-
Publication number: US10073977B2
Publication date: 2018-09-11
Application number: US14974874
Filing date: 2015-12-18
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Steven B. McGowan, Siddhartha Chhabra, Reouven Elbaz
CPC classification number: G06F21/602, G06F13/28, G06F16/2365, G06F21/606, G06F21/64, G06F2221/031
Abstract: Technologies for authenticity assurance for I/O data include a computing device with a cryptographic engine and one or more I/O controllers. A metadata producer of the computing device performs an authenticated encryption operation on I/O data to generate encrypted I/O data and an authentication tag. The metadata producer stores the encrypted I/O data in a DMA buffer and the authentication tag in an authentication tag queue. A metadata consumer decrypts the encrypted I/O data from the DMA buffer and determines whether the encrypted I/O data is authentic using the authentication tag from the authentication tag queue. For input, the metadata producer may be embodied as the cryptographic engine and the metadata consumer may be embodied as a trusted software component. For output, the metadata producer may be embodied as the trusted software component and the metadata consumer may be embodied as the cryptographic engine. Other embodiments are described and claimed.
-
Publication number: US20170024569A1
Publication date: 2017-01-26
Application number: US14974944
Filing date: 2015-12-18
Applicant: Intel Corporation
Inventor: Bin Xing, Pradeep M. Pappachan, Siddhartha Chhabra, Reshma Lal, Steven B. McGowan
Abstract: Technologies for trusted I/O (TIO) include a computing device with a cryptographic engine and one or more I/O controllers. The computing device executes a TIO core service that has a cryptographic engine programming privilege granted by an operating system. The TIO core service receives a request from an application to protect a DMA channel. The TIO core service requests the operating system to protect the DMA channel, and the operating system verifies the cryptographic engine programming privilege of the TIO core service in response. The operating system programs the cryptographic engine to protect the DMA channel in response to verifying the cryptographic engine programming privilege of the TIO core service. If a privileged delegate determines that a user has confirmed termination of protection of the DMA channel, the TIO core service may unprotect the DMA channel. Other embodiments are described and claimed.
-
Publication number: US12284286B2
Publication date: 2025-04-22
Application number: US18048737
Filing date: 2022-10-21
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan, Reshma Lal
Abstract: Embodiments are directed to providing integrity-protected command buffer execution. An embodiment of an apparatus includes a computer-readable memory comprising one or more command buffers and a processing device communicatively coupled to the computer-readable memory to read, from a command buffer of the computer-readable memory, a first command received from a host device, the first command executable by one or more processing elements on the processing device, the first command comprising an instruction and associated parameter data, compute a first authentication tag using a cryptographic key associated with the host device, the instruction and at least a portion of the parameter data, and authenticate the first command by comparing the first authentication tag with a second authentication tag computed by the host device and associated with the command.
-
Publication number: US20250125944A1
Publication date: 2025-04-17
Application number: US19000185
Filing date: 2024-12-23
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan, Reshma Lal, Rakesh A. Ughreja, Kumar N. Dwarakanath, Victoria C. Moore
IPC: H04L9/00, G06F9/54, G06F21/44, G06F21/57, G06F21/60, G06F21/83, G06F21/84, H04L9/08, H04L9/40
Abstract: Systems and methods include establishing a cryptographically secure communication between an application module and an audio module. The application module is configured to execute on an information-handling machine, and the audio module is coupled to the information-handling machine. The establishment of the cryptographically secure communication may be at least partially facilitated by a mutually trusted module.
-
Publication number: US20250112756A1
Publication date: 2025-04-03
Application number: US18978334
Filing date: 2024-12-12
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan, Reshma Lal, Rakesh A. Ughreja, Kumar N. Dwarakanath, Victoria C. Moore
IPC: H04L9/00, G06F9/54, G06F21/44, G06F21/57, G06F21/60, G06F21/83, G06F21/84, H04L9/08, H04L9/40
Abstract: Systems and methods include establishing a cryptographically secure communication between an application module and an audio module. The application module is configured to execute on an information-handling machine, and the audio module is coupled to the information-handling machine. The establishment of the cryptographically secure communication may be at least partially facilitated by a mutually trusted module.
-
Publication number: US20240143802A1
Publication date: 2024-05-02
Application number: US18496108
Filing date: 2023-10-27
Applicant: Intel Corporation
Inventor: Salessawi Ferede Yitbarek, Lawrence A. Booth, Jr., Brent D. Thomas, Reshma Lal, Pradeep M. Pappachan, Akshay Kadam
CPC classification number: G06F21/606, G06F21/76, H04L9/0827, H04L9/14, G06F2221/2149
Abstract: Embodiments are directed to protection of communications between a trusted execution environment and a hardware accelerator utilizing enhanced end-to-end encryption and inter-context security. An embodiment of an apparatus includes one or more processors having one or more trusted execution environments (TEEs) including a first TEE to include a first trusted application; an interface with a hardware accelerator, the hardware accelerator including trusted embedded software or firmware; and a computer memory to store an untrusted kernel mode driver for the hardware accelerator, the one or more processors to establish an encrypted tunnel between the first trusted application in the first TEE and the trusted software or firmware, generate a call for a first command from the first trusted application, generate an integrity tag for the first command, and transfer command parameters for the first command and the integrity tag to the kernel mode driver to generate the first command.
-
Publication number: US11665144B2
Publication date: 2023-05-30
Application number: US17743659
Filing date: 2022-05-13
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan, Reshma Lal
CPC classification number: H04L63/0428, G06F21/57, H04L9/0841, H04L63/061, H04W12/04, H04W12/06
Abstract: Embodiments are directed to a session management framework for secure communications between host systems and trusted devices. An embodiment of computer-readable storage mediums includes instructions for establishing a security agreement between a host system and a trusted device, the host device including a trusted execution environment (TEE); initiating a key exchange between the host system and the trusted device, including sending a key agreement message from the host system to the trusted device; sending an initialization message to the trusted device; validating capabilities of the trusted device for a secure communication session between the host system and the trusted device; provisioning secrets to the trusted device and initializing cryptographic parameters with the trusted device; and sending an activate session message to the trusted device to activate the secure communication session over a secure communication channel.
-
Publication number: US11575672B2
Publication date: 2023-02-07
Application number: US16723688
Filing date: 2019-12-20
Applicant: Intel Corporation
Inventor: Salessawi Ferede Yitbarek, Pradeep M. Pappachan, Vincent Scarlata, Reshma Lal
Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent executes an attestation algorithm to generate a first secure attestation for the first I/O device and a second secure attestation for the second I/O device, obtains a peer-to-peer communication key, and forwards the peer-to-peer communication key to the first I/O device and a second I/O device to enable secure peer-to-peer communication between the first I/O device and the second I/O device over a communication link secured by the peer-to-peer communication key. Other embodiments are described and claimed.
-
Publication number: US11416415B2
Publication date: 2022-08-16
Application number: US16444053
Filing date: 2019-06-18
Applicant: Intel Corporation
Inventor: Reshma Lal, Pradeep M. Pappachan, Luis Kida, Krystof Zmudzinski, Siddhartha Chhabra, Abhishek Basak, Alpa Narendra Trivedi, Anna Trikalinou, David M. Lee, Vedvyas Shanbhogue, Utkarsh Y. Kakaiya
IPC: G06F12/14, H04L9/32, G06F21/76, G06F21/60, H04L9/08, G06F9/455, G06F21/57, G06F21/64, H04L41/28, G06F21/79, H04L41/046, H04L9/06, G06F9/38, G06F12/0802
Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.
-
Publication number: US20220035923A1
Publication date: 2022-02-03
Application number: US17451922
Filing date: 2021-10-22
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Siddhartha Chhabra, Vincent R. Scarlata, Steven B. McGowan
Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information. The computing device may collect application attestation information for a trusted application that uses the trusted I/O usage and verify the application attestation information. Other embodiments are described and claimed.
-