401 ,  G06F2212/402

Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.