公开(公告)号：US20150134952A1

公开(公告)日：2015-05-14

申请号：US14557079

申请日：2014-12-01

Applicant: Intel Corporation

Inventor： David M. Durham ,  Hormuzd M. Khosravi ,  Uri Blumenthal ,  Men Long

IPC: G06F21/62 ,  G06F12/14

CPC classification number: G06F21/6209 ,  G06F12/1408 ,  G06F12/1466 ,  G06F12/1475 ,  G06F21/52 ,  G06F21/53

Abstract: Embodiments of apparatuses, articles, methods, and systems for secure vault service for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the authenticated/authorized/verified software component. Other embodiments may be described and claimed.

公开(公告)号：US08903084B2

公开(公告)日：2014-12-02

申请号：US13916027

申请日：2013-06-12

Applicant: Intel Corporation

Inventor： Men Long ,  Jesse Walker ,  Karanvir S. Grewal

IPC: H04L9/00 ,  H04L9/08 ,  G06F7/04 ,  G06F21/00 ,  H04L29/06 ,  H04L9/06

CPC classification number: H04L9/0866 ,  H04L9/0631 ,  H04L63/0428 ,  H04L63/06 ,  H04L2209/125

Abstract: Both end-to-end security and traffic visibility may be achieved by a system using a controller that derives a cryptographic key that is different for each client based on a derivation key and a client identifier that is conveyed in each data packet. The controller distributes the derivation key to information technology monitoring devices and a server to provide traffic visibility. For large key sizes, the key may be derived using a derivation formula as follows: client_key_MSB=AES128(base_key_1,client_ID),  (1) client_key_LSB=AES128(base_key_2,client_ID+pad),and  (2) client_key=client_key_MSB∥client_key_LSB, where (1) and (2) are executed in parallel. The client key and a client identifier may be used so that end-to-end security may be achieved.

Abstract translation: 端到端安全性和流量可见性可以由使用控制器的系统来实现，所述控制器基于在每个数据分组中传送的导出密钥和客户端标识符来导出每个客户端不同的密码密钥。 控制器将派生密钥分发到信息技术监控设备和服务器，以提供流量可视性。 对于较大的密钥大小，可以使用如下的推导公式来导出密钥：client_key_MSB = AES128（base_key_1，client_ID），（1）client_key_LSB = AES128（base_key_2，client_ID + pad）和（2）cli​​ent_key =client_key_MSB‖client_key_LSB， 其中（1）和（2）并行执行。 可以使用客户端密钥和客户端标识符，以便可以实现端到端的安全性。

公开(公告)号：US20220382684A1

公开(公告)日：2022-12-01

申请号：US17819418

申请日：2022-08-12

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael LeMay ,  Men Long

IPC: G06F12/1027 ,  G06F12/14 ,  G06F9/30

Abstract: Technologies for execute only transactional memory include a computing device with a processor and a memory. The processor includes an instruction translation lookaside buffer (iTLB) and a data translation lookaside buffer (dTLB). In response to a page miss, the processor determines whether a page physical address is within an execute only transactional (XOT) range of the memory. If within the XOT range, the processor may populate the iTLB with the page physical address and prevent the dTLB from being populated with the page physical address. In response to an asynchronous change of control flow such as an interrupt, the processor determines whether a last iTLB translation is within the XOT range. If within the XOT range, the processor clears or otherwise secures the processor register state. The processor ensures that an XOT range starts execution at an authorized entry point. Other embodiments are described and claimed.

公开(公告)号：US10726162B2

公开(公告)日：2020-07-28

申请号：US14577812

申请日：2014-12-19

Applicant: Intel Corporation

Inventor： Manoj R Sastry ,  Alpa Narendra Trivedi ,  Men Long

IPC: G06F21/72 ,  G09C1/00 ,  G06F21/85 ,  H04L9/06 ,  H04L9/08

Abstract: Systems and techniques for a System-on-a-Chip (SoC) security plugin are described herein. A component message may be received at an interconnect endpoint from an SoC component. The interconnect endpoint may pass the component message to a security component via a security interlink. The security component may secure the component message, using a cryptographic engine, to create a secured message. The secured message is delivered back to the interconnect endpoint via the security interlink and transmitted across the interconnect by the interconnect endpoint.

公开(公告)号：US20200050764A1

公开(公告)日：2020-02-13

申请号：US16657669

申请日：2019-10-18

Applicant: Intel Corporation

Inventor： Michael LeMay ,  David M. Durham ,  Men Long

IPC: G06F21/56 ,  G06F12/0802 ,  G06F12/1009

Abstract: Memory scanning methods and apparatus are disclosed. An example apparatus includes an address identifier to, when an entry of a paging structure has been accessed, determine a first address corresponding to a page of physical memory when the entry of the paging structure maps to the page of the physical memory; and a scanner to: scan a threshold amount of memory beginning at a physical memory address corresponding to the first address; and determine whether the threshold amount of memory includes a pattern indicative of malware.

公开(公告)号：US10558582B2

公开(公告)日：2020-02-11

申请号：US14974972

申请日：2015-12-18

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael Lemay ,  Men Long

IPC: G06F12/00 ,  G06F12/1027 ,  G06F9/30 ,  G06F12/14

Abstract: Technologies for execute only transactional memory include a computing device with a processor and a memory. The processor includes an instruction translation lookaside buffer (iTLB) and a data translation lookaside buffer (dTLB). In response to a page miss, the processor determines whether a page physical address is within an execute only transactional (XOT) range of the memory. If within the XOT range, the processor may populate the iTLB with the page physical address and prevent the dTLB from being populated with the page physical address. In response to an asynchronous change of control flow such as an interrupt, the processor determines whether a last iTLB translation is within the XOT range. If within the XOT range, the processor clears or otherwise secures the processor register state. The processor ensures that an XOT range starts execution at an authorized entry point. Other embodiments are described and claimed.

公开(公告)号：US10530568B2

公开(公告)日：2020-01-07

申请号：US15457004

申请日：2017-03-13

Applicant: INTEL CORPORATION

Inventor： Eugene M. Kishinevsky ,  Uday R. Savagaonkar ,  Alpa T. Narendra Trivedi ,  Siddhartha Chhabra ,  Baiju V. Patel ,  Men Long ,  Kirk S. Yap ,  David M. Durham

IPC: H04L9/12 ,  H04L9/06 ,  G06F12/14 ,  G09C1/00 ,  G06F21/85 ,  G06F21/60 ,  G06F12/0868

Abstract: Encryption interface technologies are described. A processor can include a system agent, an encryption interface, and a memory controller. The system agent can communicate data with a hardware functional block. The encryption interface can be coupled between the system agent and a memory controller. The encryption interface can receive a plaintext request from the system agent, encrypt the plaintext request to obtain an encrypted request, and communicate the encrypted request to the memory controller. The memory controller can communicate the encrypted request to a main memory of the computing device.

公开(公告)号：US09910793B2

公开(公告)日：2018-03-06

申请号：US15358976

申请日：2016-11-22

Applicant: INTEL CORPORATION

Inventor： Siddhartha Chhabra ,  Uday R. Savagaonkar ,  Men Long ,  Edgar Borrayo ,  Alpa T. Narendra Trivedi ,  Carlos Ornelas

IPC: G06F21/00 ,  G06F12/14 ,  G06F9/54 ,  G06F13/16 ,  G06F21/72

CPC classification number: G06F12/1408 ,  G06F9/546 ,  G06F13/16 ,  G06F13/1605 ,  G06F21/72 ,  G06F2212/1052 ,  Y02D10/14

Abstract: Memory encryption engine (MEE) integration technologies are described. A MEE system may include a MEE interface and a MEE core. The MEE interface may receive a data from an arbiter, where the data is selected by the arbiter from data at memory link queues. The MEE interface may adjust a timing rate to send the data to match a timing of a MEE core. The MEE core may be coupled to the MEE interface and may receive the data from the MEE interface.

公开(公告)号：US09893881B2

公开(公告)日：2018-02-13

申请号：US14753987

申请日：2015-06-29

Applicant: Intel Corporation

Inventor： Binata Bhattacharyya ,  Siddhartha Chhabra ,  Evgeny Zhyvov ,  Eugene M. Kishinevsky ,  Men Long

IPC: H04L9/06 ,  G06F21/72 ,  G06F21/76

CPC classification number: H04L9/0637 ,  G06F21/57 ,  G06F21/72 ,  G06F21/76 ,  G09C1/00 ,  H04L9/0631 ,  H04L2209/125

Abstract: A processing or memory device may include a first encryption pipeline to encrypt and decrypt data with a first encryption mode and a second encryption pipeline to encrypt and decrypt data with a second encryption mode, wherein the first encryption pipeline and the second encryption pipeline share a single, shared pipeline for a majority of encryption and decryption operations performed by the first encryption pipeline and by the second encryption pipeline. A controller (and/or other logic) may direct selection of encrypted (or decrypted) data from the first and second encryption pipelines responsive to a region of memory to which a physical address of a memory request is directed. The result of the selection may result in bypassing encryption/decryption or encrypting/decrypting the data according to the first encryption mode or the second encryption mode. More than two encryption modes are envisioned.

公开(公告)号：US20170063532A1

公开(公告)日：2017-03-02

申请号：US14753987

申请日：2015-06-29

Applicant: Intel Corporation

Inventor： Binata Bhattacharyya ,  Siddhartha Chhabra ,  Evgeny Zhyvov ,  Eugene M. Kishinevsky ,  Men Long

IPC: H04L9/06 ,  G06F21/76 ,  G06F21/72

CPC classification number: H04L9/0637 ,  G06F21/57 ,  G06F21/72 ,  G06F21/76 ,  G09C1/00 ,  H04L9/0631 ,  H04L2209/125

Abstract: A processing or memory device may include a first encryption pipeline to encrypt and decrypt data with a first encryption mode and a second encryption pipeline to encrypt and decrypt data with a second encryption mode, wherein the first encryption pipeline and the second encryption pipeline share a single, shared pipeline for a majority of encryption and decryption operations performed by the first encryption pipeline and by the second encryption pipeline. A controller (and/or other logic) may direct selection of encrypted (or decrypted) data from the first and second encryption pipelines responsive to a region of memory to which a physical address of a memory request is directed. The result of the selection may result in bypassing encryption/decryption or encrypting/decrypting the data according to the first encryption mode or the second encryption mode. More than two encryption modes are envisioned.

Abstract translation: 处理或存储设备可以包括用第一加密模式加密和解密数据的第一加密流水线和用第二加密模式对数据进行加密和解密的第二加密流水线，其中第一加密流水线和第二加密流水线共享一个 ，用于由第一加密流水线和第二加密流水线执行的大多数加密和解密操作的共享流水线。 响应于存储器请求的物理地址所针对的存储器区域，控制器（和/或其他逻辑）可以直接从第一和第二加密流水线中选择加密（或解密的）数据。 选择的结果可能导致绕过加密/解密或者根据第一加密模式或第二加密模式对数据进行加密/解密。 设想了两种以上的加密模式。