-
Publication number: US11328111B2
Publication date: 2022-05-10
Application number: US17129223
Filing date: 2020-12-21
Applicant: Intel Corporation
Inventor: Steffen Schulz , Alpa Trivedi , Patrick Koeberl
IPC: G06F21/00 , G06F30/398 , G06N3/04 , H04L9/00 , H04L9/08 , G06F9/30 , G06F9/50 , G06F15/177 , G06F15/78 , H04L29/06 , G06N20/00 , G06F11/07 , G06F30/331 , G06F9/38 , G06F119/12 , G06F21/76 , G06N3/08 , G06F21/85 , G06F111/04 , G06F30/31 , G06F21/30 , G06F21/53 , G06F21/57 , G06F21/73 , G06F21/74 , G06F21/71 , G06F21/44
Abstract: An apparatus to facilitate broadcast remote sealing for scalable trusted execution environment provisioning is disclosed. The apparatus includes one or more processors to: request a group status report to confirm a status of a group of trusted execution platforms from a cloud service provider (CSP) providing scalable runtime validation for on-device design rule checks; validate, by a tenant, a minimum trusted computing base (TCB) declared with the group status report; determine, based on validation of the minimum TCB, whether a set of group members of the group of trusted execution platforms satisfies security requirements of the tenant; responsive to the set of group members satisfying the security requirement, utilize a group public key to encrypt a workload of the tenant; and send the encrypted workload to the CSP for storage by the CSP and subsequent execution by an execution platform of the group using a private group key.
-
32.
Publication number: US20210110065A1
Publication date: 2021-04-15
Application number: US17130506
Filing date: 2020-12-22
Applicant: Intel Corporation
Inventor: Alpa Trivedi , Steffen Schulz , Patrick Koeberl
Abstract: An apparatus to facilitate enabling secure communication via attestation of multi-tenant configuration on accelerator devices is disclosed. The apparatus includes a processor to: verify a base bitstream of an accelerator device, the base bitstream published by a cloud service provider (CSP); verify partial reconfiguration (PR) boundary setups and PR isolation of an accelerator device, the PR boundary setups and PR isolation published by the CSP; generate PR bitstream to fit within at least one PR region of the PR boundary setups of the accelerator device; inspect accelerator device attestation received from a secure device manager (SDM) of the accelerator device; and responsive to successful inspection of the accelerator device attestation, provide the PR bitstream to the CSP for PR reconfiguration of the accelerator device.
-
Publication number: US20180173644A1
Publication date: 2018-06-21
Application number: US15384267
Filing date: 2016-12-19
Applicant: Intel Corporation
Inventor: Patrick Koeberl , Steffen Schulz , Vedvyas Shanbhogue , Jason W. Brandt , Venkateswara R. Madduri , Sang W. Kim , Julien Carreno
Abstract: Methods and apparatus relating to lightweight trusted tasks are disclosed. In one embodiment, a processor includes a memory interface to a memory to store code, data, and stack segments for a lightweight-trusted task (LTT) mode task and for another task, a LTT control and status register including a lock bit, a processor core to enable LTT-mode, configure the LTT-mode task, and lock down the configuration by writing the lock bit, and a memory protection circuit to: receive a memory access request from the memory interface, the memory access request being associated with the other task, determine whether the memory access request is attempting to access a protected memory region of the LTT-mode task, and protect against the memory access request accessing the protected memory region of the LTT-mode task, regardless of a privilege level of the other task, and regardless of whether the other task is also a LTT-mode task.
-
Publication number: US20160306752A1
Publication date: 2016-10-20
Application number: US15192049
Filing date: 2016-06-24
Applicant: INTEL CORPORATION
Inventor: Patrick Koeberl , Steffen Schulz
CPC classification number: G06F12/1441 , G06F9/3005 , G06F9/3802 , G06F9/3824
Abstract: Execution-Aware Memory protection technologies are described. A processor includes a processor core and a memory protection unit (MPU). The MPU includes a memory protection table and memory protection logic. The memory protection table defines a first protection region in main memory, the first protection region including a first instruction region and a first data region. The memory protection logic determines a protection violation by a first instruction when 1) an instruction address, resulting from an instruction fetch operation corresponding to the first instruction, is not within the first instruction region or 2) a data address, resulting from an execute operation corresponding to the first instruction, is not within the first data region.
-
Publication number: US11853468B2
Publication date: 2023-12-26
Application number: US18049781
Filing date: 2022-10-26
Applicant: Intel Corporation
Inventor: Steffen Schulz , Alpa Trivedi , Patrick Koeberl
IPC: G06F21/85 , G06F30/398 , G06N3/04 , H04L9/08 , G06F9/30 , G06F9/50 , G06F15/177 , G06F15/78 , H04L9/40 , G06F11/07 , G06F30/331 , G06F9/38 , G06F11/30 , G06F21/53 , G06F21/57 , G06F21/73 , G06F21/74 , G06N20/00 , G06F21/71 , G06F21/44 , G06F119/12 , G06F21/76 , G06N3/08 , H04L9/00 , G06F111/04 , G06F30/31 , G06F21/30
CPC classification number: G06F21/85 , G06F9/30101 , G06F9/3877 , G06F9/505 , G06F11/0709 , G06F11/0751 , G06F11/0754 , G06F11/0793 , G06F11/3058 , G06F15/177 , G06F15/7825 , G06F15/7867 , G06F30/331 , G06F30/398 , G06N3/04 , H04L9/0877 , H04L63/0442 , H04L63/12 , H04L63/20 , G06F11/0772 , G06F11/3051 , G06F21/30 , G06F21/44 , G06F21/53 , G06F21/57 , G06F21/575 , G06F21/71 , G06F21/73 , G06F21/74 , G06F21/76 , G06F30/31 , G06F2111/04 , G06F2119/12 , G06F2221/034 , G06N3/08 , G06N20/00 , H04L9/008 , H04L9/0841
Abstract: An apparatus to facilitate transparent network access controls for spatial accelerator device multi-tenancy is disclosed. The apparatus includes a secure device manager (SDM) to: establish a network-on-chip (NoC) communication path in the apparatus, the NoC communication path comprising a plurality of NoC nodes for ingress and egress of communications on the NoC communication path; for each NoC node of the NoC communication path, configure a programmable register of the NoC node to indicate a node group that the NoC node is assigned, the node group corresponding to a persona configured on the apparatus; determine whether a prefix of received data at the NoC node matches the node group indicated by the programmable register of the NoC; and responsive to determining that the prefix does not match the node group, discard the data from the NoC node.
-
36.
Publication number: US11651111B2
Publication date: 2023-05-16
Application number: US17129250
Filing date: 2020-12-21
Applicant: Intel Corporation
Inventor: Alpa Trivedi , Scott Weber , Steffen Schulz , Patrick Koeberl
IPC: G06F21/76 , G06F21/57 , G06F21/53 , G06F21/30 , G06F21/85 , G06F30/398 , G06N3/04 , H04L9/08 , G06F9/30 , G06F9/50 , G06F15/177 , G06F15/78 , H04L9/40 , G06F11/07 , G06F30/331 , G06F9/38 , G06F11/30 , G06F119/12 , G06N3/08 , H04L9/00 , G06F111/04 , G06F30/31 , G06F21/73 , G06F21/74 , G06N20/00 , G06F21/71 , G06F21/44
CPC classification number: G06F21/85 , G06F9/30101 , G06F9/3877 , G06F9/505 , G06F11/0709 , G06F11/0751 , G06F11/0754 , G06F11/0793 , G06F11/3058 , G06F15/177 , G06F15/7825 , G06F15/7867 , G06F30/331 , G06F30/398 , G06N3/04 , H04L9/0877 , H04L63/0442 , H04L63/12 , H04L63/20 , G06F11/0772 , G06F11/3051 , G06F21/30 , G06F21/44 , G06F21/53 , G06F21/57 , G06F21/575 , G06F21/71 , G06F21/73 , G06F21/74 , G06F21/76 , G06F30/31 , G06F2111/04 , G06F2119/12 , G06F2221/034 , G06N3/08 , G06N20/00 , H04L9/008 , H04L9/0841
Abstract: An apparatus to facilitate enabling secure state-clean during configuration of partial reconfiguration bitstreams on accelerator devices is disclosed. The apparatus includes a security engine to receive an incoming partial reconfiguration (PR) bitstream corresponding to a new PR persona to configure a region of the apparatus; perform, as part of a PR configuration sequence for the new PR persona, a first clear operation to clear previously-set persona configuration bits in the region; perform, as part of the PR configuration sequence subsequent to the first clear operation, a set operation to set new persona configuration bits in the region; and perform, as part of the PR configuration sequence, a second clear operation to clear memory blocks of the region that became unfrozen subsequent to the set operation, the second clear operation performed using a persona-dependent mask corresponding to the new PR persona.
-
Publication number: US20230089869A1
Publication date: 2023-03-23
Application number: US18070655
Filing date: 2022-11-29
Applicant: Intel Corporation
Inventor: Furkan Turan , Patrick Koeberl , Alpa Trivedi , Steffen Schulz , Scott Weber
IPC: G06F21/85 , G06F30/398 , G06N3/04 , H04L9/08 , G06F9/30 , G06F9/50 , G06F15/177 , G06F15/78 , H04L9/40 , G06F11/07 , G06F30/331 , G06F9/38 , G06F11/30
Abstract: An apparatus to facilitate scalable runtime validation for on-device design rule checks is disclosed. The apparatus includes a memory to store a contention set, multiplexers, and a validator. In one implementation, the validator is to: receive design rule information for the multiplexers, the design rule information referencing the contention set, wherein the contention set identifies a determined harmful bitstream configuration for each multiplexer instance of the multiplexers, and wherein the contention set comprises a mapping of contents of a user bitstream to configuration bits of the multiplexers; receive, at the validator of the apparatus, the user bitstream for programming the multiplexers of the apparatus; analyze, at the validator using the design rule information, the user bitstream against the contention set at a programming time of the apparatus; and provide an error indication responsive to identifying a match between the user bitstream and the contention set.
-
Publication number: US20230068607A1
Publication date: 2023-03-02
Application number: US18049781
Filing date: 2022-10-26
Applicant: Intel Corporation
Inventor: Steffen Schulz , Alpa Trivedi , Patrick Koeberl
IPC: G06F21/85 , G06F30/398 , G06N3/04 , H04L9/08 , G06F9/30 , G06F9/50 , G06F15/177 , G06F15/78 , H04L9/40 , G06F11/07 , G06F30/331 , G06F9/38 , G06F11/30
Abstract: An apparatus to facilitate transparent network access controls for spatial accelerator device multi-tenancy is disclosed. The apparatus includes a secure device manager (SDM) to: establish a network-on-chip (NoC) communication path in the apparatus, the NoC communication path comprising a plurality of NoC nodes for ingress and egress of communications on the NoC communication path; for each NoC node of the NoC communication path, configure a programmable register of the NoC node to indicate a node group that the NoC node is assigned, the node group corresponding to a persona configured on the apparatus; determine whether a prefix of received data at the NoC node matches the node group indicated by the programmable register of the NoC; and responsive to determining that the prefix does not match the node group, discard the data from the NoC node.
-
Publication number: US20220114023A1
Publication date: 2022-04-14
Application number: US17560652
Filing date: 2021-12-23
Applicant: Intel Corporation
Inventor: Alpa Choksi , Patrick Koeberl , Steffen Schulz , Reshma Lal
IPC: G06F9/50 , G06F9/4401
Abstract: A computing platform comprising a plurality of disaggregated data center resources and an infrastructure processing unit (IPU), communicatively coupled to the plurality of resources, to compose a platform of the plurality of disaggregated data center resources for allocation of a microservices cluster.
-
40.
Publication number: US20210150033A1
Publication date: 2021-05-20
Application number: US17129243
Filing date: 2020-12-21
Applicant: Intel Corporation
Inventor: Alpa Trivedi , Steffen Schulz , Patrick Koeberl
IPC: G06F21/57 , G06F21/44 , G06F30/331 , G06F9/38
Abstract: An apparatus to facilitate enabling late-binding of security features via a configuration security controller for accelerator devices is disclosed. The apparatus includes a security controller to initialize as part of a secure boot and attestation chain of trust; receive configuration data for portions of the security controller, the portions comprising components of the security controller capable of re-programming; verify and validate the configuration data as originating from a secure and trusted source; and responsive to successful verification and validation of the configuration data, re-program the portions of the security controller based on the configuration data.
-